HAcking Guide – Get your own ComboLists
The programs we will be using are:
1) SQLi Dumper
2) Notepad++
3) Dork Generators by N3rox and JohnDoe
4) Sentry MBA
5) Gather Proxy
6) Online Reverse Hash Tool
7) Sandboxie (You can get if from Here because i don’t have it included in the .zip file)
DISCLAIMER: IN THIS GUIDE I AM USING SANDBOXIE TO OPEN THE PROGRAMS FOR MAXIMUM SECURITY. I HIGHLY RECOMMEND USING SANDBOXIE TOO OR A VIRTUALBOX/RDP. I AM NOT RESPONSIBLE FOR ANYTHING THAT HAPPENS TO YOU FROM THESE PROGRAMS. MOST OF THE ANTIVIRUSES WILL FLAG THE FILES AS VIRUS AND DAMN RIGHT THEY ARE, MOST OF CRACKED PROGRAMS ARE FULL OF VIRUSES. JUST ADD AN EXCEPTION AND ALWAYS RUN IN SANDBOXIE/VB/RDP. DOWNLOAD AT YOUR OWN RISK.
Use this for Educational Purposes Only!
DOWNLOAD
https://drop.me/oXKrOy
Just for a heads-up:
Sandboxie will frequently pop-up a window and ask to recover files for future use. Just recover each one for them. Don’t forget to clean your Sandboxie contents from time to time. You will also need to have .Net Framework 3.5 and 4 installed on your machine for the programs to work correctly. Search Google how to get them.
To open the programs, Right Click > Run Sandboxed.
http://prntscr.com/hasprk
The default Sandboxie location should be this. So you can know where the text files created from the programs are stored.
http://prntscr.com/hasqf2
CHAPTER ONE: Making the dorks.
Dorks are used in SQLi to create a list of URL’s where we can analyze and find which ones can be exploited. So, let’s learn how we can create our own dorks, shall we?
Firstly, open the two dork generators by N3rox and JohnDoe, as well as the Notepad++.
Step 1:
Go to the dork generator by JohnDoe and click the letter D, as shown in the image below, until the boxes are clean. If they are already clean, skip this step.
http://prntscr.com/hassnr
Step 2:
Now go to the Grabber tab and press Load.
http://prntscr.com/hassz3
Step 3:
Load the url text i included in the zip file. (The program interface sucks, sorry for that, its JohnDoe to blame)
http://prntscr.com/hasth2
Step 4:
Wait for the program to complete loading.
http://prntscr.com/hatrff
Step 5:
Copy the Page types p.2 contents.
http://prntscr.com/hatrmb
Step 6:
Go to Notepad++ and make two new files.
http://prntscr.com/hats4c
Step 7:
Paste in the contents of the box we copied just a second ago.
http://prntscr.com/hatsen
Step 8:
Go to Search > Replace.
http://prntscr.com/hau0ic
Step 9:
Press the “Space” button on the first box and “Backspace” on the second box, so we can remove all the spaces from the lines. Click Replace All.
http://prntscr.com/hau0q3
Step 10:
Now, search all the lines and remove any weird marks, until there are only words like “example=”.
http://prntscr.com/hau118
Step 11:
Now go to Page Types box in JohnDoe’s generator and copy all the contents, and paste them in the second file you created in Notepad++, search all the lines and delete all the bad types until there are only good ones left. Just like we did before, we keep only the good lines. If you didn’t understand what “bad types” meant, just write down the same page types as mine.
http://prntscr.com/hau1h0
http://prntscr.com/hau1pn
Step 12:
Now go to the N3rox’s generator and write down some words in the first box on the left, for example “steam, money, LoL, bf1… etc” and separate them in their own lines. Also, copy and paste the clean page types and page types p.2 we made a while ago from Notepad++ to N3rox generator, in their own boxes, as shown in the image below. Click Generate. (i used translated page types p2 and keywords to German, so i had German dorks. Use any language you like, the best and most common is English. I will also show you how to translate them in a few steps below.)
http://prntscr.com/hau22c
Step 13:
The dorks file should be in the folder where you placed the n3rox generator. If it isn’t there, check the Sandboxie folder, like i showed you a few steps above. Congratulations, you just made your own dorks and you didn’t even pay for them.
http://prntscr.com/hau2cz
Step 14:
If you want to make dorks in other languages so you can get accounts of that nationality, go to the Translator tab in JohnDoe’s generator and write your keywords in the Name of Pages tab, select the language, press Translate and wait for the process to finish. After that, you can copy the translated contents and paste them in N3rox’s generator.
http://prntscr.com/hau3cc
http://prntscr.com/hau3m6
So, what we did basically was generate the Page Format and Page Types from the URL’s and we used them to make new dorks. We cleaned them and we also translated them so they are even better. We used JohnDoe’s generator to generate the Page Formats and Page Types, and we used N3rox’s dork generator to generate the dorks, with those Page Formats and Page Types. You can also import your own URL’s after finishing with SQLi Dumper, as i will show you later on, so you can generate more Page Formats and Page Types. This is the hardest part of all the process of account cracking and it’s not even that hard lol. What you need is some imagination for the keywords and that’s all the fuss. Let’s move on to the next chapter.
<strong style=””><font color=”#ff9933″>CHAPTER TWO: Making the combo lists.</font></strong>
Now is the time to use the dorks we made, to make our combolist. We will be using SQLi Dumper to make some good combos so we can test them later on. Let’s begin.
Step 1:
Open SQLi Dumper and make sure it looks exactly as the image below.
http://prntscr.com/hau69o
Step 2:
Now, open your dorks text file with Notepad++ and copy your dorks. (Don’t copy more than 15k because your SQLi Dumper will crash 100%). Now click Start Scanner and wait until you have about 10-20k URL’s. If your SQLi dumper does not get any URL’s, make sure you have it unblocked from your firewall and antivirus and restart the program. If it still doesn’t load any URL’s, load the ones i gave you in the .zip file by clicking the Import button, and press Start Scanner. If it still doesn’t work, then GG. See you in a while, after you get some URL’s. After you see it has about 10-20k Valid Added, press the Cancel button. It doesn’t stop at 100%, that’s why we have to do it manually, based on the Valid URL’s added.
If the valid added stay the same number after 15 mins, click cancel. If you Loaded 20k dorks and you got 1k URL’s after 3012831280441279410274 days, you have bad dorks.
http://prntscr.com/hau6q7
Step 3:
Now go to the Exploitables tab and press Start Exploiter. Use as many threads as you want, i use about 30.
http://prntscr.com/hau71l
Step 4:
After it has completed exploiting, (you can see if a process has completed by looking at the bottom of the SQLi Dumper, it says Exploited thread done, exploitable detexted: X. If you dont see such message, then you need to wait until it’s done. ) it should look like this. (keep in mind that antivirus messages may pop up, saying that a webpage was blocked. Thats ok, nothing to worry about.)
http://prntscr.com/hau7g1
Step 5:
Go to the Injectables tab and press Start Analizer. I use about 30 threads again. Wait for the process to complete. Note that your SQLi Dumper may crash during any of these processes. If it does so, just recover the files in Sandboxie and reopen the program and continue from where you were left.
http://prntscr.com/hau7p4
Step 6:
After the Analyzing process is complete, your Dumper should look like something like this.
http://prntscr.com/hau82n
Step 7:
Click the Method tab, until we have all the Unions sorted from the Errors.
http://prntscr.com/hau8fm
Step 8:
Click The [+] box in the bottom left corner of the dumper.
http://prntscr.com/hau8qh
Step 9:
Check 2 boxes out of 4. Write in what you want your combolists to be about. I used username and password because i want my combolists to be of usernames and passwords. You can also have 1 box checked. You can also write in anything you want, such as email and password, name and lastname, credit card name and credit card number, etc
. Also make sure Current DB is checked and Collumns as default.
http://prntscr.com/hau90t
Step 10:
Select all the Unions with the SHIFT button and click Start. A new window will pop-up. Wait for the process to finish. Don’t close this window. EVER.
http://prntscr.com/hau99t
Step 11:
Scroll down until you find a database with a good number of Username or Password rows. If both Username and Password have the same number, its perfect. If you only see Username or Password, its ok too, but the database may not have good combos. Its all about luck here. Select a database with more than 5k rows.
http://prntscr.com/hau9p7
Step 12:
After you found what database you want to crack, select the URL’s name and click Go to Dumper > Dumper Form.
http://prntscr.com/hau9yg
Step 13:
This is the time where you need to guess. Click on a column you think the combolists will be at and press Get Columns.
http://prntscr.com/haua70
Step 14:
I found mine, so now i click on what i want to dump. In this case i only want to dump usernames and passwords. Check on anything you want to dump and press Dump Data. If you had a large number of rows, this is gonna take a while to complete. Also, if the Dumper crashes here, i feel sorry for you son, you cant do something about that, you need to restart dumping the data from the beginning.
http://prntscr.com/hauafm
Step 15:
As you can see, i got very shit combos. If you get bad combos too, press X which is under Schema tab and search for a new URL.
http://prntscr.com/hauay2
Step 16:
After you dumped your data, press Export data. A new window will pop up, just make sure it is as mine. Press start when you are done.
http://prntscr.com/haub5l
Step 17:
Click save and find the text document you just saved. Check the Sandboxie location if you cant find where you saved it. Open the text file and remove the first lines until you only have your combos in there.
If your passwords are not encrypted, you can skip chapter three and you can go straight to chapter four
. If your passwords have a weird format like mine, we need to find out which type of Hash it is and we need to dehash it.
http://prntscr.com/haubhk
Dumping data from a database is all about luck.
If your SQLi Dumper keeps crashing, you can dump databases with SQLMap, that never crashes (i cannot post how to do it because SQLMap keeps updating and the commands keep changing all the time. You can search on google or youtube how to install SQLMap and how to use it. I am currently using it on Kali Linux 2016 on VMWare Workstation 12).
You will either get good combos or you will get shit. Just never give up, and always keep trying. You can also save your Trashed URL’s to generate new combos with JohnDoe’s generator.
http://prntscr.com/haubu0
CHAPTER THREE: Dehashing the passwords from a combolist.
Step 1:
Open ORHT ad click Ok. If you have opened ORHT and you cant find the window or you minimized it accidentally, you can find it in the tray menu.
http://prntscr.com/hauf3e
Step 2:
Click Main Menu > Start From File, and load the Combo you dumped. My hash encyption was MD5, so i have checked MD5 as Hash Type on the window.
http://prntscr.com/haufcc
Step 3:
Make sure your ORHT looks like mine. Click OK and after some time, a message will pop up saying how many hashes were decrypted. Click OK again.
http://prntscr.com/haufmy
Step 4:
Go to Main Menu > Save to File and make sure your OHRT looks exactly as mine. Click Ok and wait for the process to finish. A message will pop up that will say success. Click OK and save your DEHASHED combolists.
http://prntscr.com/haufzk
http://prntscr.com/haugob
Basically thats it, if you dumped 100k combos, its most likely that 30% of it to be dehashed, but thats on luck again.
CHAPTER FOUR: Checking the combos.
Before we start checking the combos with sentry, we need some proxies.
Step 1:
Make a new text document and name it proxies. Then open Gather Proxy and go to the Advance tab and change the settings same to mine.
http://prntscr.com/havn2b
Step 2:
Go to Gather Proxy tab and press Start and wait for the program to finish. After its done, press SHIFT to select all combos and copy and paste them in your proxies text document.
http://prntscr.com/havn9v
Step 3:
Open Sentry MBA and go to Settings > General > Load Settings from Snap Shot and load the config of the site you want to check your combos. In my case, i will be using the NA League of Legends server because my database was from a site from the US
. In the .zip file i have all the League of Legends configs. If you dont want to check your combos for league or if you your combolist is email and password (email:pass) form, you can find all the configs you need here from Nulled. I will not be posting them here.
http://prntscr.com/havnjy
http://prntscr.com/havnr2
Step 4:
Go to Lists > Proxylist > Clear List and then Load the proxies from the text document you made earlier.
http://prntscr.com/havo2g
http://prntscr.com/havobm
Step 5:
Go to Lists > Wordlist and press clear combo if the upper left box is not clear. Press Open a Combolist and choose the combolist we dehashed a while ago.
http://prntscr.com/havoon
http://prntscr.com/havozn
Step 6:
Go to Progression, set the bots to a high number (i go for about 90-110), click Start and Click start one more time.
http://prntscr.com/havpb3
http://prntscr.com/havphu
Step 7:
Wait for the program to finish, when all combos were checked as we can see from the bottom of the window, we can click Stop. Press SHIFT and select all the contents from the Hits tab and right click and save them to clipboard. Make a new text document and paste them there. Congratulations, you have your ready combos that work for that specific website/game, etc… In my occasion it was for League of Legends.
http://prntscr.com/havpu2
http://prntscr.com/havpyw
So here is the results:
http://prntscr.com/havq8f
The whole process is similar to the oil process. We take all the shit we can find and we filter it to a good result. If you read carefully this whole tutorial, you have now learned to:
1) Make your OWN dorks.
2) Dump your OWN data.
3) Make some good out of it.