How many of you know how to crack a password of a paysite?
 

I was wondering how this password guys can crack so many passes and update them every fucking day. So, I went to one of the password forum's so called security discussion part. I kept reading the posts about password cracking for an hour. I downloaded the software that many of them use. Then, all I needed to have is a proxy list and a wordlist. Oh well, they had threads where they posted wordlists and proxy lists in zip files. After downloading all the zips I had a list of 1500+ working proxies and 30k+ wordlist. I was still not believing that it could be so easy.

Well, I picked one of the most popular sites to crack a pass. It took no more than 5 mins to get access. I thought I was lucky that time and still not believing that this list would help to get access to more sites. Believe it or not right now, I have passes to more than 20 sites ( I almost have %100 success).... I think this is very fucked up. Learning how to use this software and getting a decent word lists does not take more than an hour. Also, the software I used is not much complicated than kazaa. Anybody who knows how to read e-mail can use this program.
Also, I noticed that same fucking passes works for many many sites.

I always thought those guys that run sites like ultrapasswords are very good hackers. Fuck, any of us can run a password site just by doing a search for an hour and we can get paid by lensman...

Nemisis -

Thanks for the info. Now tell us how to PREVENT them from cracking the pw's.

Which sites couldn't you crack, and why? Shit, I got busy with other stuff, didn't check my log files, bw was up a little but not a lot, 2 days ago realized I had a thief in there for the past month. Fortunately, I only get about 3-4 a year, but still, how to have zero? It's also possible the subscriber just gave out his un/pw to a trading site . . .

:stoned

vik

There's even easier ways than that, but it's unlikely that I will post them here, just not good for business...:winkwink:


Having a site which allows access will likely always be accessible by some "un-savory" types for lack of a better word, but I think you just have to stay on top of it, and make sure that it doesn't get out of hand...

Nevermind:(

I really don't know, I am not a hacker. But, it seems like paysites with lots of members are easier to crack (I read it on that forum). One solution would be; billing companies stop accepting the same pass/user combination for the whole network. I mean, If i used nem/nemesis combination for xxxwhatever, I should not be allowed to use the same combination for xxxwhatever2 even after my membership is already expired with the first one. It seems like members use the same user/pass for all sites they become a member.

Isn't there third party tools for this?

i just thought of something. when you submit to al4a and they have the picture of the generated number and you have to type that in for verification.... what if someone was to make a password script where you have to type in the generated # along with your user and pass. wouldnt that get rid of the password crackers?

p.s. teach me how to crack sites.

are you saying everytime someone logs in, they have to type the randomly generated text in the image?
sure, it'll make your site more secure, but it'll piss off a lot of people and you'd probably end up losing rebills

Force users to have randomly generated passwords...

ie..
x8572dwesx12312a
Longer then 8 letters, that will stop many of these word list program attempts.

i'd never remember that

yeah, it could even only be 3 #'s. but i think it will solve your problem. im sure no one will care about typing 3 #'s when they log in.

That could be bruteforced just as well. The best thing (and what i do) is to install software that monitors the incoming http requests and if too many requests are made in $x amount of seconds then the ip gets firewalled out. The other thing is to monitor your access logs and have software that watches for simultaneous access from different IP's with the same username and then kills that account or notifies you by email or mobile text message.

Also most account bruteforcing software isnt able to work with forms so stop using http authentication and switch to a cgi based form authentication.

i wish billing companies can force surfers
to use email address as usernames

this is will eliminate 90% of the current hacking software

if he email address is the username, and he chooses his own password, it'll remain the same on any site he signs up for. get his password and you got access to all his sites.
it'll prevent against word lists tho.

how could they get the authentication code with brute force if its generated every time and its in a picture so they cant really read it? right now they use different proxies to crack the password so banning the ip wont help. and when they do crack the password, they give the people the proxy to use on it so everyone who uses it has the same ip address. you would be better off monitoring bandwidth on the account.

Using pics with random numbers would make hacking much more difficult, but certainly not impossible. Writing a program that "reads" a picture is very doable. This method will probably scare 99% of password crackers away though. :thumbsup

One must probably ask though, is stopping 5 freeloaders a year worth potentially pissing off your customers?

well you can look at it like this.... if someone cracks 10 of your accounts and you lose 10 customers because they get pissed that their accounts get fucked with. is having this script worth avoiding it? if they have to go through the trouble of typing their using name and password what is typing a few #s from a picture above a text box going to hurt?

it's funny you mentioned that, cuz the same subject was brought up this week at sexswap (no spam intended).

yea, you are right, for some reason I didn't relize that each hacked password may result in a pissed off customer. If anyone wants a script like that customized to their website, I can get one done for a very reasonable price, ICQ me (33375924) if you are interested.

How do you protect a single picture if you are using cgi without http auth?

I.e. www.domain.com/members/fuckyou.jpg ?

I use a cgi based form reading the .htpasswd file and redirect to membersarea if auth is OK. But I still need http auth.

i would like a free one for thinking of it :)

Protecting a single picture is easy, I've done it on many paysites. Basically you disable access to *.jpg or *.gif or *.mpg or WHATEVER in your .htaccess file (for Apache, IIS will be different) - you can find info on doing this by reading the Apache docs. Then you write a "frontend" script to interface with the JPEGs. This can be done in any language but I've implemented it in Perl and PHP.

Basically what you do is have it spit out the header with the Content-Type of image/jpeg or image/gif ra ra ra and then read from a file, and spit it out to the browser. Works perfect. This is great if you want to limit user's bandwidth, or prevent multiple IPs from accessing images etc. etc. You can have immense customization.

Regarding hacking/cracking, breaking an HTTP auth password is a walk through the park. In fact, breaking most passwords on a paysite is fairly easy. What you need to do (and also make clear in disclaimers etc.) is limit the number of IPs a user can have connected at the same time, for starters. This way, if your password is broken, and the cracker decides to post your password to 5 zillion users on his pathetic XXX Passwords site, users won't get in. You can also consider suspending the account if this happens. The user may be unhappy, yes, but I think it's ultimately a better alternative than having 200GB of bandwidth being used up and paying 20 times what the user pays for that month.

You then also prevent the same IP from hammering your site (i.e. brute forcing, even dictionary cracking). All this can be done with simple Perl/PHP scripts (that is, if you're not using htaccess). If you ARE using .htaccess I'm fairly certain there are Apache modules that you can use that do just this.

There are many other methods you can use to safeguard password cracking, not solve it however.

The main concern with paysites, or in fact ANY sites these days, is the mere fact they are insecure overall. Breaking into paysites is generally EASIER to do by breaking into the whole box. The fact is, most don't have system administrators, and the ones that do are not competent enough to keep up to date with security issues.

This imposes much higher danger than a simple breaking of a password to the members' area. All they have to do is hide the amount of bandwidth you're using, backdoor your members' area, hide their files, hide everything and give people free access to the site and there'd be virtually know way of you knowing.

Employing a COMPETENT system adminstrator is important in my opinion. But hey, that's just me :P

Dragon Curve,

Your solution might work but is not optimal. Disappling access to ex. videofiles will not let a user download a video by rightclicking which is direct linking.

You can set the software to change the proxy after trying 5 user/pass combination. The zip i downloaded has more than 1500 proxies. So, blocking ip would not work.

This would work if the cracked password is posted on a website.

That will also annoy your paying customers causing them to cancel earlier.

I don't usually work for free :-/
but if you run a paysite, I'm sure we can work out a deal. I'm usually flexible, you can contact me via e-mail: woj at wojfun.com or ICQ:33375924.

i was just kidding.... i dont even need a program like that

As with any form of cheating, it is sometimes best not to discuss how to do it (or how to prevent it) in too much detail on public forums!

Do us a favor and crack this paysite:
http://www.gbf-archive.com

Details here:
http://gofuckyourself.com/showthread...threadid=82108

Fuckers.

Oh ya, and dont forget to post the U/P here please.

Every time people bring this shit up, there's still one or two that aren't educated.

www.proxypass.com

Get it, love it. It does everything that pennywize and IProtect do (with less server load) PLUS stops open proxies from accessing your site at all. It protects us very well, and is configurable as hell.

I don't own the company, have a stake it, or anything like that, I just like and use the software.

Cheers,
Backov

How do I get free porn again?

Thanks for the nice words Backov! If anyone has more Qs about ProxyPass please hit me up!
ICQ: 153529369

Best regards,
PxG

with all the free porn on the net , why bother?

unless you want to say "look what I done!"

maybe its a fun passtime (time waster) but the script is doing all the work, password cracking skill Zero.

if one ip or account is burning big bandwidth then he is stealing from you. dump him

How about a username and password for the username and a password for the password :Graucho