Hey guys. How are you all? Im not looking to be spoonfed how to get passwords from forums, Im more into learning than just getting scammed or told im a n00b. Becuase im not asking you for some "miracle" program or lie that will only hurt me. Yes, I have Googled but I can't find any relevant topics related to this other than on this forum (which haven't helped that much).
==
Any help will be greatly appreciated but im not looking to be flammed so if thats your intentions, don't waste my time.

Thanks.

Google search for invisionfree forum vulnerabilities. Try to trick the person/people into giving you their passwords via spoofed email.

Thank you for replying Moon. I read on this very forum that there are "tools" for getting keystrokes and passwords, I don't remember that well what else was on there, it was called elitec0ders. However, I've tried to download them and I get notified via my firewall, antivirus, and spyware finder that the downloads are basically trojans. Is this normal and is it safe to download these? (Sorry for being off topic, just curious)

Thank you for replying Moon. I read on this very forum that there are "tools" for getting keystrokes and passwords, I don't remember that well what else was on there, it was called elitec0ders. However, I've tried to download them and I get notified via my firewall, antivirus, and spyware finder that the downloads are basically trojans. Is this normal and is it safe to download these? (Sorry for being off topic, just curious)

Yes, it's probably safe to download them. Most antivirus packages detect both malicious software and the harmless (to you) programs used to create malicious software -- it sounds like you downloaded the latter. Setup tools for RATs or keyloggers can sometimes be Trojans that instead install themselves on your own computer, but I suppose it depends on whether you trust the source. You may have to disable your antivirus software to run any of them though.

You mentioned elitec0ders.net -- I would advise against using their software because on this forum I've heard many people complaining that it doesn't work at all.

Thank you for replying Mike, You were the one who gave that link, I was wondering who it was, (I read a simular post on invisionfree hacking were you posted that link). Anyways Im open to learning, I hear that keyloggers can be used, some can even be made undetectable but I don't know myself. Any ideas?

Most keyloggers you find on the Internet aren't undetectable, mostly because they can be found on the Internet. You'd either have to make your own (pretty hard) or hope that one you use is undetectable. Then you have the problem of getting the victim to donwload/run it.

Im guessing you would have to be really deceptive in order to get someone to click a download link with a keylogger in it right? Alot of keyloggers are placed on sites like Kazaa and LimeWire to randomly target people, however this isn't something random, it's targeted at a specific person and forum. I guess there aren't any real ways to get an admin password or hack into the cp without having scripts or whatever. I had one, but my friend couldn't host it on his webserver and since I don't have one, well meh.

Im guessing you would have to be really deceptive in order to get someone to click a download link with a keylogger in it right? Alot of keyloggers are placed on sites like Kazaa and LimeWire to randomly target people, however this isn't something random, it's targeted at a specific person and forum.

You're right; it is easy for attackers to spread malicious software to the masses (their strategy is to target hundreds or thousands of people in the hope that a small percentage will end up installing their software), but to target one individual is something that takes more than just brute force.

Try to think back to whenever you last installed some unknown software from someone -- you probably either trusted the source or were tempted by something it had to offer.

For an attacker to spread software to specific people, he would need creativity and the ability to gain that person's trust. The software would also need to be not detected by antivirus programs.

To gain trust, social engineering and email spoofing would be just two methods an attacker would use.


I guess there aren't any real ways to get an admin password or hack into the cp without having scripts or whatever.

Some websites installl forums then forget to apply the latest updates and security fixes. These websites are then at risk of attackers exploiting their forum through the vulnerabilities that have been discovered since the forum was installed.

InvisionFree however is not one of these websites. They use the same forum software across all their servers and upgrade regularly, so they are unlikely to be vulnerable in any way that has been publicly documented.


I had one, but my friend couldn't host it on his webserver and since I don't have one, well meh.

What kind of script is it? You don't need a web server to run most scripts -- Perl scripts can be executed on your own computer if you have Perl, and likewise for PHP if you have a web server installed on your computer with PHP installed (or you have the command-line version of PHP).

Im not sure of the specifics of the script becuase my friend was the one who knew about all the ********* stuff, however I do know it was downloaded off milw0rm if thats any conselation.

He told me the script allowed the user to change the admin password, meaning you could in theory do that, then log in with the new details and the user couldn't get back in, since he doesn't know the new* password.

Yeah, I'm guessing it's a Perl script then, because most vulnerabilities are written in Perl. I'd s***est Googling a program called ActivePerl.

Once I download Active Perl how would I use it with the script. Im still a novice as far as using scripts and such.

http://milw0rm.com/exploits/26*6 << Thats the one I mean, I just searched through my chat logs and found this. He told me at the time to save it as a pl and host it on a webserver. :?

Once I download Active Perl how would I use it with the script. Im still a novice as far as using scripts and such.

This tutorial looks good for beginners:

http://perl.about.com/od/gettingstartedwithperl/a/testperl_2.htm


http://milw0rm.com/exploits/26*6 << Thats the one I mean, I just searched through my chat logs and found this. He told me at the time to save it as a pl

The script you linked to is in fact a PHP script -- these can be used as I described earlier:


You don't need a web server to run most scripts -- Perl scripts can be executed on your own computer if you have Perl, and likewise for PHP if you have a web server installed on your computer with PHP installed (or you have the command-line version of PHP).



and host it on a webserver. :?

Perl scripts are easily (and preferably) executed on your own computer if you are on a Unix-like OS with Perl (or have ActivePerl for Windows), but PHP scripts are mostly made to be used on web servers (although you can get the command-line PHP). In this case, if someone wanted to run that script you linked to, they would have to get some PHP hosting or install their own web server with PHP.

Some additional comments about that script:


Affects Invision Power Borard 2.0.0 to 2.*.7

I believe the latest IPB version is 2.0 and this is what InvisionFree are probably running, so this script would probably be useless to someone who wanted to exploit an InvisionFree forum.


This works if:

"Debug Level" is set to *
or
Enable SQL Debug Mode is turned on

In General Configuration of the forum software.

This says the script can only exploit ***rds that have settings that are not default. Most forums use the default settings; a service like InvisionFree most definitely does not have any sort of debug mode on (this would be a security risk in itself), so the script would probably not be useful to someone who wanted to steal InvisionFree passwords.

This still doesn't rule out social engineering, monitoring software or many more methods for someone who wanted to steal forum passwords.

Moniter what? If the script won't work for exploiting an invisionfree ***rd, you s***ested other methods, im interested in what those are, considering I've tried keylogging, exploits and false invisionfree emails, but it's a little hard to convince someone to do something unless it looks real or such. Thanks for replying Mike.

Moniter what?

By "monitoring software" I was referring to programs like remote administration tools that monitor users' keystrokes, take screenshots; things like that. Keyloggers can be classed under this category, although they only perform one of the functions I listed.


If the script won't work for exploiting an invisionfree ***rd, you s***ested other methods, im interested in what those are, considering I've tried keylogging, exploits and false invisionfree emails, but it's a little hard to convince someone to do something unless it looks real or such. Thanks for replying Mike.

I was referring to other methods that require the attacker to either be near to the user (things like packet sniffing) know the user and have the user's trust (things like getting them to install remove administration tools) or be able to gain the user's trust (things like email scams). It would take forever to list all the different methods an attacker could use to steal forum admin passwords, and I'm certainly no expert.

Do you know of any good keyloggers out there that could do such a thing? (thanks for replying)

Do you know of any good keyloggers out there that could do such a thing? (thanks for replying)

This isn't really my area of knowledge; I'm more of a programmer than a user and try to keep everything legal (thus haven't had the need to monitor anyone's computer). Perhaps people in the 'Viruses and Trojans' section can help:

http://www.all-nettools.com/forum/forumdisplay.php?f=4

:o hello, i was reading a few posts form other people wondering how to hack peoples myspace. i was interested myself, you see, i've always been interested in the idea of software programming, html codes and such. ive always had to rely on other peoples codes to "pimp" out my myspace. i kinda want to learn how to do that myself and possibly learn to get better. Im the worst noobie ever, i know.

:o hello, i was reading a few posts form other people wondering how to hack peoples myspace. i was interested myself, you see, i've always been interested in the idea of software programming, html codes and such. ive always had to rely on other peoples codes to "pimp" out my myspace. i kinda want to learn how to do that myself and possibly learn to get better. Im the worst noobie ever, i know.

The best place to learn about websites is from those who set the standards:

www.w*schools.com

They actually have a great tutorial on that site for learning SQL. But I digress, if keylogging takes trust to gain someone's ***rd password, then I suppose if the person hates you already, you won't have a good chance of getting into their account right?
--
In any case if keylogging requires trust, then what other methods are there that can obtain invisionfree or just general ***rd passwords? I know crackers won't work most of the time since they are almost always viruses (in themselves). And Keylogging had a low chance of working for me (anyway). SQL Injections are obviously another route, and so is spoofing fake invision emails, but are there other ways, I hear Brute Force could be used, but all of these methods (im still learning). So what are your thoughts Mike, Moon, anyone?

I really hate to have to bump this but I figure it's better than making a new topic on the same issue. The person who I was trying to exploit their forums have moved back to an invisionfree setup from a paid for invision ***rd. I have learned alot since then but I still would like some help. The main area I need help on is, I'm on this guys forum using a masked ip, but from there, what am I supposed to do? I mean it's not like I can just liftup the mother***rd and reprogram it, I don't really know where to start or even the exploits that could be implemented.
--
Like I said before I apologize if this is no good since I bumped it. Please tell me and I will delete my post if I can.