PDA

View Full Version : Social Engineering - using a forum



6079
09-08-2006, 07:09 PM
Hello. I've recently been looking at the phenomenom of hacking passwords from someone.

I'm aware of the phishing method, but was wondering if it could be even simpler than that. If all you need is the password of this person, you could set up a forum somewhere where you are the administrator. It shouldn't be too difficult to anonymously or however, intrigue this person to go to this forum to read something important about them or someone else they know.
They will sign up and likely you will have their main password now.

I know you guys are the experts so I wanted your opinion and if you knew of any independent message ***rds that allow you to see the passwords and such.

Ezekiel
09-09-2006, 05:25 AM
Hello. I've recently been looking at the phenomenom of hacking passwords from someone.

I'm aware of the phishing method, but was wondering if it could be even simpler than that. If all you need is the password of this person, you could set up a forum somewhere where you are the administrator. It shouldn't be too difficult to anonymously or however, intrigue this person to go to this forum to read something important about them or someone else they know.
They will sign up and likely you will have their main password now.


Yeah, this is a good method of stealing someone's password, providing they use the same password for everything and believe the trap.

What you would do is sign up a free hosting account, install a forum on it, make the forum register-only, and then edit the main login script so it writes passwords to a file before authenticating them. Then simply tell people to register. OR, you could do things normally, download the forum database, and then crack the hashes (takes a long time).

The problem is that a lot of people (I for one) use different passwords on almost every website they use.

But yeah, it is a dangerously easy way to steal passwords if they use their 'main' password on the forum. People overlook the risks of entering their password into an unknown site if it is a friendly vbulletin, IPB, or phpbb forum.

Note: This can't be done with invisionfree or any other forum-only service. You have to have real ftp access.



I know you guys are the experts so I wanted your opinion and if you knew of any independent message ***rds that allow you to see the passwords and such.

No forums are going to be pre-made to allow passwords to be viewed. But it would be easy to modify the script to write all passwords to a file - all it takes is a couple lines of php.

6079
09-09-2006, 07:32 PM
I did some searching. The VBulletin message ***rd has a mod someone made that allows the administrator to see the password. That is a fee based service, though.

So I found yabb.com. The first version simply allowed the admin to see all the passwords. I haven't got it entirely uploaded yet. The free web hosts are making it very difficult on me to use an FTP manager, although I'd never used one before this, I think they're making it worse.

I'm thinking you could make a mod that tells the user to use their .NET passport user and password. Though it's bullshit, once they register, it doesn't matter. You've got what you wanted.

Ezekiel
09-10-2006, 05:26 AM
I did some searching. The VBulletin message ***rd has a mod someone made that allows the administrator to see the password. That is a fee based service, though.

So I found yabb.com. The first version simply allowed the admin to see all the passwords. I haven't got it entirely uploaded yet. The free web hosts are making it very difficult on me to use an FTP manager, although I'd never used one before this, I think they're making it worse.

I'm thinking you could make a mod that tells the user to use their .NET passport user and password. Though it's bullshit, once they register, it doesn't matter. You've got what you wanted.

Why install a mod to do this? All you've got to do is add a few lines of code and usernames + passwords can be logged.

Also, you will need a php/perl/cgi host for forums to operate. Crappy hosts like freewebs are not good enough.

nozf3r4tu
09-12-2006, 06:21 PM
the idea of the forum is a good one,just install a link from the registration obligating registers to clink(download) a nice keylogger.
just my 2cents.

6079
09-13-2006, 10:45 PM
Why install a mod to do this? All you've got to do is add a few lines of code and usernames + passwords can be logged.

Also, you will need a php/perl/cgi host for forums to operate. Crappy hosts like freewebs are not good enough.

What would this code be or where could I find out how to write it?
It's just a simple yabb message ***rd. But I don't know how to do this yet.

6079
09-13-2006, 10:49 PM
Nevermind. The earlier version of this ***rd is so fucking weak. Just viewing the source code displays the password. Unbelievable.