[Tutorial] Sentry MBA, Basic Guide

[ASERHaerheadrherherh]

Because evidently the 141 bots viewing this subforum aren't contributing ... and I'm sick of people asking even simple things, like "What's a combolists?" Don't even get me started on "make me config pls" or "got config for uplay/origin/netflix," clearly they aren't paying. I'm creating this guide, so hopefully we call can deal with less clutter and spam, and hopefully assholes actually learn something about sentry before getting all into 'cracking' for the money. You can't just load configs and say you know how to crack, hell probably half the people cracking don't even know what a HTTP request is. So, that's all there is to it, basic guide (I will update over the days as I get more free time), please thanks if this guide helped you, thank you very much!

Cracking Glossary
Sentry MBA:: One cracking program
Snipr: Another cracking program
Combolists: Huge text files with thousands upon millions of leaked login credentials. We throw these against login servers to check if they're valid.
Configurations/Configs: Configuration files for Sentry MBA (a credential stuffing program). Specifically tuned to bruteforce the website, often contains captures (will be explained later) and special tricks to circumvent ip bans and other security measures.
Proxies: They change the ip address, so your banned ip isn't banned anymore. Useful for getting around websites which quickly ban and blacklist IP addresses, thus preventing them from sending login attempts. Proxies change your IP address so the website thinks you're legit and allows some more attempts through.
Keywords: Keywords from response or source to determine whether credentials are valid or not.
Captures: Specific information gleaned from website source after logging in, such as premium currency, subscription, length of subscription, personal information, etc.


Section 1: The basics of credential stuffing
Now you may be asking me, what does cracking actually mean? Well, cracking is wrongly worded, because we're not actually cracking a specific lock, but actually using someone's stolen key to check every damn house in the neighborhood to see if the key opens any of them. Literally, that's all credential stuffing is. Now, in our case the keys are compromised login information from compromised websites (usually hacked or SQLI dumped), which are in turn thrown at other websites really, really rapidly to see if any are valid. If they're valid, well, we sell them for good moneys.

Y'all better learn about HTTP requests before you proceed any further, I'm serious. Although we will mostly only be going through POST requests which most websites use for login, it's good to learn about how HTTP requests work in general. In shortened terms, this is what most login POST requests do:
- They request login into a website, "Hey, I want to login, my username is XXX and my password is YYY."
- The server authenticates the request, is the login information valid?
- If the information is valid, it returns some unique information declaring the information is valid, usually in the form of a token or cookie or something like that, and redirects the user to the account page (or the bot, in our case).
- If the information is invalid, it returns some other information. No worries, we just throw that one aside and test the next set of credentials. And the next one. Don't underestimate the power of cracking, some configs I'm using can chuck a few hundred credentials per second; some can even support thousands of attempts per second. Don't feel so safe now, right?

So, when our request is authenticated, our software records which credentials are valid and which aren't, and records them in some file which we can then extract credentials from and sell for money. That's about all there is to credential stuffing in general, next we'll go in-depth on some ways websites attempt to thwart credential stuffing, and how some crackers and configurations have bypassed these security measures.

WIP, will be updated tomorrow, stay tuned and please thanks if you enjoyed! Feel free to DM me with any inquiries or for assistance, also please don't DM me with obvious leeching (hey, can I hab config/proxy) or anything which can easily be searched online. Thanks!

[Callie]

Amazing guide so far,
However please note I don't think you can edit posts.
So, you're just gonna have to reply to this with the next parts.

What id like to see:
How to actually find combos yourself rather than leeching it from others

Btw for anyone wondering, this guy knows his stuff.
He's a great cracker, have done business with him

[LinkinParkPT]

I agree. Awsome intro to the tutorial.
And yes teaching how to make combos yourself rather then leeching them would be quite nice. Howerver in the beggining I understand that leeching them is much more easier.
Can't wait for the next part

[ASERHaerheadrherherh]

I agree. Awsome intro to the tutorial.
And yes teaching how to make combos yourself rather then leeching them would be quite nice. Howerver in the beggining I understand that leeching them is much more easier.
Can't wait for the next part

Sadly, I'm not too great with SQLI dumping, and honestly with the number of malware-infested SQLI dumpers going around, I don't want to be held liable if anyone gets infected. I would highly suggest just buying combos from other people if you don't know what you're doing.

[Magnus1935]

tHANKS FOR THE GUIDE, VERY HELPFUL

[rammelpopje]

Good guide, hope to see more content.
I'm new in the world of cracking and i seems u know alot about it.
Maybe when u got some time u can teach me more about it ?

I would be very thankfull

[ASERHaerheadrherherh]

Good guide, hope to see more content.
I'm new in the world of cracking and i seems u know alot about it.
Maybe when u got some time u can teach me more about it ?

I would be very thankfull

Sure, add me on skype (dmed)
EDIT: I guess you can't get DMs, dm me for my skype

[G24w]

nice dude!

[ASERHaerheadrherherh]

nice dude!

hey look it's fucking you from that other forum owo

[G24w]

hahahaha

[insiware]

Good contribution

[oncagey]

thanks for this. simple and easy