Comments on: Episode 13 – Website Hacking – XSS

By: Patchy

Patchy — Fri, 02 Jan 2009 00:37:07 +0000

http://infinityexists.com/downloads/cookie

By: demonicspawn

demonicspawn — Thu, 01 Jan 2009 15:02:15 +0000

sup dude…i contacted u on youtube …but i need some help over here…can u give me the cookie catcher php file dude???plz …cuz i get a error on line 4….

i mean the original file!!

By: Scotted

Scotted — Mon, 08 Dec 2008 09:36:19 +0000

A BIG THANKS TO PATCHY !!!! THANK YOU A MILLION TIMES, it has worked and now I am able to sleep

By: Scotted

Scotted — Wed, 03 Dec 2008 07:54:24 +0000

This is what I thought too until I have tried to reinject my own cookie from another computer in my network with the same IP address and the website still does not recognize me

By: Patchy

Patchy — Mon, 01 Dec 2008 21:53:29 +0000

@Scotted: Most likely the cookies are based on the user’s IP Address. In that situation you are better off trying the XSS Tunnel attack.
@Hackncrack: That is a great question. That feature should definitely be added to password crackers!

By: hackncrack

hackncrack — Mon, 01 Dec 2008 17:53:44 +0000

wait, so why arent there any programs for cracking passwords that will do the double encryption for you? its the same process as a normal brute force or dictionary attack? it just has to encrypt it twice? or am i getting the process wrong?

ex: first word in dictionary is “apple” so all the computer has to do is:

apple
–hash to md5–
1f3870be274f6c49b3e31a0c6728957f
–hash to md5 again–
ae6d32585ecc4d33cb8cd68a047d8434
–compares ^ to extracted hash–

By: Scotted

Scotted — Sun, 30 Nov 2008 04:56:00 +0000

Hey Patchy, really nice video…
But do you have any ideas why reinjecting a stolen cookie doesnt work , I mean the website doesn’t identify me at all and if I try to reinject my own cookie (grabbed from the same computer I signed in ) works ?

By: joemama

joemama — Mon, 14 Apr 2008 23:55:31 +0000

i need help using t35 and uploading the cookie cathcer someone please help

By: aj atkinson

aj atkinson — Wed, 30 Jan 2008 21:55:05 +0000

so you mean that basically they are hashed 2 times??? That’s wild. I have always wondered what algorithm most cookies were encoded with, myspace, hotmail, etc. I have always tried to use cain or mdcrack to decode my own cookies just for the hell of it and never could. That is probabbly why LOL

By: Patchy

Patchy — Tue, 20 Nov 2007 22:02:45 +0000

Well it is possible… The cookie password in wordpress is the md5 hash of the md5 hash of your password, so it would be very hard to crack.