Extracting profit from hacked sites

Hacker


Part 1.
I launched Burp Suite and configured it.


During active analysis, I found 2 targeted vulnerabilities on one of the sites: XSS and SQL injection.


I found a vulnerability in the scan result; it turned out to be a good online store that sells clothes in South America.

I decided to go through the database and found fullz, in the amount of 12428 rows - the market value is 3000-4000$.


The point is that payment is made on the site and without redirecting to payment services, that is, all cards are stored in the store's database. The number of saved cards is 4847. The market value is $14,500 at retail. Wholesale for the sale of approximately $8000-10000.

You can also add a sniffer there


- the number of orders per day is approximately 20-30, that is, 20-30 cards will fall to my admin panel, and this is $60-80 per day.

But the admin can see this snif - and delete it, and thus "my online store" will be lost.

There is an option to sell this shop by first draining the database with cards and fullz. The market value of such a hole is $7,000 - $10,000.

I did the following: sold the fullz wholesale for $3,500. I filled in all the cards for implementation, and the entire batch turned out to be $8000. I also sold the hole for $8,450.

Total: 19.950$

Plus, over the previous week, I earned $13,000 in other niches.

Total for 2 weeks: 33.500$

I write a dictionary for beginners:

DB - a database.

Full info is personal data.

A redirect is a redirect.

Shop - a store.

A sniffer is a device used to intercept and analyze network traffic.

Part 2.
Today we will highlight the topic of traffic, in principle, I have been working on it recently.

Draining traffic from websites is one of the most profitable topics. The bottom line is that we redirect users from hacked sites to our own links, which gives us the opportunity to earn money from the users of the site that we fucked.

So, I slammed 8 sites with recipes and several women's blogs that modern housewives love so much and slipped my php redirect code to the affiliate program into the site code. For a few days, passive income was 35-40 bucks a day, from 8 sites comes out 280-340$. The affiliate programs themselves lived with me for about 6-8 days in total, some sites more, some less. In total, this brought me $2628 of passive income.

+2628$


At the time of passive earnings, I discovered a large site, merged the database and disassembled it according to the old scheme. Soaps with passwords in one pile, phones in another. Payment on it was through a stick, so there were no cards on it. I sold the email databases to a spammer I know, and this product is worth its weight in gold for them.

+ 300$

Then I didn't bother and sold the same database, only not for spam, but for a PayPal receipt. Again, I turned to a friend who specializes in PayPal accounts.
He checks this database and will have working PayPal accounts. The bottom line is that selling a database in two hands in this way does not affect the performance of two comers, as a spammer and a PayPal.

+ 200 $


Next, the same resource. I turned to a friend who specializes in the bot, this is of course fierce, but.. He buys downloads for his bundle.

I don't want to tell you the details in this report, but I will say that I pushed the shell and redirected traffic to its bundle. This is a web dashboard for managing traffic, which allows you to easily redirect users of that site to wherever your heart desires. This method brought me $4865 in a week.

The search for this resource took me about 3-4 days at the time of passive earnings, when traffic to affiliate programs was pouring in. Next, I agreed on the passage of traffic and setup and negotiations took me another day. A total of 5 days. The resource lived exactly one week, thus:

+4865 $

In this week, when I had a drain on the bundle and a drain on the database, a friend approached me with a request to merge the resource database under the order, the goal was precisely user emails. I don't usually take on custom projects, but a friend asked for help in this matter. I took it upon myself that everything I found was mine, except for the soap bases.

The promotion of the resource took me a week, I really had to tinker, but I still got to the database. I was paid $ 4000 for the order, by the way, in the database, I also found customer scans and ssn+dob. This is quite a valuable product, but the customer only needed emails. I didn't touch the emails, there was a database of emails of 487827 lines, which is pretty bad.. Scans, ssn, dob were smaller, 11534 pcs. Retail price is $ 1, I tinkered with the search for a customer to buy and sold in bulk for $ 0.4 per piece.

In addition to ssn, dob and scans, there was also other information in the form of a medical history, but I did not bother with them.

+4613 $
+4000 $


One of the interesting features of working with orders for hacking sites is getting pretty good victims, for hacking which you are also guaranteed to get paid. Well, data - there is data that you can also work with after completing the order. Thus, spot hacking under the order turns from 1k from the customer to 3-4k hard earned.

- Strait with affiliate programs: $2628
- Strait per bundle: $4865
- Email sales to spammers and pagers: $500
- Custom Hacking: $4000
- Sale of scans, ssn, dob: $4613

Total: $16,606

And now the most interesting thing is that in the current month I kept my main funds on the blockchain in bitcoins. Pay attention to the quotes of the exchange rate, I specifically covered up the balance in dollars, you can calculate)


The main factor is that any information that you have removed - it is still needed by someone.

Part 3.
Today I would like to pay a little bit of your attention to the next report on the hack topic.
In general, in this area, the main thing is to have the intention to conquer new tasks, no matter how difficult they are, after overcoming any difficulty, count +1 in skill.

Opening any resource we have on hand a huge number of emails with passwords, it would seem, nothing like that, 95% of the opened sites store a bunch of emails with passwords from accounts, and even the option to sell the database to spammers, this will not bring huge funds, yes, but you can mint the database on related services, money seems to be nothing, but again, you can do much better. And even cooler, this is a selection from these corporate mail databases, and there is a novelty.

Another proof that in the right hands any data is valuable, whether it is an email database or a database of prostitutes, remember, any information is valuable. As they say, for any product-there is a buyer. Exactly the same scheme applies here. At the selection of corporate emails, I came up with a completely brilliant idea, over breakfast:)

And so, I present you a working case.

You are required to: Skill on draining, contacts for sale.

The scheme turns out to be the following: those that have shared access are removed from the entire soap box database, for example: yahoo, gmail, hotmail, aol, etc. The rest of the heap was sent for checking access to... SSH well, on the definition of SMTP. As an enthusiast, I asked a fellow coder to write 2 brutes, in fact checkers, to connect, as is already clear, to SSH and SMTP. Yes, yes, I know about hydra and medusa. Only the task was to process a large amount of data, and brute on your computer as it is not ice, then the system was configured to drain good shares to the central server.

First of all, they were sent to check for smtp brut:

Data for the SMTP brutus


SMTP brutus working against the background of its code


In parallel, we ran almost the same data, only with a check for SSH access

Data for the SSH brutus


How SSH brutus works against the background of its code


As a result, almost 1kk accs were sent to the check per day, which were extracted by all available and inaccessible methods. Code was also written for the conveyor processing of sites for dorks, which is currently under development.

The beauty of corporate emails is that they can store a large number of sites on their servers, and often come across online stores with a good flow of customers. A grabber is embedded in the payment code and drains user payment invoices to our server.

And here we are already lucky, but we are very active and do not stand still, so each account was checked out on smtp in catch-up, they were ready for mailing when they would start spamming them. I did not spam myself, I am not interested in this niche, but this data was useful to someone who bought these accesses from me)

Ssh servers with good traffic are rooted and taken under full control.

Then we conduct an analysis. We look at what kind of server it is in general, what is there; most often these are hosting sites, i.e. we get access to sites that hold hosting. Now we need to root.

We root accordingly through the exploit.

On the site exploit-db.com we are looking for an exploit for the server core to increase privileges.

We've been messing around, and then we look at what kind of sites and what we can get from them.

Profit comes mainly from online stores with payment by card, and it does not matter through the merchant or through the site, if the payment goes through the merch, then the phishing page of the merch is written, if through the site, then it's easier, the data from the form is simply sent to us, and the site works normally.

Accordingly, if the payment is made on the site itself, everything is made much easier and more convenient.

8 suitable SSH were extracted, each one contained from 300 to 1500 cards in the database, I sold them at a wholesale price + every day I have new card arrivals on the server, until the ssh die, that is, until the admin burns them down) The only country on the cards was the USA.

As a result of working with brutus for ssh, it brought $14,000, but I sold the SMTP acc database for $1,500.

Of course, one source of income is always not enough.

Total: roughly out 15500-16000 + it is worth paying attention to the bitcoin exchange rate, which jumped quite well during the month, respectively, I will cover up the figures in $, count for yourself how much now)
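
Seen from the defending side, the SSH credential checking described in Part 3 leaves a recognizable trace in sshd logs: one source failing against many different accounts, and sometimes a password login succeeding from that same source. The following Python detector is an added example, not part of the original post; the log lines are constructed, and the function name and the `min_distinct_users` threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sshd log lines (OpenSSH syslog format, documentation IP ranges).
SAMPLE_LOG = """\
Mar  3 02:11:01 web1 sshd[4101]: Failed password for invalid user anna from 203.0.113.7 port 40112 ssh2
Mar  3 02:11:03 web1 sshd[4103]: Failed password for bob from 203.0.113.7 port 40115 ssh2
Mar  3 02:11:05 web1 sshd[4105]: Failed password for invalid user carol from 203.0.113.7 port 40119 ssh2
Mar  3 02:11:08 web1 sshd[4108]: Accepted password for deploy from 203.0.113.7 port 40123 ssh2
Mar  3 09:30:12 web1 sshd[5200]: Failed password for erin from 198.51.100.20 port 51000 ssh2
Mar  3 09:30:20 web1 sshd[5201]: Accepted password for erin from 198.51.100.20 port 51004 ssh2
Mar  3 10:02:44 web1 sshd[5300]: Accepted publickey for ops from 198.51.100.21 port 52000 ssh2
"""

LINE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_credential_checking(log_text, min_distinct_users=3):
    """Flag sources that failed against many different accounts.

    Returns {ip: {"failed_users": [...], "compromised": [...]}}.
    min_distinct_users is an assumed threshold; tune it per environment.
    """
    failed = defaultdict(set)     # ip -> usernames with failed attempts
    accepted = defaultdict(list)  # ip -> usernames with accepted passwords
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        if m["result"] == "Failed":
            failed[m["ip"]].add(m["user"])
        elif m["method"] == "password":
            accepted[m["ip"]].append(m["user"])
    report = {}
    for ip, users in failed.items():
        if len(users) >= min_distinct_users:
            report[ip] = {
                "failed_users": sorted(users),
                # A password login from a flagged source is treated as a hit
                # on a reused credential: reset it and review the session.
                "compromised": accepted.get(ip, []),
            }
    return report

if __name__ == "__main__":
    for ip, info in find_credential_checking(SAMPLE_LOG).items():
        print(ip, info)
```

A single mistyped password followed by a success (the `erin` lines) stays below the default threshold, and key-based logins are never counted as hits.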
