ACCESSDIVER TUTORIAL

AccessDiver is a Web Site integrity tester. It can be downloaded from http://accessdiver.com/downloads.htm. There you can also find patches for Windows XP Service Pack 2.

AccessDiver works by allowing the user to retrieve proxies and test them for speed and confidentiality (anonymity). One can then use these proxies to connect to a web site anonymously while testing/cracking. These proxies are placed in a list. AccessDiver also uses a list of username and password combinations. One places a link to the members page that one wants to test/crack in the search/server field. Once all the detailed specifications are chosen, such as word size control (the min. and max. length of the username and password), the start button is clicked. AccessDiver then connects to the website through an anonymous proxy, which hides your IP address, and places the first combination in the list into the username and password fields of the members page that it is trying to test/crack. The process is repeated until it finds a working username and password. The settings allow the program to stop after one working combo, after as many as one likes, or when the whole word list is exhausted. The working usernames and passwords are then saved to another file for reference.

AccessDiver is a hybrid cracker. It has many features for testing the integrity of your websites. Many of these features can also be adjusted to the user's needs and preferences. It contains tools for creating wordlists, manipulating wordlists, getting proxies and testing those proxies. You can change the characteristics of the usernames and passwords. An example would be amelabe becomes AMELABE. You can randomize the lists of usernames and passwords so that each username is paired with a different password. On the other hand, you can use only one username in the search and try it with every password in a list.

Getting Started

1. After installation click the desktop shortcut.
2. THE FIRST TIME (ONLY) you start up AccessDiver you will receive an error message. The .INF file will be created at shutdown and the message will not show the next time AccessDiver is started.
   o Click OK to continue.
3. Click the Splash Screen to remove it. To permanently remove it: Settings Tab -- Extras Tab -- at bottom uncheck "Show Info Box ...".
4. Click "My Skills", then click "EXPERT" to open all the features/abilities.

Initial Settings

1. The "Search Tab" is a search engine - not a very good one.
2. The "Dictionary Tab" is used for creating and using wordlists. *We will come back to this tab*
3. The "History Tab" shows:
   o Weak Logins found (self-explanatory)
   o Server failures found (self-explanatory)
   o List of URLs used (self-explanatory)
   o Snapshots (never used)
4. The "Settings Tab" --> "Access Tab"
   o Place a check mark in: "Let a BOT retry ...", "Always force a security check", "Use GET method to do standard testing"
   o Leave the rest of the settings as they are. These are extra features that you can set and use when needed.
5. The "Proxy Tab" is used for finding and using proxies to hide your IP address, making you / your PC anonymous.
   o *We will come back to this tab*
6. The "Exploiter Tab" is used to find known exploits.
   o *Not applicable for this tutorial.*
7. The "Extra Tools Tab" has:
   o A Net Kit used for sending PING packets and a DNS resolver
   o A file splitter / merger
   o An HTTP Debugger
8. The "Socks Tab" (I've never used)
9. The "Auto Pilot Tab" -- Here you can load a list of pages to crack and the attributes for each page.
   o *Not applicable for this tutorial.*

Using Proxies for anonymity

1. Click the "Proxy" Tab and the "MyList" Tab.
2. Check the "Use WEB proxies" box. *We won't use this on a closed network*
3. Check the "Rotate proxies..." box and place a 1 in the text box "...logins to try ...". *We will come back to what these settings are.*
4. Now click the "WEB proxy leecher" Tab.
   1. Click the Folder icon to open a list of websites to leech "anonymous proxies". *Navigate to the AccessDiver folder and select proxyLeechlist.txt*
   2. Shows the sites to be leeched.
   3. Click the "Start leeching" button.
   4. Shows the leeching status and ultimately how many proxies were leeched for each site.
   5. Shows all the proxies found, i.e. 165.34.76.10:8080
   6. Click "add the proxies in.." then click "...Proxy Analyzer". This will load all the proxies into the proxy analyzer and will open that tab automatically.
5. For this lab, or to open a list of proxies gotten from another source, click the tabs "Proxy" and "Proxy analyzer":
   0. Click the folder icon to open a list of proxies to test. *Navigate to the AccessDiver folder and select the file proxylist.txt*
   1. Shows the server address and the port number.
   2. Check "auto-deletion of bad ..."
   3. Check "auto refresh..."
   4. Check "auto delete proxies based on the proxy level..." (based on their anonymity)
   5. Proxy judge / anonymity checking sites.
   6. Level of anonymity to auto delete. These levels (4,5) won't last as anonymous very long. Right click on a proxy address. Select remove duplicates, and remove FBI and army proxies.
   7. Click the "Speed / Accuracy tester". This will take some time to run.
   8. When finished click the "Confidentiality tester" button. This will also take much time.
   9. Shows whether the proxy is valid / exists.
   10. Shows the level of anonymity.
   11. Shows the delay / speed of the proxy, that is, how much of a delay there is when connecting to the proxy.
   12. If you want, you can highlight a proxy address then click this explorer button. This will make Windows Explorer connect through the proxy selected.
   13. Right click on a proxy address. We want to remove unwanted proxies. Click "delete bad results and timeouts", and "Delete everything non-operational and not anonymous".
   14. Right click then select "select all" to highlight all the proxies left.
   15. Right click then select "add select proxies in your proxy list" -- this will automatically open the "My List" tab.
   16. "Rotate proxies 1 logins to try before swapping" --> this tries one username and password for each proxy, then switches username, password and proxy. This will keep accounts from being locked out.
   17. Shows the proxy addresses and the ports being used.
   18. Uncheck "use WEB proxies" for this lab or on a closed network.

Creating and Using a Wordlist

1. Select the "Dictionary" tab.
2. The "Manager" tab is a wordlist manager.
3. The "Generator" tab is a word generator. It allows for the use of macros. I suggest using a wordlist manipulator like Raptor ("the Swiss-knife of wordlist manipulators").
4. The "WEB Word leecher" tab is a username and password web leecher. It searches and leeches usernames and passwords from websites just like the WEB proxy leecher. Google search "passwords" to find websites to leech usernames and passwords from.
5. The "Currently used" tab is where we can open a combo list, i.e. a username:password format file, or a username-only and a password-only file. There are advantages to loading username-only and/or password-only files. This would depend on different options that are not covered in this tutorial.
6. We will use the currently used / default wordlist.
7. Now go on to run a password integrity test.

Start A Standard Login Password Integrity Test

1. First you have to know the URL of the web page that you want to test/crack. For this lab we will use (removed). Copy and paste the link into the text box labeled "server:".
2. Also very important is whether the login is a pop-up or a .html page. The page created for this lab is of the pop-up type, requiring a username and password.
3. Pop-up logins use the "Standard" test button and .html logins use, naturally, the "HTML" test button.
4. Click the "Settings" tab and the "Search" tab. Here you can set the minimum and maximum characters in your search if you know them. You can also set other options here, including the ones that are the reason for loading username-only and password-only files.
5. Now click the "Standard" button. This will start the testing process.
6. Set the test speed.
7. Shows the username and password tried.
8. Shows the response received - "401 not authorized" tells us that the username and password are incorrect.
9. Shows the proxy used for the test.
10. Shows the weak login when found. These will also be saved in the "History" tab.

There are many more options and features that are not covered in this tutorial. Presentation time constraints and keeping it simple are the contributing factors.
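Seen from the server being tested, the "Rotate proxies 1 logins to try before swapping" setting means each source address produces only one failed login, so per-address limits never trigger and the "401" responses have to be aggregated per protected path instead. The Python below is an added example, not part of the original tutorial or of AccessDiver; the Apache common/combined log format, the thresholds and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache common/combined log prefix: ip ident user [time] "METHOD path proto" status
# Assumption: the server logs the supplied Basic-auth username on 401 responses.
LINE = re.compile(r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                  r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ts, m["ip"], m["user"], m["path"], int(m["status"])

def find_rotating_guessing(lines, window=timedelta(minutes=5),
                           min_failures=20, min_sources=10, max_per_source=2):
    """Alert on paths with many 401s from many addresses, few attempts each."""
    by_path = defaultdict(list)
    for ts, ip, user, path, status in filter(None, map(parse, lines)):
        if status == 401 and user != "-":  # "-" = first request, no credentials
            by_path[path].append((ts, ip, user))
    alerts = []
    for path, events in by_path.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window so it never spans more than `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            per_ip = Counter(ip for _, ip, _ in win)
            if (len(win) >= min_failures and len(per_ip) >= min_sources
                    and max(per_ip.values()) <= max_per_source):
                alerts.append({"path": path, "failures": len(win), "sources": len(per_ip),
                               "users": len({u for _, _, u in win})})
                break  # one alert per path is enough
    return alerts

def sample_log():
    """Constructed data: 30 one-shot failures from 30 addresses, plus one user's typos."""
    lines = [f'203.0.113.{i} - user{i} [01/Jan/2024:12:00:{i:02d} +0000] '
             f'"GET /members/ HTTP/1.1" 401 381' for i in range(1, 31)]
    lines += [f'198.51.100.7 - alice [01/Jan/2024:12:10:0{k} +0000] '
              f'"GET /reports/ HTTP/1.1" 401 381' for k in range(1, 4)]
    return lines
```

Calling `find_rotating_guessing(sample_log())` flags `/members/` and leaves the user who mistyped a password on `/reports/` alone; the thresholds need tuning against a site's normal failure rate.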