• Resources
  • Blogs
  • STORM Cracker Credential Stuffing Tool: What You Need to Know

STORM Cracker Credential Stuffing Tool: What You Need to Know

Alex McConnell
Alex McConnell
23/08/18
6 Minute read
Genesis Market: A Hacker’s Haven of Stolen Credentials

Article Contents


    Credential Stuffing Tools – Account Takeover at The Click of a Mouse

    Account Takeover/credential stuffing (Referred to as ATO from here) tools are readily available to download, with the most well-known weapon of choice selected by hackers being Sentry MBA.

    Cracking and Credential Stuffing tools have made ATO attacks extremely easy for even low-tech criminals to profit from automated attacks against any website of choice with little more than a few mouse clicks. This new and emerging attack vector means unsophisticated actors can compromise your customer accounts with little to no knowledge of traditional hacking techniques.

    This in combination with the proliferation of stolen or leaked databases has resulted in a recent surge in automated credential stuffing attacks, meaning organizations face round the clock threats from attackers.

    In this case, all an attacker requires to cause a security and data risk to any organization is a pre-configured config for the target, a combo list of emails/usernames and passwords and a “proxy list” of open proxies to direct traffic through in order to evade IP banning and easy detection by law enforcement. The rest is up to the “cracker” and how willing they are to exploit the accounts they have access to.

    Sentry MBA is one of the older free tools now, with other paid for tools like Snipr, and many “cracking” forums will even advertise free “checkers” custom built for particular websites. But what is STORM Cracker? Does it represent a significant change over the custom checkers and the established tools like Sentry MBA, or is it more of the same? This overview will aim to answer those and more questions.

    Overview of the STORM Cracker tool

    The version of STORM Cracker used for this analysis is version 2.4, released March of 2018. STORM comes as two executables; one “config” builder GUI that aims to make the definition of the input files for a particular target easier, and the STORM utility itself which runs the ATO attacks.

    Part #1 – Building an attack configuration

    The GUI is fairly basic, allowing for loading and saving of the configurations and basic editing of these configs.

    Storm Cracker GUI
    Storm Cracker GUI

    In the above screenshot, you can manage, load, edit and save configs. Manipulate the behavior of the attack and define the URLs, success and failure keys to be extracted from the website response.

    For example, this is a fake config of myecom.com, a Commerce-based website, you can see this basic config defines a load of the login form in link1, a post to login in link2 and then loads an offer page in link3 to see if there are any credits to be exploited.

    Credential Stuffing - ATO Config using STORM
    ATO Config

    This is a typical ATO config, they’ll log in, go straight to the page with the exploitable aspect and extract how many points, bitcoins, etc that are available to be stolen all as part of the config. The attacker then gets a list of all accounts they’ve taken over and how valuable they are, to either resell or exploit themselves.

    Storm cracker config GUI
    Config Builder GUI

    These stages are all configured in the tool with a moderate level of sophistication, the tool supports SSL, the required proxies for hiding IP and distributing the attacks over seemingly many endpoints. The GUI also has some basic tools for escaping/unescaping strings for HTTP communication.

    STORM Cracker will continue to develop this config builder CUI, adding further sophisticated control options.

    Part #2 – Performing an attack

    The second executable is one of the credential stuffing tools used to perform a cyber-attack, this runs the configs, takes in the combo list of emails/username and passwords and directs the requests between the list of proxies given.

    Credential Stuffing with STORM Cracker
    Credential Stuffing with STORM Cracker

    The combo list and proxy list are loaded here, and the timeouts, the number of threads, etc. are all configured to run the ATO attack. The output of “hits” where a “combo” of user credentials worked on the attacked site are reported in the UI and written to a folder for the attacker to re-sell or exploit.

    There is a basic debug option here, but again it is less complex than Sentry MBA, a single “combo” can be entered and the stages of the attack stepped through to see where it fails.

    Another feature this is missing is CAPTCHA defeat, although the ability Sentry MBA has in that regard is only to defeat simple image-based CAPTCHAs. ReCaptcha, FunCaptcha and any of the newer advanced ones are not automated within Sentry, yet.

    So, now this is a minor missing feature as there are no tools like this that can defeat any complex captcha within one of these “cracking” toolsets currently advertised on cracking forums. Typically, they target end-points that have no captcha, increasingly mobile interfaces and API endpoints to verify the accounts they have stolen work.

    Should I be concerned about STORM Cracker?

    STORM Cracker can bypass DDOS protection offered by some of the leading CDNs

    These CDNs will test the “browser” to check if it is a real browser and not an automated tool. STORM Cracker does not reveal the approaches they use to bypass these CDN defenses, and implementation is seamless to the hacking using the tool, they just point the tool at a protected URL and it bypasses the protection. The STORM codebase does include the open-source Noesis Javascript library, which allows for server-side execution of Javascript, it is likely this is being used as the basis for this functionality.

    The existence of this type of functionality does indicate the cracking community is aware that Javascript-based checking like this is a challenge, and they are starting to work on ways to defeat it, with some success as shown in the case of STORM.

    API and mobile application API access points are also targeted

    These credential stuffing tools also find additional ways to attack in addition to website login pages. They exploit interfaces to systems they want to attack that are not accessed via a web browser like API end-points, Mobile application APIs / end-points.

    Then when they have verified the accounts work they can manually access them via the web interface and exploit them. As more companies attempt to lessen these attack vectors there will inevitably be pressure to defeat and bypass corporate bot detection systems in these cracking tools.

    Future development and ATO prevention

    Despite being less complex than the more established Sentry MBA, STORM is being actively developed. The Community donates to the developers, with each version having a target for the developer(s) to release the tool. As the tool progresses its features and reputation in the online “cracker” community those development donations will continue to rise, fuelling faster tool development.

    In the immediate interim, invest in a dedicated ATO prevention solution. Here at Netacea we use a range of approaches to detect ATO activity. At a simple level, the built-in reputational analysis and blacklists of known bad actors can easily weed out the less sophisticated attempts. However, this pool is rapidly shrinking as more complex tools such as STORM are developed and become more widely available.

    To address the remaining attacks, Netacea has developed the leading, artificial intelligence-based Account Takeover detection tool currently available. Netacea Intelligence uses advanced machine learning techniques to detect ATO attempts by spotting patterns of behavior that indicate suspicious behavior. This includes spotting indications of an upcoming attack, such as large amounts of fake account creations that can be used to camouflage the real ATO attack, as well as actual attacks themselves.

    Frequently Asked Questions about STORM Cracker

    What is STORM Cracker?

    STORM Cracker is a credential stuffing tool for stealing, cracking and phishing. It can steal credentials from many sources including: email providers, enterprise networks (LDAP/AD), forums and websites. The tool also provides prompting features to allow the user to enter new credentials to attempt to crack. It supports mutiple attack methods including SQLi, XSS/HTML Injection, CRLF Injection and bruteforce methods for checking if an account has valid credentials after the initial infiltration phase using one of these techniques has been successful.

    What is Sentry MBA?

    Sentry MBA is a credential cracking tool that can be used to steal, crack and phish. It is designed to have an interface that is more user-friendly than other similar tools. Sentry MBA supports multiple methods of attack which are SQL injection, Cross-Site Scripting (XSS), and CRLF injection; all of which are designed in a way to avoid detection by the credentials owner’s security systems.

    How to protect your business from Credential Stuffing using STORM Cracker?

    Most of these attacks can be thwarted by having a robust, up-to-date ATO solution in place to detect and prevent credential stuffing. In the absence of an ATO system, it is recommended to add additional authentication steps to your login process that are separate from any other measures you may have already added.

    If you have any questions or would like to learn more about our approach to stopping credential stuffing attacks, request a Netacea Bot Protection demo, where you can access the Netacea Credential Stuffing and Bot Management dashboard and test it on your live site.

    Block Bots Effortlessly with Netacea

    Book a demo and see how Netacea autonomously prevents sophisticated automated attacks.
    Book

    Related Blogs

    Knight chess piece
    Blog
    Alex McConnell
    |
    04/06/24

    What is a Sophisticated Bot Attack?

    Learn about the growing sophistication of bot attacks. Find out how to improve defenses and detect these attacks effectively.
    Robot
    Blog
    Alex McConnell
    |
    28/05/24

    Offensive AI Lowers the Barrier of Entry for Bot Attackers

    Explore the impact of offensive AI and automated attacks. Discover how AI is changing the landscape of cybersecurity.
    Worker helmet
    Blog
    Alex McConnell
    |
    22/05/24

    What is Defensive AI and Why is it Essential in Bot Protection?

    Discover the potential of defensive AI in bot protection. Explore how machine learning can protect against automated attacks.

    Block Bots Effortlessly with Netacea

    Demo Netacea and see how our bot protection software autonomously prevents the most sophisticated and dynamic automated attacks across websites, apps and APIs.
    • Agentless, self managing spots up to 33x more threats
    • Automated, trusted defensive AI. Real-time detection and response
    • Invisible to attackers. Operates at the edge, deters persistent threats
    Book a Demo

    Address(Required)