Posted by Aiwgwwibreown (joined 30.09.24)
🕵️ The Art of Digital Reconnaissance: A Carder's Guide (Part 2) 🕵️
Welcome back, ambitious bastards. If Pt 1 was the starter, then get ready for the main event of carding recon. We're about to get into the technical stuff that separates the noobs from the pros.
This part is all about Man in the Middle (MITM) tools like Caido and Burp Suite. These aren't just fancy names - they're the real deal for dissecting your target's defenses.
We'll break down how these tools work, teach you to spot AI antifraud systems and payment gateways, and show you the ins and outs of HTTP packet tampering. By the end you'll see websites in a whole new light.
Warning: this isn't for noobs. If you're still trying to figure out how to use a VPN, you might want to build up your skills first. But if you're ready to level up, this guide is your ticket to really understanding the websites you're trying to hit.
So sit back and focus. We're about to get technical, and class is in session. Advanced carding recon ahead.
What are MITM Tools?
Burp Suite and Caido aren't just fancy toys - they're the scalpels you'll use to dissect your targets.
At their core, these tools work by inserting themselves between your browser and the target website. Every request you send and every response you receive passes through them first. It's like having a nosy bastard reading all your mail, except in this case, you're the nosy bastard.
Here's the basic flow:
- You type a URL into your browser
- Your browser sends the request to Burp/Caido
- Burp/Caido forwards the request to the website
- The website sends its response back to Burp/Caido
- Burp/Caido passes the response to your browser
But here's where it gets interesting for us carders. These tools don't just passively observe - they let you intercept, modify and even replay requests. Think of it as having a pause button for the internet.
Say you're scoping out a big e-commerce site. With Burp or Caido, you can:
- See exactly what data is being sent when you add items to your cart
- Identify what APIs are being called during checkout
- Spot any hidden fields or tokens used for fraud prevention
- Detect what kind of payment gateway they're using
This intel is fucking gold for crafting your carding strategy. You can see precisely what info the site collects, how it's formatted and where potential weak points might be.
For example, you might notice the site sends a "riskScore" parameter during checkout. Bingo - you've just identified part of their fraud prevention system. Or maybe you spot calls to a Stripe API. Now you know to use cards that haven't been burned on Stripe-powered sites.
The real power comes when you start modifying requests. Changing parameters, altering headers, even injecting your own code - it's all possible. This lets you test the site's defenses without actually placing orders. You can probe for weaknesses, see how the site reacts to unusual data and fine-tune your approach before risking a single card.
Setting Up Your Digital Scalpel: Burp Suite
Before we dive into the juicy stuff, you need to get your tools ready. Burp Suite is like the Swiss army knife of web app hacking, and for us carders, it's fucking essential. Here's how to set this beauty up:
- Download and Install: Head to PortSwigger's website and grab the Community Edition. It's free and packs enough punch for what we need. Once downloaded, install that shit.
- Configure Your Browser: We're using Firefox for this guide 'cause it's less of a pain in the ass with certificates. Open Firefox, go to Settings > Network Settings and set your proxy to manual. Use these settings:
HTTP Proxy: 127.0.0.1, Port: 8080
- Install Burp's Certificate: This is crucial. Without it, you'll get more security warnings than a government whistleblower.
  - In Firefox, go to Settings > Privacy & Security > Certificates > View Certificates
  - Open Burp and go to http://burp
  - Click "CA Certificate" in the top right
  - Import the downloaded certificate and trust it for websites
- Adding a SOCKS Proxy (Optional): If you're using a residential proxy, here's how to chain it:
  - In Burp, go to User options > SOCKS Proxy
  - Enable SOCKS proxy
  - Enter your proxy details
Now Burp will MITM your traffic and route it all through your SOCKS proxy. Slick, right?
Pro Tip: For initial recon, I usually just use a VPN set to the same country as the card I'm planning to use. It's cleaner and less likely to raise flags. When it's time to actually hit the site, that's when I switch to a full antidetect setup.
Mobile Recon: Yeah, you can do this shit on mobile too. It's a bit more involved and we're not covering it today. Just know it's possible and can be useful for sites with mobile-specific checks.
Now that you're locked and loaded, let's dive into the real shit. Time to start poking around those juicy targets.
Detecting AI Antifraud Analytics
Now that you've got Burp Suite locked and loaded, it's time to put that shit to use. Before we dive in, make sure Intercept is turned off in the Proxy tab. If it's on, Burp will stop every request waiting for your input, and we're not here to play 20 Questions with HTTP packets.
With Intercept off, Burp will silently record all traffic in the HTTP History tab. This is where the magic happens. As you browse your target site, you'll see a flood of requests pile up here. Don't worry, we'll teach you how to make sense of this digital vomit.
Now, let's talk about the sneaky fuckers you're really after: AI-powered antifraud systems. These digital bloodhounds are all over modern e-commerce sites, sniffing out any hint of suspicious activity.
Modern e-commerce sites are filled with AI-powered antifraud systems. These fuckers work by injecting JavaScript into the page and monitoring everything from your mouse movements to your typing patterns.
As you go through Burp's HTTP History, keep an eye out for these JavaScript files loading on the page. They're the calling cards of different antifraud systems:
- Sift Science: "https://cdn.sift.com/s.js"
- Signifyd: "https://cdn-scripts.signifyd.com/signifyd.js"
- Riskified: "https://beacon.riskified.com?shop=example.com"
- Forter: The exact URL can vary, but it often looks like "https://scripts.forter.com/forter.js" or "https://cdn.ftr-cdn.com/ftr/YOUR_SITE_ID.js"
- SEON: "https://cdn.seondf.com/js/v6/agent.js"
- Kount: "https://b.kount.net/collect/sdk"
- Ravelin: "https://cdn.ravelin.net/core/ravelin.js"
- ClearSale: "https://integration.clearsale.com.br/fp/check.js"
- Bolt: "https://connect.bolt.com/connect.js"
- Accertify: "https://h.online-metrix.net/fp/tags.js"
- PerimeterX: "https://client.perimeterx.net/PX_CLIENT_ID/main.min.js"
- Feedzai: "https://cdn.feedzai.com/v1/feedzai-fingerprint.js"
- Shape Security: "https://ds.shapesecurity.com/ds/client.js"
Finding those JS files is like finding a needle in a haystack, especially on sites with a million scripts. A better idea is to keep an eye out for POST requests. That's where the magic happens.
Remember, this list isn't exhaustive. Antifraud tech moves faster than fashion trends. Always be on the lookout for suspicious JS files and network requests, especially those loading from third-party domains. If you see something that looks like antifraud but isn't on this list, dig deeper.
These scripts collect a fuckton of data about your session. They're tracking:
- Device fingerprints
- Mouse movements and clicks
- Typing speed and patterns
- Time spent on page
- Browser plugins and settings
As you browse through your target site, keep an eye on Burp's HTTP History tab. You'll see POST requests to endpoints like "/api/risk/assess" or "/fraud/check" carrying all this data. That's the antifraud system at work.
Here are a bunch of URLs for the POST requests that monitor your session's risk:
- Sift Science: "https://api.sift.com/v205/events"
- Signifyd: "https://api.signifyd.com/v2/cases"
- Riskified: "https://beacon.riskified.com/api/v2/beacon/collect"
- Forter: "https://api.forter-secure.com/v2/decisions"
- SEON: "https://api.seon.io/"
- Kount: "https://risk.kount.net/order.json"
- Ravelin: "https://live.ravelin.com/v2/sdk/event"
- ClearSale: "https://integration.clearsale.com.br/api/v2/order/create"
- Bolt: "https://api.bolt.com/v1/merchant/transactions"
- Accertify: "https://secure.accertify.com/CM/AccertifyMAWeb/OrderProcess"
- PerimeterX: "https://collector-PX_CLIENT_ID.perimeterx.net/api/v1/collector"
- Feedzai: "https://api.feedzai.com/v2/labels"
For example, if you're dealing with Sift Science, Burp will capture a request that looks something like this:
[code]
{
  "event": {
    "$type": "$create_order",
    "$user_id": "user123",
    "$session_id": "abc123xyz",
    "$order_id": "ORDER-123456",
    "$amount": 10000,
    "$currency_code": "USD",
    "$billing_address": {
      "$name": "John Doe",
      "$address_1": "123 Main St",
      "$city": "San Francisco",
      "$region": "CA",
      "$country": "US",
      "$zipcode": "94111"
    },
    "$payment_methods": [
      {
        "$payment_type": "$credit_card",
        "$payment_gateway": "$stripe",
        "$card_bin": "424242",
        "$card_last4": "4242"
      }
    ],
    "$shipping_address": {
      "$name": "Jane Doe",
      "$address_1": "456 Oak St",
      "$city": "San Francisco",
      "$region": "CA",
      "$country": "US",
      "$zipcode": "94110"
    }
  }
}
[/code]
This data is used to build a risk profile for your session. High risk scores trigger additional verification or straight-up rejections.
For some systems like Forter, the requests don't show up until you initiate the payment. In cases like this, look at the requests to the main site itself and check for cookies like ForterToken, etc.
[Screenshot: Booking.com showing a Riskified token]
Identifying Payment Gateways
Finding the payment gateway is critical for picking the right cards and methods. Here's how to unmask these bastards:
Always start with a test card. Some popular test cards are:
- Stripe: 4242 4242 4242 4242
- Braintree: 4111 1111 1111 1111
- Adyen: 5555 4444 3333 1111
When you submit the test card, watch the network traffic. You'll see requests to the payment gateway's domain. Look for:
- Stripe: https://api.stripe.com/v1/payment_intents
- Braintree: https://api.braintreegateway.com/merchants/
- Adyen: https://checkoutshopper-live.adyen.com/checkoutshopper/
- CyberSource: https://secureacceptance.cybersource.com
- Authorize.Net: https://api.authorize.net/xml/v1/request.api
- Worldpay: https://secure.worldpay.com/jsp/merchant/xml/paymentService.jsp
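Seen from the merchant's side, those same test cards are a detection signal: a live checkout should never receive a gateway's public sandbox PAN, and a client that cycles through several of them is probing the payment path. The following is an added example (not code from the original post) that classifies card submissions, flags known test PANs, counts hits per client, and keeps only the BIN and last four so the full PAN never lands in a log; the sample submissions and client addresses are constructed.

```python
import re

# Public sandbox PANs quoted in the post (mapping constructed here); a live checkout should never see one.
KNOWN_TEST_PANS = {
    "4242424242424242": "Stripe",
    "4111111111111111": "Braintree",
    "5555444433331111": "Adyen",
}

def normalize_pan(raw: str) -> str:
    """Drop spaces and dashes so '4242 4242 ...' and '4242-4242-...' compare equal."""
    return re.sub(r"\D", "", raw)

def luhn_ok(pan: str) -> bool:
    """Standard Luhn mod-10 check; every issuer test card above passes it."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify_submission(card_number: str) -> dict:
    """Verdict plus only BIN and last4, so the full PAN never reaches a log line."""
    pan = normalize_pan(card_number)
    if not 12 <= len(pan) <= 19 or not luhn_ok(pan):
        verdict = "invalid-pan"
    elif pan in KNOWN_TEST_PANS:
        verdict = "test-card-probe:" + KNOWN_TEST_PANS[pan]
    else:
        verdict = "ok"
    return {"verdict": verdict, "bin": pan[:6], "last4": pan[-4:]}

# Constructed sample submissions (not real traffic): one client cycles through gateway test cards.
SAMPLE_SUBMISSIONS = [
    {"client": "198.51.100.7", "card_number": "4242 4242 4242 4242"},
    {"client": "198.51.100.7", "card_number": "4111-1111-1111-1111"},
    {"client": "198.51.100.7", "card_number": "5555 4444 3333 1111"},
    {"client": "203.0.113.5", "card_number": "4539 1488 0343 6467"},
    {"client": "203.0.113.9", "card_number": "4242 4242 4242 4241"},
]

def probing_clients(submissions, threshold: int = 2) -> dict:
    """Count test-card hits per client; at or above threshold the client is flagged."""
    hits = {}
    for s in submissions:
        if classify_submission(s["card_number"])["verdict"].startswith("test-card-probe"):
            hits[s["client"]] = hits.get(s["client"], 0) + 1
    return {client: n for client, n in hits.items() if n >= threshold}
```

Run `probing_clients(SAMPLE_SUBMISSIONS)` to see the single flagged client; the same check can sit in front of the gateway call to return a decline without ever forwarding a sandbox card.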
Here's what a Braintree request might look like:
[code]
POST https://api.braintreegateway.com/co...client/v1/payment_methods/credit_cards
{
  "credit_card": {
    "number": "4111111111111111",
    "expiration_month": "12",
    "expiration_year": "2025",
    "cvv": "123"
  },
  "share": true
}
[/code]
And here's what a Stripe request looks like:
[code]
POST https://api.stripe.com/v1/payment_intents
{
  "amount": 2000,
  "currency": "usd",
  "payment_method_types[]": "card",
  "payment_method": "pm_card_visa"
}
[/code]
Some sites process payments on their own domain first. If you don't see direct calls to a known payment gateway, look for requests to the site's own API endpoints, such as "/api/process-payment" or "/checkout/finalize".
In these cases you'll have to dig deeper. Look for telltale signs in the request parameters:
- "stripe_token" or "stripe_source" suggest Stripe
- "braintree_nonce" points to Braintree
- "adyen_encrypted_data" indicates Adyen
- "cybersource_token" implies CyberSource
- "authorize_transaction_key" suggests Authorize.Net
- "worldpay_order_code" suggests WorldPay
Remember that some sites use multiple payment gateways or route the payment through intermediary services. Keep an eye out for services like:
Hidden text: cannot be quoted.
Finding the right payment gateway is only the first step. Each gateway has its own quirks and potential vulnerabilities. Now that you know which ones you're up against, you can adjust your approach and increase your chances of success.
Final Thoughts
From setting up Burp Suite to detecting antifraud systems and unmasking payment gateways, you now have the tools to attack your targets like a pro.
Remember, the more you know about a site's defenses, the better you can tailor your attack. Don't just throw cards at a wall hoping something sticks. Use these techniques to design a strategy that maximizes your chances of success.
But we're not done yet. In our next guide we'll dig into mobile recon. We'll show you how to apply these same principles to mobile apps, a new playing field for carding recon.
And we'll get hands-on with Burp's Tamper tool. You'll learn to modify requests on the fly, lower your fraud score by editing the values sent to antifraud systems, and slip past the AI bloodhounds.
Until next time, keep your opsec tight and your skills sharp. Stay alert.
Class dismissed. Doctrine out.