The Concept of Cracking

The Concept of Cracking

The scene of cracking has exploded, mostly due to the availability of cracking programs and popularity of websites that cost money. The Internet is filled with predictable and Internet dumb users. With these users comes an opportunity for you to take what is not yours by brute force.

This article is meant to guide you to successfully cracking accounts. So let’s get on with it.

The Main Principle of Cracking

One difficult to grasp fact new crackers come to find out is that cracking a particular account is usually difficult. Understanding this fact is a key step in becoming a successful cracker. There’s great success in numbers. The more user accounts you have to try and crack, the more likely you’ll have success. The reason behind this is simple and logical. If you have a pair of dice, and need to roll snake eyes(two ones), the more tries you have, the better the chance of success.

The main principle of cracking is trying as many valid users(will be covered later) as possible. Despite what others may think, have 10,000 user accounts to try and crack is a much better scenario than having 3 user accounts and 10,000 passwords.

Internet Dumb Users

Most people on the Internet do not take security seriously. There is a misconceived notion about the Internet that it’s secure and anonymous. This lack of concern leads to guessable and common passwords. Patterns, common words, and common names are usually likely passwords. These are usually chosen by these users because they’re easy to remember. Another common lapse in judgment is the fact that these users usually use the same password for all things they have a password for; bank or credit card accounts, E-Mail accounts, and pretty much anything else you can imagine.

All About Passwords

Choosing passwords to crack with is a critical of your success. Using “tert34g” as a password to crack with is not a good idea. Yeah, there’s some small chance that you may achieve one successful attempt with it, but it’s a waste of time.

Think about it. What do most people have in common? Names, favorite foods, favorite animals, favorite sports teams, favorite colors, etc. Instead of relying on preexisting password lists, try creating your own. Why? Things change. What was popular last year is no longer popular. MySpace as a password was logical two years ago. Now, most people haven’t logged into their MySpace in months. Your unique ideas may provide you great success. Think about what’s popular now… Justin Bieber, Obama, or the Miami heat. I bet you never thought of “heat” as a password.

Selective passwords are what I call passwords that are applicable only to a single website. If you’re attempting to crack Facebook accounts, passwords like facebook, Facebook, or FACEBOOK are likely to be successful. If you’d like to go further, go into why people use Facebook. You can logically come to the conclusion that people use it for friends, buddies, etc. Those are logical passwords. The web site’s name is one of the most common passwords used by users because it’s easy to remember, and that same logic applies to every site they have an account with.

Passwords are usually lazy. Most people are too lazy to put any effort into a password, so people will rarely capitalize a password. Any part of the password. Usually, passwords cased like Michelle are rarely successful. The extra motion needed to reach the shift key is usually not a desirable motion for most users. Lowercase passwords are by far the most popular. Uppercase passwords like PASSWORD follow in second, and “properly” cased passwords like “Password” are third.

Name as password = success. One of the most successful method for cracking is using the user name as a password. Bobby’s password is possibly bobby, and Janet’s is likely to be janet. You can go further, and remove numbers with some programs. Bobby1945′s password is possibly bobby, or even boby1945. Again, laziness. Most programs support the use of user name as password, and can remove the letters or numbers from the password foradded control.

Research the Website You’re Cracking

A lot of sites are becoming critical of their users’ passwords. Now, most require a minimum password length, and even have particular rules like they must contain a number. To help with this, I’ll explain the most common passwords should these kinds of rule apply.

If a website requires a number, try common passwords, and add a “1″, or any other number, on the end. password1, adam1, facebook1 are all quite plausible and lazy(which is what you’re going for).

If a website requires a capital letter, try capitalizing the first letter, or all letters: Facebook, Password, PASSWORD, LOVE.

If a website requires a capital letter and a number, try capitalizing the first letter and adding a “1″, or any other number, at the end: Password1, Michelle1, Rachel1.

If a website requires a symbol, try an exclamation mark(!) or a period(.) at the end of common passwords: password!, iloveyou., etc.

Research will prevent you from wasting time. If you don’t do proper research, and you’re cracking a site that requires passwords with a length of more than 4, and you’re using “1234″ as a password, you’re not doing a bit of good other than wasting bits and bytes of bandwidth.

Trying Other Sites with Cracked Accounts

9 times out of 10, a user has at least two accounts with the same password. An ideal situation is when you crack an account, and look in the account information, then find the user’s E-Mail address. It’s not even 50% likely, but there’s a better chance than usual that you know that E-Mail address’s password. If and when you access the E-Mail account, it’s probable that all other sites the user has registered on has sent him or her an E-Mail. Not many people clean their E-Mail box.

Don’t Crack Air; Use Valid Users

If a user account doesn’t exist, why would you try to crack it other than to waste time? Understand that like passwords, a lot of user names are common words, phrases, or patterns. bobby1 is more likely to exist than bobby10382.

As of this moment, there are a few program available for validating whether or not accounts exist. I will not discuss or list these programs, but do the research; it’s well worth it.

Combos(Password Databases)

Combos, as they are called by most crackers, are lists of user names and passwords that have already been cracked for other sites. These are highly successful, but the success can be short lived if other users have access to the same combo. Programs that search for combos are useful, but as I just stated, the success they give can be short lived. These programs are predictable, by that I mean that they use the same, repetitive collecting mechanism.

Combos are a great asset to cracking, but it can be a gold rush which other users can “steal” your hard work.

Sample List

Here’s a small sample password list off the top of my head that will likely be successful:

123456
123456789
abc123
asdf
asdfghjkl
54321
password
password1
lakers
bieber
michael
chris
jesus
money
green
yellow
blue
tiger
puppy
kitten
kitty
james
brandon
michelle
elizabeth
stacy

As you can see, all passwords are common words, or easy to remember patterns.

In Summary

Cracking accounts can be easy; and it can be hard. This all depends on your research and effort before cracking. Success is paved with research.

Enjoy…..

Read More

How to Add Entries for Certain File Types in Right-Click Menu

The Right-Click menu is one of the most messed with pieces of Windows. If you have installed a large amount ofapplications, your right-click menu can become quite large and eventually just take way too long to load.

Sometimes you may have a certain file type, e.g. .doc (Word document) that you would like to do something special with, e.g. open .doc as an email attachment. Today we will be looking at how to do just that. In other words, show you how to add additional options to right click menu when used on certain files. So let’s get started!

Step 1: Go to “My Computer.” Click “Tools” and then click “Folder Options.”

Step 2: Click on the tab labeled “File Types.”

Step 3: Find a file type and select it. Then click “Advanced.”

Step 4: Click “New.” In the Action field type the name that you would like to appear.

Step 5: In the Application used to perform action textbox enter the path of the application you would like the file to load in (with quotes). E.g. “C:\Program Files\Mozilla Firefox\firefox.exe”.

Step 6: Click “OK” and you have your own customized right-click menu!

Removing Entries from Right-Click Menu

Sometimes, instead of adding entries, maybe your right-click menu has become too big. Eventually right-click menu’s (like mine) can take forever to load. If you would like to, you can definitely remove some of those useless options. Ready for a faster right-click menu? Let’s do it!

Step 1: Go to “Start,” “Run,” and type regedit.

Step 2: Navigate to HKEY_CLASSES_ROOT\*\shellexe\ContextMenuHandlers

Step 3: Find the folder that indicates the entry in the start menu and right-click. Select “Remove.”

Remove Entries for Certain File Types

Maybe your right-click menu has become way too long, and takes forever to load (like mine). If you would like to only remove entries for certain file types, simply go to the Folder Options menu like we did before and you may do the following:

Step 1: Go to “My Computer.” Click “Tools” and then click “Folder Options.”

Step 2: Click on the tab labeled “File Types.”

Step 3: Find a file type and select it.

Step 4: Find one of the entries and select “Remove.”

Read More

Better Way To Protect Your Website from Hackers

Better Way To Protect Your Website from Hackers

Hackers are ethical testers to find faults in systems so they can be corrected before unethical hackers (crackers) exploit them. So, this is really about how to protect your website from crackers.

Keep your files up to date

If your site uses the popular SendMail script, please be sure your version is a current one. Visit Anti-Spam Provisions in Sendmail 8.8 to edit the FormMail script. We have the updated SendMail in use for the HarleyShopping Cart site. FormMail is another popular script used to send form results to an email address or database. We use that file for our website form. These scripts are located in the cgi-bin on the web host server.

Signing up for updates for scripts (programs) your site uses will let you know if there are any. You should use the latest update to protect yourself. This is often the reason the update is released. If you are unsure of the scripts used on your website, contact your web developer.

Remove unnecessary files

Your website changes, old files are ignored. They should be removed. Keep copies offline in case you wish to add them again, but remember to update any scripts. Old files are often indexed by search engines. So even if you do not link to those pages anymore, the search engines lists them for Internet users to find and visit. Automated programs to search for these files can find them to exploit them.

Implement passwords

Any sensitive files, databases or scripts should be protected. Please use passwords that are difficult to guess. Use letters AND numbers, but be careful to keep the number of characters within the programmed limits and remember that passwords are case-sensitive.

Include robots.txt

Create a file to tell search engines not to index files that are restricted to certain users. You can also disallow indexing of images, so people who search for images to use illegal do not steal your images.

Check permissions of uploaded files

Left-click each filename in your web host server, then right-click and select CHMOD to make sure files are set to the proper permissions. Check with your web host if you are unsure. Remember to upload images as binary and most other files as ASCII files. Choosing Auto for automatic selection may be incorrect if certain extensions are not specified.

Protect email addresses

If you ever got a strange email that tested your form or simply sent you an email to yourself, one of those spammer programs found your email address from your website or someone else’s. There are scripts to split up your email address, so spammer software programs cannot read them. Another way is to place your email address in an image or simply have an “Email us” link. I haven’t done this, but I didn’t have any problems until recently. I still want to make my contact information visible to my target audience.

If you sign guestbooks, go to forums or newsgroups, or share your email address with anyone else, your email address can be posted and shared all over the Internet. I often use several email addresses when making posts, because spammers look there first for email addresses. To spammers, a guestbook is an email address database. So use a Hotmail account for your email, but you can still include your web address in your signature. If the Internet user visits your site, the user can contact you using the link on your site. The spammers probably won’t visit your site, so the spam goes to the posted email address.

Protect your source code

Some people use that stupid right-click script to protect their source code. Not only does that not protect your code, you are disabling browser functions such as adding your site to their favorites or printing. Though many people have “borrowed” my source code, I would not want to disable functions that my target audience wants to use. There are scripts to make your source code hidden. This is more effective, but a pain for anyone who wants to edit your site. The preferred method is external files such as external style sheets or javascript files.

Include copyright information on the page and in the meta tags for every web page. Watermark all images. Keep copies of previous versions of your site with the last modified information intact. Save files on disks, so they can be retrieved. if necessary. Visit the WayBack Machineo find previous versions of websites, if you cannot find your files. Though the information is incomplete, it is better than nothing. Buy the copyrights to important files to protect yourself from competitors or other parties.

Enjoy …….

Read More

Tutorial On DNS Poisoning

Tutorial On DNS Poisoning

This is an introduction to DNS poisoning which also includes an example of quite a nifty application of it using the IP Experiment. It’s purely educational, so I’m not responsible for how you use the information in it.

To start, you’ll need

• A computer running Linux (Ubuntu in my case)

• A basic understanding of how the Domain Name System (DNS) works.

Note that this is a more advanced topic; don’t try this if you don’t know what you’re doing.

Why DNS?

The DNS provides a way for computers to translate the domain names we see to the physical IPs they represent. When you load a webpage, your browser will ask its DNS server for the IP of the host you requested, and the server will respond. Your browser will then request the webpage from the server with the IP address that the DNS server supplied.

Here’s a pretty diagram to help explain it

If we can find a way to tell the client the wrong IP address, and give them the IP of a malicious server instead, we can do some damage.

Malicious DNS Server

So if we want to send clients to a malicious web server, first we need to tell them its IP, and so we need to set up a malicious DNS server.
The server I’ve selected is dnsmasq – its lightweight and the only one that works for this purpose (that I’ve found)
To install dnsmasq on Ubuntu, run sudo apt-get install dnsmasq, or on other distributions of Linux, use the appropriate package manager.

Once you’ve installed it you can go and edit the configuration file (/etc/dnsmasq.conf)

sudo gedit /etc/dnsmasq.conf

The values in there should be sufficient for most purposes. What we want to do is hard-code some IPs for certain servers we want to spoof

The format for this is address=/HOST/IP

So for example;

address=/facebook.com/63.63.63.63

where 63.63.63.63 is the IP of your malicious web server

Save the file and restart dnsmasq by running

sudo /etc/init.d/dnsmasq restart

You now have a DNS server running which will redirect requests for facebook.com to 63.63.63.63

Malicious Web Server

You probably already have a web server installed. If not, install apache. This is pretty basic, so I won’t cover it here.

There are a couple of things you can do with the web server. It will be getting all the traffic intended for the orignal website, so the most likely cause of action would be to set up some sort of phishing site

I’ll presume you know how to do that though

Another alternative is to set up some sort of transparent proxy which logs all activity. I might come back to this in the future.

I Can Be Ur DNS Server Plz?

An alternative is to, instead of a spoof webserver, set up a Metasploit browser_autopwn module . You can have lots of fun with that

But how do you get a victim? Well this is where my project, the IP Experiment could come in handy

If you don’t know, the IP Experiment basically harvests people’s IPs through websites such as forums and scans them for open ports. A surprising number of these IPs have port 80 open and more often that not, that leads straight to a router configuration mini-site. ‘Admin’ and ‘password’ will get you far in life; its fairly easy to login and change the DNS settings, and BOOM. You have a victim!

The same techniques can be applied to in many different ways.

Enjoy…….

Read More