Force OP Guide

This is a list of common tactics people use to get admin on servers without the owner's permission. It will also outline ways the server owners can protect against such methods.

But I heard that Force OP Hacks are Fake!
Well, the majority force OP hacks out there are fake. Check this link for examples of them. If all it takes to OP yourself on a server is to download some shady exe file, surely there would be hundreds of servers getting hacked daily, right? Real ForceOP hacks take effort to carry out, and never work on big servers like Hypixel. Searching up "ForceOP hack" on Google to get them will guarantee that you get a virus on your computer. It doesn't matter how many likes or comments the video showcasing the hack got, it's still fake.

Password Brute Force (Cracked Servers)
In cracked servers, players have to set a password via "/register password" to prevent others from logging in under their name. People tend to use commonly used passwords and not unique ones, which is why clients like Wurst have a "ForceOP" hack that tries the commonly used passwords to login. This obviously will have a very low success rate, but this method is one that will always work. Using a password that is not common would obviously fix this, and blocking the IP if too many failed login attempts occurred over a short period of time would also work too.

Another similar application of this is where someone creates a cracked server and uploads their server to some server listing website (like PlanetMinecraft). Players would register using a password, and then the owner of that cracked server would try that username and password across popular cracked servers. This works because people use the same password across multiple servers.

BungeeCord Exploits
This is probably the most popular way to ForceOP on a server. The vast majority of OP exploits performed are using this method. This method exploits the structure of the Bungeecord server. Bungeecord servers serve as a link between several Spigot servers, which allows for thousands of players to be on a single network at a time. For example, if example.com:25565 is the main server, the Spigot servers may be hosted at example.com:25566 or some other port. Because of technical restrictions, Spigot subservers must be in offline mode, meaning that anyone can directly join from any username, regardless of whether the main Bungeecord is premium or cracked. To carry out this exploit, tools like NMap are used to scan the ports of that IP, potentially revealing subservers to connect to. Port scanning hosting providers like BisectHosting is also possible, as the subservers do not have to be hosted in the same domain.

Some server owners have tried to block this method by disabling IP forwarding, and anyone trying to connect to the subservers will get a message starting with "If you wish to enable IP forwarding". This is not enough to stop this exploit. There is a workaround to this by changing the IP of the CHandshake packet that would bypass this message (SkillClient did this). A plugin like Only Proxy Join is needed to stop people from connecting directly to your subservers.

In-Game Exploits
This is a category for any exploit performed in game that could allow you to OP yourself. A great example of this was the sign exploit, where the player would create a sign with a command attached to it, and right clicking it would allow the player to run any command ignoring permission levels. These exploits get patched very quickly, and will not work in any server that is up to date with their Spigot version.

Session Exploits
These are the most serious types of exploits. It happened recently in March 2020 (https://github.com/nerdsinspace/leaky-leaky) where players could bypass Mojang's authentication servers. Usually, these exploits are patched hours after being released, and by the time you find them, they will probably be patched. It affects any kind of server (the last one was used on Hypixel and 2b2t), but they don't appear often. The only way to prevent these kind of exploits is to remove the OP command from players in game, although famous players can still get hacked (which is why Mojang takes these exploits so seriously).

Poisoned Plugins
A poisoned plugin is one that contains a secret command allowing a player to get OP. It is usually disguised as a utility plugin. One method to hack a server is to convince the owner to install these plugins, and then running the secret command when the owner goes offline. Another method is to upload the plugin to a plugin sharing website like SpigotMC, and then waiting for users to install the plugin on their servers. The poisoned plugin would contact a website with the IP of the server, and a while after someone would log in and mess with the server.. One way to prevent yourself from being hacked with this method is to download plugins from trustworthy sources. Also remember to check the source code of the plugin by decompiling it.

Miscellaneous Strategies
This category describes any other exploit that could be employed. For example, someone could find the password to the server hosting and wreck havoc from there. Or, someone could use social engineering to find some sensitive information and hack a server.