Awesome Porn Hacking Guide
Ok, the time has come to share this wonderful technique with
the rest of you. First up, this is pretty basic stuff; it's not "hacking", it's
not advanced, and it won't work for anything like every website. But, it is
pretty good considering it's free and pretty easy to do.
Access Diving:
The method I use is
called a brute-force security attack. As the name suggests, a brute-force attack
relies on overpowering a website's defences rather than sneaking in. The program
we will be using is called Access Diver. This program uses a list of
proxy servers to attempt to log-in to private areas with a long list of user
names and passwords. With a fast, functioning server and a good list of proxies,
we should be able to attempt more than 100000 combinations of log-ins and
passwords per hour.
Vulnerability:
Before we begin, it's
worth identifying the type of website that is vulnerable to a brute-force
attack. The website must be:
•Big; - this is crucial. Access
diving won't work to get you into a private area with only a few members;
because we are trying to randomly guess a correct log-in, the more logins there
are, the better our chances.
•Protected by standard, non-HTML
security - this means a website that, when you attempt to access a private
area, asks you to fill in your details in a security window (see below). Access
diver claims to support HTML attacks, but I for one have never been able to get
them to work. If someone else can, please respond in this thread, but this
tutorial will only cover non-HTML attacks.
Access Diver only works
for websites with this type of security
•Administered by lazy
fools - when access diving, we'll be using a list of proxy servers, so that
we remain anonymous and an automatic IP block isn't erected to prevent us trying
to log-in. However, we will be using each proxy thousands of times. A good,
diligent Administrator should ensure that any IP trying to log-in more than a
few times a day is blocked. However, standard security systems employed by most
websites do not do this (luckily for us). However, be aware that some
websites, even if they fulfil the previous two criteria, will not be vulnerable.
We must accept this and move on.
Software:
The latest version of
Access Diver can be found *here* . MAKE SURE TO DOWNLOAD THE FULL RELEASE WITHOUT ANY
BUNDLE, unless you happen to like adware. Don't worry; the non-bundled
release is clean.
Download and install version 4.170. If you are an XP
user, you will also need the *Windows XP security Fix* which will adjust the security
setting of XP to allow access diver to work. I don't personally understand the
mechanics of this, but I assure you it is necessary, and safe (in so far as it
didn't fuck up my machine =P).
The first time you run Access Diver, make
sure to set it to "Expert" mode by pressing F4.
Setting up Access Diver:
Here we
come to the nitty gritty; Access Diver is a great program, but its success will
depend entirely on two factors: your proxy list, and your word list.
The Proxy List
As the name suggests, this is a list of
proxy servers that Access Diver will use. NEVER RUN ACCESS DIVER WITHOUT
TESTED, ANONYMOUS PROXIES - if the website receives hundreds of log-in
requests from your IP, they can e-mail your ISP and get you disconnected, or
even pursue you criminally. Don't risk it.
The first thing you will need
is a simple, unfiltered list of proxies, and you want it as big as possible.
Simply typing Proxy List into Google will give you hundreds of free lists.
See Appendix I for proxy resources. Copy a list of proxies into a text file, and
remember, you need as many as possible; about 10 000 is a good place to start.
Once you have your list, you need to import it into Access Diver;
Click on one entry and press "a" to select all. Right click and choose
"remove duplicates". If you have a list of a proper size, this might take a few
moments.
Now, once again select all the proxies. Make sure that none
of the boxes are checked in the "Parameters" tab, and then press the
"Speed/Accuracy Tester". Access diver will now check through all the proxies and
work out which ones are operational. Once again, this will take quite some time
with a properly long list.
Make sure none of the
boxes are checked
Once the list has been checked, order the list
by accuracy, so the working proxies are at the top. Now, if you want, you can
re-check all the proxies that are timed out or not found, just to make sure they
don't work. This step is optional, but often gets you a couple of hundred of
extra proxies.
Once you've finished checking the list, select all, right
click and press "Delete bad results and timeouts".
What you should have
now is a list of several thousand working proxies. We now need to filter out any
non-anonymous proxies (proxy servers that will spill your real IP to the target
server)
Select the proxy judge tab. Right click as shown below and
select "Verify all scripts".
Once finished, right
click and select "Sort list be speed", and then select two or three working,
fast scripts to use.
Once again select
all your proxies, and then click on the "Confidentiality tester". Now leave
Access Diver to check your proxies for anonymity.
Once finished, arrange
your list by clicking on the "Anonymous" tab. Once again, you have the optional
step of re-checking all the apparently non-anonymous proxies with different
scripts. If you want to do this, go back to the Proxy judge tab and select one
or two different scripts. Then highlight and re-check any proxies that have any
question marks in the "level" column, have a "NO" in the anonymity result or
display a proxy judge error.
Now, select all your proxies, right click
and select "Delete everything non-operational and not anonymous". Then, go
through your list and manually delete any proxy that has a question mark
anywhere in the "Anonymous" column (e.g. Level=1?). Then right click and select
"Find and remove FBI and US proxies from the list".
Delete all
non-anonymous proxies
Ok, so now you should have a list of a few
hundred working, anonymous and safe proxies. Save your list, then select all
your proxies, right click and select "Update my LIST with selected proxies". BE
SURE THAT THE "USE WEB PROXIES" BOX IS CHECKED IN THE "PROXIES" TAB
Word list
A word list is a list of possible user names
and passwords in the format username:password. You can also use individual
lists, one for user names and one for passwords.
A good word list
contains commonly used words. Unlike the rest of life, size isn't everything
here; a list of 500 000 username:passwords will take an age to get through, and
if it's full of randomly generated character strings, your chances of finding a
weak log-in aren't great. A better bet is to have a reasonably short wordlist,
but one full of tried and tested username:passwords. I've included some of my
own in Appendix II.
To load a wordlist in Access Diver, go to the
"Currently Used" tab in the "Dictionary" section.
Load your
username:password wordlist
And so to work;
Ok; you have your proxy
list, you have your wordlist, you're home alone and all set up to go; now, let's
identify, examine and crack your website.
For this walkthrough, we'll be
using http://www.ideepthroat.com/ as our hypothetical target.
When we try to log-in to the member's section, we see;
Let's try to log in by clicking on the first link
Ok, so we now
know that that first link is a gateway to the member's area, and we also know
that this website uses non-form based security protocols. It's vulnerable.
So, we copy the link to the members area to clipboard.
Now, we
need to see what else we can find out about this website. So, we go to "Join by
Credit Card"
Note that user names and passwords must be over 6 characters
Here we have some very useful information; we now know that all
user names and passwords are over 6 characters, don't contain special characters
and are chosen by customers, so probably won't be randomly generated character
strings.
Ok, so now we fire up Access Diver and paste the link into the
target bar.
Now, we go to "Settings" and firstly make sure that the
following boxes are checked;
then, we go to "Search", we
activate "Word size control" and we set Access Diver to ignore any user names or
passwords that are less than 6 characters long.
OK; we have our proxy
and word lists loaded, our settings are correct, we've identified the target and
analyzed it; now let's Access Dive
The Attack;
Press the "Standard" attack button next to
the server bar.
We now arrive at the Progression screen; you'll be
seeing a lot of this. Let's take it step by step;
• The bots
bar - the bots bar determines how many simultaneous log-ins Access Diver
attempts. How high you push this should be determined by how fast the server is,
how fast your connection is, and how many working proxy servers you have. The
higher the number of bots, the faster the attack, but you don't want to overload
the server or the attack is useless. I recommend starting at about 15 and
working slowly up.
• The Progress Window - this window shows you
the username:password, response and proxy for every attempted log-in. What you
want to be seeing in this window is the response "401 - Authorization required".
This means that the proxy servers are successfully attempting to log-in, and
getting rejected because the password or username is wrong. If you don't get
401 responses, your attack is not working. Perhaps your proxies
aren't working, perhaps the site has advanced protection, perhaps you've got the
wrong URL for the member's area, but whatever it is, your attack isn't going to
work. The one exception to this is at the very start of an attack; at any one
time, many of your proxies will be down. This is ok; Access Diver should filter
out the ones that aren't working. However, if the number of working proxies
doesn't stabilise, something is wrong.
The rest is more or less
self-explanatory. Any found log-ins will be displayed in the yellow box at the
bottom. The green box shows how many of your proxies are working; as you can
see, you can still achieve good access rates with only ten or twenty working
proxies out of your list. Weak log-ins are saved in your "History".
Well, there are plenty of other more advanced functions in Access Diver,
but hopefully this tutorial has given you enough information to get started.
Let's just sum up what we've been through;
1) Load, check and analyze a
list of proxy servers
2) Load a username:password wordlist
3) Find the
URL of the member's area
4) Launch the attack
and that's all there
is to it. Good Luck! =D
Appendix I
Proxy Resources: *I removed the link as a possible reference to a
disallowed site :-)*
Appendix II
Wordlist Resources:
*I removed the link as a possible reference to a disallowed site :-)*
Disclaimer: Access Diver should
only ever be used for security tests on your own servers. It should never be
used to attempt to gain access to a server owned or paid for by another
individual. Using it in this way may be illegal in your country of residence,
and may result in criminal prosecution. All information in this thread is for
educational purposes only, and should on no account be considered endorsed by
the author, or by any server which links to this page. All images are fake and
used for illustrative purposes only. Stealing is wrong. Don't do it.
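
The "Administered by lazy fools" item above notes that rotating proxies keeps each address under a per-IP block while every failed attempt still returns 401, which tells a defender what to count instead. As an added example (not part of the original post), this Python sketch reads access-log lines in Common Log Format and flags both a single noisy address and a protected path receiving 401s from many addresses; the thresholds, function names and sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format; the third field is the HTTP Basic auth user name.
LINE = re.compile(r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                  r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

def parse(lines):
    for line in lines:
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m["ip"], m["user"], m["path"], int(m["status"])

def detect(lines, window=timedelta(minutes=5), per_ip=5, per_path=20, min_ips=5):
    """Return (noisy_ips, sprayed_paths) based on 401s inside a sliding window."""
    by_ip, by_path = defaultdict(deque), defaultdict(deque)
    noisy_ips, sprayed_paths = set(), set()
    for ts, ip, _user, path, status in sorted(parse(lines)):
        if status != 401:
            continue
        by_ip[ip].append(ts)
        by_path[path].append((ts, ip))
        # Drop entries that have fallen out of the window.
        while by_ip[ip][0] < ts - window:
            by_ip[ip].popleft()
        while by_path[path][0][0] < ts - window:
            by_path[path].popleft()
        # Classic control: one address failing repeatedly.
        if len(by_ip[ip]) >= per_ip:
            noisy_ips.add(ip)
        # Proxy rotation keeps every address under per_ip, so also count
        # failures per protected path across all source addresses.
        sources = {src for _, src in by_path[path]}
        if len(by_path[path]) >= per_path and len(sources) >= min_ips:
            sprayed_paths.add(path)
    return noisy_ips, sprayed_paths

def sample_log():
    """Constructed sample: 30 failures on /members/ spread over 10 addresses."""
    out = [f'203.0.113.{i % 10 + 1} - user{i:02d} [10/Oct/2023:13:00:{i:02d} +0000] '
           f'"GET /members/ HTTP/1.1" 401 381' for i in range(30)]
    out += [f'198.51.100.7 - admin [10/Oct/2023:13:02:{i:02d} +0000] '
            f'"GET /admin/ HTTP/1.1" 401 381' for i in range(6)]
    out.append('192.0.2.9 - alice [10/Oct/2023:13:03:00 +0000] '
               '"GET /members/ HTTP/1.1" 200 5120')
    return out

if __name__ == "__main__":
    print(detect(sample_log()))
```

On the constructed sample, no 203.0.113.x address reaches the per-IP threshold, yet /members/ is flagged by the per-path count; the per-IP rule alone only catches 198.51.100.7.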