Tools for Credential Stuffing: A Deep Dive

Credential stuffing has become a commonplace tactic in which an attacker takes a stolen username and password and uses them to log into other systems.

Lara Mossler
Digital Security Now
4 min read · Oct 13, 2017


They do this to find out more about the person, including personal information such as a Social Security number or credit card details.

In 2017, security breaches were more frequent than ever. From Yahoo to Equifax, millions of credentials were hacked, leaked, or otherwise exposed. Yes, this is bad, but what can be even worse is what happens next.

Credential Stuffing, In Brief

Just to establish what we’re talking about for those who may not be aware, the logic behind credential stuffing is simple. People largely use the same login credentials across multiple applications. If your Yahoo email address and password were leaked, hackers are betting that you most likely use those same credentials on other sites. Often, they’re not wrong.

Having your personal information stolen or leaked is bad on its own. However, the real danger may come from what happens next. Once leaked, if your credentials can be used to access other applications, further damage may result: fraud, identity theft, and so on.

This type of attack is nothing new. In the past it was referred to as credential checking, and it required manual entry of credentials across multiple platforms. For instance, suppose I obtained your Yahoo email address and password. If I wanted to see whether you used that same set of credentials for your PayPal account, I had to go to the PayPal website myself and enter the information by hand.

Sounds tedious? It was. Today, however, these hackers use automated tools to perform the “stuffing,” making it easy to try as many sites as they want. When dealing with tens of thousands, or even millions, of credentials, what used to take a lifetime now may take only a few days. Sometimes less.

On average, attackers see about a 2% success rate in credential stuffing attacks. That may seem low, but consider the number of credentials being tested. The recent Equifax breach may have exposed the private information of as many as 143 million users.

If that information were used in credential-based attacks, a 2% success rate could expose as many as 2.86 million people to further harm.

Automation is what makes these large-scale attacks possible and more dangerous than ever. Would-be credential thieves have a host of tools at their disposal to conduct these attacks. Let’s examine a few of the more popular ones currently used.

SENTRY MBA

As is often the case, Sentry MBA was designed with a noble purpose in mind. Originally used as a tool to test Sentry MBA’s website for breaches, it has since been used for the greater bad, not good.

According to the original disclaimer:

“This program is intended ONLY for testing your own sites. Any other use of this program is forbidden. The Author does not take responsibility for any improper use of the program. When you start up the tool, you have to agree that you won’t use it to test creds against any site or asset that you don’t own.”

Have you ever noticed that the side effects on a bottle of Aspirin include “headaches”? Ironically, it can often be the case that a tool designed to do one thing can actually do the exact opposite. Sentry MBA finds itself in this situation.

After being leaked into underground communities, Sentry MBA has been used as a tool to perform credential stuffing rather than to prevent data leaks. Today it is one of the most popular tools used to launch credential stuffing attacks.

The program needs three inputs to run against a target site:

  • Configuration file — describes the “unique” characteristics of the target site, such as its login URL, so the tool knows how to navigate it.
  • Proxy file — a list of IP addresses to route attempts through. Without it, every login attempt would appear to come from one place; spreading the attempts across many addresses makes them look as if they originate from a broad range of locations.
  • Combo list — the username and password pairs to be tested against the target site. These are what “unlock” access to accounts.
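Those three inputs leave a recognisable footprint on the receiving end: a combo list means each username is tried only once or twice, the proxy file means the attempts are thinly spread across many source addresses, and almost every attempt fails. The following is an added example (not code from the article or from any of the tools it describes) of defender-side detection logic that looks for exactly that combination in a time window of login events. The log format, the thresholds and the sample log lines are all constructed for this example; real authentication logs would need their own parser.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log, one login attempt per line (assumed format):
#   <ISO timestamp> <source_ip> <username> <LOGIN_OK|LOGIN_FAIL>
# NORMAL: ordinary traffic, a few users from a few IPs, mostly successful.
NORMAL = [
    f"2017-10-13T09:00:{3 * k:02d} 10.0.0.{1 + k % 3} user{k % 4} "
    f"{'LOGIN_OK' if k % 5 else 'LOGIN_FAIL'}"
    for k in range(20)
]
# STUFFING: a burst in which every username is tried exactly once (a combo
# list being run through), spread over 25 proxy addresses, with only the
# occasional success (the ~2% hit rate the article quotes).
STUFFING = [
    f"2017-10-13T10:{k // 60:02d}:{k % 60:02d} 198.51.100.{1 + (k // 2) % 25} "
    f"victim{k} {'LOGIN_OK' if k % 50 == 0 else 'LOGIN_FAIL'}"
    for k in range(0, 120, 2)
]


@dataclass
class WindowStats:
    start: datetime
    attempts: int
    successes: int
    distinct_users: int
    distinct_ips: int

    @property
    def success_ratio(self) -> float:
        return self.successes / self.attempts

    @property
    def attempts_per_user(self) -> float:
        return self.attempts / self.distinct_users


def parse_line(line: str):
    """Split one assumed-format log line into (timestamp, ip, user, succeeded)."""
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome == "LOGIN_OK"


def window_stats(lines, window_minutes: int = 5):
    """Aggregate attempts into fixed windows aligned to the clock."""
    buckets = defaultdict(lambda: {"attempts": 0, "ok": 0, "users": set(), "ips": set()})
    for line in lines:
        ts, ip, user, ok = parse_line(line)
        start = ts.replace(minute=ts.minute - ts.minute % window_minutes,
                           second=0, microsecond=0)
        b = buckets[start]
        b["attempts"] += 1
        b["ok"] += 1 if ok else 0
        b["users"].add(user)
        b["ips"].add(ip)
    return [
        WindowStats(start, b["attempts"], b["ok"], len(b["users"]), len(b["ips"]))
        for start, b in sorted(buckets.items())
    ]


def is_stuffing(w: WindowStats, min_attempts: int = 30, max_success_ratio: float = 0.10,
                max_attempts_per_user: float = 2.0, min_ips: int = 5) -> bool:
    """Flag a window when volume is high, nearly everything fails, each username
    is tried only once or twice, and the attempts come from many source IPs.
    The last condition is the one a per-IP rate limit alone would miss."""
    return (w.attempts >= min_attempts
            and w.success_ratio <= max_success_ratio
            and w.attempts_per_user <= max_attempts_per_user
            and w.distinct_ips >= min_ips)


def flag_windows(lines, **thresholds):
    """Return the windows in `lines` that match the stuffing pattern."""
    return [w for w in window_stats(lines) if is_stuffing(w, **thresholds)]


if __name__ == "__main__":
    for w in window_stats(NORMAL + STUFFING):
        print(f"{w.start.isoformat()} attempts={w.attempts} ok={w.successes} "
              f"users={w.distinct_users} ips={w.distinct_ips} "
              f"flagged={is_stuffing(w)}")
```

The point of combining the four signals is that each one on its own is noisy: a password-reset campaign produces many failures from legitimate users, and a NAT gateway produces many attempts from one address. It is the simultaneous low success rate, one-attempt-per-username shape and wide IP spread that is characteristic of a combo list being run through a proxy list.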

Some dark web and underground community forums that promote and discuss the distribution and sale of Sentry MBA include Crack Warrior, Cracking King and Sentry[.]MBA.

VERTEX

Like Sentry MBA, Vertex needs a configuration and proxy file to bum rush multiple interfaces at once. Reportedly, it was developed by the same person who created Sentry, but this isn’t 100% confirmed. Regardless, Vertex has been around for much longer and is still used to perform credential stuffing attacks.

Vertex is a straightforward tool. Once the combo list, proxy list and configuration file have been downloaded from the site, the attacker starts Vertex and it bum rushes the target site, harvesting a large amount of personal information.

APEX

An older tool from 2010, Apex is relatively simple and reliable, but it cannot be used against websites that use SSL or HTTPS. Like the first two, it requires a configuration file, a combo list and a proxy list to work.

Mirai

Mirai is malware that is most often used to build DDoS botnets out of vulnerable IoT devices, though it has been used in credential attacks as well. As designed, Mirai accesses unsecured IoT devices (such as cameras and routers) and infects them. The result: your infected devices are now used to launch a variety of attacks.

As if that were not bad enough, the developer of Mirai released the source code for the malware, and the hacker community has had a field day with it. Releasing the source code for a malicious piece of software is like releasing the blueprint for its design.

Now anyone with the know-how and desire may use, copy, and alter the program to suit their own needs.

What’s Next?

While the development of these tools cannot be prevented, you can prepare yourself and prevent it from happening to you. In our next installment, we’ll address some common (and other not so common) ways to protect yourself against credential stuffing.


⚡Always evolving. Innovation enthusiast and product leader. Head of Product - Security, Airbnb. Passionate about regenerative agriculture. Plant-based 18 years.