PDA

View Full Version : Oh Shit I stumbled accross a working password cracker



radioactive_werewolf
06-02-2007, 08:54 AM
Skip to the end if you don't feel like reading. Most of this is just me rambling anyway but the last part is relevant

Earlier tonight I was checking out Fagex.net and I somehow stumbled accross a link that brought me to another website, and that website gave me a link to another, and anyway through a brief series of events I found myself on a password cracking forum with an entire subforum for Runescape passcracking. I had previously been under the impression that it was extremely impractical to crack runescape passwords. Sadly that is not the case.

I of course assumed that all of the passcrackers there were either viruses or at least bundled with a virus however upon downloading one of them to make sure of this I discovered that it was virus free. Upon discovering this I automatically assumed that it was too outdated to work or it was just another dimwitted scam and would ask for my username and password with some lame excuse as to why it needed it to work. It didn't ask for any information regarding my account(s) so I set it to the task of cracking my level 7 combat character that I have never used and will never use for anything. It worked.

Now knowing full well that there are working passcrackers for Runescape and that there are people on those forums that average as high as 1 or 2 accounts a day, I'm changing my passwords on my macros to something longer than 6 characters (my password on my main is 12 characters) and I suggest you all do the same if you're on the high scores. I figure anything more than 6 characters is pretty safe because A: the majority of passwords are composed of 6 lowercase letters, B: the number of possible passwords available with more than 6 characters is too damn high for anyone to even bother trying more than 6 in this instance, and C: umm it's almost 4 in the morning and I really thought that I had something to put for C but I guess I don't.

Start reading here

In summation to my long and rambling post don't use 6 character passwords and throw in some numbers otherwise you may be unfortunate enough to get your account stolen by some noob asshole with a pass cracker. The threat of pass crackers is still very much alive as I discovered earlier tonight.

Harled
06-02-2007, 09:26 AM
Passcrackers are just lame programs brute forcing.. Let me guess the lvl 7 accounts password was like "paper" or "sword" and then youre all amazed how it cracked the password. Those things just use a list of words to try as the password of the account and that is useless because barely nobody would be stupid enough to have retarded password that those things can crack, and if someone would have a retarded password nobody would want to crack it.. Just use a good password and those programs will never work to crack your pass.

Jason2gs
06-02-2007, 09:36 AM
Just use a good password and those programs will never work to crack your pass.

Did Wolf not just say that? :rolleyes:

Harled
06-02-2007, 09:53 AM
Yes he did. He was just too excited about that "working" passcracker so I had to say it again -.-

radioactive_werewolf
06-02-2007, 10:47 AM
Harled I'm well aware of how a pass cracker works. None of the Runescape passcrackers I encountered use bruteforce they use wordlists. I'm just mentioning this because judging from the other threads I've read on here there are those that are entirely dismissing password crackers as any sort of a realistic threat. The majority of people and thereby the majority of Runescape players use really shitty passwords such as their pet's name and so forth which would leave them wide open to a dictionary attack.

The actual cracking was completely unimpressive but the fact that it would work with runescape was somewhat surprising considering the large number of viruses and what not that are distributed under the guise of runescape cheats or "haxxor" tools.

Meanage
06-02-2007, 10:55 AM
Can you PM me a link to the site. Im curious

me_ntal
06-02-2007, 01:54 PM
Meanage i dont agree with your decision, but anyways the best thing to do is to use the password make in other scripts remember the more characters the longer it takes to brute force for example :
6 letter number combination password is
36 * 36 * 36 * 36 * 36 * 36 = 2176782336 passwords
8 letter
36 * 36 * 36 * 36 * 36 * 36 * 36 * 36 = 6140942214464815497216

Mjordan
06-02-2007, 02:04 PM
Well I'm sad to say, but I used to be one of the main passcracker users at Fagex. The only way that people were getting their accounts cracked was because they used stupid passwords. Lol I remember one of the most popular was dragon.

We weren't causing too much of a problem, until the swarms of noobs came in and ruined it for everyone.

geerhedd
06-02-2007, 04:16 PM
srry ppl but password cracking?, please that is a kinda low way to get rs money. we are an autoing forum, (why steal from some 10 yr old who has worked very hard to get his player built up) just my personal opinion but this is wrong!!!

Mjordan
06-02-2007, 05:07 PM
srry ppl but password cracking?, please that is a kinda low way to get rs money. we are an autoing forum, (why steal from some 10 yr old who has worked very hard to get his player built up) just my personal opinion but this is wrong!!!

Did you even read any of this thread at all?? I'm almost certain that you didn't.

He is just warning people that there are still private crackers that work (which everyone should know) and to make their passwords better.

And there was never any cracking here AT ALL. The main site Was Fagex then it later branched off to other sites after the rush of noob crackers came in a forced Jagex to update and do something about it. I'm sure there are ways around Jagex's update that someone has figured out, but it is pretty much impossible for the average Joe that knows nothing to crack efficiently now since they won't let you log in every 5 tries or so now.

R0b0t1
06-02-2007, 08:09 PM
One meaning full word to password crackers: Proxy

wired16
06-02-2007, 09:11 PM
almost any passcracker would work for rs as long as you have enough proxies and the correct url

Mjordan
06-04-2007, 01:27 AM
Not as easy as you guys are saying it would be, trust me...

WinterDream
06-04-2007, 03:09 AM
One meaning full word to password crackers: ProxyProxys are easy to find...

Markus
06-04-2007, 04:52 AM
Proxys are easy to find...

Proxys don't work anymore, they now check some extra http headers to find your real ip.

radioactive_werewolf
06-04-2007, 05:46 AM
Proxys don't work anymore, they now check some extra http headers to find your real ip.
This is true. I suppose one could spoof said http headers somehow which would alleviate this problem if one were to have an interest in this sort of thing. I mean if some extra http headers give away your real ip address and there's no way of hiding it then what use is any proxy for privacy or anonymity?

Kayze
06-04-2007, 06:52 AM
Just use a complicated password and the pass cracker can never get your pass.

The pass cracker make use of wordlist and most of the words are from dictionary. Just don't get a password like apple, ball and cat. lol.

Even if it is only 6 character long, i would like to see how a pass cracker crack a pass like f40gc3.

radioactive_werewolf
06-04-2007, 08:51 AM
Just use a complicated password and the pass cracker can never get your pass.

The pass cracker make use of wordlist and most of the words are from dictionary. Just don't get a password like apple, ball and cat. lol.

Even if it is only 6 character long, i would like to see how a pass cracker crack a pass like f40gc3.
Never say never man. It's highly unlikely that anyone using a passcracker would ever get onto an account with a password like that but that's if they were using a dictionary attack. If they were bruteforcing it then yes they would eventually get that account. There are only 2,176,782,336 possible combinations for a 6 character password using only letters and numbers. It would however take them roughly 207 years of continuous trying to go through every possible combination. Likely they'd get lucky and get it much sooner than that but it would still take an impractical amount of time.

I recall at one point I figured the minimum amount of energy it would take to brute force my password that I have for an encrypted hard drive partition and while I don't recall exactly how much it was I do remember that it would be more than the yearly power output of the sun and longer than the universe has existed thus far.

GoF
06-04-2007, 09:15 AM
Even if it is only 6 character long, i would like to see how a pass cracker crack a pass like f40gc3.

It's just a matter of time.. Like if the cracker would use some advanced system that tries 100's of passwords per minute or so, it wouldn't really even take that long, specially if it wouldn't just use a wordlist to try passes from (would generate random passwords or use a system to try them in order).

script dump ur m0m
06-04-2007, 06:04 PM
My main Accounts passwords are curse words and numbers pertininent only to me and when people see me type it theyre like WTF
My old pass for my Computer class used to honesty be yarneyvlarneyyorginsnaven1435248243666543< A word i made up and my friends b day and Phone number.

I'll never be craked (I hope)

But every day i log off i put everything back in the bank with a nice little pin on it.
:)

But pass cracking noob accounts is very very mean.
I can see the drawl of cracking a lvl 100's...
But Stopping potential runescape community affecting players?
C'mon.
(Prolly a bit off topic and Woot? 100th post?)

Hugolord
06-04-2007, 06:08 PM
Meanage i dont agree with your decision, but anyways the best thing to do is to use the password make in other scripts remember the more characters the longer it takes to brute force for example :
6 letter number combination password is
36 * 36 * 36 * 36 * 36 * 36 = 2176782336 passwords
8 letter
36 * 36 * 36 * 36 * 36 * 36 * 36 * 36 = 6140942214464815497216


why always 36?

Mjordan
06-05-2007, 01:05 PM
Most people never even used long pass lists. I always ran about 3 crackers at the same time with a pass list of about 20 common words, some being pencil, qwerty, and dragon. And I cracked 10 accounts per day easily. So you guys saying how long it would take to crack an account with those weird pass's are wrong. Thats not how we cracked at all, unless your focused on one account specifically.

Lalaji
06-05-2007, 02:04 PM
Give us an access to the link? Pls?

Mjordan
06-05-2007, 02:21 PM
Give us an access to the link? Pls?

You just want to crack accounts don't you.

radioactive_werewolf
06-05-2007, 03:11 PM
Most people never even used long pass lists. I always ran about 3 crackers at the same time with a pass list of about 20 common words, some being pencil, qwerty, and dragon. And I cracked 10 accounts per day easily. So you guys saying how long it would take to crack an account with those weird pass's are wrong. Thats not how we cracked at all, unless your focused on one account specifically.
Yeah trying the most common password on a huge amount of accounts is obviously the more efficient way of doing it. However I was just saying that if one wanted to they could just go through a huge number of possible combinations.

I know that we're not supposed to post anything that could aid a password cracker but if you actually look at the password list I have attached you'll agree with me that there's no way this is going to benefit anybody other than giving them a laugh. If an admin asks me to remove it then it's gone. Just please don't ban me for something that was only done for the purpose of entertainment and was in no way intended to encourage, aid, or promote password cracking.

Edit: There's no attachment because I'm going to check with an admin before I risk it. I'd really rather not get banned over something so stupid.

Mjordan
06-05-2007, 03:13 PM
Why would posting a pass list get you banned? It won't benefit anyone unless they have a cracker. And anyways it only takes a minute to make your own. I remember I used to use Bob's pass list.

radioactive_werewolf
06-05-2007, 03:31 PM
Why would posting a pass list get you banned? It won't benefit anyone unless they have a cracker. And anyways it only takes a minute to make your own. I remember I used to use Bob's pass list.
True but I don't know. Now that I checked the rules again just now....

Keylogging / Password Cracking: Any topic related to keylogging / password cracking, helping others creating / using / discussing / distributing password cracks or keyloggers is strictly prohibited.
This may already qualify as discussing password cracking and since if it does that'd be a ban for me I'd really rather not increase the liklihood of my being banned. Oh and by the way for those of you that have asked me for a link to a passcracking website or some such that's not gonna happen.

shaunthasheep
06-05-2007, 06:04 PM
hmmm... i remember passcracking.. worst thing i've ever got involved with, guy named Bootleg (i forgot 1 g or 2 g's, it does matter, there was 2 different bootlegs). He came to cruels.net with an idea for a passcracker, i got interested and made one in visual basic. I released it, it didn't work correctely, and some stupid idea popped in my brain to release the source, dam im retarted xD. Bunch of Geek-leechers got a hold of it, editing it, and calling it theres, me nor bootlegg ever got credit. Anyways, i now hate passcrackers, and still get annoying pm's once in a while about them, on the other hand, i think i helped jagex fix a security flaw in there login page =p

also

True but I don't know. Now that I checked the rules again just now....

This may already qualify as discussing password cracking and since if it does that'd be a ban for me I'd really rather not increase the liklihood of my being banned. Oh and by the way for those of you that have asked me for a link to a passcracking website or some such that's not gonna happen.

he said passlist, not cracker, it's ok to post, but i wouldn't try posting it, probally wouldn't be anyone interested in a pass list *i know i wouldn't need it for anything*.

and i also made a neopets cracker xD except there passwords are like myspace (number + letters), and i've only cracked 1 in total =p


why always 36?

because theres 36 letters + numbers possible (a-z, 0-9)

and i've seen people figure that it would take more then a lifetime to bruteforce an account trying a pass every second (the speed a passcracker would work without threads, plus proxys even makes it slower)

btw, dragon is the most common password in runescape.

radioactive_werewolf
06-05-2007, 06:17 PM
he said passlist, not cracker, it's ok to post, but i wouldn't try posting it, probally wouldn't be anyone interested in a pass list *i know i wouldn't need it for anything*.

Ah but you haven't seen the l33t sk1llz of the password list which I will now post here for all to enjoy. If anybody does actually end up using this with a passcracker then anyone that gets their account stolen due to this password list would deserve it a dozen times over. Behold all of the l33t b34uty of the hundreds of variations of pwn and own.

Vicious
06-06-2007, 07:13 AM
Behold all of the l33t b34uty of the hundreds of variations of pwn and own.
omg, I have to change my SRL password now. :p

I do have some autoing accounts I should change though. Thanks for the info!



btw, dragon is the most common password in runescape.
And thanks to Jagax's new "any sentence containing your password is bleeped out" update, it shouldn't be hard to find out who has that for a password. "Hey there, what's the quest I need to do so I can wear full rune?" (****** ******)

t0tum
06-06-2007, 02:33 PM
Password crackers for RS dont work.

Since the new login update, they also changed auth server.
Authentication server used to be the one with https form. This was very easy to crack using any old SSL supporting tools dating back to 5 or more years. All you had to do is auto craft request header and GET redirect url, or simply filter them out.

Now a days they introduced independent auth server, the server between where u request the header and destination to check for succes logins. This is why there is a delay between loggin in and arriving at destination.
There is no existing brute forcer to date that can manage that, this is coming from someone who been around yahoo names cracking;) .
The only possible way to brake that protection is to build something like IEembed into cracker, which will behave like IE and follows login procedure all the way through.

aran armath
06-07-2007, 03:16 PM
The threat is very much alive still, I admit that I am one of those people that use pass crackers on runescape as well as autoing. If your password is dragon, monkey, football, fcuker*, or fcukyou*. I suggest changing them to something more difficult and more random.

*you know what I mean

Mjordan
06-07-2007, 10:02 PM
The threat is very much alive still, I admit that I am one of those people that use pass crackers on runescape as well as autoing. If your password is dragon, monkey, football, fcuker*, or fcukyou*. I suggest changing them to something more difficult and more random.

*you know what I mean

Lol I remember using those passes very well. Dragon, monkey, money, qwerty, abc123, 123abc were just some of the most popular ones that I used in my 20 word list.

mamoth95
06-25-2007, 03:38 PM
seriously this thread is jsut saying to not use crap pass words and the threat of passcrakers is still alive its not incoraging the use of pass crackers and i hope u dont post the link of were to get this pass craker cuz some noob will come along and use it but i agree if they actually use it to hack some one then that person probly did deserve it for having crap pass of corse my original pass when i first started playing was....password lol i was a idiot

Mjordan
06-26-2007, 01:57 AM
seriously this thread is jsut saying to not use crap pass words and the threat of passcrakers is still alive its not incoraging the use of pass crackers and i hope u dont post the link of were to get this pass craker cuz some noob will come along and use it but i agree if they actually use it to hack some one then that person probly did deserve it for having crap pass of corse my original pass when i first started playing was....password lol i was a idiotThis thread has been inactive for quite a while now...

And yes, I remember I cracked quite a few with their pass being password lol.

monkeyskater1993
06-05-2008, 11:45 AM
I always thought the whole idea of rs cracking would be uniquely hard, its not something i think is right, but back in the day i use to crack yahoo rares(some may know what that was) and it ran on many things that i just thought weren't compatible with rs, and if proxy do still work, they are indeed hard to find, so in my opinion, any type of id cracking would end because of the reliance on proxy, unless one is lucky enough to come along a list of proxy that always work, like i had back in the day:D but yea, rs cracking is wrong, o and a really common password is stuff like playstation playstation2, Xbox, and names, so i suggest not using any name for you password, something like a memoral date mixed up with a word you are fond of is easy to remember and hard to crack so thats what i recommend:)
common names= john, ryan(incredibly common somehow)
(sorry if alot of this was mentioned before, didnt take time to read the entire thread, just wanna help and give some tips) gl guys

Zyt3x
06-05-2008, 12:15 PM
That was a giant gravedig...

Hobbit
06-05-2008, 12:32 PM
06-02-2007, 01:54 AM

Closed