password files for JTR
Views: 4687 - Replies: 10
03-27-2005, 05:11 PM
#2
Special Friend
ToRaZ is offline
Join Date: Jan 2005
Posts: 2,220
Threads: 259

I'd say collecting combos... and then use e.g. raptor to split them into a username list and a password list... or just mix them into 1 big single file : )
03-27-2005, 07:50 PM
#3
Guest

Quote:
Originally Posted by toraz
I'd say collecting combos... and then use e.g. raptor to split them into a username list and a password list... or just mix them into 1 big single file : )

You got me wrong.
I meant the encrypted password list (user data) from a specific site, the one I need to decrypt with JTR.
No clue how to get them.
03-28-2005, 03:20 AM
#4
Special Friend
ToRaZ is offline
Join Date: Jan 2005
Posts: 2,220
Threads: 259

hehe... oh those... it will come with time, dedication and effort : )
1st crack then spl0it... anyway there are still some ccbill.logs out there... read up on it in the tut section... under slysnake : )
08-01-2005, 09:49 PM
#5
Special Friend
Wickerman is offline
Join Date: Jan 2005
Location: 22 Acacia Avenue Ohio, USA
Posts: 2,228
Threads: 324

I remember that years ago I used to ask questions like this, heh heh. The thing is there is no one way. There are all kinds of sploits. Many of them use post data and some of them you can do with your browser. Hell, a few you can even find googling. MySQL queries are another way. You just gotta' try to learn whatever sploits you can and then build from there. Googling for this kind of info is not easy. There isn't too much stuff publicly posted that is understandable to the layman. One way is to try to become a terrific bruteforcer and then maybe a skilled exploiter will notice and take you under his wing. It's funny but an exploiter who is working with you can make you understand something in just a few paragraphs of instruction that you couldn't make heads or tails of when reading dozens of white papers you found googling. But in order to get these guys to take an interest in you ya' gotta' get bruteforcing down to a science, prove that you are a hard worker and that you never give up. If a person doesn't have the patience to get bruteforcing down then there is no way they are going to make a good exploit student because it is much, much more difficult. There are sites out there like Bugtraq and milw0rm that post news about new sploits. Good exploiters keep an eye on sites like these and utilize them before they have died. But it simply isn't like bruteforcing. With bruteforcing you use the same basic technique on mostly everything; with exploiting, every different vulnerability can require lots of research and a different approach. But hell, there are lots of exploiters who only know how to use maybe 10 sploits or even less. But ten good ones can take you a long way, getting you into hundreds of different sites. Then you've got your masters who know much more than that, including using MySQL queries, cookie manipulation, and other effective techniques.
I think it will be ok for me to tell you that where nearly everyone starts is with ccbill logs and add-passwd.cgi. add-passwd.cgi is an ancient sploit which has post values and gives you server access and is still open on few servers. The most common thing you'll see if you ever get sploit access anywhere is shells, which are basically backdoors placed on the server by an exploiter. You'll have to learn how to use a few basic commands to use these, namely cat, ls -al, and locate. But sploit information is a secretive kind of thing. In fact, if I were to post info. here that was very specific I would probably get in trouble for it, heh heh. Exploiting tips are generally shared in private chats and emails, not in public forums. Like I was saying earlier, try your best to become a master of the bruteforcing game. If you become really good at it and show that you are a hard worker who never will call it quits, eventually someone will notice and decide to show you a few things.
__________________
"Hand of fate is moving and the finger points to you. He knocks you to your feet and so what are you gonna' do? Your tongue has frozen now, you've got something to say. The piper at the gates of dawn is calling you his way."
-The Wicker Man, Iron Maiden
Last edited by Wickerman; 08-01-2005 at 11:40 PM.
08-08-2005, 10:02 PM
#6
Mr. I'm elite and i want it all NOW
Mr. X is offline
Join Date: Jul 2005
Posts: 117
Threads: 8

Yea, Wickerman is 100% right. Learn how to use Google (lol), Triton and C-Sploiter. Maybe later you'll know what you can do with an "add-passwd.cgi" post data like this "ADD+;echo;ls -al;exit". It really is a great feeling hacking your first server and it can make you totally addicted.
Kind regards
Mr. X
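For defenders, the post data quoted above has a recognisable shape: a form value that carries `;`-separated shell commands. A minimal audit check over captured POST bodies follows as an added example that is not part of the thread; the `/cgi-bin/` path, the field names `action` and `user`, and the sample records are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Shell metacharacters that let one form value become several commands.
SHELL_META = re.compile(r"[;|&`\n]|\$\(")

def split_fields(body):
    """Split a form-encoded body on '&' only, so a literal ';' stays inside its value."""
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        yield unquote_plus(name), unquote_plus(value)

def suspicious_fields(body):
    """Return decoded (field, value) pairs that contain shell metacharacters."""
    return [(n, v) for n, v in split_fields(body)
            if SHELL_META.search(n) or SHELL_META.search(v)]

def scan(records):
    """records: iterable of (client, path, raw_body). Return the ones to alert on."""
    alerts = []
    for client, path, body in records:
        hits = suspicious_fields(body)
        if path.endswith(".cgi") and hits:
            alerts.append((client, path, hits))
    return alerts

# Constructed audit-log records: (client, request path, raw POST body).
# The field names are hypothetical; the second value is the string quoted in the post.
SAMPLE = [
    ("192.0.2.10", "/cgi-bin/add-passwd.cgi", "action=ADD&user=alice"),
    ("192.0.2.77", "/cgi-bin/add-passwd.cgi", "action=ADD+;echo;ls -al;exit"),
    ("192.0.2.78", "/cgi-bin/add-passwd.cgi", "action=ADD%3Becho"),
]

if __name__ == "__main__":
    for client, path, hits in scan(SAMPLE):
        print(f"ALERT {client} {path} {hits}")
```

The check decodes before matching, so the percent-encoded separator in the third record is caught as well; access logs alone do not record POST bodies, so this needs body capture from an audit log or a proxy.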
08-08-2005, 11:25 PM
#7
The sPlicster
sPlico is offline
Join Date: Jan 2005
Location: Croatia
Posts: 9,487
Threads: 408

Quote:
Originally Posted by Wickerman
I remember that years ago I used to ask questions like this, heh heh. The thing is there is no one way. There are all kinds of sploits. Many of them use post data and some of them you can do with your browser. Hell, a few you can even find googling. MySQL queries are another way. You just gotta' try to learn whatever sploits you can and then build from there. Googling for this kind of info is not easy. There isn't too much stuff publicly posted that is understandable to the layman. One way is to try to become a terrific bruteforcer and then maybe a skilled exploiter will notice and take you under his wing. It's funny but an exploiter who is working with you can make you understand something in just a few paragraphs of instruction that you couldn't make heads or tails of when reading dozens of white papers you found googling. But in order to get these guys to take an interest in you ya' gotta' get bruteforcing down to a science, prove that you are a hard worker and that you never give up. If a person doesn't have the patience to get bruteforcing down then there is no way they are going to make a good exploit student because it is much, much more difficult. There are sites out there like Bugtraq and milw0rm that post news about new sploits. Good exploiters keep an eye on sites like these and utilize them before they have died. But it simply isn't like bruteforcing. With bruteforcing you use the same basic technique on mostly everything; with exploiting, every different vulnerability can require lots of research and a different approach. But hell, there are lots of exploiters who only know how to use maybe 10 sploits or even less. But ten good ones can take you a long way, getting you into hundreds of different sites. Then you've got your masters who know much more than that, including using MySQL queries, cookie manipulation, and other effective techniques.
I think it will be ok for me to tell you that where nearly everyone starts is with ccbill logs and add-passwd.cgi. add-passwd.cgi is an ancient sploit which has post values and gives you server access and is still open on few servers. The most common thing you'll see if you ever get sploit access anywhere is shells, which are basically backdoors placed on the server by an exploiter. You'll have to learn how to use a few basic commands to use these, namely cat, ls -al, and locate. But sploit information is a secretive kind of thing. In fact, if I were to post info. here that was very specific I would probably get in trouble for it, heh heh. Exploiting tips are generally shared in private chats and emails, not in public forums. Like I was saying earlier, try your best to become a master of the bruteforcing game. If you become really good at it and show that you are a hard worker who never will call it quits, eventually someone will notice and decide to show you a few things.

Quoted again for extra reading. This is sooooo true. Golden words from this man here. Haven't seen anyone sum it up so good.
Too bad I never found those people
|
08-13-2005, 07:21 AM
#8
Guest

Quote:
I think it will be ok for me to tell you that where nearly everyone starts is with ccbill logs and add-passwd.cgi. add-passwd.cgi is an ancient sploit which has post values and gives you server access and is still open on few servers.

Yes, it's really true.
I'm stating E for nearly one month, and I found some useful logs, but still have lots of knowledge to learn, such as Perl, C++, SQL, etc.
08-22-2005, 01:51 PM
#9
Platinum Exploiter
daemon.azazel is offline
Join Date: Aug 2005
Location: Eastern Europe
Posts: 1,324
Threads: 104

@Wickerman,
man, didn't we meet somewhere else already but under the nick of "guidter"?
very nice small essay, and from some part covering also mine starts with this kind of stuff.
just in addition to what you have posted i would like to notice that the most important skill of any exploiter is fantasy... yes that is!!! there's no sense just to repeat the sploits of others but also personally challenge the status quo and trying trying trying to learn more and more... once having a server access - not just locate .htaccess read it, plunder passfile and go... but also analyse: what other sites are there, what is the script equipment on the site... is there a phpMyAdmin or not... some user management scripts, is there a place and sense for small own php shell... change the access rights for directory, do the job, change it back - then modify the file access time, try to erase logs... fantasy - as i said - that's it ;)
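The actions listed in the post above leave filesystem traces a defender can look for: changing a mode or resetting a file's timestamps updates the inode change time (ctime), which ordinary file APIs do not let a user set. An added example, not part of the thread, assuming a Unix filesystem; the function names, the one-hour threshold and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile
import time

def audit_tree(root, skew_seconds=3600):
    """Walk root; report regular files whose ctime is much newer than their
    mtime (metadata touched after the content) and world-writable paths."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are not meaningful
            if stat.S_ISREG(st.st_mode) and st.st_ctime - st.st_mtime > skew_seconds:
                findings.append((path, "ctime_after_mtime"))
            if st.st_mode & stat.S_IWOTH:
                findings.append((path, "world_writable"))
    return sorted(findings)

def demo():
    """Build a constructed web-root tree and audit it."""
    with tempfile.TemporaryDirectory() as root:
        normal = os.path.join(root, "index.html")
        backdated = os.path.join(root, "page.php")
        opened = os.path.join(root, "members")
        for p in (normal, backdated):
            with open(p, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(p, 0o644)
        os.mkdir(opened)
        old = time.time() - 90 * 86400
        os.utime(backdated, (old, old))  # mtime set 90 days back; ctime becomes "now"
        os.chmod(opened, 0o777)          # directory left open to all users
        return [(os.path.relpath(p, root), why) for p, why in audit_tree(root)]

if __name__ == "__main__":
    for path, why in demo():
        print(why, path)
```

Findings are leads rather than proof: archive extraction and `rsync -t` also preserve old mtimes, so compare against a known-good baseline or deployment records before escalating.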
10-29-2005, 03:17 AM
#10
Guest

Quote:
Originally Posted by Wickerman
I remember that years ago I used to ask questions like this, heh heh. The thing is there is no one way. There are all kinds of sploits. Many of them use post data and some of them you can do with your browser. Hell, a few you can even find googling. MySQL queries are another way. You just gotta' try to learn whatever sploits you can and then build from there. Googling for this kind of info is not easy. There isn't too much stuff publicly posted that is understandable to the layman. One way is to try to become a terrific bruteforcer and then maybe a skilled exploiter will notice and take you under his wing. It's funny but an exploiter who is working with you can make you understand something in just a few paragraphs of instruction that you couldn't make heads or tails of when reading dozens of white papers you found googling. But in order to get these guys to take an interest in you ya' gotta' get bruteforcing down to a science, prove that you are a hard worker and that you never give up. If a person doesn't have the patience to get bruteforcing down then there is no way they are going to make a good exploit student because it is much, much more difficult. There are sites out there like Bugtraq and milw0rm that post news about new sploits. Good exploiters keep an eye on sites like these and utilize them before they have died. But it simply isn't like bruteforcing. With bruteforcing you use the same basic technique on mostly everything; with exploiting, every different vulnerability can require lots of research and a different approach. But hell, there are lots of exploiters who only know how to use maybe 10 sploits or even less. But ten good ones can take you a long way, getting you into hundreds of different sites. Then you've got your masters who know much more than that, including using MySQL queries, cookie manipulation, and other effective techniques.
I think it will be ok for me to tell you that where nearly everyone starts is with ccbill logs and add-passwd.cgi. add-passwd.cgi is an ancient sploit which has post values and gives you server access and is still open on few servers. The most common thing you'll see if you ever get sploit access anywhere is shells, which are basically backdoors placed on the server by an exploiter. You'll have to learn how to use a few basic commands to use these, namely cat, ls -al, and locate. But sploit information is a secretive kind of thing. In fact, if I were to post info. here that was very specific I would probably get in trouble for it, heh heh. Exploiting tips are generally shared in private chats and emails, not in public forums. Like I was saying earlier, try your best to become a master of the bruteforcing game. If you become really good at it and show that you are a hard worker who never will call it quits, eventually someone will notice and decide to show you a few things.

WOW!!!!! My breath has been taken away from me!! This greatly sums up everything someone would want to know in regards to xploiting like myself. THANKS A LOT for taking the time to write this Wickerman!!!