“Credential stuffing” has become a very popular technique for brute-forcing user accounts through web applications’ login pages. Instead of trying to guess a user's password from a generated word list (a.k.a. a “dictionary”), attackers “reuse” credentials leaked from other websites. The attack exploits the fact that people usually use the same user name and password on many different websites. These attacks are executed with special tools tailored to this scenario, called “Combo Checkers” by the hackers, such as “Sentry MBA”.
Figure 1: “Sentry MBA” Combo Checker Tool
Although the tool is not new, the popularity of “Sentry MBA” amongst hackers is growing due to its high flexibility. Many of the “checkers” out there are developed to attack one specific website, whereas “Sentry MBA” is driven by a configuration file that can be adapted to attack any website. This high configurability has already created a market where people sell configurations for specific targets for only a couple of US dollars.
Its popularity amongst hackers, together with the surprisingly large supply of “login” configurations for the best-known brands, only emphasizes the current gap: many businesses do not yet have the right mitigations in place.
Mitigating with BigIP-ASM
By Tomer Zait
Figure 3: “Proactive Bot Defense” sends “TCP RESET” for each login attempt from the tool
Figure 4: “Sentry MBA” OCR Wizard fails to recognize CAPTCHA issued by ASM
Even when performing an isolated test of ASM's issued CAPTCHA image with the Tesseract OCR engine, it failed to recognize the characters in the image.
Default User-Agent Strings
Besides the high configurability of “Sentry MBA”, which allows adapting it to any target website, the properties of the issued HTTP request, such as the method, referrer and user-agent headers, can be customized as well. The tool ships with default user-agent strings that belong to relatively old browsers and could be used for tool identification and blocking.
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 (KHTML, like Gecko) Version/3.0 Safari/522.11.3
Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00
Figure 5: “Sentry MBA” default user-agent strings
Two of the user-agents contain “Windows NT 5.1”, which denotes “Windows XP”. Another is “Internet Explorer” version 7 on “Windows Vista” (NT 6.0), and the “Opera” user-agent belongs to a browser version from before the year 2009.
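As an added example (not part of the original post or of the BIG-IP ASM product), the following Python script turns the observations above into detection logic: it matches the User-Agent of POSTs to the login page against the five Sentry MBA defaults from Figure 5, and falls back to the weaker legacy-browser fingerprints (Windows XP, IE7 on Vista, old Opera/Presto) for review. The log format, the "/login" path and the sample log lines are constructed assumptions.

```python
import re

# Default User-Agent strings shipped with Sentry MBA (Figure 5); the Firefox entry carries the rv token Firefox 3.0.11 reports.
SENTRY_MBA_DEFAULT_UAS = frozenset({
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 (KHTML, like Gecko) Version/3.0 Safari/522.11.3",
    "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00",
})

# Weaker indicators drawn from the observations above: Windows XP (NT 5.1),
# IE7 on Windows Vista (NT 6.0) and an Opera/Presto build from before 2009.
LEGACY_PATTERNS = [
    ("Windows XP client", re.compile(r"Windows NT 5\.1\b")),
    ("IE7 on Windows Vista", re.compile(r"MSIE 7\.0;.*Windows NT 6\.0")),
    ("Opera 9.80 / Presto 2.2", re.compile(r"^Opera/9\.80 .*Presto/2\.2\.")),
]

# Assumed Apache/nginx "combined" log format; the User-Agent is the last quoted field.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def classify_user_agent(ua):
    """Return (verdict, reason) with verdict in {"block", "review", "allow"}."""
    if ua in SENTRY_MBA_DEFAULT_UAS:
        return "block", "exact match on a Sentry MBA default User-Agent"
    for label, pattern in LEGACY_PATTERNS:
        if pattern.search(ua):
            return "review", "legacy browser fingerprint: " + label
    return "allow", ""

def scan_login_log(lines, login_path="/login"):
    """Flag POSTs to the login page whose User-Agent looks like the tool; results keyed by client IP."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != login_path:
            continue
        verdict, reason = classify_user_agent(m["ua"])
        if verdict != "allow":
            hits.setdefault(m["ip"], []).append((verdict, reason))
    return hits

# Constructed sample log lines (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Mar/2016:10:00:01 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"',
    '203.0.113.10 - - [10/Mar/2016:10:00:02 +0000] "POST /login HTTP/1.1" 200 512 "-" "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00"',
    '198.51.100.7 - - [10/Mar/2016:10:00:03 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"',
    '192.0.2.44 - - [10/Mar/2016:10:00:04 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0 Safari/537.36"',
]
```

Calling scan_login_log(SAMPLE_LOG) returns the two suspicious client IPs with their verdicts; an exact match is a strong enough signal to block, while a legacy fingerprint alone is only a hint because genuine old browsers still exist.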