How to Get your Own ComboList – Complete Hacking Guide
The programs we will be using for this “get your own combolist guide” are:
1) SQLi Dumper
3) Dork Generators by N3rox and JohnDoe
4) Sentry MBA
5) Gather Proxy
6) Online Reverse Hash Tool
7) Sandboxie (You can get if from Here because i don’t have it included in the .zip file)
DISCLAIMER: IN THIS GUIDE I AM USING SANDBOXIE TO OPEN THE PROGRAMS FOR MAXIMUM SECURITY. I HIGHLY RECOMMEND USING SANDBOXIE TOO OR A VIRTUALBOX/RDP. I AM NOT RESPONSIBLE FOR ANYTHING THAT HAPPENS TO YOU FROM THESE PROGRAMS. MOST OF THE ANTIVIRUSES WILL FLAG THE FILES AS VIRUS AND DAMN RIGHT THEY ARE, MOST OF CRACKED PROGRAMS ARE FULL OF VIRUSES. JUST ADD AN EXCEPTION AND ALWAYS RUN IN SANDBOXIE/VB/RDP. DOWNLOAD AT YOUR OWN RISK.
Use this for Educational Purposes Only!
Just for a heads-up:
Sandboxie will frequently pop-up a window and ask to recover files for future use. Just recover each one for them. Don’t forget to clean your Sandboxie contents from time to time. You will also need to have .Net Framework 3.5 and 4 installed on your machine for the programs to work correctly. Search Google how to get them.
To open the programs, Right Click > Run Sandboxed.
The default Sandboxie location should be this. So you can know where the text files created from the programs are stored.
CHAPTER ONE: Making the dorks.
Dorks are used in SQLi to create a list of URL’s where we can analyze and find which ones can be exploited. So, let’s learn how we can create our own dorks, shall we?
Firstly, open the two dork generators by N3rox and JohnDoe, as well as the Notepad++.
Go to the dork generator by JohnDoe and click the letter D, as shown in the image below, until the boxes are clean. If they are already clean, skip this step.
Now go to the Grabber tab and press Load.
Load the url text i included in the zip file. (The program interface sucks, sorry for that, its JohnDoe to blame)
Wait for the program to complete loading.
Copy the Page types p.2 contents.
Go to Notepad++ and make two new files.
Paste in the contents of the box we copied just a second ago.
Go to Search > Replace.
Press the “Space” button on the first box and “Backspace” on the second box, so we can remove all the spaces from the lines. Click Replace All.
Now, search all the lines and remove any weird marks, until there are only words like “example=”.
Now go to Page Types box in JohnDoe’s generator and copy all the contents, and paste them in the second file you created in Notepad++, search all the lines and delete all the bad types until there are only good ones left. Just like we did before, we keep only the good lines. If you didn’t understand what “bad types” meant, just write down the same page types as mine.
Now go to the N3rox’s generator and write down some words in the first box on the left, for example “steam, money, LoL, bf1… etc” and separate them in their own lines. Also, copy and paste the clean page types and page types p.2 we made a while ago from Notepad++ to N3rox generator, in their own boxes, as shown in the image below. Click Generate. (i used translated page types p2 and keywords to German, so i had German dorks. Use any language you like, the best and most common is English. I will also show you how to translate them in a few steps below.)
The dorks file should be in the folder where you placed the n3rox generator. If it isn’t there, check the Sandboxie folder, like i showed you a few steps above. Congratulations, you just made your own dorks and you didn’t even pay for them.
If you want to make dorks in other languages so you can get accounts of that nationality, go to the Translator tab in JohnDoe’s generator and write your keywords in the Name of Pages tab, select the language, press Translate and wait for the process to finish. After that, you can copy the translated contents and paste them in N3rox’s generator.
So, what we did basically was generate the Page Format and Page Types from the URL’s and we used them to make new dorks. We cleaned them and we also translated them so they are even better. We used JohnDoe’s generator to generate the Page Formats and Page Types, and we used N3rox’s dork generator to generate the dorks, with those Page Formats and Page Types. You can also import your own URL’s after finishing with SQLi Dumper, as i will show you later on, so you can generate more Page Formats and Page Types. This is the hardest part of all the process of account cracking and it’s not even that hard lol. What you need is some imagination for the keywords and that’s all the fuss. Let’s move on to the next chapter.
<strong style=””><font color=”#ff9933″>CHAPTER TWO: Making the combo lists.</font></strong>
Now is the time to use the dorks we made, to make our combolist. We will be using SQLi Dumper to make some good combos so we can test them later on. Let’s begin.
Open SQLi Dumper and make sure it looks exactly as the image below.
Now, open your dorks text file with Notepad++ and copy your dorks. (Don’t copy more than 15k because your SQLi Dumper will crash 100%). Now click Start Scanner and wait until you have about 10-20k URL’s. If your SQLi dumper does not get any URL’s, make sure you have it unblocked from your firewall and antivirus and restart the program. If it still doesn’t load any URL’s, load the ones i gave you in the .zip file by clicking the Import button, and press Start Scanner. If it still doesn’t work, then GG. See you in a while, after you get some URL’s. After you see it has about 10-20k Valid Added, press the Cancel button. It doesn’t stop at 100%, that’s why we have to do it manually, based on the Valid URL’s added.
If the valid added stay the same number after 15 mins, click cancel. If you Loaded 20k dorks and you got 1k URL’s after 3012831280441279410274 days, you have bad dorks.
Now go to the Exploitables tab and press Start Exploiter. Use as many threads as you want, i use about 30.
After it has completed exploiting, (you can see if a process has completed by looking at the bottom of the SQLi Dumper, it says Exploited thread done, exploitable detexted: X. If you dont see such message, then you need to wait until it’s done. ) it should look like this. (keep in mind that antivirus messages may pop up, saying that a webpage was blocked. Thats ok, nothing to worry about.)
Go to the Injectables tab and press Start Analizer. I use about 30 threads again. Wait for the process to complete. Note that your SQLi Dumper may crash during any of these processes. If it does so, just recover the files in Sandboxie and reopen the program and continue from where you were left.
After the Analyzing process is complete, your Dumper should look like something like this.
Click the Method tab, until we have all the Unions sorted from the Errors.
Click The [+] box in the bottom left corner of the dumper.
Check 2 boxes out of 4. Write in what you want your combolists to be about. I used username and password because i want my combolists to be of usernames and passwords. You can also have 1 box checked. You can also write in anything you want, such as email and password, name and lastname, credit card name and credit card number, etc
. Also make sure Current DB is checked and Collumns as default.
Select all the Unions with the SHIFT button and click Start. A new window will pop-up. Wait for the process to finish. Don’t close this window. EVER.
Scroll down until you find a database with a good number of Username or Password rows. If both Username and Password have the same number, its perfect. If you only see Username or Password, its ok too, but the database may not have good combos. Its all about luck here. Select a database with more than 5k rows.
After you found what database you want to crack, select the URL’s name and click Go to Dumper > Dumper Form.
This is the time where you need to guess. Click on a column you think the combolists will be at and press Get Columns.
I found mine, so now i click on what i want to dump. In this case i only want to dump usernames and passwords. Check on anything you want to dump and press Dump Data. If you had a large number of rows, this is gonna take a while to complete. Also, if the Dumper crashes here, i feel sorry for you son, you cant do something about that, you need to restart dumping the data from the beginning.
As you can see, i got very shit combos. If you get bad combos too, press X which is under Schema tab and search for a new URL.
After you dumped your data, press Export data. A new window will pop up, just make sure it is as mine. Press start when you are done.
Click save and find the text document you just saved. Check the Sandboxie location if you cant find where you saved it. Open the text file and remove the first lines until you only have your combos in there.
If your passwords are not encrypted, you can skip chapter three and you can go straight to chapter four
. If your passwords have a weird format like mine, we need to find out which type of Hash it is and we need to dehash it.
Dumping data from a database is all about luck.
If your SQLi Dumper keeps crashing, you can dump databases with SQLMap, that never crashes (i cannot post how to do it because SQLMap keeps updating and the commands keep changing all the time. You can search on google or youtube how to install SQLMap and how to use it. I am currently using it on Kali Linux 2016 on VMWare Workstation 12).
You will either get good combos or you will get shit. Just never give up, and always keep trying. You can also save your Trashed URL’s to generate new combos with JohnDoe’s generator.
CHAPTER THREE: Dehashing the passwords from a combolist.
Open ORHT ad click Ok. If you have opened ORHT and you cant find the window or you minimized it accidentally, you can find it in the tray menu.
Click Main Menu > Start From File, and load the Combo you dumped. My hash encyption was MD5, so i have checked MD5 as Hash Type on the window.
Make sure your ORHT looks like mine. Click OK and after some time, a message will pop up saying how many hashes were decrypted. Click OK again.
Go to Main Menu > Save to File and make sure your OHRT looks exactly as mine. Click Ok and wait for the process to finish. A message will pop up that will say success. Click OK and save your DEHASHED combolists.
Basically thats it, if you dumped 100k combos, its most likely that 30% of it to be dehashed, but that’s on luck again.
CHAPTER FOUR: Checking the combos.
Before we start checking the combos with sentry, we need some proxies.
Make a new text document and name it proxies. Then open Gather Proxy and go to the Advance tab and change the settings same to mine.
Go to Gather Proxy tab and press Start and wait for the program to finish. After its done, press SHIFT to select all combos and copy and paste them in your proxies text document.
Open Sentry MBA and go to Settings > General > Load Settings from Snap Shot and load the config of the site you want to check your combos. In my case, i will be using the NA League of Legends server because my database was from a site from the US
. In the .zip file i have all the League of Legends configs. If you dont want to check your combos for league or if you your combolist is email and password (email:pass) form, you can find all the configs you need here from Nulled. I will not be posting them here.
Go to Lists > Proxylist > Clear List and then Load the proxies from the text document you made earlier.
Go to Lists > Wordlist and press clear combo if the upper left box is not clear. Press Open a Combolist and choose the combolist we dehashed a while ago.
Go to Progression, set the bots to a high number (i go for about 90-110), click Start and Click start one more time.
Wait for the program to finish, when all combos were checked as we can see from the bottom of the window, we can click Stop. Press SHIFT and select all the contents from the Hits tab and right click and save them to clipboard. Make a new text document and paste them there. Congratulations, you have your ready combos that work for that specific website/game, etc… In my occasion it was for League of Legends.
So here is the results:
The whole process is similar to the oil process. We take all the shit we can find and we filter it to a good result. If you read carefully this whole tutorial, you have now learned to:
1) Make your OWN dorks.
2) Dump your OWN data.
3) Make some good out of it.
As a team of expert hackers and carders who have been on the market for over 10 years, we are fully available for great money making ventures. You can reach us by
EMAIL: [email protected]