WoW Scams: World of Warcraft Whitehat Scamming Methods ONLY.
[NO QUESTIONS HERE] We do not condone scamming; this section is meant for people to read about scamming so they can prevent being scammed themselves.
Ok, I ran across a thread in here about stealing guild master accounts and such, which would work assuming you could deceive them well enough or they were just stupid. I had thrown up a way to get the username and pass without having to do anything suspicious like join a guild then log into their site for the email and shit. That's not the best thing to do if you happen to scam someone with some resources. They'll figure it was one of the newest members, and then search the IP log for the site and will probably narrow it down to yours.
So here is a copy of my reply in there for others to take a look through and learn something from it. It's not like it's hard, it's just a little time consuming 'til you get the hang of it.
1. Download and install your favorite packet sniffer.
2. Shut down every program (use the process manager if you have to; some apps run to the net in the background).
3. Run and bind the sniffer to your computer.
4. Now boot up WoW and log on.
5. Pause sniffing, and search the packets for your username/password. Once you've found that, the packet's target IP is the LogonIP.
(Yeah, I know you can just ping logon.worldofwarcraft.com and get the IP, but this is getting you used to sifting through data.)
*** On an official WoW server, the chat is relayed over to a separate server to keep the realm running as smoothly as possible.
6. Start sniffing again and type a random message in any channel (not /say).
7. Stop sniffing and search the packets for your message. The packet's target is the CHATIP this time.
*** Ok, now we're getting somewhere. We've got the IPs we need for reference; the only thing missing is our victim's IP.
8. Go back into WoW and find your victim: a pimped out 70 in S4 gear, a guild master, whatever. Bind the sniffer to the CHATIP and send your victim a /w message with an uncommon word, or modified word, like fooking. It will stand out of thousands of packets since no one ever says it. Once you've sent your message, stop sniffing and search the packets for your message again. This time you will have 2 copies of your message, 1 going from your comp to the chat server, and 1 going from the chat server to your victim. Find both, and copy the victim's IP.
9. Now we're done; all we have to do now is bind a sniffer to the victim's IP and let it sit. You need them to log on to WoW again.
*** This could take a day or more, since not everyone plays WoW every single day. But if your victim is a raid or BG whore
*** it shouldn't take long, since they tend to be in and out of game all day long.
10. Lastly, you stop the bind and search the packets of data for the LOGONIP. Inside those packets is shit like the handshake, lock/key, etc. and the victim's username and password.
11. The reason why I prefer this method to trying to scam people via email and such is that you don't have to leave a trail: no IP left on a forum, nobody knows the character name (don't want to get WoW banned :P). It makes it so they're kinda screwed.
Last edited by fatalmind; 07-07-2008 at 03:44 PM.
This is a very loose tutorial. I am trying it out with the packet sniffing program Wireshark, but am very confused. Which program do you use, and has this been successful yet?
True, except the key fact of it falls into simple logic and common sense. Common sense isn't common. Why is your IP changing frequently (and what do you mean by that, every day, week, month)? Assuming you're using cable internet, you're connected all the time, unless you shut your router off after you're done, which most people never do. Your IP won't change unless you reset your router, refresh your TCP/IP settings, or your ISP reboots for an update of some sort (or crashes).
It's pretty safe to assume people aren't playing WoW on dial-up, which would give you a new IP every time you connect. And DSL isn't too common for gamers, which can give you a new IP at random. It's fairly safe to assume that people's IPs are going to stay the same for at least a month. Mine hasn't changed in 6 months.
I'm using a TCP sniffer that's in Net Tools 4. For those of you not familiar with it, it's a great collection of apps; none need to be installed. Here's a list of the "most important tools" it comes with (there are more): IP Address Scanner, IP Calculator, IP Converter, Port Listener, Port Scanner, Ping, NetStat (2 ways), Trace Route (2 ways), TCP/IP Configuration, Online - Offline Checker, Resolve Host & IP, Time Sync, Whois & MX Lookup, Connect0r, Connection Analysator and protector, Net Sender, E-mail seeker, Net Pager, Active and Passive port scanner, Spoofer, Hack Trapper, HTTP flooder (DoS), Mass Website Visiter, Advanced Port Scanner, Trojan Hunter (Multi IP), Port Connecter Tool, Advanced Spoofer, Advanced Anonymous E-mailer, Simple Anonymous E-mailer, Anonymous E-mailer with Attachment Support, Mass E-mailer, E-mail Bomber, E-mail Spoofer, Simple Port Scanner (fast), Advanced Netstat Monitoring, X Pinger, Web Page Scanner, Fast Port Scanner, Deep Port Scanner, Fastest Host Scanner (UDP), Get Header, Open Port Scanner, Multi Port Scanner, HTTP scanner (Open port 80 subnet scanner), Multi Ping for Cisco Routers, TCP Packet Sniffer, UDP flooder, Resolve and Ping, Multi IP ping, File Dependency Sniffer, EXE-joiner (bind 2 files), Encrypter, Advanced Encryption, File Difference Engine, File Comparison, Mass File Renamer, Add Bytes to EXE, Variable Encryption, Simple File Encryption, ASCII to Binary (and Binary to ASCII), Enigma, Password Unmasker, Credit Card Number Validate and generate, Create Local HTTP Server, eXtreme UDP Flooder, Web Server Scanner, Force Reboot, Webpage Info Seeker, Bouncer, Advanced Packet Sniffer, IRC server creator, Connection Tester, Fake Mail Sender, Bandwidth Monitor, Remote Desktop Protocol Scanner, MX Query, Messenger Packet Sniffer, API Spy, DHCP Restart, File Merger, E-mail Extractor (crawler / harvester bot), Open FTP Scanner, IP String Collecter, Range Net Send, CPU Monitor, Web Server (possibility to send anonymous E-mails without input of SMTP), Advanced System Lockup, Port Connect - Listen Tool, Internet MAC Address Scanner, Connection Manager / Monitor, Direct Peer Connecter (Send/Receive Files + Chat), Mouse Record/Play (Macro Tool), Steganographer (Hiding data in pictures), File Shredder, Local Access Enumerator, WEP/WPA Key Generator, URL Encoder, Create Virtual Drives, COM Detect and Test, Easy and Fast Screenshot Maker (also Web Hex ColorPicker), Force Application Termination (against Viruses and Spyware).
One of my favorites is the mouse/keyboard recorder. It's best used for DPS boss fights, since the scenario is the same: you're not being attacked, you just pump out damage. I record just before 98% HP is reached, I click the WoW button on the taskbar, so it will do it for me next time. Once it pops up I do my best to crank out as much DPS as I can evenly; I don't want to run out of mana/rage/whatever. When it's done I tab back and hit stop. I save it as BOSS_name so the next time I can tab to Net Tools, boot up the player, hit play, and do something else for 5-10 minutes.
Now back to the subject of sniffing. YES, it's possible. The downside is that most packet sniffers, for example Ethereal, don't convert the hex data they're receiving into ASCII. You can fix this 1 of 2 ways: 1 sucks trying to find it, the other just kinda sucks. There are a few home made packet sniffers floating around that don't show the hex data; they convert it into ASCII and then display the packet content. I see them mostly on the DC++ network, oddly enough (I used to write private clients/op clients/bot clients).
If you can find one that does that you're all set; it will save a ton of time, and makes going through packets with Ctrl+F much easier and quicker. The other solution, if you can't find a sniffer that converts for you, is to use an online hex to ASCII converter, one that can take in a lot of text at once, 1 MB at a time (at most; if you're filtering your packets properly you shouldn't get more than that unless you're sitting on it for a day or so, or unless you filter out all the IPs except, say, a logon server IP), convert it, then search for what you're looking for.
The sniffer in Net Tools 4 will show you the raw data, which I would dump into a txt after I filtered out all of the unwanted IPs. Convert it on [Only registered and activated users can see links. ]
Keep in mind this isn't just for WoW; you can use this method for a lot of net programs, games, servers, websites. It just takes a little time and patience. And if you run into encrypted packets, there are plenty of sites out there that host all sorts of encryption/decryption for just about anything; heck, if you put a little time into it I'm sure you'll find something like this ...
code past this line (c++)
*****************************
/* Round 4 of the MD5 transform (RFC 1321): 16 II steps over the message words x[0..15],
   with per-step shift amounts S41..S44 and the additive constants floor(2^32 * |sin(i)|) */
II (a, b, c, d, x[ 0], S41, 0xf4292244); /* 49 */
II (d, a, b, c, x[ 7], S42, 0x432aff97); /* 50 */
II (c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */
II (b, c, d, a, x[ 5], S44, 0xfc93a039); /* 52 */
II (a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */
II (d, a, b, c, x[ 3], S42, 0x8f0ccc92); /* 54 */
II (c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */
II (b, c, d, a, x[ 1], S44, 0x85845dd1); /* 56 */
II (a, b, c, d, x[ 8], S41, 0x6fa87e4f); /* 57 */
II (d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */
II (c, d, a, b, x[ 6], S43, 0xa3014314); /* 59 */
II (b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */
II (a, b, c, d, x[ 4], S41, 0xf7537e82); /* 61 */
II (d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */
II (c, d, a, b, x[ 2], S43, 0x2ad7d2bb); /* 63 */
II (b, c, d, a, x[ 9], S44, 0xeb86d391); /* 64 */
........................ end of snippet 1
........................ start of snippet 2
/* Round-3 step function: H(b, c, d) = b ^ c ^ d */
inline void MD5::HH(uint4& a, uint4 b, uint4 c, uint4 d, uint4 x,
uint4 s, uint4 ac){
a += H(b, c, d) + x + ac;
a = rotate_left (a, s) +b;
}
/* Round-4 step function: I(b, c, d) = c ^ (b | ~d) */
inline void MD5::II(uint4& a, uint4 b, uint4 c, uint4 d, uint4 x,
uint4 s, uint4 ac){
a += I(b, c, d) + x + ac;
a = rotate_left (a, s) +b;
}
*************************************************
Yes, those were parts of MD5.
This wasn't meant to be a noob guide. This was meant to be a guideline for everyone, mainly how you can go about getting WoW accounts without leaving a trace to get yourself caught, and how to get other things. But mostly just to open people's eyes as to how things can be achieved.
Well, this sounds very impressive.
I already repped you, but could you also write a more noobie guide for people like me?
What to fill in where, etc.?
No reason why, but just a clear and step by step guide.
Well, with most sniffers all you need to put in would be the source IP (where the data is coming from) and the destination IP (where it's going). So if I was trying to find the logon server IP (and I couldn't get the IP via ping on us.logon.worldofwarcraft.com), I would put my IP as the source IP and leave the destination blank. That will show me all the packets leaving my computer during the "sniff". Once I get the logon server IP I can enter that into the destination IP and sniff again while logging into WoW, and I will have captured all the data sent from my computer to their server.
There really isn't much you need to fill out. Some let you choose between TCP and UDP sniffing.
For those who don't know (posting the definitions from Wikipedia):
The Transmission Control Protocol (TCP) is one of the core protocols of the Internet protocol suite. TCP provides reliable, in-order delivery of a stream of bytes, making it suitable for applications like file transfer and e-mail. It is so important in the Internet protocol suite that sometimes the entire suite is referred to as "TCP/IP." TCP manages a large fraction of the individual conversations between Internet hosts, for example between web servers and web clients. It is also responsible for controlling the size and rate at which messages are exchanged between the server and the client.
User Datagram Protocol (UDP) is one of the core protocols of the Internet protocol suite. Using UDP, programs on networked computers can send short messages sometimes known as datagrams (using Datagram Sockets) to one another. UDP is sometimes called the Universal Datagram Protocol. The protocol was designed by David P. Reed in 1980.
UDP does not guarantee reliability or ordering in the way that TCP does. Datagrams may arrive out of order, appear duplicated, or go missing without notice. Avoiding the overhead of checking whether every packet actually arrived makes UDP faster and more efficient, for applications that do not need guaranteed delivery. Time-sensitive applications often use UDP because dropped packets are preferable to delayed packets. UDP's stateless nature is also useful for servers that answer small queries from huge numbers of clients. Unlike TCP, UDP is compatible with packet broadcast (sending to all on local network) and multicasting (send to all subscribers).
Common network applications that use UDP include: the Domain Name System (DNS), streaming media applications such as IPTV, Voice over IP (VoIP), Trivial File Transfer Protocol (TFTP) and online games.
So the point of this is to find the GM or normal player's IP?
Edit: Then once you have their IP you can use the packet sniffer to monitor what info they are sending to the logon servers, which will be their username and password? I'm very very confused.
The last account I stole with this method was 2.3.x, don't remember the #. (It was returned.) They may hash their passwords now. Unless it's a custom hash, which it could be, it's either an MD5 hash, a Tiger hash or a mod of either, and they can all be found online. A hash can be broken; it takes time, like everything else.
WoW example: change your username and password to 123 abc. You now know the predefined text that is going to be sent. You can get the logon IP by pinging the us/eu.logon.worldofwarcraft.com address. Now you can filter out all the other packets being sent out of your computer. The ones you are left with are WoW sending and receiving data from the server. (If you can figure out the handshake/key/lock process, it MAY be possible to make fake retail clients. I'm not positive; I don't know if it receives the usr/pass and sends a check to the site's database, or whether the site just sends queries to the server account table.) Weed out packets that are clearly not account info; even if it's encrypted, the useless packets will be bloated in comparison. The user and password should be separated by a space or $, so 123$abc. There may or may not be commands in the packet as well.
Since we know the username and password is a predefined size, you would look for $xyz$ $<xyz>$, some form of those outer brackets surrounding 2 sets of 3 characters. If it's not encrypted it will be your user and pass in text, which you would have already noticed lol.
Or it's going to be 2 sets of 3 random ASCII symbols.
Copy the first set of characters or 2 from the start of that packet, and search the entire stack of packets you have for that same strip of code. If you find nothing else, then you're ok.
When you are searching through your victim's logon packets, search for the same string of code, and you should have the packet with the account info.
Save it to Notepad or something.
Now go and set your username and password to abcdefg-xyz for each. There are 26 letters. So you sniff your new set of logon packets, and search the stack for the strip of code again. Once found, the place where the 2 sets of 3 between $$ or <> were should be 26 characters between each. Copy and paste them both into Notepad, 1 over the other, and compare each place. You are checking to see if the characters are the same or different. If they're the same then it means it does certain things to certain letters. If they are different then it's linked into a seeded random function, which changes itself by the time of the internal clock, making it as close to random as a computer can. If that's the case you're ****ed unless you're gonna try to figure out how to reverse engineer srand() (it can be done).
But if the 2 sets of characters were the same from the abcd-xyz user and pass, then you can save the first set of characters, and delete the other line.
Remove the <> or $$ from the ends; you should be left with just the 26 encrypted letters.
Now paste your victim's logon packet 3 lines under it: 1 for use, 2 for space.
Bump the top line down 1, and write abcdefg ... over it. Now you can look at the alpha letter, and look down to see what it is after it's encrypted. Now look at the victim's logon info below, and decode it by hand. Should only take 5 minutes or so, maybe less, if it's short.