The Arcive of Official vBulletin Modifications Site.

Loget · #1 10-27-2008, 08:26 AM

Does anyone know how to do this? I need this to detect multiple accounts. I want the password sent to a .txt files everytime a user logs in.

If anybody can help that would be great!

snakes1100 · #2 10-27-2008, 08:28 AM

Not possible, there is a hack in the mods section that uses cookies to detect multies, do a search for it.

Loget · #3 10-27-2008, 08:31 AM

Im pretty sure its possible since anyone can edit the code on the vbulletin files....

snakes1100 · #4 10-27-2008, 09:12 AM

ok, well edit away, vbulletin uses this, good luck.

$hash=MD5(MD5($password)+$salt)

Dismounted · #5 10-27-2008, 11:22 AM

The only way to "crack" a vBulletin password hash is to brute force it. And that will take a long, long time. Rainbow tables won't work as a random salt (unique to each user) is added.

Videx · #6 10-28-2008, 01:47 AM

How the heck would knowing someone's password enable you to detect multiple logins anyway? You mean for the people that are stupid enough to use the same password?

The mod you want is Multiple account login detector (AE Detector) .

punchbowl · #7 01-10-2009, 02:07 PM

If I get the md5 password and salt through mysql how can I return a plaintext password?

edit: impossible apparently

Rene Kriest · #8 01-10-2009, 04:03 PM

Quote:

Originally Posted by Videx

How the heck would knowing someone's password enable you to detect multiple logins anyway? You mean for the people that are stupid enough to use the same password?

The mod you want is Multiple account login detector (AE Detector) .

Dude, it is simple as it is: spamers need to take care of their PWs and believe that they are hidden to moderators and maybe admins. Cookies can be deleted anyway, IP changed as well - but change 10+ PWs?

I worked for a very large forum and the moment we accidentally had access to the plain PWs we had the ability to boot a large stack of forum spamers and idiots.

AE detector is useful but only if - if someone keeps his cookies and that is depending more on a wish than really a reliable forensic method.

And last but not least: you always have to take more than one aspect into consideration. Cookie detection is one thing, identical PW another. The more pieces you get together the better. I wouldn't rely solemly on AE detector and on PW alone - but together they rock.

Bellardia · #9 01-10-2009, 05:27 PM

A password is even easier to abuse than a cookie.
The spammer only needs one per account, and rarely has to log in more than once, thus it could create a totally random PW and it wouldn't make a difference.

If you really insist on doing this you could add an extra hidden field in the login form, on form submit (this.value=getElementsById(vb_login_password).val ue). Then modify the login page to store that field.

I won't really help you further because it's not a good idea. You're willing to jeopardize your sites security to try and find spammers that use the same password. Might as well just allow the 'random' salt to be a fixed value so the same passwords have the same hash.

Dismounted · #10 01-11-2009, 04:46 AM

Quote:

Originally Posted by punchbowl

If I get the md5 password and salt through mysql how can I return a plaintext password?

edit: impossible apparently

One of the joys of MD5/SHA/Whirlpool/etc. is that they are one-way hashes.

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.03941 seconds Memory Usage 2,245KB Queries Executed 11 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (2)bbcode_quote (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (1)pagenav (1)pagenav_curpage (1)pagenav_pagelink (10)post_thanks_box (10)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (10)post_thanks_postbit_info (10)postbit (10)postbit_onlinestatus (10)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start pagenav_page pagenav_complete tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!