d-motzer
commented
4 years ago the service it uses to send invites and the bots name is Launchpass
Closed d-motzer closed 3 years ago
d-motzer
commented
4 years ago the service it uses to send invites and the bots name is Launchpass
dynamicdiscord
commented
3 years ago You cannot obtain the token of someone else's bot. Feel free to attempt it but it is not possible. Try making your own bot and running it.
Ximaz
commented
3 years ago This is not an issue related to the code itself, please, close it. Thanks.
AstroOrbis
commented
3 years ago I believe there is a way. Isn't the start of all tokens the ID in base64? Then the password, also in Base64? You could attempt to get the most used passwords from SecLists, then encrypt them all, and make a simple python script to merge all of them, then test them one by one, deleting the tokens that are invalid. Just an idea :)
dynamicdiscord
commented
3 years ago doesn't work like that. bot tokens are completely separate from user accounts / passwords and the tokens are randomly generated 59-60 character phrases. The bot tokens are similar to User Tokens, except they act more as private keys.
On Fri, Apr 16, 2021 at 7:16 AM AstroOrbis @.***> wrote:
I believe there is a way. Isn't the start of all tokens the ID in base64? Then the password, also in Base64? You could attempt to get the most used passwords from SecLists, then encrypt them all, and make a simple python script to merge all of them, then test them one by one, deleting the tokens that are invalid. Just an idea :)
— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/REVENGE977/Discord-Bots-Hack/issues/21#issuecomment-821209198, or unsubscribe https://github.com/notifications/unsubscribe-auth/AOF6R4ABBSPDBWR6JATS7GDTJBBDVANCNFSM4R3GDKBA .
Ximaz
commented
3 years ago No I think AstroOrbis is right about the account informations in the token. At least, for a user account. It might be a hash generated from the email, password, timestamp of the account creation and finally the ID of the account : ID.HASH(TIMESTAMP.INFO_DATA) That's what I'm thinking. But for a bot, it couldn't be the same thing because they don't have emails or this kind of thing. Excepted if it's based on the owner's one. And then, when you click regen for th etoken, it takes the new timestamp to change the hash. Or if it's a Bcrypt/Argon's one, no need to update timestamp, there is many hash for the same string.
The point is, you can't guess this part of the token. Basicly, yes, the token starts by the account's ID encoded in Base64, but about the nex tpart of the string, we don't really know.
dynamicdiscord
commented
3 years ago I can log straight into bot accounts and act as if it's a user account, and they have no bound email and password. You can't claim the account either, as with a noneregistered account.
On Fri, Apr 16, 2021 at 3:16 PM Quatrecentquatre @.***> wrote:
No I think AstroOrbis is right about the account informations in the token. At least, for a user account. It might be a hash generated from the email, password, timestamp of the account creation and finally the ID of the account : ID.HASH(TIMESTAMP.INFO_DATA) That's what I'm thinking. But for a bot, it couldn't be the same thing because they don't have emails or this kind of thing. Excepted if it's based on the owner's one. And then, when you click regen for th etoken, it takes the new timestamp to change the hash. Or if it's a Bcrypt/Argon's one, no need to update timestamp, there is many hash for the same string.
The point is, you can't guess this part of the token. Basicly, yes, the token starts by the account's ID encoded in Base64, but about the nex tpart of the string, we don't really know.
— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/REVENGE977/Discord-Bots-Hack/issues/21#issuecomment-821609284, or unsubscribe https://github.com/notifications/unsubscribe-auth/AOF6R4EOVKTTTRV4OTGG6HLTJCZLRANCNFSM4R3GDKBA .
Ximaz
commented
3 years ago Yeah, I didn't meant bot's account owns emails and passwords. What I meant is that a part of their token might be calculated from the owner's account.
I can log straight into bot accounts and act as if it's a user account, and they have no bound email and password. You can't claim the account either, as with a noneregistered account. … On Fri, Apr 16, 2021 at 3:16 PM Quatrecentquatre @.***> wrote: No I think AstroOrbis is right about the account informations in the token. At least, for a user account. It might be a hash generated from the email, password, timestamp of the account creation and finally the ID of the account : ID.HASH(TIMESTAMP.INFO_DATA) That's what I'm thinking. But for a bot, it couldn't be the same thing because they don't have emails or this kind of thing. Excepted if it's based on the owner's one. And then, when you click regen for th etoken, it takes the new timestamp to change the hash. Or if it's a Bcrypt/Argon's one, no need to update timestamp, there is many hash for the same string. The point is, you can't guess this part of the token. Basicly, yes, the token starts by the account's ID encoded in Base64, but about the nex tpart of the string, we don't really know. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#21 (comment)>, or unsubscribe https://github.com/notifications/unsubscribe-auth/AOF6R4EOVKTTTRV4OTGG6HLTJCZLRANCNFSM4R3GDKBA .
AstroOrbis
commented
3 years ago Random question: Would it be possible to get every single token possible (About 16 billion last time I checked, not sure what that file size would be, but if its 5 TB or under it's fine for me), make a botnet script to attempt to find all the valid ones and save them to another file (keep the original for new accounts), then try to log in, grab the user ID of the account, and if it's the same as the one you're looking for it just prints it back?
dynamicdiscord
commented
3 years ago Probably, although it would take a painstakingly long amount of time (up to years) unless you had thousands of computers working on it, by then, though, it might be classified as a ddos attack.
On Thu, Apr 22, 2021 at 5:19 AM AstroOrbis @.***> wrote:
Random question: Would it be possible to get every single token possible (About 16 billion last time I checked, not sure what that file size would be, but if its 5 TB or under it's fine for me), make a botnet script to attempt to find all the valid ones and save them to another file (keep the original for new accounts), then try to log in, grab the user ID of the account, and if it's the same as the one you're looking for it just prints it back?
— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/REVENGE977/Discord-Bots-Hack/issues/21#issuecomment-824789787, or unsubscribe https://github.com/notifications/unsubscribe-auth/AOF6R4DWZTEFHPQY6C26HULTKAH6HANCNFSM4R3GDKBA .
AstroOrbis
commented
3 years ago Distributed computing maybe?
dynamicdiscord
commented
3 years ago I've seen some incredible things with Folding@Home, although this probably wouldn't be a priority for them as it's kind of invasion of privacy // similar. They managed to find a single string out of 2^64 possibilities
On Thu, Apr 22, 2021 at 10:00 AM AstroOrbis @.***> wrote:
Distributed computing maybe?
— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/REVENGE977/Discord-Bots-Hack/issues/21#issuecomment-825025600, or unsubscribe https://github.com/notifications/unsubscribe-auth/AOF6R4C2SDECWCC7JESZOCTTKBI4BANCNFSM4R3GDKBA .
AstroOrbis
commented
3 years ago Imagine this. A botnet with over 3 million people on it. All from high-end PCs to iPhones. Would it be possible? Theoretically?
dynamicdiscord
commented
3 years ago Yeah! It would be similar to the bitcoin mining scenario. Depending on how much process power the devices have, we could theoretically crack every single one in half a year.
Keep in mind, people can refresh / change their tokens as well.
On Thu, Apr 22, 2021 at 9:14 PM AstroOrbis @.***> wrote:
Imagine this. A botnet with over 3 million people on it. All from high-end PCs to iPhones. Would it be possible? Theoretically?
— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/REVENGE977/Discord-Bots-Hack/issues/21#issuecomment-825372841, or unsubscribe https://github.com/notifications/unsubscribe-auth/AOF6R4A26BMNYIVTGSRXCB3TKDX3BANCNFSM4R3GDKBA .
AstroOrbis
commented
3 years ago But then we would already have it. We could split the workload into groups... for example, all tokens starting with A in one group, B with another... then sub groups... yeah this is getting out of hand kek
Ximaz
commented
3 years ago Random question: Would it be possible to get every single token possible (About 16 billion last time I checked, not sure what that file size would be, but if its 5 TB or under it's fine for me), make a botnet script to attempt to find all the valid ones and save them to another file (keep the original for new accounts), then try to log in, grab the user ID of the account, and if it's the same as the one you're looking for it just
According to my maths, it should be a file of 11.3Mo max. I say max because some tokens are 24+6+27 chars (not MFA's one) and 3+1+84 chars (MFA's one). I assumed all tokens would be MFA.
mfa_token_size = len(f"mfa.{'A'*84}")*8 # MFA Token size encoded in bytes
size_o = mfa_token_size*16_000_000
size_mo = size_o*(10**-6)
print(size_mo)
11264It might be higher if you want to put a separator like a comma, or else.
AstroOrbis
commented
3 years ago so the entire file would be 11 megabytes?
AstroOrbis
commented
3 years ago for every single possible token?
Ximaz
commented
3 years ago for every single possible token?
Theorically, yes. If all tokens are MFA. Because they are wider than other. They are 84 + 1 + 3 chars. So, it would be a less because not everyone enabled 2FA.
AstroOrbis
commented
3 years ago How long would it take to compile a list?
AstroOrbis
commented
3 years ago Making a program that runs through them to check valid ones, we can just use a python script that grabs each line, and checks the discord login API to see if its valid
AstroOrbis
commented
3 years ago I've seen some incredible things with Folding@Home, although this probably wouldn't be a priority for them as it's kind of invasion of privacy // similar. They managed to find a single string out of 2^64 possibilities …
We don’t need to find 1 string, we need every string possible.
AstroOrbis
commented
3 years ago 
Hello. I am trying to get into a private discord. A bot is in that server and it sends invites out in an email after you paid to get in. I have an old invite, but i am now removed from this server.
Where can i get a token to use this hack?