website or game?

[zhangbob]

I already brought this topic up in the wrong area before (sorry), but I has a question.

I want to get an account password from a website, that shares usernames and passwords with their associated game.

Now I'm new to this (trying to get my focus on)

Should I go after trying to hack the game or the website?

After I know that I should be able to learn how to do it

[iMorg]

I dont understand. Is it like a portal login system that redirects you to the correct game once you sign in?

[zhangbob]

well im actually talking about Second life, theres is a game run by a 3rd party viewer, where you can log into the game and there is official website where you can log in to see how your account is doing and its stats, both use the same username and passwords

[Tsar]

So it's a game within a game?

And you want to steal passwords from the game?

Probably beyond your level, but depending on how secure the website is you could try either SQLi or a XSS.

[zhangbob]

oh lol no you get on the game from the viewer

the website you can access your account info kind of like WoW and blizzard.com

[theellimist]

If you can log into your account on the website then I am sure that that would be the way to go.

[zhangbob]

okay thanks so website it is. I just got an idea as well though

would something like this explained in 2007, still be viable with php today with IE9?
http://www.gnucitizen.org/blog/ie-pwns-secondlife/

for those who dont want to read the whole thing, basically would it still be possible to use php to make it so it steals their passwords (since the clients you use to log onto the actual game, save your username and password) just by going to your webpage?

like could you use the webpage you made they are visiting to essentially make them attempt a login to the point where it sends their information to your page

then even maybe use the encrypted hash of a password you got and forge a request to the (offical) authentication server?

If this is all possible then I would definately go this route instead of hacking the website

lastly is there a way to check if this is still possible other than learning and trying it out first hand?

[ande]

The secondlife protocol bug is fixed long time ago aint it?

Either way, as in any hacking situation. Go for the easiest target, if you are just doing it to get access anyway.

And, dont think of it as a game or a website. Its all servers and services. Website being one of the services.

Now, to get things clear. Is the secondlife thingy a browser plugin like flash or is it a executable you run on your computer and you login from there?

Either way, get an understaind og protocol fuzzing and manipulation. Find what type of info is being sent back and forth from you and the server and take it from there.

Really, I cant help you a whole lot more, you just have to know the basics of penetration testing.

[zhangbob]

the client is completely seperate from the IE or firefox its open source and can be user made. but yes thank you for for explaining that. I have a point of reference to start at now ~ <3