Hello Cracking.org This tutorial will help you make your first config for sites that use form logins. I am making the assumption that you have a basic understanding of some concepts and procedures needed to be a successful cracker. Concepts such as creating your own combo lists, gathering proxies and using VPNs for your own safety. If you don't know how to create an A+++ combo list or gather fresh proxies, no config in the world will enable you to be a successful cracker. The tools: Sentry Web debugging tool - HttpFox is what I will use for the purposes of this tutorial Step One: Analyzing Your Target For the purposes of this tutorial, we will be using a site called gamejolt.com. It's login page has a basic form for login, a basic form for registering and a basic form for searching. Clicking the login button on the main gamejolt.com page sends us to the user authentication page, gamejolt.com/auth/login/. This is the address we will use for our site URL. It is also important to note that not only is the login information important here, but also the information for registration. Trying different username and passwords will help narrow down the range of our combos. Note any abnormalities on the registration information that pertain to password or username lengths, the absence or need of special characters, anything that will help narrow our range. Throwing 100s of thousands of combos at login pages is just a waste of time and energy and most often an exercise in futility. Lets turn on our HTTPFox, send a username and password to the target and analyze our results. As you can see in the picture, I've labeled the 4 pieces of information that are important for your consideration: 1. Anytime you send information in a basic form, it will be sent using the POST method. Knowing that your method is a POST and NOT A GET will help you select the right data line to analyze. 2. The URL listed here is our ACTION URL. It is the URL that we send our POST DATA too. 3. This is the tab where our POST DATA is listed, as shown below. 4. This is where the basic cookie information is listed. Having a basic understanding of this information and where to find it will enable us to make successful config in Sentry and avoid a lot of mistakes. Lets open up Sentry and start to fill in the basic information for this site. Step Two: Creating the basic config As you can see in the above picture, we have 3 areas of interest. 1. This section is our list of tabs for negotiating to different places on our config. We are in the General tab. 2. This is where we place our site URL. 3. This is where we configure the basic user and password information, information we garnered through use of the registration form. Most often the only things you may need to change are the lengths of a password or username. Many sites have minimum standards such as nothing lower than 6 characters. Now lets navigate to the HTTP Header tab 1. This is the HTTP Header tab. It is the tab where we will input all the information that was acquired with HTTPFox. 2. This section labeled as #2 will never need to be changed for basic forms. It is only for advanced users. 3. This is where we select the type of method used to send information. As previously mentioned, any form information will be sent by the POST method, which is represented as MW. 4. This button will take us to the Master Wizard, where we will fill in all the important POST information for our config. Even though this may be your first config made using Sentry, I think it's a good idea to get in the habit of trying to analyze as much information about your target as possible. This will make it easy to debug them and also to configure sites that aren't as easy as a basic site. I will give you a step by step instruction of what to do on the Wizard page for a basic config. Understanding these basics and how the information is transferred from your computer to the target and back to you will help with more difficult sites. 1. The first step we need to do is change the debug mode. This will open a second window. We want to select the Form+TCP debug. Now press the Analyze Login Page button. Sentry will send a GET request to our site URL and get the COOKIE information as well as the source code from the site URL. You will see this information scroll before you in the window. Sentry then examines this source code looking for form actions and the fields associated with them. On the http://gamejolt.com/auth/login/ page, there are 3 different forms, one for searching(form field #1), one for login(form field #2) and one for registration(form field #3). Sentry knows that we are only interested in the form fields necessary for login. As such it will take each separate field from this login form and put the information into the Authentication Stage(green 3 on our picture). What is important here for us to do is compare this information that Sentry has put in the Authentication stage with the information we have in our HTTPFox POST Data tab. As you can see in the POST Data tab, we sent 4 pieces on information to the target site. Sentry has analyzed this form and put the 4 pieces of information in the Authentication Stage and they are identical to those in HTTPFox. This is what we would expect so we can move on. 2. This is where out cookie information is. 95% of the time it is necessary to check the Refresh Cookie box. This will tell Sentry to get a new cookie for each combo it tries. 3. Authentication Stage where we input the POST Data and Action URL. 4. Our debug window. Click the Use Data bottom at the bottom. All of the basic POST Data information for the config has been entered. Now we need to naviagte to the Fake Settings Tab,skipping the proxy tab. 1. Fake Settings tab. 2. This is the only box you need to worry about on this section. Because we will be using source keys for our config, it is necessary to check this box. If you don't understand the difference between HEADER keys and SOURCE keys, check out this thread for a brief explanation. Now lets navigate to the Keywords tab, our final step in the creation of our config. 1. Keywords Tab 2. The Global Key Phrases are keys used by Sentry to help us ban bad proxies. AS you become more experienced you may find it helpful to add to this list to help Sentry differentiate between bad proxies and other keys. 3. This is the section where we would add success and failure keys for headers only. For this tutorial, we are concentrating on SOURCE keys only, so ignore anything marked for HEADERS. 4. This box is where we will tell Sentry that the information we are getting back from our target site means that it is a failed combo. As you can see in the box I labeled #6, when you input a bad username or password, the target site sends this information back to Sentry in the SOURCE information. Lets take another look at how the data goes from Sentry to the target site and back to Sentry: a) Sentry sends a GET to target site requesting COOKIE information and SOURCE data Sentry receives a HEADER with cookie information and the SOURCE data with everything you would see on the webpage. c) Sentry sends our POST Data to the target site d) Sentry receives another HEADER with information and a SOURCE with everything you would see on the webpage. Maybe this webpage is a success and we get in or in our case as noted in box 6, a failure. So for this box, we want to input the exact code that the target site sends back to us when we have a failed attempt at logining in. It does not have to be the complete sentence BUT it does have to be unique to this webpage where we have our failed login. If you were to put a piece of SOURCE data that appeared on the success page as well, Sentry would never be able to tell the difference between bad combos and good ones. A FK(failure Key) such as "The username/password combination you entered was invalid." would work well for this webpage. 5. This is where we would input a SK(success key) indicating that the combo we tried worked. Most of the time when we create a new config, we will not have access to a SK. We will talk about this a bit later in the tutorial. 6. SOURCE code indicating we had a failed login attempt. Highlight this code, right click your web browser and select View Selection Source. Transfer a unique part of this code to the FK(failure key) box. Now our config is complete but the process is not done yet. Return to the General tab and click the Save Settings to Snap Shot. Next we need to debug the config and make sure it is working as intended. Navigate to the Tools Section and select the HTTP Debugger. Step Three: Debugging Our Config As you can see in the picture, I have labeled 5 areas of interest for us. 1. HTTP Debugger tab in the Tools Section. This will act exactly like a browser would but will not translate the code into the text and pictures that you would normally see on a webpage. It will help you to understand the flow of information and help you see and correct any problems so that the config works in a proper fashion. 2. Make sure that Site URL here is the same address of the target site you wish to debug in your config. 3. Checking this box means that Sentry will load a snap shot of the Site URL listed and run it. 4. Under the settings tab, fill in the box for username and password. Nothing else is needed for basic debugging. 5. Press this button to tell Sentry to start the config. You can watch how the information is passed from Sentry to the target site and back to Sentry. If you have done everything correctly you will receive a message like the following: <-----Bot Status: Failure Source Keyword Match -> Found Key [lock">The username/password combination you entered was invalid.] - Source Length: 16403-----> If you have made any mistakes, you will need to scroll through the information in the debugging window and try to find where it is that Sentry is having issues. More than likely for the most basic of form sites, the error will be either in the Fake Settings Tab, where you have forgotten to check the Follow Redirects box or you have not put in a proper FK(failure key). Step Four: Success at Last Now that we have completed our config, properly debugged it and made sure it is working as intended, we only need to go to the Progression tab and hit the start button. As you may remember, when we were putting in the information for Keywords, we purposely left the SK(success key) portion empty. With a properly running config, anytime that Sentry receives a webpage that doesn't contain the FK(failure key) it will send these to the tab marked as To Check. This is where we will find combos that have worked properly and from these combos we will be able to get a properly working SK(success key).