TeamXPC.com
XPC's Cracking Tutorial
Version 1
Contributors: Sammo, Francisko, Goku, Cobbel
Sections: 1. Keys 2. Combos 3. Proxies 4. Cookies
Keys

A. Failurekeys: definition and criteria
B. When a failurekey is faster than another one (headers & source code)
C. The case of multiple failurekeys: trial & expired accounts
D. More examples

First of all I'd like to spend one word on popup sites, which act a little bit differently with respect to failurekeys. Since the HTTP code on a failure is always 401 for popups, you don't usually need to set a failurekey for this kind of site: your cracking tool already detects 401 in the received header and that's it (I assume you have at least a pretty vague idea of what a header is, but I'm not going to explain this in full detail; for the scope of this tutorial, you should just know that headers contain two relevant pieces of information for crackers: cookies set by the server after login and redirected URLs, in case of redirection). Of course, even for popups, you might still need to add some more failurekeys depending on the site behaviour: expired accounts, banned accounts, invalid redirections etc. (see point 4). Alright, let's get into the bulk of my tutorial.

A. Failurekeys: Definition and Criteria

A failurekey is a unique string presented by the target website when you have entered an invalid login. The failure response is exactly what you get by going to the login URL and putting a random combo in the username/password fields. The HTML source code of the returning reply is the so-called "failure response". Alright, this has been pretty basic up to now, so let's be more specific.

Failurekeys are used in your cracking program to tell if a user:pass combo is working or not. Since you set the failurekey to a phrase which you get after a failed login, the cracking program will look for that phrase after it tries a combination. If it sees the phrase, exactly as you wrote it, it will report the combo as dead. If it doesn't see the phrase, then it will mark it as working. Simple, right?
As I've said, the failurekey must be a 'unique' one: what does that mean? It means that it should be impossible for that keyword to appear in the members area. If this happens, you will never be able to crack the site because all of your hits will be accidentally marked as misses (so this would be a very serious mistake). Now it's pretty obvious that significant keywords like:

Bad username or password
Login incorrect
Bad login
It seems like the login you entered is not working
etc...

will never in this world appear in a members area, so they are all unique and effective failurekeys.

Now let's come to the tricky part: a common mistake I've seen (even from high-level crackers) is to think that the HTML title drawn from the failure response is always a good failure key. Although this might work fine in many cases, it is deadly wrong as a general rule, so it should never be applied without thinking! There are two main reasons why you should never choose a failurekey like that: first of all, unless you know the hit response from the server, it might happen that the members area has the same title as the failure response (unless the title is quite significant itself like "VB3 - Login" for the new videobox login), so that you won't get any hits in this unlucky case. One typical example of this behaviour is Wickedpictures:

http://members.wickedpictures.com/access/login

The failure response bears the title "Wicked", but I can tell you right now that the members area has exactly the same title, so that if you choose the title as a failure, you will make a terrible mistake that will cost you exactly zero hits from your wordlist (a correct choice for this site would obviously be "seems like the password you entered isn't working").

Now let's come to the second reason: I've just said that for videobox the string "VB3 - Login" 'might' be used as a failure ('cause it's a significant one), but it's definitely not the best choice! Why? Well, here comes a subtle point, which is the difference between a failure and a login error (don't worry, even good crackers get sometimes confused about that): failure always means "bad combo", whereas a login error (which could be due to thousands of reasons, even wrong settings in your bruteforcer) doesn't really say anything about your combo being good or bad. You simply don't know! So handling a login error as if it was a failure is obviously wrong and it may cause you to lose lots of hits.

Now let's come back to Videobox and make a little experiment: you can easily see that putting a random combo yields the (correct) failurekey:

Login incorrect

But why don't you try to delete your session cookie just before logging in? (This is not paranoia guys, some proxies don't bother forwarding cookies correctly during brute forcing). The result would be a different one:

Your session has timed out. Please retry your request

Does it mean that your combo was bad? No, it just means the login could not be processed due to other factors. This does not tell you if your pass is working or not! At the end of the story, it should be clear that a failurekey like "VB3 - Login" will never allow you to distinguish between normal failures and login errors. That's the main reason why you should never set the response title as your failurekey, you'll never know if it's really correct!

IN CONCLUSION, YOU ALWAYS HAVE TO LOOK FOR 'UNIQUE' AND 'SPECIFIC' FAILUREKEYS! THAT'S A GOLDEN RULE TO FOLLOW!
B. When a failurekey is faster than another one (headers & source code)
Alright, now let's make this topic a bit more advanced. We've specified the requirements that make a failurekey 'correct' and 'effective'. But even between two correct failurekeys there might be differences. Most significantly, a failurekey is faster than another one if it's checked much earlier in a conversation. So that means you should always look for a key that is possibly placed at the top of the source code, or not too far from it.

To emphasize this concept, I will tell you that the absolute best failurekey is the one contained in the header of a site. In most cases such a failurekey will be the redirection to some invalid URL. Why is it so effective? Because you don't need to wait for the whole response to see if a combo is good or not: the program usually checks the received header before looking at the body and, if a keyword is detected there, you will save a nice amount of time (by rough calculation we can say that if your tool checks the header only half a second earlier than the body and you have 6000 bad combos in your wordlist, you will save about an hour of your cracking time). Not to talk about the advantage of having no need to take care of proxies that time out during redirections (if the bad redirection URL is detected in the header, you won't have to retry the combo when your proxy times out, thus saving even more time).

Now this might seem not a great deal to most of you, but just think about it! If your time is precious, there's no reason to waste it! One famous public tool that allows you to check keywords in the header is C-force. In part 4 I'll give you examples of fail keywords contained in headers.
C. The Case of Multiple Failurekeys: Trial & Expired Accounts

Let's now account for the case when the site returns many different failure responses, depending on the combo you're trying: they might be banned accounts, expired accounts, trial accounts, etc. These are often useless combos and you might want to filter them as well (unless you have some specific reasons or you like waiting for the expired members to renew their subscriptions, you never know!). As above, you have to look for specific failurekeys and add them to your list: if the response explicitly tells you that the account has expired, the solution is straightforward.
But some sites are very picky about that. Sometimes you'll find out too late that an account has expired, only when it comes about to downloading something. I'll give you some examples of that in the next and last section.
D. More Examples

Ok, let's make some practice and apply the lessons we've learnt so far. First example, let's find the best failurekey for mofos.

http://members2.mofos.com

Let's put a random combo (and the correct captcha value) and look at the source code of the returning reply. It looks like the strings "Bad Login", which is part of the title, or "the password you entered isn't working" are both 'significant' and 'unique' failurekeys, so they're both correct. As we've explained before, the first one should be faster as it occurs earlier. But we can still improve it: you might have noticed that we've been redirected to the URL http://members2.mofos.com/members/badlogin/ and that marks a bad reply in an unambiguous way! As we've said, an invalid redirection is the simplest and best failurekey ever, as it's found in the header! So what are we going to do? Simply declare a bot failure if redirection contains the subdirectory "/badlogin" or, if you're using tools that can check keywords in headers also, just set this one as your failurekey:

Location: /members/badlogin

This is a line from the received header.

Second example, how to set a failurekey for teamskeet's expired accounts. Well, I don't know how many of you have ever found such an account while cracking this site: the response source code is very very similar, if not identical, to that of a real hit! What are we going to do? Luckily there's a simple and effective shortcut, since the difference is in the redirected URL! As above, we can set an invalid redirection as a keyword like

Location: http://members.teamskeet.com/canceled

or whatever the received header tells you as a redirection (as I said, this works in tools like CForce when you tick the proper option "Check keywords in headers too").

Other cases might not be as simple. Sometimes the difference between a hit and an expired account can only be found in a very small detail (and you'll get that only after a deep and careful comparison); sometimes such a difference doesn't even exist, and you'll have to delete expired accounts manually when you check the site. Nothing is easy, guys, but I hope I've brought my contribution to the improvement of your cracking skills.
Combos

Combos are what we use to try and enter the site we want to gain access to. They are usually exploited from sites and often posted as passfiles in the private areas of sites like XPC. You can also get access to known combos on public sites that post cracked passes. There are a number of tools that are very easy to use to leech these combos for us such as Athena II and Staph. Since there are a number of things that we can do with Staph to increase our chances at getting a working combo faster (saving us time and proxies) I'll give you some advice on the best ways to use it.

When staph leeches combos it looks for certain "keywords" and leeches combos only according to those keywords. Let me give you an example: if a person likes one milf site then chances are that he likes other milf sites. Using staph you can enter the urls of as many milf sites as possible and it will only leech passes for those sites! Does a person who likes teen sites also like milf sites? Probably not, so why should we bother testing teen combos against a milf site? We shouldn't, so "theming" our combolists can make a very effective combolist for a specific site. Staph comes with several built in themes that you can add to or change for as many different niches as you want. You can also work your way up the staff area on TeamXPC and get the version I spent about a month working on.

Keeping in mind that staph only leeches for certain sites that are entered into it, there are other ways of increasing your odds of getting a hit faster. Most of you are familiar with brazzers.com I bet? Did you also know that Mofos.com is owned by the same company? A company will often have advertising and even offer better deals for other sites it owns in the members area of its sites. That being said, using the example above, if you wanted to get into mofos fairly easily you could leech as many combos for brazzers as possible and that would give you a very decent chance of getting a hit quickly. Using a porn review site like http://www.thebestporn.com/home.html for example that gives the "company info" is very useful, however make sure that the sites you're leeching from are just owned by the same company and NOT part of the same network.

In order to just gain access to a site you really want to get into you can use staph to leech combos just for that site or other sites in the network that have been posted publicly. Doing this is not actually cracking at all. It's re-cracking and even though you can do it for yourself DO NOT POST THESE PASSES on XPC. We like to maintain a certain quality for passes, which allows them to last longer than other sites that simply leech passes. I will point out that if the site you want to get into uses generated passwords (automatically created upon signing up and not user chosen) then this is your only chance to get in unless you have the knowledge to exploit it and get the passfile yourself.

For very popular or non genre based sites and networks I like to use a general combolist that basically leeches as many combos as possible and sort them by frequency. This way the most common combos like username:password (morons) are on top of my combolists and the less frequently appearing ones are at the bottom. This works best on the major sites bangbros and naughtyamerica that don't really fit into a niche.

Once you have your combos ready to use on the site make sure that you pretend to join the site. It will ask you to create a username and password. Start by entering "12" for both and hopefully it will tell you the minimum length of each combo. Next enter "12345678901234567890" for both and it should give you the maximum length for each combo. Most tools will have a combo length filter that you can use to remove non-complying combos. What I mean by this is that 6-16, or 6 character minimum and 16 character maximum, is a very common restriction. That means that combos like test:test have no chance of being a hit and should be removed before cracking. It's also very important to note that if the site asks
you for an email and a password only then chances are the email is your username and you'll have to use a special combolist using only emails as usernames. If the site never asks you for a username or a password then chances are the site uses generated user:pass combos which makes them much tougher to crack. There is a chance the site allows the real user to change their password after joining so if you run into a generated site don't give up hope altogether but keep in mind that it could be very hard.
The Value of Success Keys and Failure Keys

When cracking, in order to be more efficient and save time on bruteforce and to understand how to get valid combos, having both success and failure keys is very important. What are the differences? Well, success keys will always be the priority, meaning if there is a success key returned in the header or the body, it will override anything else, and will always be a valid combo. A failure key is something that, when the header or body is checked, means invalid combo. There is also a third key that is very important and that is the ban key. What is the ban key? That is the key when a proxy is bad, for example it can be a codeen proxy, an ip banned by the website, or maybe a site that does not allow adult traffic. The importance of ban keys is that the cracking program, instead of saying the combo is bad, will retry that combo using a different proxy. If you do not use ban keys, then it is possible you are missing valid combos because it never retries them again after getting a bad proxy.

While success keys are very important, I think it is much more important to have valid failure keys than success keys. In fact many times I leave success keys out and never even use them. The reason is, success keys change a lot: one might work for a month, and then the next time you try it, the success key changed because websites change their members page a lot. So you might go and try to crack a website and never get any valid combos because your success key no longer works. If you just use failure and ban keys, then you just have to look at the possible hits and look at the headers or body to determine if it is a valid combo.
How do you get success and failure keys? The quickest way is to have a valid working combo for that site and then look at the members page and find something unique for a success and a failure. What if you do not have a valid combo and this is the first time you are trying to attempt to crack a site? Well failure keys are a lot easier to find with no working combo, since when you start cracking you will be getting lots of failures, so you stop your bruteforce for a bit and look at the failures and find a unique key. For success keys, the best way to find them if you do not have a working combo, is to look at many of the adult review websites, in there if you go to the review of that site, many times they show screenshots of the members page and you might be able to determine a success key.
Proxies

Proxies are a very important part of cracking but getting and testing proxies isn't always easy and not all proxies are created equal. For example some proxies have adult content filters on them that make them useless for cracking pornsites with. There are also US gov. and military proxies that we don't want to use.

First of all, what is a proxy? A proxy is another computer set up somewhere that we can connect to and then connect to another site through. Say you're at school or work and they have facebook blocked. You can connect to a proxy then connect to facebook because as far as work/school knows you're just connecting to the proxy. In cracking this is how we hide our real ip and manage to make multiple connections to the site at once without them banning our ip.

Proxies come in a combination of 4 numbers ranging between 0 and 255 followed by a port. Within that there are different categories of proxies such as http, https and socks. Http proxies are the ones most commonly used; they're broken up into level 1 high anonymous, level 2 anonymous and level 3 transparent. We only want to use level 1 and 2 because level 3 shows our real ip. For certain sites we'll also need ssl enabled http proxies or https proxies (same thing) but only on sites that use encryption in their login. You'll notice this if the members url is https://site.com/login. All https sites require ssl proxies for cracking and before you ask, http bugger is the only public tool that handles https sites. There are private tools that do the same thing but you'll need to work your way up the cracking ladder to get them. You don't find them, they find you.
To get our proxies we're going to use a tool called proxyfire mastersuite.

http://www.proxyfire...thread.php?t=33

Open it up and go to the p-search tab. Now on the bottom right you'll see "engine". Open up the google engine by pressing "edit" and replace everything there with the below.

[search]
name=Google1month
engine=http://www.google.com/search?hl=en&as_q=&as_epq=%KEYWORD%&as_oq=&as_eq=&tbs=qdr%3Aw&num=100&lr=&as_filetype=&ft=i&as_sitesearch=&as_qdr=m&as_rights=&as_occt=any&cr=&as_nlo=&as_nhi=&safe=images
link_start=

As you may have figured out already this will limit the google search results for just the last month. I highly recommend this but you can also leave it as is, which leeches way too many old dead sites, or even move it up a notch to only leech for the last week. Now open up the "keywords" tab and enter FRESH AND CURRENTLY WORKING PROXIES. When you press go it will now google the first proxy in the list and leech all the proxies from the sites it found in google. It will then go on to the next proxy and do the same thing. If you check the smart loop box it will continue with the proxies it found while searching after it's done with the ones you entered in for keywords.

When you're done hit stop and open up the results directory where you'll see multiple text files. Search all is your proxies that you'll want to check in charon later, but first there's also a .txt file in there called "retrieved_urls" which is a list of all the sites it got the proxies from. Open it up in "once is enough" to sort it alphabetically and to remove duplicates, then you can go through these urls and manually enter the good ones in "proper leeching format" in the p-leecher tab of proxyfire. To do this I go to the site manually in my browser and leech the proxies by hand and test them in charon by themselves. If enough of them are working anons then I add it. If not then don't add it, but either way it's a good idea to make a raptor 3 filter file to remove the sites that you've already checked from future lists so that you don't waste your time retesting the same sites.
Now the reason we do this is simple. A site will have multiple pages with proxies in them. But the p-search tab will only find it if one of the proxies is in our keywords list. That means we could miss good pages containing good anons. The leeching format is as follows:

1. page containing links
2. search string to follow
3. whether or not to follow search strings on that page also

I'll give you an example using proxyfire itself (you'll have to login first).

http://www.proxyfire...isplay.php?f=14

That's the forum for the anonymous http proxies. Here is a link to a thread on that page containing the proxies we want.

http://www.proxyfire...ead.php?t=54026

So to get proxyfire to leech all the proxies in this forum we enter the main forum url from above followed by a specific search term found in all the threads in that forum that we want leeched. I'll use "showthread" followed again by a 0 meaning "do not look for more topics in that page" or a 1 meaning to. It's almost always going to be a 0 so don't worry about it. Here is what we end up with.

http://www.proxyfire...14|showthread|0

This also works the same way in forum proxy leecher. This process can be difficult and time consuming but I've gotten over 1500 proxies in the last year. The leechlist that you're creating will also need to be checked every month or so as sites stop updating and then you'll be checking the same dead proxies over and over again.

Now when it comes to checking your proxies you really will want to use charon. Why? Well, remember when I mentioned that not all proxies are good for cracking? Well, charon is the tool out there that checks the proxies against the site to tell you if the proxy is good for cracking or not. Load up all your proxies into charon and under "judge options" test all judges and select the 5 fastest judges to test your proxies with. This will make sure your ip doesn't get leaked by a bad result from one crappy proxyjudge.

Now go to the site you want to crack and get the members url and enter anything you want for a combo. Now that you've entered a bad combo your browser should bring up a failed login page. Under "site options" in charon delete the google that's there now and enter the members url of the site you want to crack and find a keyword from the failed login screen to enter as a keyword. I'll use bangbrosnetwork for an example.

site members url http://members.bangbros.com/

and after entering a bad combo I view the page source and find this

401 - Access Denied - Bangbros

for proxy checking purposes always look for the tags and use what's in them. Now when you check your proxies for anonymity it'll also check them against the site and if the proxy doesn't return the key we set then it will fail the site test. This is very important because it means the proxy could have an adult content filter on it which means that we could enter a valid combo and it wouldn't let us into the members area. That's the whole point of cracking!!!

Most people that have problems cracking a site... it's usually proxy related. Here's why. Let's say 10,000 combos and 100 proxies for the sake of making the math easy to understand. That means you have 100 attempts per proxy. That means that for every bad proxy you lose 100 combos tested. I've tested my proxies and later had them go bad on me during a cracking session and I've gotten as many as 10-15 proxies go bad on me AFTER the cracking started. That's why you need to keep an eye on what's going on and keep a good list of bad proxy key phrases so that if a proxy does go bad on you while you're cracking it will get banned instead of just continuing to crack with it.

Ok, the first thing we need when we crack is the members url. This is the one we actually enter into our cracking programs so that it can try to login to the site using our combos. There are 3-4 different types of members urls that we deal with. They are basic-auth (easiest), form (a little bit harder but nothing major) and OCR/strongbox (similar to each other but different still).

First we need to go to the site we
want to crack and search around for the area that says something to the effect of "members login". This is where we find the members url. Right click on it and get the location of the link. Because it's sometimes hidden in a picture (ends in .gif or something like that), to make sure you have the correct url paste it into your browser and hit enter. You should now see the area to login either in the form of a pop-up box or a page asking for a username and password. If you don't have the members url yet keep searching, it has to be there, but always make sure you test the url by copying and pasting it into your browser to make sure you see it asking for your log in credentials.

The first type of protection we'll talk about is basic-auth and where we should all begin our cracking journey. Bangbrosnetwork is a good example of basic-auth and is also easy to crack compared to most sites so let's start there. Here is the members url for you:

http://members.bangbros.com/

Now a brief word on what cracking actually is. Copy and paste that into your browser and enter anything you want for a username and password and hit enter. Our cracking tools are basically modified web browsers designed to do just that on a mass scale. We use combos that are known to be valid user pass pairs to keep the guessing to a minimum and proxies to protect our real ip, and the tool will use a combo from our list and connect to the site using a proxy and enter the combo, telling us what happened. If we do this right it will let us into the members area of the site. You'll hear us talk about "bots" which is nothing more than the number of attempts going at once. 10 bots for example is equal to trying to login with your browser 10 times at once.

The second type of protection is a form login. This is a little bit more complicated than a basic-auth site but luckily a nice little tool called c-force does all the work for you. For starters what's different about a form site is that you need something called a postdata query to enter the username and combo into. Also along with the members url you now have an action url that is the one the postdata query actually goes to. Redclouds.com is a nice example of a form site so I'll use that as an example.

http://auth.redclouds.com/

For this site that's both the members url and the action url. That's a part of what makes this a good site to start with.

our method = POST, which is very common. GET is a possibility but very rare.
our postdata username=&password=
Now for some sites it's more confusing than this as there'll be more fields but that's why I chose this site. Now where you see the tool will enter our combos username and for it will enter the password and it will send that query to the site and wait for a response, hopefully redirecting us to the members area meaning a good hit.

The other forms of security are strongbox and OCR. This adds a third field to the mix that requires special private tools to crack. Generally you don't even mention private tools in a public area like this unless you want a warning/infraction but this time it has a purpose. Entering random combos into a site and hoping for a working one sounds an awful lot like searching for a needle in a haystack... and on certain sites it is. OCR sites where you have to enter a corresponding word along with the username and password can really complicate things. Some of these sites don't tell you what you entered wrong. Whether it was a bad combo or a bad code it will just tell you you're wrong and try again. 90% recognition on an OCR site is very good. That means that it reads the captcha right 90% of the time. That also means that 10% of the time it's wrong, and if you're testing 10,000 combos against a site with 90% recognition then automatically 1,000 combos aren't going to be tested properly. This is the reason for talking about private tools and information in a public area. On sites like this your combo skills and proxy skills will really be put to the test. These tools are also easily twice as slow as regular tools because they have to make more connections to the site and process the image.

My advice to you is to work on the smaller stuff starting with basic-auth sites and work your way up to the regular form sites, working on anything and everything having to do with both proxies and combos. Once you get up in the ranks it becomes very important.
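Seen from the site's side, the traffic described in the Keys and Proxies sections has a recognisable shape: nearly every attempt names a different account, attempts are spread thinly over many proxy IPs, most of them fail, and some arrive without the session cookie. The following is an added example (not part of the original tutorial) that scores constructed login-log lines for those signals; the log format, thresholds and function names are assumptions.

```python
"""Credential-stuffing signals in login logs. Log format and data are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_line(line):
    # Assumed format: ISO time, client IP, username, ok|fail, cookie=0|1
    ts, ip, user, outcome, cookie = line.split()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "user": user,
            "ok": outcome == "ok", "has_session": cookie == "cookie=1"}


def by_window(events, minutes=10):
    """Group events into fixed windows keyed by the window start time."""
    buckets = defaultdict(list)
    for e in events:
        ts = e["ts"]
        start = ts.replace(minute=ts.minute - ts.minute % minutes,
                           second=0, microsecond=0)
        buckets[start].append(e)
    return dict(buckets)


def site_signals(events):
    """Site-wide ratios; these survive an attempt stream spread over many IPs."""
    n = len(events)
    return {
        "attempts": n,
        "ips": len({e["ip"] for e in events}),
        "fail_ratio": sum(not e["ok"] for e in events) / n,
        # close to 1.0 when nearly every attempt names a different account
        "user_spread": len({e["user"] for e in events}) / n,
        # logins submitted without the cookie set by the login page
        "no_session_ratio": sum(not e["has_session"] for e in events) / n,
    }


def is_stuffing(sig, min_attempts=50, min_fail=0.8, min_spread=0.8):
    return (sig["attempts"] >= min_attempts
            and sig["fail_ratio"] >= min_fail
            and sig["user_spread"] >= min_spread)


def suspicious_ips(events, min_users=3, min_fail=0.7):
    """IPs that tried several different accounts and mostly failed."""
    per_ip = defaultdict(list)
    for e in events:
        per_ip[e["ip"]].append(e)
    flagged = []
    for ip, evs in per_ip.items():
        users = {e["user"] for e in evs}
        fail = sum(not e["ok"] for e in evs) / len(evs)
        if len(users) >= min_users and fail >= min_fail:
            flagged.append(ip)
    return sorted(flagged)


def report(lines):
    """One alert per window whose site-wide signals look like stuffing."""
    alerts = []
    windows = by_window([parse_line(l) for l in lines])
    for start, evs in sorted(windows.items()):
        sig = site_signals(evs)
        if not is_stuffing(sig):
            continue
        ips = suspicious_ips(evs)
        # accounts that logged in successfully from a flagged IP: force a reset
        hit = sorted({e["user"] for e in evs if e["ok"] and e["ip"] in ips})
        alerts.append({"window": start, "signals": sig,
                       "ips": ips, "compromised": hit})
    return alerts


def constructed_sample():
    """Constructed data: 30 proxy IPs x 4 attempts, plus five ordinary members."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    lines = []
    for i in range(120):  # a new username on every attempt, one success
        ip = f"203.0.113.{i % 30 + 1}"
        ts = t0 + timedelta(seconds=4 * i)
        outcome = "ok" if i == 77 else "fail"
        cookie = 0 if i % 3 == 0 else 1
        lines.append(f"{ts.isoformat()} {ip} user{i:03d} {outcome} cookie={cookie}")
    for j in range(5):  # a member mistypes once, then logs in
        for k, outcome in enumerate(("fail", "ok")):
            ts = t0 + timedelta(seconds=60 * j + 20 * k)
            lines.append(f"{ts.isoformat()} 198.51.100.{j + 1} member{j} {outcome} cookie=1")
    return lines


if __name__ == "__main__":
    for alert in report(constructed_sample()):
        print(alert["window"], alert["signals"], len(alert["ips"]), alert["compromised"])
```

Each proxy IP makes only four attempts in the window, so a per-IP request-rate limit alone would not trip; the distinct-account count per IP and the site-wide ratios are what expose the run.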
Basic Cookie Tutorial

Things you'll need:

• Third-party software or Firefox addon (Live HTTP Headers will be shown in this tutorial)
• Internet Browser (Firefox recommended)
• Limited cracking/computer knowledge

"OMG, ARE WE GETTING CHOCOLATE CHIP COOKIES?!??!!?" OHHHHH SORRY, I'M NOT GOING TO BE TALKING ABOUT THOSE COOKIES :(

I'll try to make this as noob-friendly as possible, so that you guys can understand cookies and how they're used in CRACKING. I won't delve into this topic too much, so I'll only explain what cookies are, the main reasons why people use them in cracking and briefly how you can manipulate and use them.

I'll also throw in a nice little FAQ section in this thread and keep updating it when I receive questions about cookies. Many people who crack file hosting sites will find this insightful and some of you porn crackers may find it useful for your cracking knowledge as well. Let's start, shall we?

One important fact you have to keep in mind WHILE CRACKING is there are two sets of cookies: Cookie and Set-Cookie. Okay now, you're probably wondering "WHAT THE FUCK IS A COOKIE AND SET-COOKIE AND WHY ARE THEY IMPORTANT". Well, when cracking some sites cookies may not be of need to you (e.g. http://www.hotfile.com/ ) but for other sites they are a necessity: this is when cookies are absolutely a bare minimum need in order to attempt to crack a site. One site which requires a cookie to crack is http://www.naked.com/ . So make sure to use a dynamic/static cookie-supported cracker to crack these sites!
What is a Cookie?

[Cookie I received when visiting - http://www.hotfile.com/]

To understand how to use, gain or manipulate a cookie, you will first need to know what it is. A cookie is a header value which contains information of a user. This cookie is then sent to the server (e.g. http://www.hotfile.com/ ) and also received by the user. This cookie usually contains user or user-inputted information (e.g. username and password) but can also contain other types of information which the webmaster of a server wants to grab (e.g. IP Address) when you visit a certain page of their website.
What is a Set-Cookie? [Cookie I received when attempting to log into an account - http:// www.hotfile.com/login.php]
A Set-Cookie is basically a dynamic header value that you send, containing data which is used to create a login entry (it can be another type of entry) on the site's database/system. When a user sends a request to a server, it is then (usually) matched or logged on the server.
One example of this is matching up a Username and Password combo which is sent to the server from the user. If the information given by the user is correct/matches the database, it will give a valid return(s). This can be a success key, successful redirection, auth cookie etc. (I'll explain a bit more about auths later in the tutorial).
You may also want to know what kind of information a cookie and set-cookie contain. These are just SOME of the kinds of information a cookie or set-cookie can contain:
Cookie
• Last sites visited by the user/site referrer
• First time and last time user visited the site
• Number of times user visited the site
• IP Address
• Time of login attempt by the user
• Number of login attempts by the user
• User details (only usually when browsing pages which require logging in)
• DNS

Set-Cookie
• User authentication (a value which is returned when a username/password is authenticated)
• User ID/Other User Details (e.g. account type, date of expiry etc.)
• Session ID
• IP Address
• Dynamic unique/custom IDs (may need a specialized cracker to crack sites containing these)
Some of the information you find in the cookie can also be present in the set-cookie, and vice versa.
You have to keep in mind that the information that is being grabbed/sent to the server is at the webmaster's discretion (with or without user permission).
What can we use authentication values for?
We mentioned a Set-Cookie auth value before. But what can we use this for? One main way to make use of this value is spoofing an account. This auth, in the case of Hotfile, contains a value which can be used to log into a specific account without a username/password, by spoofing it with a third-party addon. I'm not going to explain what programs to use, how to specifically spoof cookies etc., but you can grab this auth value (for Hotfile, the value between “Set-Cookie: ” and the “;”). This value can be inserted into a cookie editor/third-party software to (for example) overwrite your free account auth cookie value with a premium account auth cookie value, thus giving you access to that premium account and its perks.
One reason why many people are now sharing auth cookies is to make accounts last longer by not sharing the usernames and passwords of premium accounts. Another upside is that for some sites (e.g. ones that check the IP Address when logging in, rather than while you're logged in), any number of people can use the same auth value at the same time without the account getting banned.
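Seen from the server side, the gap described above (client address checked only at login, so one auth value works for many people at once) is closed by re-checking the session on every request and revoking it when the same cookie is live from too many places. The sketch below is an added example, not code from this tutorial or from any site it names; the class name, the thresholds and the sample addresses in the comments are assumptions.

```python
import hashlib
import secrets
import time

MAX_IPS = 2      # assumed policy: distinct client IPs tolerated per session
WINDOW = 3600    # assumed window (seconds) over which distinct IPs are counted


class SessionGuard:
    """Re-checks a session on every request, not only at login."""

    def __init__(self):
        # sha256(token) -> {"user": str, "seen": {ip: last_seen_timestamp}}
        self._sessions = {}

    @staticmethod
    def _key(token):
        # Keep only a hash, so a leaked session table cannot be replayed.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user, ip, now=None):
        """Issue a fresh random token after the password check succeeded."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = {"user": user, "seen": {ip: now}}
        return token

    def check(self, token, ip, now=None):
        """Return the user name, or None if the session is unknown or revoked."""
        now = time.time() if now is None else now
        key = self._key(token)
        session = self._sessions.get(key)
        if session is None:
            return None
        seen = session["seen"]
        seen[ip] = now
        # Forget addresses outside the window (roaming users do change IP).
        for addr in [a for a, ts in seen.items() if now - ts > WINDOW]:
            del seen[addr]
        if len(seen) > MAX_IPS:
            # Same cookie in use from too many places: revoke it for everyone.
            del self._sessions[key]
            return None
        return session["user"]

    def change_password(self, user):
        """A credential change invalidates every session of that user."""
        for key in [k for k, s in self._sessions.items() if s["user"] == user]:
            del self._sessions[key]
```

Strict one-IP binding breaks mobile and carrier-NAT users, which is why the sketch tolerates a small number of addresses inside a window instead of pinning the session to the login address.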
FAQ - Cookies
Q: How can I get these cookies/set-cookies?
A: You can use addons or third-party software to grab these. I personally like using Live HTTP Headers because of its simple user interface.
Q: Do I have to crack sites to get these cookies?
A: For cookies, most of the time when you visit a site or send a request to a server you don't have to crack it, but for useful set-cookies, yes, cracking is necessary… unless you already have the account logged in; then just visit the site and look carefully in the headers for the correct value.
Q: If I use a premium cookie for filehosting, will my free account be converted to premium?
A: Sadly, no. You will need a premium cookie (from a premium account) to overwrite your original free cookie (from a free account) in order to use the premium account. Your free account will still be free.
Q: Do cookies expire?
A: This question will take up a lot of space and frankly I don't have the time at the moment, so I'll update this question when I do have time. Simply put, for now: most cookie values do expire, but most don't for a very, very long time, and set-cookies can expire or change (if a user has changed his/her password and/or other details, e.g. email, the auth value will change).
Q: Are cookies site-specific or do most of them have a similar pattern?
A: Yes, cookies are site-specific and depend on the type of site. A custom site can use custom cookies which are unique (probably not similar to cookies on other sites), whereas if a site is using software which a lot of other people use as well, let's say vBulletin, it will have similar cookie or set-cookie starting values (not the value itself, but the “type” of value).
Q: Do all sites grab all my information in the cookie?
A: No, some site webmasters may choose to grab just your session ID while other site webmasters may want to grab your IP address, number of login attempts etc.

Well anyways, that's it for now. If anyone wants me to elaborate on, add or explain anything in this tutorial, just post here.
Conclusion
First off, thanks for reading our first Cracking Tutorial! Now if you have any suggestions or fixes, please reply here or PM co19. We will be revising this tutorial and adding more topics in future versions.
Edited by co19.