I recently read an article describing how to get usernames and their passwords with the help of Google and decided to blog about it here. The article was incomplete, as the author had himself removed many details regarding cracking of passwords, maybe because Google didn't allow him to post them. So I will also be providing links rather than explaining it here.
There are many ways to search for vulnerable sites with Google. I'll show you here how to get usernames and passwords from sites that use FrontPage extensions. Microsoft FrontPage Extensions creates a service.pwd file inside the _vti_pvt directory in the HTTP server's document root. This file contains user names and passwords that could be remotely retrieved by an attacker. The good news is that Google indexes these kinds of files, so they are very easy to search for. The bad news is that the passwords are stored as hashes rather than in clear text, but wait, this is not really bad news :-) because you can crack them if you are patient and you have the will. If you want to become a hacker, you have to be patient and you have to have the will. Please note: I'm not telling you to hack sites, this stuff is just for learning. So if you want to do illegal things, you should know that jail is a possibility.
So let's go to the details:
- Some administrators change the name of the service.pwd file to authors.pwd, administrators.pwd, users.pwd or something else. So to get the best chance of retrieving this file, we add an "inurl" condition to the Google search string, like this: inurl:(service | authors | administrators | users)
- The file extension is "pwd" and we are not interested in other extensions, so we add an "ext" condition to the search string, like this: ext:pwd
- The first line of the service.pwd file is "# -FrontPage-", so we search for this string with Google.
inurl:(service | authors | administrators | users) ext:pwd "# -FrontPage-"
On the Google results page, click any link; you should see something like this:
# -FrontPage-
destinydee:JSQos95l7SW9A
Here there is a user with his password hash. The user is destinydee and his password hash is JSQos95l7SW9A.
Now the password hash needs to be cracked. For that, I suggest you go through the following links.
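A defender's view of the same file format, as an added example that is not part of the original post: a Python audit that walks a site's own document root and reports every file carrying the "# -FrontPage-" marker, whatever it has been renamed to. The function names, the constructed sample tree and the 13-character check for traditional crypt(3)-style hashes are assumptions of this example.

```python
import os
import re
import tempfile

MARKER = "# -FrontPage-"   # first line of the file, as quoted in the post
DEFAULT_NAMES = {"service", "authors", "administrators", "users"}  # names from the post
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")  # 13-char shape of traditional crypt(3)

def parse_pwd(text):
    """Return [(user, hash)] for a FrontPage password file, or None if it is not one."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != MARKER:
        return None
    pairs = (line.strip().partition(":") for line in lines[1:])
    return [(user, digest) for user, sep, digest in pairs if sep and user and digest]

def audit(docroot):
    """Report every file under docroot that carries the FrontPage marker."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    entries = parse_pwd(fh.read(65536))
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            if entries is None:
                continue
            stem = os.path.splitext(name)[0].lower()
            findings.append({
                "path": os.path.relpath(path, docroot),
                "users": [user for user, _ in entries],  # hashes are never echoed
                "legacy_hashes": sum(bool(DES_CRYPT.match(h)) for _, h in entries),
                "default_name": stem in DEFAULT_NAMES,
            })
    return sorted(findings, key=lambda f: f["path"])

def demo():
    """Audit a constructed document root (all names and hashes are made up)."""
    sample = MARKER + "\nexampleuser:AbCdEfGhIjKlM\n"
    with tempfile.TemporaryDirectory() as root:
        for rel, body in [("_vti_pvt/service.pwd", sample),
                          ("old/site-backup.txt", sample),   # renamed copy
                          ("notes.pwd", "not a FrontPage file\n")]:
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)
        return audit(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Any finding means a credential file sits where the web server can serve it; removing the file or denying web access to it closes the exposure that the search above relies on.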