International Journal of Scientific & Technology Research

Home About Us Scope Editorial Board Blog/Latest News Contact Us
10th percentile
Powered by  Scopus
Scopus coverage:
Nov 2018 to May 2020


IJSTR >> Volume 9 - Issue 3, March 2020 Edition

International Journal of Scientific & Technology Research  
International Journal of Scientific & Technology Research

Website: http://www.ijstr.org

ISSN 2277-8616

Openbullet: Credential Stuffing For Script Kiddies And Career Criminals

[Full Text]



Philip Kirkbride



Cyber Security, Credential stuffing, Password reuse, Two factor authentication, Captcha, Password dumps, authentication



OpenBullet is an open-source testing tool which has been growing in popularity in the amateur offensive security community. It is commonly used for credential stuffing. The application has grown around an underground economy which focuses on the combination of configuration files and credential dumps. In this paper I will discuss the environment that fostered the application, its use, and defensive measures which can be taken to protect against it. Password leak lists are bought and sold on black markets, as well as configurations files for the program, as well as large lists of proxies which can be used to disguise the origin of the attack. Using OpenBullet everything that is needed to successfully conduct a credential stuffing attack can be purchased with very little or no technical knowledge being needed, aside from learning how to use the OpenBullet user interface. The modularity and ease of use has bolstered the black-market. Several forums and non-public chats have sprung up, revolving around buying, selling, and giving tips related to everything needed to conduct credential stuffing attacks. As this trend continues communities, governments, and website operators are looking for more effective ways to fight this trend. Solutions include implementing two-factor authentication, rate-limiting, captchas, and alerting systems for both users and website operators.



[1]. M. Golla, D. V. Bailey and M. Dürmuth “I want my money back! Limiting Online Password-Guessing Financially.” In Symposium on Usable Privacy and Security (SOUPS). July, 2017.
[2]. "ecthros/uncaptcha2", GitHub, 2019. [Online]. Available: https://github.com/ecthros/uncaptcha2. [Accessed: 29- Sep- 2019]
[3]. Jenkins, J. L., Grimes, M., Proudfoot, J., and Lowry, P. B. 2013. "Improving Password Cybersecurity through Inexpensive and Minimally Invasive Means: Detecting and Deterring Password Reuse through Keystroke-Dynamics Monitoring and Just-in-Time Warnings," Information Technology for Development (20:2), pp. 196-213.