I'm looking for the location of the account "username" in this line of code. I got the password in those last brackets "test".
{"id":10,"jsonrpc":"2.0","method":"call","params":["database_api","get_accounts",[["test"]]]}
Anyone could help on this one?
@Good-karma?
get_accounts accepts an array of usernames and returns account states. Where you've entered 'test' is where the username goes, not the password (no password is needed for this call).
That's what I intercept from the login page.
I'll try to bruteforce my mum's account with Burp. She gave me several passwords.
Trying to find a way for the password's entry then. Is it feasible?
What goes for "ID" then? I got 10 here but other times different values.
In this picture below they entered the name of the account for "ID".
You're using the wrong tools for this job, you can't just point Burp proxy at this with a list of passwords. The "password" never gets sent to the server, all encryption/decryption is done locally in the browser and your browser sends out signed transactions. There's no traditional login API on a central server for you to brute force. You could've just tried the list of passwords in the browser manually by now :P
@centerlink is correct, this method accepts an array of account names. I also just wanted to direct you to the correct (and soon to be updated for hive) documentation:
https://developers.hive.io/apidefinitions/#condenser_api.get_accounts
Any idea for how to intercept the good values on the login page to bruteforce an account?
Looks easy on Burp docs but I'm not getting the "username=" and "password=" values...
One way is to sign a transaction and broadcast it using the broadcast API. I do not recommend that method because brute forcing would literally take 1,000 trillion years.
Is there a specific account you want to attack?
Yes my mum's account cuz she forgot the password but gave me a list of passwords to try bruteforcing it.
Not familiar with the way you proposed. I'll check that out tomorrow!
Basically I want username and password values to enter them in Burp and it does the job for me.
I see. Good luck with that. But there is (ideally) no API endpoint that accepts username/password. It’s all about cryptography, which means each client signs and broadcasts their data and never reveals their secret.
Tho a hacker that has access to your Bitcoin/etc... wallet.dat can bruteforce your qt password if you have one...