STORM Cracker Credential Stuffing Tool: What You Need to Know
Credential Stuffing Tools – Account Takeover at The Click of a Mouse
Account Takeover/credential stuffing (Referred to as ATO from here) tools are readily available to download, with the most well-known weapon of choice selected by hackers being Sentry MBA.
Cracking and Credential Stuffing tools have made ATO attacks extremely easy for even low-tech criminals to profit from automated attacks against any website of choice with little more than a few mouse clicks. This new and emerging attack vector means unsophisticated actors can compromise your customer accounts with little to no knowledge of traditional hacking techniques.
This in combination with the proliferation of stolen or leaked databases has resulted in a recent surge in automated credential stuffing attacks, meaning organizations face round the clock threats from attackers.
In this case, all an attacker requires to cause a security and data risk to any organization is a pre-configured config for the target, a combo list of emails/usernames and passwords and a “proxy list” of open proxies to direct traffic through in order to evade IP banning and easy detection by law enforcement. The rest is up to the “cracker” and how willing they are to exploit the accounts they have access to.
Sentry MBA is one of the older free tools now, with other paid for tools like Snipr, and many “cracking” forums will even advertise free “checkers” custom built for particular websites. But what is STORM Cracker? Does it represent a significant change over the custom checkers and the established tools like Sentry MBA, or is it more of the same? This overview will aim to answer those and more questions.
Overview of the STORM Cracker tool
The version of STORM Cracker used for this analysis is version 2.4, released March of 2018. STORM comes as two executables; one “config” builder GUI that aims to make the definition of the input files for a particular target easier, and the STORM utility itself which runs the ATO attacks.
Part #1 – Building an attack configuration
The GUI is fairly basic, allowing for loading and saving of the configurations and basic editing of these configs.
In the above screenshot, you can manage, load, edit and save configs. Manipulate the behavior of the attack and define the URLs, success and failure keys to be extracted from the website response.
For example, this is a fake config of myecom.com, a Commerce-based website, you can see this basic config defines a load of the login form in link1, a post to login in link2 and then loads an offer page in link3 to see if there are any credits to be exploited.
This is a typical ATO config, they’ll log in, go straight to the page with the exploitable aspect and extract how many points, bitcoins, etc that are available to be stolen all as part of the config. The attacker then gets a list of all accounts they’ve taken over and how valuable they are, to either resell or exploit themselves.
These stages are all configured in the tool with a moderate level of sophistication, the tool supports SSL, the required proxies for hiding IP and distributing the attacks over seemingly many endpoints. The GUI also has some basic tools for escaping/unescaping strings for HTTP communication.
STORM Cracker will continue to develop this config builder CUI, adding further sophisticated control options.
Part #2 – Performing an attack
The second executable is one of the credential stuffing tools used to perform a cyber-attack, this runs the configs, takes in the combo list of emails/username and passwords and directs the requests between the list of proxies given.
The combo list and proxy list are loaded here, and the timeouts, the number of threads, etc. are all configured to run the ATO attack. The output of “hits” where a “combo” of user credentials worked on the attacked site are reported in the UI and written to a folder for the attacker to re-sell or exploit.
There is a basic debug option here, but again it is less complex than Sentry MBA, a single “combo” can be entered and the stages of the attack stepped through to see where it fails.
Another feature this is missing is CAPTCHA defeat, although the ability Sentry MBA has in that regard is only to defeat simple image-based CAPTCHAs. ReCaptcha, FunCaptcha and any of the newer advanced ones are not automated within Sentry, yet.
So, now this is a minor missing feature as there are no tools like this that can defeat any complex captcha within one of these “cracking” toolsets currently advertised on cracking forums. Typically, they target end-points that have no captcha, increasingly mobile interfaces and API endpoints to verify the accounts they have stolen work.
Should I be concerned about STORM Cracker?
STORM Cracker can bypass DDOS protection offered by some of the leading CDNs
These CDNs will test the “browser” to check if it is a real browser and not an automated tool. STORM Cracker does not reveal the approaches they use to bypass these CDN defenses, and implementation is seamless to the hacking using the tool, they just point the tool at a protected URL and it bypasses the protection. The STORM codebase does include the open-source Noesis Javascript library, which allows for server-side execution of Javascript, it is likely this is being used as the basis for this functionality.
The existence of this type of functionality does indicate the cracking community is aware that Javascript-based checking like this is a challenge, and they are starting to work on ways to defeat it, with some success as shown in the case of STORM.
API and mobile application API access points are also targeted
These credential stuffing tools also find additional ways to attack in addition to website login pages. They exploit interfaces to systems they want to attack that are not accessed via a web browser like API end-points, Mobile application APIs / end-points.
Then when they have verified the accounts work they can manually access them via the web interface and exploit them. As more companies attempt to lessen these attack vectors there will inevitably be pressure to defeat and bypass corporate bot detection systems in these cracking tools.
Future development and ATO prevention
Despite being less complex than the more established Sentry MBA, STORM is being actively developed. The Community donates to the developers, with each version having a target for the developer(s) to release the tool. As the tool progresses its features and reputation in the online “cracker” community those development donations will continue to rise, fuelling faster tool development.
In the immediate interim, invest in a dedicated ATO prevention solution. Here at Netacea we use a range of approaches to detect ATO activity. At a simple level, the built-in reputational analysis and blacklists of known bad actors can easily weed out the less sophisticated attempts. However, this pool is rapidly shrinking as more complex tools such as STORM are developed and become more widely available.
To address the remaining attacks, Netacea has developed the leading, artificial intelligence-based Account Takeover detection tool currently available. Netacea Intelligence uses advanced machine learning techniques to detect ATO attempts by spotting patterns of behavior that indicate suspicious behavior. This includes spotting indications of an upcoming attack, such as large amounts of fake account creations that can be used to camouflage the real ATO attack, as well as actual attacks themselves.
Frequently Asked Questions about STORM Cracker
What is STORM Cracker?
STORM Cracker is a credential stuffing tool for stealing, cracking and phishing. It can steal credentials from many sources including: email providers, enterprise networks (LDAP/AD), forums and websites. The tool also provides prompting features to allow the user to enter new credentials to attempt to crack. It supports mutiple attack methods including SQLi, XSS/HTML Injection, CRLF Injection and bruteforce methods for checking if an account has valid credentials after the initial infiltration phase using one of these techniques has been successful.
What is Sentry MBA?
Sentry MBA is a credential cracking tool that can be used to steal, crack and phish. It is designed to have an interface that is more user-friendly than other similar tools. Sentry MBA supports multiple methods of attack which are SQL injection, Cross-Site Scripting (XSS), and CRLF injection; all of which are designed in a way to avoid detection by the credentials owner’s security systems.
How to protect your business from Credential Stuffing using STORM Cracker?
Most of these attacks can be thwarted by having a robust, up-to-date ATO solution in place to detect and prevent credential stuffing. In the absence of an ATO system, it is recommended to add additional authentication steps to your login process that are separate from any other measures you may have already added.
If you have any questions or would like to learn more about our approach to stopping credential stuffing attacks, request a Netacea Bot Protection demo, where you can access the Netacea Credential Stuffing and Bot Management dashboard and test it on your live site.