Here is an article passed around by "highly ethical" paysite hackers. We have literally hundreds of hackers' articles and tutorials collected in The Clean Sweep Zone.
You'll be interested in the hackers' followup comments to this article as well... but we need to protect our information sources. You'll need to be inside the Zone to read the rest.
Ethics and advice on handling exploits and passwordfiles.
In this short text, I will NOT cover the different tools and techniques needed in order to find, use and utilize password files, but rather try to share my experience in handling the files (and exploits) themselves, the issues you face and the power you hold, having gotten your greedy little hands on a password file.
So.... you got your hands on your first password file ever, and a whole new world lies ahead of you.
I remember the first time I ever cracked a site... in the days where the only cracking tools were wwwhack and webcracker in its first release. No multithreaded cracking here, it was one bot, one try at a time, but automated... WOW.
First site I cracked, what a great feeling.... first passwordfile I found, an amazing feeling!!!
Whether your first encounter with a password file was because someone gave it to you or, better yet, you found it yourself, there are several things you should give some serious thought to when deciding how to handle passfiles.
If you have a pure passwordfile, it can often contain all paying members to a site. (As some sites use more than one billing company, you can sometimes find "only" the part of the total passfile that relates to one of the billing companies. Sometimes you also find logfiles that contain both current and old/dead passwords.)
If you do have a pure pwfile of only existing members, you in some way hold some power over the future of these paying members' willingness to resume their memberships and also over the bandwidth to the site in question.
Posting/sharing passes from passwordfiles
It is here you should decide how you will handle the passwords from the pwfile.
I remember when I had decrypted my first pwfile... I felt like telling it and showing it to the world... or at least all the crackers I knew, and posting all the passes at a request board or password dump. This feeling lasted about 5 minutes... then I started thinking... about what I had witnessed earlier in my "career" as a cracker and part of the cracking community.
Talking to people about exploiting and passfiles, one discovers that some people post all the passes in a passfile at password dumps, request boards or IRC listbots because they think it will show everybody how cool they are.
For sure it will make requesters happy, because they get passes and can go jerk off without worrying or thinking that, once the passes are made public, a lot of people will use the same passes, and with the security of sites today, many of them will discover multiple users of the same passes and kill the pass or change it.
You might even impress some of the other new guys starting out in exploiting and decryption, but I can guarantee you that you will NOT impress nor get the respect of your mentors and fellow crackers that have been around the community longer than you have.
Posting all passes from a password file in public will generally result in a couple of things:
- Passes will die quickly (just think how long the passes from the Zima list, or the other IRC bot lists, last...)
- You will alert other exploiters that the site has a hole and thereby spread the knowledge of the file being available, and so the passes will die faster as more people get the file and maybe start spreading it.
Webmasters can read too (surprised?) and the more active ones even visit request boards and password dumps, and how do you think they will react seeing the entire password file posted in public? They will often kill all the passes and issue new passes to the members, and often close the security hole that allowed you to get the file in the first place, and thereby ruin that hole for fellow exploiters that might have discovered the hole long before you did.
Another scenario is that because you posted all the passwords from a passfile for one small/medium site (typically amateur or private sites) the webmaster will be forced to close down the site. Either because the members cancel their membership because they receive a mail saying that the site's security system has discovered that the password has been used by multiple people/IP addresses and has cancelled the pass or changed it.
Or because the webmaster/siteowner can't pay for the increased bandwidth caused by the fact that now suddenly a lot of people are using the same passwords and stealing the bandwidth which the site has to pay for.
I have seen and heard about fairly good and popular sites that went out of business because of this, and then what good is the passfile (it can of course be used as combo on similar sites).
Or if it is a site you like, you won't be able to get to view the porn you like so much.
So I hope you get the picture... posting complete password files is NOT recommended and generally a very stupid thing to do.
Then some would say, ok - then I just post half of them or 75 % of them, and here is where your own judgement, and hopefully common sense, comes in.
Generally posting more than 20 or 20 passes from a password file to one site in public is borderline in my opinion. But if you are so lucky to find a huge password file, I'm talking +5000 or even +10.000 members or more (yes they do exist, hehe) then it would be ok.
But posting 50 passes from a 100 members pwfile is not good.... beginning to get the picture?
Of course, I am not one to tell you how to act and how you should handle the passfiles you get your hands on, but this is just to share my own experiences and opinions.
I have seen a lot of security holes being closed and a lot of passfiles being "killed" because people posted the whole file wanting to show off, not using their head or not knowing that this could happen.
So I'm just trying to help us all by this small text :)
Sharing exploits / password files
Once you really start getting into exploiting and get more and more password files, you should also start to think about if you want to share your files and/or exploits with your friends, mentor(s) or fellow crackers.
If you find an exploit that you don't think anyone else has found and want the file and exploit to last long, the obvious way is not to share it with anyone.
But you will (hopefully) often have fellow crackers that you consider your friends and who might have helped you out with exploiting, and you might even have been lucky enough to have a mentor that showed you the ropes.
It is natural to feel grateful and obligated towards these people and you might decide to share stuff with one or two of them. And if it is people you trust and you tell them not to share or tell anyone else what you give or show them, you can mostly feel safe that things won't be spread out.
If you are lucky to be part of a group of crackers/exploiters (there are many out there) it is usually a common thing to share what you find with other members of the group. Give some and get some back.
There are pros and cons to this kind of sharing and people will have different opinions about it, and that's how it should be.
But the more things are shared, the more people will know about it and use it and often tell others, so in time holes will get closed quicker and files will get killed faster.
Sharing ideas and thoughts about exploiting with your friends and fellow exploiters can be a very giving and productive thing to do. It can help both parties out and be fun to work on "projects" together.
Usually you will only do this with people you trust and who you think have the skills needed. Often skill and experience go hand-in-hand so a highly skilled exploiter will also know how to handle information about exploits, security holes and pwfiles with care and consideration.
Finishing off, I would just like to stress again that it is not up to me to tell people what to do or how to behave. This text was merely meant as sharing of my own experiences and opinions, and my advice to people new to exploiting and password files.
Followup Comments from Other Hackers
The followup comments are as enlightening as the article itself.