
Sentry MBA - Basic Tutorial

veroneczek

Because evidently the 141 bots viewing this subforum aren't contributing ... and I'm sick of people asking even simple things, like "What's a combolists?" Don't even get me started on "make me config pls" or "got config for uplay/origin/netflix," clearly they aren't paying. I'm creating this guide, so hopefully we all can deal with less clutter and spam, and hopefully assholes actually learn something about sentry before getting all into 'cracking' for the money. You can't just load configs and say you know how to crack, hell probably half the people cracking don't even know what an HTTP request is. So, that's all there is to it, basic guide (I will update over the days as I get more free time).
Cracking Glossary
Sentry MBA: One cracking program
Snipr: Another cracking program
Combolists: Huge text files with thousands upon millions of leaked login credentials. We throw these against login servers to check if they're valid.
Configurations/Configs: Configuration files for Sentry MBA (a credential stuffing program). Specifically tuned to bruteforce the website, often contain captures (will be explained later) and special tricks to circumvent IP bans and other security measures.
Proxies: They change the IP address, so your banned IP isn't banned anymore. Useful for getting around websites which quickly ban and blacklist IP addresses, thus preventing them from sending login attempts. Proxies change your IP address so the website thinks you're legit and allows some more attempts through.
Keywords: Keywords from response or source to determine whether credentials are valid or not.
Captures: Specific information gleaned from website source after logging in, such as premium currency, subscription, length of subscription, personal information, etc.
Section 1: The basics of credential stuffing
Now you may be asking me, what does cracking actually mean? Well, cracking is wrongly worded, because we're not actually cracking a specific lock, but actually using someone's stolen key to check every damn house in the neighborhood to see if the key opens any of them. Literally, that's all credential stuffing is. Now, in our case the keys are compromised login information from compromised websites (usually hacked or SQLI dumped), which are in turn thrown at other websites really, really rapidly to see if any are valid. If they're valid, well, we sell them for good moneys.
Y'all better learn about HTTP requests before you proceed any further, I'm serious. Although we will mostly only be going through POST requests which most websites use for login, it's good to learn about how HTTP requests work in general. In shortened terms, this is what most login POST requests do:
- They request login into a website, "Hey, I want to login, my username is XXX and my password is YYY."
- The server authenticates the request, is the login information valid?
- If the information is valid, it returns some unique information declaring the information is valid, usually in the form of a token or cookie or something like that, and redirects the user to the account page (or the bot, in our case).
- If the information is invalid, it returns some other information. No worries, we just throw that one aside and test the next set of credentials. And the next one. Don't underestimate the power of cracking, some configs I'm using can chuck a few hundred credentials per second; some can even support thousands of attempts per second. Don't feel so safe now, right?
So, when our request is authenticated, our software records which credentials are valid and which aren't, and records them in some file which we can then extract credentials from and sell for money. That's about all there is to credential stuffing in general, next we'll go in-depth on some ways websites attempt to thwart credential stuffing, and how some crackers and configurations have bypassed these security measures.
Leaked from mpgh.
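Seen from the login server's side, the behaviour the post describes (many different usernames, almost all failing, sometimes spread across proxies) leaves a recognisable pattern in authentication logs. The following is an added example, not part of the original post: the event format, the thresholds and the function names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events: (epoch_seconds, source_ip, username, login_ok)
def sample_events():
    events = []
    # One source trying 30 different usernames in 30 seconds, one of them valid
    for i in range(30):
        events.append((1200 + i, "203.0.113.7", f"user{i}", i == 17))
    # Proxy-rotated run: 40 sources, one attempt each, all different usernames
    for i in range(40):
        events.append((2400 + i, f"198.51.100.{i}", f"acct{i}", False))
    # Ordinary user: mistypes the password twice, then logs in
    events += [(3000, "192.0.2.10", "alice", False),
               (3005, "192.0.2.10", "alice", False),
               (3010, "192.0.2.10", "alice", True)]
    return events

def detect(events, window=60, min_users=10, min_fail_ratio=0.9):
    """Return (noisy_ips, distributed_windows) using fixed time windows.

    noisy_ips: sources that tried >= min_users distinct usernames in one
    window with a failure ratio >= min_fail_ratio.
    distributed_windows: window start times where the same pattern appears
    site-wide although no single remaining IP stands out (proxy rotation).
    """
    per_ip = defaultdict(list)
    per_window = defaultdict(list)
    for ts, ip, user, ok in events:
        bucket = ts - ts % window
        per_ip[(ip, bucket)].append((user, ok))
        per_window[bucket].append((ip, user, ok))

    def suspicious(attempts):
        users = {u for u, _ in attempts}
        fails = sum(1 for _, ok in attempts if not ok)
        return len(users) >= min_users and fails / len(attempts) >= min_fail_ratio

    noisy_ips = sorted({ip for (ip, _), a in per_ip.items() if suspicious(a)})
    distributed = []
    for bucket, rows in sorted(per_window.items()):
        # Ignore traffic already attributed to a flagged source
        rest = [(u, ok) for ip, u, ok in rows if ip not in noisy_ips]
        if rest and suspicious(rest):
            distributed.append(bucket)
    return noisy_ips, distributed
```

Per-IP counting alone misses the proxy-rotated run, which is why the second, site-wide check keys on distinct usernames and failure ratio rather than on source address.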
 
