Have you ever sat there and wondered how people are cracking accounts? Maybe you aren’t very technical and you think they must be master hackers or have some insider information. Or perhaps some other magical powers are at play.
Well actually it’s very simple. Stick around and I will tell you the secrets of account cracking and other related details.
Disclaimer: Performing attacks, penetration testing or credential stuffing on sites you do not own (or do not have explicit permission to test) is illegal. I do not condone these actions and do not take any responsibility for any actions you take. This post is purely for educational and informative purposes.
Introduction to Account Cracking
Account cracking is a serious issue for many websites and online services. It has been around forever but the problem is only getting worse.
People are able to gain free access to the ever-increasing number of digital services like Netflix, Hulu or premium adult sites like Brazzers, and stream high-quality full movies for free, relatively safely, without the risk or hassle of trying to find a torrent or other illegal methods.
They may even go as far as cracking Amazon accounts or other services for personal purchases, or game accounts, to sell in-game currency for real money. This is a much riskier but more profitable option for criminals.
Types Of Cracking
There are multiple ways accounts are stolen but I am only going to be talking about the most common (credential stuffing). Firstly I will give you a quick overview of two different types:
– Credential Stuffing uses lists of previously known usernames and passwords obtained from leaked databases. This enables the attacker to get a high rate of successful hits in a relatively short time, because the accounts have a high probability of working if they are registered with the targeted site.
So for major sites that the majority of the population uses, this is very successful.
– Brute Forcing is more about trying every possible combination of characters for a specific account. It is possible to speed up the search if you know some details of the password, or by using a list of the most common passwords.
Theoretically, if you had a correct account, you could always get the password. However, in reality this method is rarely used outside of targeted attacks due to the enormous amount of time (literally millions of years) it would take to try every combination.
Credential Stuffing Tools
There are many tools and tricks to perform effective credential stuffing. These are all easily found online for free, which makes it incredibly easy for anyone without much technical know-how to illegally obtain accounts.
Account Lists
Over the years many websites have had their databases hacked, revealing their users’ account information, email addresses, passwords and other personal details. Some of these databases are sold privately to other hackers. Many are also leaked publicly on the internet.
All it takes is a quick search for leaked databases and you can find hundreds of millions of username and password combinations of real accounts, ready for would-be credential stuffers to try on their website of choice.
Many people use the same username and password on multiple websites, which is the reason this method is highly effective and such a big problem.
Proxies
You know when you forget your password, you try multiple times and it locks you out? This is one of the protections against credential stuffing.
The successful crackers are able to try hundreds of accounts per second, bypassing these blocks by using proxy lists to cycle through IPs. Since the login attempts are coming from thousands of different IP addresses instead of a single address, they are not flagged.
There are many free proxies available online, however most are shared, slow and stop working quickly. You can also find services online selling private proxy lists for a small price.
The bigger and better quality the proxy list, the faster the account cracking becomes, with fewer blocks and more account combinations checked.
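For defenders, the point above means a per-address failure counter sees nothing, while the same traffic stands out when failures are counted site-wide. The following is an added example, not part of the original post: it runs both checks over constructed login events, and the event format, thresholds and function names are assumptions made for illustration.

```python
from collections import Counter, defaultdict

def build_sample():
    """Constructed events: (epoch_second, source_ip, username, success)."""
    nets = ["192.0.2", "198.51.100"]  # documentation address ranges
    events = []
    # 300 attempts in one minute, each from its own address and for its own
    # username; two succeed because those users reused a leaked password.
    for i in range(300):
        ip = f"{nets[i // 150]}.{i % 150 + 1}"
        events.append((1200 + i // 5, ip, f"user{i}@example.com", i in (40, 170)))
    # Ordinary traffic: one user mistypes twice, then logs in.
    events += [(1210, "203.0.113.7", "alice@example.com", False),
               (1215, "203.0.113.7", "alice@example.com", False),
               (1220, "203.0.113.7", "alice@example.com", True)]
    return sorted(events)

def per_ip_lockout(events, max_failures=5):
    """The per-address control: flag any IP with more than max_failures."""
    fails = Counter(ip for _, ip, _, ok in events if not ok)
    return {ip for ip, n in fails.items() if n > max_failures}

def stuffing_windows(events, window=60, min_users=50, min_fail_ratio=0.9):
    """Flag time buckets in which many distinct usernames fail site-wide."""
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        buckets[ts // window].append((ip, user, ok))
    alerts = []
    for bucket, rows in sorted(buckets.items()):
        failed_users = {user for _, user, ok in rows if not ok}
        fail_ratio = sum(not ok for _, _, ok in rows) / len(rows)
        if len(failed_users) < min_users or fail_ratio < min_fail_ratio:
            continue
        alerts.append({
            "start": bucket * window,
            "attempts": len(rows),
            "failed_users": len(failed_users),
            "source_ips": len({ip for ip, _, _ in rows}),
            # Successes with no failure for that user in the window: review
            # these accounts for a forced password reset (heuristic).
            "review": sorted(u for _, u, ok in rows if ok and u not in failed_users),
        })
    return alerts

if __name__ == "__main__":
    sample = build_sample()
    print("per-IP lockout flagged:", per_ip_lockout(sample))
    for alert in stuffing_windows(sample):
        print(alert)
```

The per-address check returns nothing for this sample, while the site-wide check raises one alert and lists the two accounts that logged in successfully during the burst.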
The tools to use them
There have been many different tools in the past, from the old school Brutus by Hoobie.net (historical archive), Access Diver and THC Hydra to the more recent tools like Sentry MBA, BlackBullet and the increasingly popular OpenBullet, the latter of which will be discussed in this article.
These tools are able to take the account lists (more commonly called wordlists) and, with little configuration, try every account on the target website, letting you know which accounts are working (successful hits) and which are not.
The Magic OpenBullet
Let me stress again that cracking accounts is illegal and you should not do it. OpenBullet was created as a legitimate pentesting suite for use only on sites you own or have strict permission to test.
OpenBullet, which is freely available on its GitHub page (openbullet/openbullet), is able to take multiple wordlists, proxy lists and configs, then test the target with each account combination, cycling through proxy lists to evade detection.
OpenBullet Configs
If you have some understanding of HTTP requests, it becomes very easy to make your own custom configs using the Stack Viewer, which is almost like a drag-and-drop editor for creating request chains: sending the login request, checking the response for an error/success message, and even sending more requests to grab account information on profile pages once logged in.
If you have more experience you can even write the configs in LoliScript, a custom, fairly easy to understand language that allows you to better understand the process of the config.
There are many OpenBullet configs and tutorials available for free and for sale in forums online, making it a popular choice even for those with no experience of cracking or coding.
The dreaded CAPTCHA
A popular way to stop credential stuffing is using CAPTCHAs, forcing the user to click the fire hydrants, click the traffic lights, or enter the letters.
However, this can even be automated. In the OpenBullet settings you will find the settings for Captchas, which allow you to easily integrate many of the Captcha services listed in the tool, whereby you pay for them to solve the Captcha. The login attempts then continue without you ever having to click a single traffic light.
More OpenBullet Configs
In the future I will make a more detailed guide on creating your own OpenBullet configs. If you are interested in learning more about that, then be sure to check the latest articles, where you will find all non-porn account posts.
So now you know
So now you know it isn’t wizardry and you don’t need years of coding experience. Anyone can do it, and that is why credential stuffing is such a big problem.
There are many criminals making a lot of money cracking accounts and selling or using them, pretending to be elite master hackers and the saviors of the poor, when in reality they just use other people’s tools and other people’s configs, stealing other people’s accounts with little effort, and don’t even know the most basic things. Then they cry so hard when people take anything from them. It’s so brain-dead pathetic it’s funny.