How to find phpBB passwords.
Ollydv
05-10-2006, 03:50 PM
I am an Admin of a phpBB forum, and one of the users keeps spamming and creating multiple accounts, so I wanna find his password because he said before he uses the same password on all forums he's registered with.
Could someone help? Thanks. :)
Ezekiel
05-10-2006, 04:23 PM
I am an Admin of a phpBB forum, and one of the users keeps spamming and creating multiple accounts, so I wanna find his password because he said before he uses the same password on all forums he's registered with.
Could someone help? Thanks. :)
There are two ways I could think of to do this, for all of this you *have* to have access to the server and the database the forum uses, if you use something like invisionfree then this will NOT be possible:
Custom modification of the login script used for the forum, edit it so it writes all passwords to a file, then simply wait for him to log in, view password in text file, etc.
Get the database everything is stored in, and use something like cain to decrypt the encrypted password. Of course, you have to know what type of encryption has been used, and it takes over 4 hours with longer passwords.
Ezekiel
05-10-2006, 04:58 PM
Mike and Mods, I received your PM (Mike*0* check your inbox), but please excuse this post as I honestly think the site in my signature can be of help here. Mike*0*, please PM me back when you get the chance.
Ollydv,
The site in my signature specializes in helping with these kinds of things, please check them out.
Thanks,
Ryan
Be that as it may, as the admin of the forum he has a *lot* more ways to get the password. He can modify anything on the forum, and access its database. An outside "service" can't do anything, apart from social engineering involving keyloggers, etc, or exploiting if the forum is vulnerable. So in this context, my comments stand, he is the only way he is going to get the password, involving someone else wastes his privileges as the admin, which make it a lot easier.
jade21875
05-10-2006, 09:00 PM
Is there any kind of way to find more info on a person after I found their IP number, their internet provider and what state they live in? I have the domain info but I know they won't give me info. Please contact me at jade2*875@hotmail.com Thanks
BoredBoardAdmin
08-26-2007, 11:55 PM
I am an Admin of a phpBB forum, and one of the users keeps spamming and creating multiple accounts, so I wanna find his password because he said before he uses the same password on all forums he's registered with.
Could someone help? Thanks. :)
Interesting question, and as far as I am aware, revealing the actual text of the user's password is not possible. But.. there is more than one way to skin a cat.
It IS possible to access someone's account, if you have admin access, and you CAN do it without the person ever knowing you have done it. It is also possible to see which accounts are using the same password, even when you cannot read the actual text of the password.
Some may not like me giving this info out, but then by my telling this, I am going to reveal just how easily an admin can access your account. The admin using this technique can access your account, read your private messages, edit your profile, and do anything else that the account user can do. It is possible ONLY if you have admin access to the ***rd. Personally, I see nothing wrong with the owner of a ***rd knowing who the people on his ***rd are, and what they are doing. I do not want anyone sending links to kiddie porn or conducting drug deals on my ***rd. While it is unethical to read people's PMs just as a matter of curiosity, I have no qualms about accessing their account if I think something illegal may be going on. Anyone who DOES conduct such activity on a ***rd, and thinks their stuff is *00% protected is only kidding themselves.
I am not sure if all website hosts have control panels like mine, but I think it is likely that they are all pretty similar.
From your admin control panel, there should be a selection along the lines of "Host manager". When you click on that, the submenu should offer a selection like "Databases Admin". On my ***rd, this then takes you to a login screen for PHP Admin of Databases.
This should take you to a screen which lists all the available tables... such as...
phpbb_auth_access
phpbb_banlist
phpbb_catagories
... and so on.
The table you are looking for is probably named "phpbb_users".
Once I select that table, a screen opens with a list of various fields associated with user accounts. In this list, I check the box next to "user_id" and "user_password".. then click the "Browse" button. This brings up a listing of all users, and it shows their passwords in hash (encrypted) form. The list may look something like this..
John_doe 474f*c5e4e*2cc*5d2**d85*ae64ef7b
BS_User 565gH7H2jkr8ww7*8G*5d2**d85*aW22
Now.. in comparing accounts, it is a simple matter to scroll thru the user listings and see which accounts are using the same password. Whether it is possible or not for different words to come up with the same exact hash coding, it is VERY unlikely that two people, on the same ***rd but using different text passwords, will come up with the same hash coding. Better chance that you will get hit by lightning twice while on your way to cash in your winning lotto ticket.
Now for the trickier part... accessing account without the person knowing. The simple way to access a person's account is to simply reset their password to a password you know. However, since you do not know the original text password, switching the password back to what the user is familiar with when you finish is problematic. And of course, if you are unable to switch the password back, the user will know something is wrong the first time they try to log on and their old password does not work.
The way to get around this is to create a dummy account. Let's say that in the above listing, John_doe is the target. The account named BS_USER is a dummy account I create on my site. The reason I create a dummy account is so that I will have a known password that is converted into hash form. When I created BS_User.. the original text password was "unlock**80".
I then log onto the PHP database admin page and bring up the listing of users and passwords as described above. I then copy the hash coded password for John_Doe to a notepad. I also copy the hash coded password for BS_User to the notepad as well. THIS IS VERY IMPORTANT!!! IF YOU DO NOT HAVE THE ORIGINAL HASH CODING FOR John_Doe, then you will not be able to restore his password after you are finished!!!
I now click on the edit button for John_Doe's account. I paste the hash coded password for BS_USer into John_Doe's account and save.
Now, I go to the forum login, and use John_Doe's login name and the password that was assigned to BS_User, which in this example is unlock**80. You can then login to John_Doe's account.
In order that the user is unaware that his account has been accessed, once you logout of his forum account, you go back into the Database Admin, bring up the user listing as before, and paste John_Doe's original hash coding back into his account. His password is now restored to what he is familiar with.
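Added example, not part of the original posts: a Python sketch of the two defensive takeaways from the walkthrough above. It shows why unsalted MD5 (the phpBB 2 scheme) lets anyone with database read access group accounts by password while per-user salted hashes do not, and how an audit trail on `user_password` exposes a hash that was overwritten and later put back. The audit-row layout, the `app_changes` set and all sample passwords are assumptions constructed for the demo.

```python
import hashlib
from collections import defaultdict

def md5_hex(password):
    # Unsalted MD5 (the phpBB 2 scheme): equal passwords give equal stored hashes.
    return hashlib.md5(password.encode()).hexdigest()

def salted_hash(password, salt):
    # Per-user salt plus a slow KDF: equal passwords no longer collide.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

def shared_hash_groups(users):
    """users maps name -> stored hash; return the sets of accounts sharing one."""
    groups = defaultdict(list)
    for name, stored in users.items():
        groups[stored].append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def find_swap_and_restore(changes, app_changes=frozenset()):
    """changes: time-ordered (ts, user, old_hash, new_hash) rows, e.g. written by
    an UPDATE trigger on phpbb_users (hypothetical audit table). app_changes holds
    the (ts, user) pairs the forum's own password-change code logged. Returns
    (user, ts) for every hash set back to a value the account held before."""
    held = defaultdict(set)
    alerts = []
    for ts, user, old, new in changes:
        held[user].add(old)
        if new != old and new in held[user] and (ts, user) not in app_changes:
            alerts.append((user, ts))
    return alerts

# Constructed sample data; passwords and timestamps are made up for the demo.
# Real salts come from os.urandom(); a fixed per-user stand-in keeps this repeatable.
PLAIN = {"John_doe": "hunter2-example", "BS_User": "dummy-example",
         "spam_alt": "hunter2-example"}
MD5_TABLE = {u: md5_hex(p) for u, p in PLAIN.items()}
SALTED_TABLE = {u: salted_hash(p, u.encode() + b"|constructed-salt")
                for u, p in PLAIN.items()}
AUDIT = [(100, "John_doe", MD5_TABLE["John_doe"], MD5_TABLE["BS_User"]),
         (160, "John_doe", MD5_TABLE["BS_User"], MD5_TABLE["John_doe"]),
         (900, "spam_alt", MD5_TABLE["spam_alt"], md5_hex("new-example"))]

if __name__ == "__main__":
    print(shared_hash_groups(MD5_TABLE))      # accounts clustered by password
    print(shared_hash_groups(SALTED_TABLE))   # nothing to cluster
    print(find_swap_and_restore(AUDIT))       # the temporary overwrite
```

Per-user salts remove the shared-password signal but do not stop a hash overwrite by someone with database write access, which is why the audit check is separate.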
sucre
08-27-2007, 12:47 AM
want to know how to setup the yahoo homepage !!!!!!!!!!
Ezekiel
08-27-2007, 07:00 AM
post
Or, you could copy the user's password hash and swap it into your own authenticated PHPBB2 cookie, as well as modifying other details such as the user ID (change it to theirs) that I imagine is stored in the cookie.
I think its name is 'phpbb2mysqldata' or something like that.