AOL Merlin Example -Gumby.net
You need three main tools to breach Merlin: an Internal account (possibly one that has been flagged with Merlin account access permissions), a SecurID (formerly Defender Key) device that has been specifically tuned for the Internal account you have access to, and the PegaREACH client software.
Ok, First things first.
An Internal Account. Of course, these are easy to come by, but are worthless for accessing Merlin without SecurID validation.
Which leads us to our next subject... SecurID.
It's obvious many of you don't understand what SecurID is.
Rather than talk out your ass, the best thing you should do in this situation is educate yourselves. Google is your friend.
Now, there are a lot of stupid ass kids out there who will try to convince you that they've somehow cracked the SecurID code generation process.
If you actually read this website and understood the simple explanation about how sID works, you would immediately see why all those joe n00bs who claimed they're able to crack sID are full of HORSE SHIT.
First of all... any kid who claims to have a 'list' of sID codes is full of shit for obvious reasons. These devices have heavily complex algorithms that generate new and totally UNPREDICTABLE sID codes every 60 seconds from a different & irreversible 'seed' number the device was initialized with before being given to the AOL employee. DUH.
Second of all, any kid who claims to have one of those devices and claims it works on 'any and all' sID protected internal sn that they 'cracked' is also full of shit. Every single one of these devices given out to AOL employees is UNIQUE - no two sID devices generate the same number at the same time.
For example, a sID device tuned for TOSMonitor's account will only work on TOSMonitor, it will not work on TOSAdvisor's account. This is because of the different 'seed' number that each device was initialized in synch with the particular account & AOL's sID server, before being given to the employee.
Which brings me to the third point. It is near impossible... I repeat, NEAR impossible to predict the unique numbers generated every 60 seconds by these devices. The reason why I say 'near' is because of course anything and everything is hackable - it's a question of how COMPLEX it is, and how CAPABLE you are.
BUT WAIT... there's something you have to understand - RSA Security, the company that makes these devices, are VERY REPUTABLE, EXPERIENCED, and RESOURCEFUL when it comes to this kind of thing.
RSA Security SPECIALIZES in security and encryption algorithms. They've thrown in millions of dollars and many years of serious research & development with serious brainpower at work devising the mathematical algorithm that generates the 6 digit SecurID code that you see on these devices every 60 secs, as well as foresight into all possible situations that could happen if someone wants to crack these devices (like opening them and analyzing the circuitry & instruction code).
Think about it, their entire REPUTATION rides on this technology being impossible to crack. SecurID isn't just used to protect internal AOL accounts, it's also widely used to protect many, MANY things, and things far more serious like NATIONAL SECURITY. If these devices get cracked, believe me it would definitely cause a big storm. In other words, there's already way more capable and resourceful professionals out there at work trying to crack these sID devices rather than a bunch of highschool dropouts that never passed pre-algebra, and they would have cracked it before any of you could, and we would've heard about it in the news by now.
No kid on AIM has ever cracked the sID algorithm. If you want to believe that some average 15 year old pencil necked, zit faced kid that's more concerned about the number of characters their AOL/AIM screenname lacks than the size of their penis actually came in possession of one of these devices, opened it, and has the electronics talent to analyze the circuitry on these devices as well as the incredible mathematical & programming talent to understand the algorithm, and then traced back and figured out the initializing 'seed' number for the internal account they cracked, you are FUCKING KIDDING YOURSELF.
Now, clearly the next option is to resort to 'social engineering' tactics, or 'scamming' as a cluebie like Dr. Seduce likes to call it. You hear about clueless-as-fuck kids claiming they came up with clever ways to trick Mr. Internal Bob @ AOL.com into spilling the current sID code (unlikely) or downloading and running a 'trojan', so they can 'spy' and acquire the SecurID number being typed in with a screen capture or a keylogger.
What's wrong with this picture? Remember, the SecurID device generates a new, impossible to crack number every 60 seconds. Imagine for a sec - after entering the SecurID (which is recorded by the trojan), Mr. Internal Bob @ AOL.com has just signed on his internal AOL account, and is most likely going to stay on it well over the 60 second time frame that clueless-as-fuck AOL/AIM kiddie has before a new SecurID number is generated.
The only option joe n00b has is to sign on before 60 secs is over, which of course is going to make Mr. Internal Bob @ AOL.com suspicious when he sees the pop-up window that says 'Your AOL account has signed on from another location' before he gets bumped off, as only one person can sign on a screenname at a time.
And, there's no waiting out Mr. Internal Bob @ AOL.com to sign off so joe n00b can sign on later either, because the sID number will have changed by then. DOH.
So, summary... the ONLY WAY you are going to bypass SecurID and use a SecurID protected internal account with enough time to do anything useful is to actually HAVE THE DEVICE THAT WAS SET UP FOR THE SPECIFIC INTERNAL SN YOU'RE SIGNING ON, IN YOUR HANDS.
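The server-side check behind the points above (one seed per account, a new 6-digit code every 60 seconds, a captured code dead once used or once the window passes), as an added example that is not part of the original page. RSA's SecurID algorithm is proprietary and is not reproduced here; standard TOTP (RFC 6238) stands in for it, and the seed values are constructed.

```python
import hashlib
import hmac
import struct

STEP = 60     # seconds each code stays valid, as described on the page
DIGITS = 6    # code length, as described on the page

# Constructed per-account seeds; the account names are the page's two examples.
SEEDS = {
    "TOSMonitor": b"constructed-seed-for-account-one",
    "TOSAdvisor": b"constructed-seed-for-account-two",
}


def code_for(seed: bytes, now: int) -> str:
    """RFC 6238 TOTP (a stand-in for SecurID): HMAC the time-step counter with the seed."""
    counter = struct.pack(">Q", now // STEP)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class TokenServer:
    """Validates codes against the account's own seed and accepts each time step once."""

    def __init__(self, seeds: dict[str, bytes]):
        self._seeds = seeds
        self._last_step: dict[str, int] = {}  # last accepted time step per account

    def verify(self, account: str, code: str, now: int) -> bool:
        seed = self._seeds.get(account)
        if seed is None:
            return False
        expected = code_for(seed, now)
        # Constant-time comparison so response timing does not leak digits.
        if not hmac.compare_digest(expected.encode(), code.encode()):
            return False
        step = now // STEP
        if self._last_step.get(account, -1) >= step:
            return False  # this window's code was already used: replay
        self._last_step[account] = step
        return True


if __name__ == "__main__":
    t0 = 1_000_000_020  # constructed timestamp at the start of a 60-second window
    server = TokenServer(SEEDS)
    captured = code_for(SEEDS["TOSMonitor"], t0)
    print("owner signs on:          ", server.verify("TOSMonitor", captured, t0 + 5))
    print("replay in same window:   ", server.verify("TOSMonitor", captured, t0 + 30))
    print("replay one window later: ", server.verify("TOSMonitor", captured, t0 + 60))
    print("same code, other account:", server.verify("TOSAdvisor", captured, t0 + 5))
```

The single-use check goes one step further than the page's sign-on race: a keylogged code is rejected even inside its 60 seconds once the owner has used it.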
Okay, enough about SecurID... on to the last ingredient.... the PegaREACH client.
"Merlin" is really a nickname that AOL came up with themselves, to refer to the whole PegaWORKS/PegaREACH system.
PegaWORKS is the actual member account database server that holds all the AOL account information. PegaREACH is the client that connects to the PegaWORKS server, and allows the user to view account info.
One mistake a lot of clueless fucks out there make when they lie about accessing Merlin, is that they didn't know PegaREACH is a stand alone program, separate from the AOL client - the AOL client is NOT open or run in order to connect to PegaWORKS. FDO is the html-like system that AOL uses to show window forms in the AOL client. CRIS was FDO accessible... Merlin is not FDO accessible AT ALL.
So, all those fake edited screenshots showing some kid accessing Merlin from the AOL or AIM client that you see floating around there are FUCKING BULL CRAP. Don't believe those lying fucks with edited screenshots of them accessing Merlin, they're the worst kind of scum in the hacker underground, fishing for undeserved respect.
So how would one hack Merlin?
First challenge would be to find an updated copy of the PegaREACH client. There was a leaked copy floating around on anti-aol sites awhile back in 2000, but knowing Pega Systems, I'm willing to bet that they've probably made patches and updates since and this old copy will no longer work.
Second challenge would be to find the hostnames/ip's and ports of the PegaWORKS server. This most likely will not be found by doing any sort of 'network scanning' on AOL's network, due to a wicked FIREWALL that AOL has guarding their internal network from the outside world.
I would bet this hostname/ip and port would more likely be found off one of AOL's internal staff message boards, in a server maintenance report of some sort... unless AOL has finally got a clue that hacker kids do read such reports & use the info in them to their own benefit, as this has happened countless times in the past.
Which leads to the third challenge. And unfortunately for joe n00b, the PegaWORKS server is heavily protected by a firewall, and CANNOT be accessed DIRECTLY from outside the company's internal network.
Note the keyword 'DIRECTLY'. This simply means joe n00b CANNOT open the PegaREACH client on his computer at home, and send out a direct, or 'incoming' connection thru AOL's firewall to the PegaWORKS server and connect. This is because it will be BLOCKED at AOL's firewall.
PegaREACH ----connection---> ||FIREWALL|| PegaWORKS
But wait, there are indirect ways to get around a firewall. One pretty well-known technique in the hacking world, which has actually been used to breach AOL's in-house firewall to access CRIS in the past, is the use of a TCP-based proxy server program that makes an 'outgoing' connection from the other side of a firewall TO your computer (given the firewall allows outgoing TCP connections of some sort).
The real challenge with this method though, is...... how are you going to get a TCP-based proxy server program running on a computer that is on AOL's internal network behind the firewall, so it can send an 'outgoing' connection to your computer?
In the past (around 2000), some clever kids sent AOL internal employees emails with 'screensaver' attachments that were really a trojan that installed a TCP-based 'remote' proxy server on the AOL employees' computers inside the network.
Once installed, the 'remote' proxy server sent an 'outgoing' connection through AOL's firewall, and connected to a second, 'local' proxy program these kids also ran on their computer at home.
Then, these kids opened their AOL client, and had the AOL client connect to this 'local' proxy server, which 'relayed' all packets to the 'remote' proxy server behind the firewall. The 'remote' proxy server then connected directly to the AOL server and relayed the packets to the AOL server. So the effect was just like a real direct AOL connection from inside AOL's firewall.
Like this:
AOL Client--->LocalProxy<---||FIREWALL||---RemoteProxy---->AOL
But like I said, this happened around 2000 - AOL has learned from this experience and adapted. They train their employees to be wary of trojans and have adopted a policy against the downloading & installation of anything on their internal computers.
Also, this was before AOL's email system had virus/trojan scanning - nowadays AOL's email servers scan all email for suspicious attachments. So the overall point is, this method is still possible, but much, much more difficult to pull off nowadays compared to back then.
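From the defender's side, the relay described above leaves a recognisable pattern in connection logs: an internal workstation holds a long outbound session to an unapproved external address while also talking to the protected server. A sketch of that correlation, added here as an example and not part of the original page; every address, port, threshold and the flow-record layout is a constructed assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")            # assumed internal address range
PROTECTED = {ip_address("10.9.0.5")}           # hypothetical account-database server
APPROVED_EGRESS = {ip_address("192.0.2.10")}   # hypothetical sanctioned outbound proxy
MIN_TUNNEL_SECONDS = 300                       # assumed "long-lived" threshold


@dataclass(frozen=True)
class Flow:
    start: int      # epoch seconds when the connection opened
    duration: int   # seconds the connection stayed open
    src: str        # initiator of the connection
    dst: str
    dport: int


def is_internal(addr: str) -> bool:
    return ip_address(addr) in INTERNAL


def find_relay_hosts(flows: list[Flow]) -> dict[str, list[tuple[Flow, Flow]]]:
    """Map each suspect host to (outbound session, protected-server access) pairs."""
    # Step 1: long outbound sessions from inside to unapproved external hosts.
    tunnels = [
        f for f in flows
        if is_internal(f.src) and not is_internal(f.dst)
        and ip_address(f.dst) not in APPROVED_EGRESS
        and f.duration >= MIN_TUNNEL_SECONDS
    ]
    # Step 2: the same host reaches a protected server while that session is open.
    findings: dict[str, list[tuple[Flow, Flow]]] = {}
    for tunnel in tunnels:
        end = tunnel.start + tunnel.duration
        for f in flows:
            if (f.src == tunnel.src and ip_address(f.dst) in PROTECTED
                    and tunnel.start <= f.start <= end):
                findings.setdefault(tunnel.src, []).append((tunnel, f))
    return findings


# Constructed sample flow records (not real log data).
SAMPLE_FLOWS = [
    Flow(1000, 3600, "10.1.2.30", "203.0.113.77", 443),  # long outbound session
    Flow(1500, 40, "10.1.2.30", "10.9.0.5", 9000),       # protected access during it
    Flow(1000, 3600, "10.1.2.31", "192.0.2.10", 8080),   # approved proxy: ignored
    Flow(1200, 40, "10.1.2.31", "10.9.0.5", 9000),
    Flow(2000, 12, "10.1.2.32", "198.51.100.4", 80),     # short web request: ignored
    Flow(2005, 30, "10.1.2.32", "10.9.0.5", 9000),
    Flow(4000, 30, "10.1.2.34", "10.9.0.5", 9000),       # access before the session
    Flow(5000, 900, "10.1.2.34", "203.0.113.77", 443),
]

if __name__ == "__main__":
    for host, pairs in find_relay_hosts(SAMPLE_FLOWS).items():
        for tunnel, inner in pairs:
            print(f"{host}: outbound to {tunnel.dst}:{tunnel.dport} for "
                  f"{tunnel.duration}s overlaps access to {inner.dst}:{inner.dport}")
```

The condition the page names, a firewall that allows outgoing TCP connections of some sort, is what a default-deny egress policy removes; the correlation above is for networks where some outbound traffic must stay open.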
So what does all this mean? GOOD FUCKING LUCK if you want to try to break in Merlin from outside AOL's network nowadays, it would be the HACK OF THE FUCKING CENTURY. It's pretty much impossible, due to the firewall and especially the SecurID challenge.
If you don't believe me, maybe this will convince you - Google AOL+CRIS or AOL+Merlin. Look at all the results, all the news articles and pages about hacking AOL. There's a whole lot!
Then.... notice that they are all dated, numerous CRIS hacks between 1995 and early 2001. Then after 2001..... NOTHING!! Virtually NOTHING AT ALL after 2001, not a single report of AOL's customer database getting hacked. And 2000 is the year AOL decided to install Merlin.
Pretty amazing, considering all those years of AOL being famous for being the largest piece of swiss cheese in the universe. Perhaps they finally got their shit together this time around.
Also, after Merlin all those AOL hacking news web sites like inside-aol.com, observers.net and anti-aol.com died FAST, because there was no more AOL hacking news or anything happening to keep things interesting anymore. The AOL scene shrank fast as well, all kids do anymore on AOL is run password crackers... no real action goes on anymore.
Yes, kids have hacked Merlin before with the leaked PegaREACH client. But all those hacks happened when Merlin was in the process of being installed and incomplete - those holes are no longer open.
I am not a skid, and you are a skid because you are learning this.
PLEASE REP or vouches or fuck you