Open Bullet Proxies

Open Bullet Proxies

February 4, 2022
0

How Cybercriminals Abuse OpenBullet for Credential Stuffing

Cyber Threats
In this blog, we detail how cybercriminals exploit OpenBullet, a legitimate web-testing software, to brute-force their way into targeted accounts.
By: Cedric Pernet, Fyodor Yarochkin, Vladimir Kropotov
April 30, 2021
Read time: ( words)
The trend for access-related cybercrime, such as credential stuffing, is steadily rising with no sign of slowing down. According to an Akamai report, there has been a total of 88 billion credential stuffing attacks from January 2018 to December 2019.
Credential stuffing, a type of a brute-force attack that makes use of botnets to access websites and online services using stolen credentials, allows financially motivated actors to gain unfettered access to victims’ bank accounts and sensitive information. Cybercriminals also profit from stolen credentials by selling them in underground forums and markets.
As the business of acquiring unique credentials continues to become more lucrative, cybercriminals are enriching their attack tools and techniques by abusing legitimate software for nefarious purposes.
In this blog, we detail how cybercriminals exploit OpenBullet, a legitimate web-testing software, to brute-force their way into targeted accounts. Due to OpenBullet’s popularity, a whole market for trading configuration scripts have formed in the underground. We explore how some threat actors compromise the supply chain of OpenBullet configuration scripts by supplying scripts with hidden features. Finally, we also give recommendations on how users and organizations can handle multiple passwords efficiently and securely, and provide guidance on how they can remain protected from credential stuffing attacks that lead to account takeovers.
A Closer Look at OpenBullet
OpenBullet is a free web-testing software that enables developers to perform specific requests on target webpages. The open-source tool can be found on GitHub and used for different tasks, including scraping and parsing data, performing automated penetration testing, and unit testing using Selenium.
The software enables users to try multiple “login:password” combinations as credential brute-force attacks on different websites for legitimate purposes, such as penetration testing. However, it can also be used by cybercriminals in order to discover valid credentials on different websites for ill gain.
OpenBullet allows a user to import prebuilt configuration files or configs, one for each website to be tested. It also has a flexible editor to modify configs as needed. This is a mandatory feature, since websites tend to make slight adjustments to the way that users connect to them in an effort to counter automated tools like OpenBullet.
Notably, OpenBullet’s GitHub page features a warning informing users that the tool shouldn’t be used for credential stuffing on websites that they do not own.
Figure 1. Disclaimer from the OpenBullet GitHub page
OpenBullet Features That Can Be Abused
Wordlists
This tab allows the user to import thousands of words that can be used when attempting to connect to targeted websites.
An entry can be as simple as “email address:password” or “login:password”.
Wordlists are not provided with the OpenBullet tool. As a result, users would need to find and use their own. However, OpenBullet has a wordlist generator feature.
As an example, we generated a wordlist on OpenBullet using the following characteristics:
Users’ email addresses that are composed of three digits followed by “”
Users’ passwords that start with “abc” followed by two digits
Figure 2. OpenBullet’s wordlist generator and the extracts of the generated wordlist on a Notepad file
Though this example does not exactly reflect reality, it still shows some possibilities of what the tool can do and how easy it is to create such wordlists.
Runner
A user can select this tab to launch a credential attack using OpenBullet. The runner tab shows the progress and the number of positive hits for every website that is being tested. Users can also launch multiple runners at the same time.
Figure 3. Screen capture of the runner tab working on OpenBullet
Proxies
Some websites with good security might blocklist the IP address of a penetration tester — or a cybercriminal — especially if it is being used to make several attempts to log in to several different accounts. To avoid this, proxies are used.
Proxies are an important part of OpenBullet. They allow users multiple login attempts using a different IP address for each attempt. In addition, they can set up the time between each connection attempt, so that each attempt does not raise any alarms on the targeted website for an unusual login activity that typically would be generated by a high number of attempts in a very short period.
Different kinds of protocols are accepted for proxies in OpenBullet: HTTP, Socks4, Socks4a, and Socks5. The more proxies are added to OpenBullet, the better it is for fraudsters. It is also important to note that since proxies are not provided in the tool, users need to rely on using their own, which they can buy from underground forums or from paid proxy services, or even discover using internet-scanning techniques.
Figure 4. OpenBullet’s proxies tab, which features several proxies on different protocols or ports
Tools, Plug-ins, and Settings
Plug-ins can be easily imported to OpenBullet for different purposes. For example, by using additional plug-ins, users will be able to:
Mix a list of usernames and passwords to generate all possible combinations.
Export the hits from the runner tab directly to an instant messaging platform.
Use a known successful login or password combination on a big virtual private network (VPN) to get a full list of all of its working proxies.
The possibilities are seemingly endless as long as a user’s purpose involves sending and collecting data to and from a targeted website.
On the settings tab, OpenBullet users are able to tweak system settings, such as bypassing CAPTCHAs or using Selenium, a portable framework for testing web applications. Users need API keys in order to bypass CAPTCHAs. However, API keys are not provided in the tool.
Figure 5. OpenBullet options for CAPTCHAs in the settings tab
Configs
Configs are the heart of the OpenBullet tool. They are files that are imported to OpenBullet for every website that needs to be tested. Since every website handles authentication or login differently, a unique config file is needed for every website.
OpenBullet supports multiple config file types, including plain files (, otherwise referred to as “LoliScripts”) and encrypted files ().
In OpenBullet, configs can be created or modified using an interface called the “stacker, ” which works by executing several tasks called “blocks” in a stack, one after the other.
Let us take a closer look at a config that we found to be targeting a large retail company. Using this particular config, we can see how it is possible to do much more than just checking whether login credentials for authentication work.
Figure 6. Stacker interface showing different blocks to be executed from top to bottom
In the preceding screen capture, we can see seven different blocks: request, key check, request, and four parse blocks. Each block is called one after the other by OpenBullet when the runner is launched.
Figure 7. The first request block of a specific config that targets a retail company’s website
A user can also see and edit the config directly in LoliScript code, as seen in the following figure:
Figure 8. Full config in LoliScript code
The script in Figure 8 shows that once logged in, a user can go to the payment preference page of a victim company and quietly extract credit card information.
This is one striking example of the dangerous activities that cybercriminals can do on OpenBullet.
The Business of OpenBullet Configurations
While some OpenBullet configs can be found easily online, other more sensitive configs are sold on dedicated websites or on underground cybercrime forums and marketplaces. Generally, config prices average between US$5 to US$10 as of writing.
Figure 9. Types of OpenBullet configs available for sale on a dedicated website
Because configs tend to have a limited time of use due to the constantly changing parts of websites’ authentication processes, the widely adopted business model involves selling licenses to get configs updates as needed.
A single config bought for US$5 might work for some weeks, but when changes are applied to the login process, it becomes obsolete. Therefore, users tend to pay monthly licenses to get all of the necessary updates.
It is also not rare to see actors sharing some configs for free in order to attract users to purchase more advanced configs.
Figure 10. An actor sharing a LoliScript config on a Telegram channel. The script finds valid credential logs from an online antivirus company and steals product and activation codes with expiry dates.
OpenBullet variants
Because OpenBullet is open-source, it has allowed third-party developers to create their own version of the software (such as SilverBullet and OpenBullet Mod, Anomaly) that supports its own version of scripts called “anom. ” Some of these versions are even more calibrated for cybercrime use and can be found easily on online forums.
Figure 11. Example of a third-party OpenBullet version
Other Software
Aside from OpenBullet, other software for credential stuffing is available on GitHub or on underground forums.
Figure 12. A package of tools that are related to credential checking. The package is offered on an underground forum in the Russian language.
While other tools are available in the underground market, OpenBullet remains a tool favored for abuse by cybercriminals as it offers both comprehensive support and a wide range of possibilities. In particular, its wide adoption and the number of available configs make it popular among cybercriminals.
Backdoored Config Files
The official OpenBullet configuration format is not obfuscated. However, there are many unofficial OpenBullet configuration formats that come in some form of obfuscation. This enables the packing of backdoors or so-called hit loggers. In fact, backdoors in OpenBullet configuration files are very common — so common, in fact, that there are tutorials on how to remove them, as evidenced in Figure 13.
Figure 13. Part of a tutorial on how to remove backdoors in obfuscated OpenBullet configs
Many tutorials advise using only / / and not to use the encrypted / / / for not running obfuscated code. A typical backdoored config might look like the one in Figure 14.
Figure 14. Deobfuscated backdoored LoliScript. Sensitive data has been replaced by Xs.
Basically, backdoors involve the sending of data somewhere. In the example shown, there is a constant GET request leaking the usernames and passwords to one particular website controlled by the backdoor controller. Other kind of backdoors can be used to post stolen data on a particular page on a website or on messaging apps like Discord.
Other Ways Cybercriminals Illegally Obtain Credentials
Aside from abusing legitimate software and using malicious software, cybercriminals also employ other tried-and-tested ways in order to obtain user credentials — one of which involves using phishing campaigns.
However, phishing campaigns collect a few hundred credentials at best. They also require fraudsters to build and host phishing websites to which they would lead victims after sending thousands (if not millions) of fraudulent emails per campaign. According to our 2020 Cloud App Security Threat Report, 5, 465, 969 credential phishing attacks were detected and blocked in 2020.
Phishing campaigns typically need resources and time. As a result, this could lead cybercriminals to opt for other malicious means that require less effort.
Aside from searching for stolen credentials online, cybercriminals compromise websites such as large forums and dump their databases. This is why it is important for website administrators to ensure that their databases are encrypted.
Credentials can also be bought from underground websites and forums. Sometimes, credentials can even be obtained for free.
Figure 15. A compromised website’s full database being sold on an underground forum
It is also possible to buy credentials that have been saved in text files, which makes credential reuse easier for fraudsters.
Figure 16. Underground forum showing offers for credentials files
Typical Uses of Stolen Credentials
The difficulty of having one’s credentials stolen doesn’t end when fraudsters take hold of them through illicit means. Rather, this could be just the beginning. After all, the many uses that cybercriminals have for stolen credentials can be even more devastating. Just last year, we reported how cybercriminals use stolen credentials such as personally identifiable information (PII) or credit card data from people who might already be suffering from the global pandemic as cybercriminal prizes for online poker games and rap battles.
These are the typical uses of stolen credentials:
How to Securely Handle Multiple Passwords
Security professionals have always recommended the use of different non-guessable passwords for each website and online service.
While this recommendation makes sense, most people find it difficult to maintain a list of every password for every website that they need access to. Such difficulty seems inevitable in light of the fact that on average, people need to remember 100 passwords for their online accounts and services, according to a NordPass study. Some people opt to write down their credentials or save them as an online file as a practical way to keep track of them. Still, these methods are high-risk in nature: If a malicious actor were to get hold of the written document or gain access to the file that contains credentials, they would then also gain access to all the websites and services listed there.
Fortunately, users can rely on password managers, digital vaults where passwords can be stored and managed in an efficient and encrypted way. Some password managers even have autocomplete features that can be used for logging in to any website through a keyboard shortcut.
Some of these managers work as online services while others function locally. These managers store and encrypt passwords and require a master password for access. This means that a user would only need to remember their master password, after which they can proceed to create strong and unique passwords for all of their accounts without needing to remember each one.
How to Stay Protected From Credential Stuffing Attacks
The following are steps that users and organizations alike can take in order to protect themselves from credential stuffing attacks:
Practice good password hygiene. Users should avoid using weak passwords while organizations should implement a blocklist of commonly used passwords to prevent users from creating them. Users should also avoid reusing credentials for various online accounts and services. When creating passwords, users must make sure that each is unique and remember to change them routinely.
Enable multi-factor authentication (MFA) on websites and services. An increasing number of websites and services offer MFA. Generally, MFA consists of a combination of external one-time passwords (OTP) that are generated and stored on a device that the attacker should not have access to, such as mobile phones (via texting or a third-party application), fingerprints, software security tokens or certificates, and a security USB key. This is by far the most effective defense against credential stuffing attacks.
Create a PIN or answer additional security questions. Some websites enable users to answer additional security questions or provide a unique PIN for further authentication.
Enable login attempt analysis. Some websites and services such as email service providers run analyses of login attempts. These are based on different factors, including:
Browser information. An attempt to log in with a different browser, one that is never opted for by a user, could indicate a fraudulent login attempt.
IP address. Users who suddenly change the IP address and/or country of origin might be a good indicator of fraudulent attempt.
User behavior anomaly analysis. Users do not browse websites the same way as automated software or bots do. Therefore, a careful analysis of a user’s behavior can help trigger alerts and actions to protect the account.
It is important to note here that the use of CAPTCHA should not be considered as a secure method to defeat automated login attempts. As shown earlier, OpenBullet can use several different CAPTCHA API keys for evasion purposes.
It is undeniable that data breaches are becoming more commonplace and alarming. In February 2021, the Compilation of Many Breaches (COMB) was made available online, exposing a staggering 3. 2 billion credentials. In line with such developments, credential stuffing attacks are expected to continue rising in number.
Despite an accelerating number of online services allowing users to boost their account security by means of enabling either two-factor authentication (2FA) or MFA, the adoption of these security tools remains low. Research has shown that people tend to ignore 2FA or MFA, thinking that their passwords are already strong enough and that these practices are unnecessary. For instance, a 2018 report divulged that 90% of active Gmail users have not enabled 2FA.
The same goes for password managers — although these are effective in securing a large number of unique passwords, many users still do not use them, let alone trust them. According to a survey conducted by Password Manager and YouGov, 65% of Americans distrust password managers.
Given the nefarious uses by cybercriminals with regard to stolen credentials, it is vital to have more promotional campaigns that highlight the importance of creating strong, unique, and secure passwords and storing them in password managers. Indeed, users and organizations can only benefit greatly from the widespread adoption of credential security recommendations.
Tags
Best Proxies For OpenBullet - ProxyRack

Best Proxies For OpenBullet – ProxyRack

What Are The Best ProxyRack Proxies For OpenBullet?
Since you can use any type of proxy – whether residential or datacenter – what are the best options?
The first I’ll recommend is a shared datacenter proxy. With ProxyRack, you can purchase shared datacenter proxies and gain access to 100 to 5, 000 IP addresses. The IP addresses are pulled from shared data centers all within the USA. If you reside in the USA, such proxies are the best because they are within your region and yet still keeps you anonymous. Furthermore, bandwidth is unmetered.
Product
Advantage
Link
Shared Datacenter
Cheap and reliable
Premium GEO Residential
Choose your location
Private Residential
Never get blocked
3 Day Trial
Test all products to find the best fit
For residential proxies, I would recommend a private residential proxy or a Geo residential proxy. Private residential proxies give you access to real residential IP addresses. That implies that you’ll be browsing with a residential IP address issued by a real internet service provider. Upon purchase, these IP addresses are exclusively for your private use; hence, you don’t share them with anyone.
What’s the advantage of using regular residential proxies? It’s simple, you alone can make use of the residential IP addresses provided by the private residential proxy. Normally, proxy providers issue IP addresses at random for users. The IP addresses are not static but instead, rotary which implies that the IP address you use now can be issued later to another user.
3 Day Trial of All Proxy Products
We want you to find the perfect Proxy Product for your purposes. So we have introduced this new trial product that gives you access to all our products. 3 Days for $13. 95, Learn more
However, you could run into problems if a particular residential IP address used by someone else was flagged and then issued to you. It could even affect the entire IP addresses in the residential proxy network. This is unlikely, but to stay on a safe side, use private residential proxies.
Geo-targeted residential proxies offer even more advantages. With such proxies, you can select IP addresses from a particular country, city, and ISP across the world. In fact, you can select up to 5 million IP addresses every month.
Thankfully, private residential proxies from ProxyRack have unmetered monthly data transfer limits while you can get up to 200GB monthly data transfer limit on geo-targeted residential proxies.
What Types Of Proxies Work With OpenBullet?
Whenever proxies are talked about, there’s usually the question of which is the best to use and there are 2 primary options – residential proxies and data center proxies.
The best way to understand residential proxies is by considering your Internet Service Provider. When you browse the internet, your ISP issues a residential IP address for your connection. This residential IP address is linked to your true location which is why websites can detect where you are browsing from and your online activity over time.
Usually, these ISPs issue dynamic IP addresses. These IP addresses change every time you access the internet; it changes on intervals set by your ISP. That’s the same thing you get with residential proxies. Residential proxy servers issue residential IP addresses from its massive pool of IP addresses. However, the difference with a proxy is that you can make use of a residential IP address of your preferred country.
On the other hand, datacenter proxies are the opposite of the residential ones. They are the most common because they provide complete anonymity which is one of the main reasons why people use proxies.
Thankfully, datacenter proxies are not linked to your ISP. They make use of IP addresses pulled out of secondary servers and there’s usually a bulk of IP addresses to use. As you browse with a datacenter proxy, your true IP address is obfuscated and you’ll be issued with a new one. For instance, you could be in Madrid, Spain, and set your datacenter proxy to NY, USA. Then, you’ll be browsing with a new US IP address.
Nevertheless, I don’t think the type of proxy you use will matter because anyone would work with OpenBullet. The primary reason you’ll be needing a proxy is to hide your location or access a platform that is restricted in your region, which both residential and datacenter proxies facilitate. For what it’s worth, I would pick datacenter proxies over residential proxies for use with OpenBullet.
Although residential proxies have a lower risk of ban, datacenter proxies are faster. Likewise, you don’t want to spend hours with OpenBullet doing activities like web scraping, account hijacking, brute force attacks, etc. They should be completed as quickly as possible. Furthermore, datacenter proxies are best for anonymity as they aren’t linked to any ISP.
There are also mobile proxies i. e. 4G/3G proxies, but since you’ll be using OpenBullet on a desktop computer, you can’t make use of such proxies.
Why Do You Need Proxies With OpenBullet?
The two main reasons why people make use of proxies is to hide their real identity and to bypass geographical restrictions. These are also basic reasons why you need to use proxies with OpenBullet.
Brute force attacks and credential stuffing are activities you want to be flagged for doing online. Not to mention, when the website or platform you are targeting is not owned by you. Even if you have a good reason for doing such, it is an illegal activity.
You can use the OpenBullet suite to launch your web requests but it cannot keep you anonymous. Hence, you need to use a proxy. Moreover, proxies act as intermediaries between your computing device and the internet.
So, instead of your request going directly from your device to the website, it passes through a proxy server which makes some alterations before sending it to the website. Data coming back from the website to your device passes through the proxy server as well before getting to you.
Nevertheless, the proxy server will make alterations regarding your location and your IP address. Website administrators can trace your location with those strings of numbers called IP addresses. If brute-forcing is detected, your IP address will be used by the site administrators to detect your location and if it’s a serious case that warrants an arrest, they could trace the IP address to your ISP and then to your exact location.
But with a proxy, your true IP address is replaced with a new anonymous one. The new IP address still represents a location but it won’t be your real location; it could even be a location that doesn’t exist. As a result, even if your IP address is identified and flagged, you will be safe and you can continue using a different IP address generated by the proxy service.
Talking about geographical restrictions. The website or platform you want to target could be one that isn’t accessible from your location. Again, the site bots can detect your location and restrict access from your IP address. If your IP address is replaced with a new one from a proxy service, you can gain uninterrupted access. You just have to select an IP address (generated by the proxy service) in a country or region where your target website is not blocked.
What Is OpenBullet And What Is It Used For?
According to its developers, OpenBullet is a web testing suite. This implies that it was developed for running various cyber tests on the internet. For instance, you can use OpenBullet to send requests towards a target website or platform, while it features tools to analyze the results.
Additionally, OpenBullet is an open-source project on GitHub launched in March 2019. The initial uses of this web testing suite include:
Web scraping
Data parsing
Automated pen testing
Account checking
Unit testing through selenium
The software was never meant for improper use. The developers did warn users of the suite that it is illegal to perform DDoS attacks or credential stuffing on websites they don’t own. Hence, those who use it for such purposes do so at their own risk.
However, for the hacking community, OpenBullet is of the utmost value and a favorite because of its effectiveness. Hackers and cybercriminals use the suite for totally different actions including brute-forcing, credential stuffing, penetration testing, and web scraping.
Brute-forcing simply involves putting different letters and numbers together into account login fields to ‘find’ the correct credentials. Manually, this can be a hell of a time-waster, but with a brute-force tool, like OpenBullet, it’s more than easy.
Credential stuffing is still a form of brute-forcing but instead of random letters and numbers, the attacker tries to gain access using a password list which they have beforehand.
On the other hand, account checkers are used for checking the accuracy of credential details, possibly discovered from a brute force attack or credential stuffing.
Despite the developers’ warning, there’s no way to keep the tool off the hands of hackers. Truth be told, OpenBullet is an innovative tool that is useful to cybersecurity agencies and companies. The reason why OpenBullet quickly became popular among hackers is its open-source nature.
Any developer who intends to use the tool can modify its settings to suit their interest. Indirectly, this implies that the tool can be modified to execute tasks in whatever way a particular hacker is skilled in, thus, increasing the effectiveness of every attack. This puts OpenBullet at an advantage over other popular hacking tools like BlackBullet.
You might wonder why the tool is yet to be identified as a cyber threat. Regarding that, a lot of thanks can go to the fact that the software uses low GPU resources and the developers stay up to date with maintenance.
A lot of activities occur on the internet. Activities like brute force attacks, pen testing, DDoS attacks, and more. While these are usually linked to hackers, not everyone that performs them does so to cause harm. You might want to run a pen test or DDoS attack on your website or client website to check how strong their security is. In fact, cybersecurity companies do this all the time.
Furthermore, assuming your website or any social media account was hacked, you can get it back if you know how the hacker did it; hence, you’ll be forced to attack your website or social media account.
In all of these, one thing is for sure and that is you will need cyber tools. While there are several cybersecurity tools available, OpenBullet is a notable one.
With OpenBullet, you can run a series of web testing tasks against websites or web applications. However, it is essential that you use proxies to execute such tasks with a tool like OpenBullet. Hence, I’ll be showing you the best proxies for OpenBullet.
But, before we proceed, let’s answer this primary question – what is OpenBullet all about, and what are its uses?
Bottom Line
OpenBullet is a controversial cybersecurity suite that is seemingly used mainly by cybercriminals and hackers. This article was for informational purposes and not to encourage using OpenBullet and proxies to execute fraudulent and illegal activities on the internet.
However, I doubt the developers who released the project on GitHub have illegal intentions in mind. It’s even interesting what you can do with OpenBullet even though a lot of people would regard it solely as a hacking tool. However, OpenBullet can still be used to perform clean activities on the internet, which is highly recommended.
As discussed earlier, you can use any type of proxy with OpenBullet. But, the best proxies for OpenBullet include shared datacenter proxies, private residential proxies, and geo-targeted residential proxies.
Related articles
Best Proxies For Python
Best Proxies For Node Js
Best Proxies For Puppeteer
Best Proxies For Selenium
Best Proxies For Burpsuite
Best Proxies For Haskell
Best Proxies For Wget
Best Proxies For OpenBullet - ProxyRack

Best Proxies For OpenBullet – ProxyRack

Frequently Asked Questions about open bullet proxies

Do you need proxies for OpenBullet?

You can use the OpenBullet suite to launch your web requests but it cannot keep you anonymous. Hence, you need to use a proxy.Oct 1, 2020

Is it legal to use proxies?

Are Proxies Legal? By strict definition, it is legal to use proxies to stream online content from outside the U.S. In fact, proxies have been traditionally used to protect internet users and networks from hackers, malicious programmes, and other suspicious activity.Jun 30, 2012

What are resi proxies?

Share: Residential proxies allow you to choose a specific location (country, city, or a mobile carrier) and surf the web as a real-user in that area. Proxies can be defined as intermediaries that protect users from general web traffic. They act as buffers while also concealing your IP address.Oct 24, 2019

ProxyBoys