Let’s Start Hacking: How to Hack a Paysite, Part 2
So you want to hack a paysite. Where do you start? With a password file! If you can’t find one on your own, visit one of the hackers’ boards and you’ll find ’em posted.
Not so long ago – perhaps two years ago – a lot of paysites allowed their security files (.htaccess and .htpasswd) to be visible in a browser. If you knew where to look, there it was! Fortunately most server admins have closed up this hole.
On the other hand… this trend seems to be reversing. More and more people have decided to save some money, and become their own server admins. There are more and more one-man hosting companies with great prices – but no security expertise. There are “web appliances” that will configure your server for you. By all means go the cheap route. The hackers will love you for it!
Meanwhile, though, you have a password file. This is a list of all members of your paysite. The usernames are in plain text (john, jacob, jingle, heimer, and so on). The passwords are encrypted (/Cphz8p6Emb3A, ooxdAVLkmR6/Y, auWXZ/088ALTQ, etc.). That makes them safe, right? Wrong!
Password Guessing
Here’s how it works. Suppose you have the username:password listed like this:
john:ooxdAVLkmR6/Y
All we need to do is guess the password and try it. What Morris did fifteen years ago was take the spellchecking dictionary right off the computer he was cracking and run through the list of words as guesses. As often as not, he found a match! In the above case, try username john, password john, and you’re in.
Enforce Your Password Policy
Here’s the question. How good is your password policy? Are your users required to choose a password at least 8 characters long, consisting of upper case letters and lower case letters and at least one digit and at least one punctuation character? Better yet, do you assign random passwords such as 8p6Emb3A?
If you do not enforce a password policy, I can almost guarantee you that the majority of your users indulge in easy-to-guess passwords. They’ll use a name, a birth date, or the word Password just to be cute. If the hackers can find your password file, chances are they can guess most of your users’ passwords! Today’s cracking programs are extremely powerful, and word lists run to 2 gigabytes or more.
A beginning cracker’s rule of thumb is to crack 50% of the available passwords. And, generally speaking, they can! How will it affect your site if 50% of your paying members get locked out because of password trading activity? Fortunately, the password traders have “ethics” and “rules.” They aren’t supposed to post more than ten or twenty passwords to your site at a time. They go on to explain that otherwise the site owner might notice, and close up the hole!
Your basic password problem is due to normal human nature. Most people will choose passwords that they can easily remember. The trouble is that if you can remember it, a cracker can guess it. The only solution is to require an extremely difficult-to-guess password. It does not matter whether you assign the password or whether you allow the new member to make one up. What matters is whether a cracker can guess it within the next year or two.
How and when does the password get chosen when your surfer signs up as a member? Normally they go to the secure join page, take care of their billing info, and choose a username and password. Here’s where your password policy must be enforced! Who controls the policy at that point? Your secure transaction processor!
I cannot emphasize this enough: If your billing company is allowing members to create easy-to-guess passwords, your billing company is responsible for your hacking problem. It really is that simple!
To be fair, your billing company probably doesn’t know this. That’s because your billing company is run by nice people who don’t know how to hack a paysite. But the technique of guessing a password has been around longer than your billing company has been online, and I assure you it is the primary beginners’ technique in use today.
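To make the policy described above concrete, here is a small Python validator and random-password generator. It is an added example, not code from this article or from any billing processor; the function names `policy_violations` and `generate_password` and the short `COMMON_WORDS` set are assumptions constructed for illustration, where a real join page would check against a full wordlist.

```python
import secrets
import string

# Constructed stand-in for a real wordlist: the names, the word Password and
# the apple1-style choices the article describes. Production code would load
# a large dictionary here instead.
COMMON_WORDS = {"password", "john", "jacob", "jingle", "heimer", "apple", "letmein"}
MIN_LENGTH = 8
PUNCTUATION = set(string.punctuation)


def policy_violations(username: str, password: str) -> list[str]:
    """Return every policy rule the password breaks (empty list = accepted).

    Rules: at least 8 characters; upper case, lower case, a digit and a
    punctuation character; not the username; not all digits (birth dates);
    not a common word, even with digits or punctuation tacked on the end.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in PUNCTUATION for c in password):
        problems.append("no punctuation character")
    if password.lower() == username.lower():
        problems.append("password equals username")
    if password.isdigit():
        problems.append("all digits (looks like a date or number)")
    # apple1 and Password! are still dictionary words once the tail is removed
    stem = password.lower().rstrip(string.digits + string.punctuation)
    if stem in COMMON_WORDS:
        problems.append("dictionary or common word")
    return problems


def generate_password(length: int = 8) -> str:
    """Assign a random password the member did not pick, like the article's
    8p6Emb3A, but drawn from letters, digits and punctuation so that it also
    satisfies policy_violations. Uses the CSPRNG in secrets, never random."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:  # reject candidates that are missing a character class
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations("", candidate):
            return candidate
```

Run `policy_violations` at the moment the member picks a password on the join page; if the billing company owns that page, this is the check it must perform.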
The Master Crackers Explain
I asked some of the master crackers on the Web, whether well chosen passwords are effectively uncrackable. Here are six typical answers. Read carefully, and you’ll see the crackers themselves are telling us how to put them out of business:
Hacker One. Nothing is uncrackable. It should take more time and you will need a little bit of luck, but if you use a good wordlist it could be done fast. But in most cases they choose not so clever passes. Also, extra characters like “=+*#$_” are really hard to crack.
Hacker Two. 95% of people use very dumb and obvious passes! Also in 99% of the cases there is a logical sequence in them which is not that hard to figure out. I’ve written a little tutorial for… and it will almost kill everything if done right!
If you do it my way you’ll get everything up to 8 in length. There is another more difficult trick to go beyond that, but there is not much use for it. Usually usernames are longer but passes are in 99% of the cases shorter. This is to make for a quick entry (I guess…).
Hacker Three. I agree with Hacker One. Nothing is uncrackable, but it may well be non-brute-forceable, in that the only way to get access would be to view the passfile in plain text, because the passwords are so non-standard that no wordlist would be effective.
The best example of this is a well known AVS. For example,
user: ab98323432 pass: J54a7v6Q526eZ
This password is clearly not guessable, or decryptable, nor brute-forceable by use of a wordlist, so the only way is to be able to view the password in its original plain text.
Hacker Four. It seems to me that no one has pointed out the obvious fact that almost all adult/porn sites don’t allow their customers to choose special characters in their usernames and passwords.
There are some sites that let the members choose their own username, and then randomly generate a pass for them using uppercase, lowercase and digits in a wonderful hard undecryptable way (good example here is cdgirls and avs like AB and deluxepass).
There are also sites that use 6-8 digits for both usernames and passes, but all-digit passes are reasonably easy to decrypt compared to a mix of uppercase, lowercase and digits. So the only way to get a chance of decrypting these kinds of passes within a reasonable amount of time is to try and get clear text passes if these sites use MySQL or Oracle databases and gain access to these somehow.
Hacker Five. The main reason people pick simple passwords (eg. apple1) is so that they can remember them.
As Hacker Three mentioned there are a heap of sites (like AB) that generate their own passwords and send them to the user.
This creates its own problems though. Let’s say the guy whose normal pass is apple1 is named Dim Witt. Dim decides to join AB. He signs up and gets issued with DimWitt@hotmail.com:Aj4pIhDS4sMb
What’s the first thing he does? Write down the password because there is no way that he will remember it. He probably also keeps a couple of copies electronically. Now it may be harder for remote users to brute-force his password but not hard for anyone with direct access to his desk and/or computer.
One of the other problems with issuing Dim with a password is that he’ll lose his scrap of paper and get kicked out of the site. This causes reverse workflows for the webmaster but they obviously think it’s better than someone else using the pass.
Hacker Six. The stuff that’s being discussed here only counts when trying to guess a pass. If you have access to a server, it doesn’t matter how “uncrackable” a pass is, because you can just see & save it. I’ve seen some servers that put their passfiles in directories like
\web\pass\UG3264--_##UIvc-H87y3shghGkuGFGKS-\.htpasswd
This is in no way to be found by brute force. But when you are there, what difference does it make?
Someone else said it before here, but I totally agree… With new protections finding their way onto the web, brute-forcing as we know it will become a thing of the past. So Sploiting is the way to go…
“Hacker Two” will crack passwords for you while you wait. Send him the password file and he’ll have dozens or hundreds (depending on the size of the file) of “kills” for you in mere minutes. Modern cracking tools are that powerful, and the crackers’ body of knowledge is that large.