Zenn
Cross-Language Interoperability Expert
LEVEL 1
300 XP
[+] box in the bottom left corner of the dumper.
Step 9:
Check 2 boxes out of 4. Write in what you want your combolists to be about. I used username and passw
ord because i want my combolists to be of usernames and passwords. You can also have 1 box checked.
You can also write in anything you want, such as email and password, name and lastname, credit card n
ame and credit card number, etc
. Also make sure Current DB is checked and Collumns as default.
Step 10:
Select all the Unions with the SHIFT button and click Start. A new window will pop-up. Wait for the proces
s to finish. Don’t close this window. EVER.
Step 11:
Scroll down until you find a database with a good number of Username or Password rows. If both Userna
me and Password have the same number, its perfect. If you only see Username or Password, its ok too, b
ut the database may not have good combos. Its all about luck here. Select a database with more than 5k r
ows.
Step 12:
After you found what database you want to crack, select the URL’s name and click Go to Dumper > Du
mper Form.
Step 13:
This is the time where you need to guess. Click on a column you think the combolists will be at and press
Get Columns.
Step 14:
I found mine, so now i click on what i want to dump. In this case i only want to dump usernames and pass
words. Check on anything you want to dump and press Dump Data. If you had a large number of rows, thi
s is gonna take a while to complete. Also, if the Dumper crashes here, i feel sorry for you son, you cant do
something about that, you need to restart dumping the data from the beginning.
Step 15:
As you can see, i got very shit combos. If you get bad combos too, press X which is under Schema tab an
d search for a new URL.
Step 16:
After you dumped your data, press Export data. A new window will pop up, just make sure it is as mine. Pr
ess start when you are done.
Step 17:
Click save and find the text document you just saved. Check the Sandboxie location if you cant find where
you saved it. Open the text file and remove the first lines until you only have your combos in there.
If your passwords are not encrypted, you can skip chapter three and you can go straight to chapter four
. If your passwords have a weird format like mine, we need to find out which type of Hash it is and we nee
d to dehash it.
Dumping data from a database is all about luck.
If your SQLi Dumper keeps crashing, you can dump databases with SQLMap, that never crashes (i canno
t post how to do it because SQLMap keeps updating and the commands keep changing all the time. You
can search on google or youtube how to install SQLMap and how to use it. I am currently using it on Kali
Linux 2016 on VMWare Workstation 12).
You will either get good combos or you will get shit. Just never give up, and always keep trying. You can a
lso save your Trashed URL’s to generate new combos with JohnDoe’s generator.
CHAPTER THREE: Dehashing the passwords from a combolist.
Step 1:
Open ORHT ad click Ok. If you have opened ORHT and you cant find the window or you minimized it acci
dentally, you can find it in the tray menu.
Step 2:
Click Main Menu > Start From File, and load the Combo you dumped. My hash encyption was MD5, so
i have checked MD5 as Hash Type on the window.
Step 3:
Make sure your ORHT looks like mine. Click OK and after some time, a message will pop up saying how
many hashes were decrypted. Click OK again.
Step 4:
Go to Main Menu > Save to File and make sure your OHRT looks exactly as mine. Click Ok and wait fo
r the process to finish. A message will pop up that will say sucess. Click OK and save your DEHASHED c
ombolists.
ck again.
Basically thats it, if you dumped 100k combos, its most likely that 30% of it to be dehashed, but thats on lu
CHAPTER FOUR: Checking the combos.
Before we start checking the combos with sentry, we need some proxies.
Step 1:
Make a new text document and name it proxies. Then open Gather Proxy and go to the Advance tab and
change the settings same to mine.
Step 2:
Go to Gather Proxy tab and press Start and wait for the program to finish. After its done, press SHIFT to s
elect all combos and copy and paste them in your proxies text document.
Step 3:
Open Sentry MBA and go to Settings > General > Load Settings from Snap Shot and load the config
of the site you want to check your combos. In my case, i will be using the NA League of Legends server b
ecause my database was from a site from the US
. In the .zip file i have all the League of Legends configs. If you dont want to check your combos for leagu
e or if you your combolist is email and password (email:pass) form, you can find all the configs you need h
ere from Nulled. I will not be posting them here.
Step 4:
er.
Go to Lists > Proxylist > Clear List and then Load the proxies from the text document you made earli
Step 5:
Go to Lists > Wordlist and press clear combo if the upper left box is not clear. Press Open a Combolist
and choose the combolist we dehashed a while ago.
Step 6:
re time.
Go to Progression, set the bots to a high number (i go for about 90-110), click Start and Click start one mo
Step 7:
Wait for the program to finish, when all combos were checked as we can see from the bottom of the wind
ow, we can click Stop. Press SHIFT and select all the contents from the Hits tab and right click and save t
hem to clipboard. Make a new text document and paste them there. Congratulations, you have your ready
combos that work for that specific website/game, etc… In my occasion it was for League of Legends.
So here is the results:
The whole process is similar to the oil process. We take all the shit we can find and we filter it to a good re
sult. If you read carefully this whole tutorial, you have now learned to:
Make your OWN dorks
Dump our OWN data
Make some good out of it.
Step 9:
Check 2 boxes out of 4. Write in what you want your combolists to be about. I used username and passw
ord because i want my combolists to be of usernames and passwords. You can also have 1 box checked.
You can also write in anything you want, such as email and password, name and lastname, credit card n
ame and credit card number, etc
. Also make sure Current DB is checked and Collumns as default.
Step 10:
Select all the Unions with the SHIFT button and click Start. A new window will pop-up. Wait for the proces
s to finish. Don’t close this window. EVER.
Step 11:
Scroll down until you find a database with a good number of Username or Password rows. If both Userna
me and Password have the same number, its perfect. If you only see Username or Password, its ok too, b
ut the database may not have good combos. Its all about luck here. Select a database with more than 5k r
ows.
Step 12:
After you found what database you want to crack, select the URL’s name and click Go to Dumper > Du
mper Form.
Step 13:
This is the time where you need to guess. Click on a column you think the combolists will be at and press
Get Columns.
Step 14:
I found mine, so now i click on what i want to dump. In this case i only want to dump usernames and pass
words. Check on anything you want to dump and press Dump Data. If you had a large number of rows, thi
s is gonna take a while to complete. Also, if the Dumper crashes here, i feel sorry for you son, you cant do
something about that, you need to restart dumping the data from the beginning.
Step 15:
As you can see, i got very shit combos. If you get bad combos too, press X which is under Schema tab an
d search for a new URL.
Step 16:
After you dumped your data, press Export data. A new window will pop up, just make sure it is as mine. Pr
ess start when you are done.
Step 17:
Click save and find the text document you just saved. Check the Sandboxie location if you cant find where
you saved it. Open the text file and remove the first lines until you only have your combos in there.
If your passwords are not encrypted, you can skip chapter three and you can go straight to chapter four
. If your passwords have a weird format like mine, we need to find out which type of Hash it is and we nee
d to dehash it.
Dumping data from a database is all about luck.
If your SQLi Dumper keeps crashing, you can dump databases with SQLMap, that never crashes (i canno
t post how to do it because SQLMap keeps updating and the commands keep changing all the time. You
can search on google or youtube how to install SQLMap and how to use it. I am currently using it on Kali
Linux 2016 on VMWare Workstation 12).
You will either get good combos or you will get shit. Just never give up, and always keep trying. You can a
lso save your Trashed URL’s to generate new combos with JohnDoe’s generator.
CHAPTER THREE: Dehashing the passwords from a combolist.
Step 1:
Open ORHT ad click Ok. If you have opened ORHT and you cant find the window or you minimized it acci
dentally, you can find it in the tray menu.
Step 2:
Click Main Menu > Start From File, and load the Combo you dumped. My hash encyption was MD5, so
i have checked MD5 as Hash Type on the window.
Step 3:
Make sure your ORHT looks like mine. Click OK and after some time, a message will pop up saying how
many hashes were decrypted. Click OK again.
Step 4:
Go to Main Menu > Save to File and make sure your OHRT looks exactly as mine. Click Ok and wait fo
r the process to finish. A message will pop up that will say sucess. Click OK and save your DEHASHED c
ombolists.
ck again.
Basically thats it, if you dumped 100k combos, its most likely that 30% of it to be dehashed, but thats on lu
CHAPTER FOUR: Checking the combos.
Before we start checking the combos with sentry, we need some proxies.
Step 1:
Make a new text document and name it proxies. Then open Gather Proxy and go to the Advance tab and
change the settings same to mine.
Step 2:
Go to Gather Proxy tab and press Start and wait for the program to finish. After its done, press SHIFT to s
elect all combos and copy and paste them in your proxies text document.
Step 3:
Open Sentry MBA and go to Settings > General > Load Settings from Snap Shot and load the config
of the site you want to check your combos. In my case, i will be using the NA League of Legends server b
ecause my database was from a site from the US
. In the .zip file i have all the League of Legends configs. If you dont want to check your combos for leagu
e or if you your combolist is email and password (email:pass) form, you can find all the configs you need h
ere from Nulled. I will not be posting them here.
Step 4:
er.
Go to Lists > Proxylist > Clear List and then Load the proxies from the text document you made earli
Step 5:
Go to Lists > Wordlist and press clear combo if the upper left box is not clear. Press Open a Combolist
and choose the combolist we dehashed a while ago.
Step 6:
re time.
Go to Progression, set the bots to a high number (i go for about 90-110), click Start and Click start one mo
Step 7:
Wait for the program to finish, when all combos were checked as we can see from the bottom of the wind
ow, we can click Stop. Press SHIFT and select all the contents from the Hits tab and right click and save t
hem to clipboard. Make a new text document and paste them there. Congratulations, you have your ready
combos that work for that specific website/game, etc… In my occasion it was for League of Legends.
So here is the results:
The whole process is similar to the oil process. We take all the shit we can find and we filter it to a good re
sult. If you read carefully this whole tutorial, you have now learned to:
Make your OWN dorks
Dump our OWN data
Make some good out of it.