Configuring Apex 0.

91
This tutorial will teach you how to configure Apex 0.91 by Buddah to crack a site of your choice. This may seem a daunting task at first to some but with this guide I aim to show that it is infact a fairly simple task. Although at first glance you might think this is long and complicated its really not Ive just broken it down into lots of small simple steps so its easy to follow.

Tools Required.

Apex 0.91 by Buddah Mozilla Firefox web browser HttpFox Notepad (optional)

Site Types.
Its important to know what kind of site you can crack with Apex. Apex can be used to crack a site which uses a basic Form login, it cant be used to crack sites which use the following login/encryption methods. SSL FTP HTTP Authorization (cPanel, pr0n sites, private HTTP directories, etc) CAPTCHA protection

Lets Get Started.

The best way to learn I find is by demonstration so well walk step by step through making a config for megaupload.com.

Step 1. Download and install Mozilla Firefox here. Download and install HttpFox which is a free Firefox Addon it can be found here.

Step 2. Open Firefox and navigate to http://www.megaupload.com/?c=login You will require a valid username and password in order to retrieve the information needed to create your config. Fortunately with Megaupload you can create a free account if you dont have a valid username and password to use. If this option isnt available on the site you want to make a config for you will have to find a valid username and pass from another source. Input your user and pass information into the login boxes but do not log in yet.

Step 3. Open HttpFox you do this by right clicking with your mouse on the HttpFox icon located in the bottom right hand corner of FireFox and selecting Open In Own Window.

Click the Start button.

Step 4. Now click the Login button on Megaupload. Once logged in click Stop on HttpFox. You will see in the top box a list of items, scroll to the one which shows the login url in this case http://www.megaupload.com/?c=login. It will normally be first in the list but just double check, left click on it with your mouse and you will see it will display information in the bottom two boxes. These are your Request Headers and Response Headers.

Step 5. Select the POST Data tab on HttpFox. Select the Raw option. This shows you the post string copy and paste this into Notepad. Using Notepad is optional I like to use it because I find it helpful to have everything on one page for easy comparison and editing.

Step 6. Go back to the Headers tab and copy and paste the Request Header and Response Header info into Notepad, simply right click on each box and choose Copy All Rows.

Step 7. Ok we now have all the info needed for a valid login we now need to find the info for an invalid login. Logout of Megaupload and click Clear on HttpFox. Go back to the Megaupload login page again but this time put a username and password that you know is bad into the input boxes do not log in yet. Click Start on HttpFox. Now click Login on Megaupload, once its finished trying the login click stop on HttpFox. Follow the same procedure as before and find the login page in the top list and click on it.

We only need the Response Header info this time, copy and paste it into Notepad.

Step 8. You should now have a Notepad file that looks like this.

This is all we need to create our config for Megaupload.

Step 9. Were almost there we just need to input our info into Apex 0.91 and test it. So Lets open Apex 0.91

Click on Login Editor.

Step 10. Now Login Editor is open click on the New button.

Lets start filling in the information now.

Step 11. Login Title This is the name we want to give our config well call it MegaUpload.com Put that into the box on the editor. Request Type Here you can choose between GET and POST methods In this case we want POST so click on the dropdown arrow on the box and select POST. Host this is the url of the site which we want to crack You will find the host url in the Notepad file we made earlier in the (Request-Line) section. If the host has www. Before the url you must use it. In this case its www.megaupload.com Put that in the box Get Page We can leave this blank as we are making a config using POST. Post Page This is the page on the site where we login. We only need the page extension not the entire url, you can find this in the Notpad file in the (Request-Line) in this case its /?c=login Put that into the box

 Post String This is the data that Apex sends to the site which contains the username and pass. Ok heres where we need to do a bit of editing. Remember our Post Data from HttpFox ? thats what we need to edit. This is what we have login=1&redir=1&username=buiten&password=binnen Notice it contains the username and pass which I used to get the valid login data with HttpFox. Well we need to edit those so Apex can send different user and pass info which we have in our cracking wordlist. Where the username is you need to change that to [user] and where the password is you need to change that to [pass] So our post string will look like this. login=1&redir=1&username=[user]&password=[pass] Put that into the Post string box.

 Cracked String this is the response data that Apex checks for and if it finds logs the attempt as a crack. Back to our Notepad file for our response headers for both valid and invalid logins. Valid(Status-Line)
Date HTTP/1.1 302 Found

Fri, 23 Jul 2010 09:48:03 GMT

Server Apache Set-Cookie user=17f24ea973e1daa647c0819cf3d7774a; expires=Thu, 18-Apr-2013 09:48:03 GMT; path=/; domain=.megaupload.com Location http://www.megaupload.com/ Vary Accept-Encoding gzip

Content-Encoding Content-Length 5965 Keep-Alive Connection Content-Type

timeout=15, max=100 Keep-Alive text/html HTTP/1.1 200 OK

Invalid(Status-Line)
Date

Fri, 23 Jul 2010 09:40:36 GMT

Server Apache Vary Accept-Encoding gzip

Content-Encoding Content-Length 5896 Keep-Alive Connection Content-Type

timeout=15, max=100 Keep-Alive text/html

We need to compare thse two responses and find a response that is only found in the valid login response, in this case we will go with Set-Cookie: user=.

 Invalid String This is the response data that Apex checks for and if it finds logs the attempt as invalid We need to compare our valid and invalid response headers again and this time find a line that is specific to an invalid attempt, in this case we will use HTTP/1.1 200 OK.

Banned String Data that Apex can check for in the response and if it finds will attempt the login with a different proxy.

Megaupload is ok so we can leave this blank but if you want to check then a good way is to try loging into the site a number of times with a bad username and password.

Cookie Name says it all this is cookie data that Apex can send if needed.

Megaupload doesnt require this, most sites dont just leave it blank. Use Proxies Option to use proxies or not. We need proxies for Megaupload so select from the dropdown box. Use Emails For sites that require an email address to login. Megaupload just uses a username and password so select no from the dropdown box.

Step 12. We now have all our info in Apex and now we just need to test it. In the top right hand corner of the login editor you will se an area named testing with a username and password input box. Place your valid username in the username box and your valid password in the password box and click the Test button.

If all is ok then it should return status as cracked.

To be sure everything is fine we finally need to test with an invalid user and pass.

The status should come back as invalid, if it has were done and we just need to save our config. Click on save you should see this.

We just need to add a key for our config just a short name as the box says Im going to name this MU.com. Click OK and thats it thats our config done.