Hi I have a very quick question here

What is the account cracking or testing on a website (I mean using an email and password to log in) called? Is it pentesting or what?

The exact attack is called credential stuffing, and it can be executed with OpenBullet and many other pieces of software.

Pentesting is when you are being paid to conduct a security assessment on someone’s website or web API.

It is completely illegal to do so without the consent of the owner of the website, and it is also illegal to possess databases with leaked credentials in the first place.

This particular attack is useful when penetration testers (red teams) manage to breach a database of endpoint A that is being used by the same employees that also use endpoint B, so it’s useful to see which ones reused the same credentials on endpoint B to gain access. They can then search for a user with a given authority level to gain access to more and more of the network under assessment. Both endpoints must be included in the initial contract/agreement and you need permission to perform the attack on them.

Another use case is when red teamers make an ad-hoc list of passwords using social-engineered keywords, for example if Alice likes cats they will try alice:cats, alice:ilovecats, alice:ilovecats1 etc. in order to try and guess the password. This attack is mitigated by having a timeout on login attempts for the same user.

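The post above names a per-user timeout on login attempts as the mitigation. As an added example (not code from this thread or from OpenBullet), the throttle below implements that timeout with a doubling lock delay and goes one step further with a per-source distinct-account limit, because one password tried once against many accounts never trips a per-user counter. The class name, thresholds, timestamps and IP addresses are all constructed for the demonstration.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Per-user login timeout plus a per-source distinct-account limit."""
    def __init__(self, max_failures=5, base_delay=30, window=600, max_accounts=10):
        self.max_failures, self.base_delay = max_failures, base_delay
        self.window, self.max_accounts = window, max_accounts
        self.failures = defaultdict(int)        # user -> consecutive failures
        self.locked_until = defaultdict(float)  # user -> unlock time (epoch secs)
        self.history = defaultdict(deque)       # source -> deque of (ts, user)

    def check(self, user, source, now):
        # Return a refusal reason, or None if the attempt may proceed.
        if now < self.locked_until[user]:
            return "user_locked"
        q = self.history[source]
        while q and now - q[0][0] > self.window:   # forget entries outside window
            q.popleft()
        seen = {u for _, u in q}
        if user not in seen and len(seen) >= self.max_accounts:
            return "source_spraying"
        return None

    def record(self, user, source, success, now):
        # Update counters after the attempt was processed by the login handler.
        self.history[source].append((now, user))
        if success:
            self.failures[user] = 0
            return
        self.failures[user] += 1
        over = self.failures[user] - self.max_failures
        if over >= 0:   # lock; the delay doubles with each further failure
            self.locked_until[user] = now + self.base_delay * 2 ** over

def simulate():
    """Two constructed scenarios; returns how many attempts were refused."""
    t = LoginThrottle(max_failures=3, base_delay=30, max_accounts=5)
    now, src = 1_700_000_000.0, "198.51.100.7"   # constructed timestamp and IP
    out = {"alice_refused": 0, "stuffing_refused": 0}
    # keyword-based guessing against one account: locked after 3 failures
    for i, _pw in enumerate(["cats", "ilovecats", "ilovecats1", "ilovecats2", "ilovecats3"]):
        if t.check("alice", src, now + i):
            out["alice_refused"] += 1
        else:
            t.record("alice", src, False, now + i)
    # one password tried once against many accounts: only the per-source limit trips
    for k in range(8):
        if t.check(f"user{k}", "203.0.113.9", now + k):
            out["stuffing_refused"] += 1
        else:
            t.record(f"user{k}", "203.0.113.9", False, now + k)
    return out
```

In the second scenario every per-user counter stays at one failure, so the per-user timeout alone would have let all eight attempts through.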

Thanks Ruri for that valuable information, but if someone wants to learn HTTP requests and tokens and stuff, what should he search for? Like, I used to do cracking before (I learned from YouTube tutorials but it's not enough) but I stopped, and now I wanna start doing legal stuff, but it's just complicated now as I am working with big companies and you can't really make a config for that with the previous basic cracking experience. So the question is: what should I aim for if I wanna get better using OpenBullet?
Thanks.

I might make some video tutorials in the future if I have some time on my hands, since people are finding OB2 hard to use. Stay tuned for more updates on this, there will be an announcement.


It would be great, thanks.