Open Bullet

The OpenBullet web testing application. – GitHub

OpenBullet 1 has reached the end of its life, no more support will be provided for it. Please consider switching to OpenBullet 2 as it will be kept up to date and offers a lot more features.
Link to the Official Forum
The Plugin System was released with version 1. 2. 0. You can find a sample Plugin with fully documented code that you can use as a basis to develop your own plugins!
OpenBullet is a webtesting suite that allows to perform requests towards a target webapp and offers a lot of tools to work with the results. This software can be used for scraping and parsing data, automated pentesting, unit testing through selenium and much more.
IMPORTANT! Performing (D)DoS attacks or credential stuffing on sites you do not own (or you do not have permission to test) is illegal! The developer will not be held responsible for improper use of this software.
Here you can find the complete documentation for usage, config making and the RuriLib API.
The OpenBullet API was released. It can be used to host configs remotely on your server and have OpenBullet download them upon Rescan. It’s very useful to always have updated configs between different computers or people. You can learn more about it here.
Found a bug? Create an issue!
Make sure you have installed the framework (dev) 4. 7. 2.
Clone this repository and open the solution file with Visual Studio.
Switch to Release mode for a much cleaner output.
Build the solution (Visual Studio will fetch all the missing nuget packages).
You can find the executables inside the folders OpenBullet/bin/Release and OpenBulletCLI/bin/Release.
This software is licensed under the MIT License.
If you like this software, consider making a donation to the developer. Thank you!
BTC: 39yMkox6pP8tnSC7rZ5EM4nUUHgPbg1fKM
I want to thank all the community for their inputs that shaped OpenBullet into what it is now, and my gratitude goes towards demiurgo and meinname, who spent a lot of time helping me test and debug the Beta builds.
I am not on discord / telegram, anyone on there who claims to be me is a fake. If you need to contact me for any reason you can send me an email here: ruri [at] openbullet (dot) dev. I don’t check it very often so be patient please.
OpenBullet: Shopping Configs

OpenBullet: Shopping Configs

OpenBullet is a webtesting suite that allows to perform requests towards a target webapp and offers a lot of tools to work with the results. This software can be used for scraping and parsing data, automated pentesting, unit testing through selenium and much more.
You can download the latest updated version – @FILE4NET + 650 configs @Password:
Cracking Course With Tools, Audio Explanation, Video and Text –
Advanced Course for Openbullet Anomaly & openbullet 2 [2021] with Tools, Audio Explanation, Video and Text –
Note – IMPORTANT! Performing (D)DoS attacks or credential stuffing on sites you do not own (or you do not have permission to test) is illegal! The developer or this website will not be held responsible for improper use of this software.
OpenBullet configs is the result of numerous hours of passionated work from a small team of computer security enthusiasts. If you appreciated our work and you want to see OpenBullet configs kept being developed, please consider making a donation to our efforts via Ƀitcoins to 1CgAkPMgSG5SXvkTQnxU52HE2j8P9643Je.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the “Software”), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
How Cybercriminals Abuse OpenBullet for Credential Stuffing

How Cybercriminals Abuse OpenBullet for Credential Stuffing

Cyber Threats
In this blog, we detail how cybercriminals exploit OpenBullet, a legitimate web-testing software, to brute-force their way into targeted accounts.
By: Cedric Pernet, Fyodor Yarochkin, Vladimir Kropotov
April 30, 2021
Read time: ( words)
The trend for access-related cybercrime, such as credential stuffing, is steadily rising with no sign of slowing down. According to an Akamai report, there has been a total of 88 billion credential stuffing attacks from January 2018 to December 2019.
Credential stuffing, a type of a brute-force attack that makes use of botnets to access websites and online services using stolen credentials, allows financially motivated actors to gain unfettered access to victims’ bank accounts and sensitive information. Cybercriminals also profit from stolen credentials by selling them in underground forums and markets.
As the business of acquiring unique credentials continues to become more lucrative, cybercriminals are enriching their attack tools and techniques by abusing legitimate software for nefarious purposes.
In this blog, we detail how cybercriminals exploit OpenBullet, a legitimate web-testing software, to brute-force their way into targeted accounts. Due to OpenBullet’s popularity, a whole market for trading configuration scripts have formed in the underground. We explore how some threat actors compromise the supply chain of OpenBullet configuration scripts by supplying scripts with hidden features. Finally, we also give recommendations on how users and organizations can handle multiple passwords efficiently and securely, and provide guidance on how they can remain protected from credential stuffing attacks that lead to account takeovers.
A Closer Look at OpenBullet
OpenBullet is a free web-testing software that enables developers to perform specific requests on target webpages. The open-source tool can be found on GitHub and used for different tasks, including scraping and parsing data, performing automated penetration testing, and unit testing using Selenium.
The software enables users to try multiple “login:password” combinations as credential brute-force attacks on different websites for legitimate purposes, such as penetration testing. However, it can also be used by cybercriminals in order to discover valid credentials on different websites for ill gain.
OpenBullet allows a user to import prebuilt configuration files or configs, one for each website to be tested. It also has a flexible editor to modify configs as needed. This is a mandatory feature, since websites tend to make slight adjustments to the way that users connect to them in an effort to counter automated tools like OpenBullet.
Notably, OpenBullet’s GitHub page features a warning informing users that the tool shouldn’t be used for credential stuffing on websites that they do not own.
Figure 1. Disclaimer from the OpenBullet GitHub page
OpenBullet Features That Can Be Abused
This tab allows the user to import thousands of words that can be used when attempting to connect to targeted websites.
An entry can be as simple as “email address:password” or “login:password”.
Wordlists are not provided with the OpenBullet tool. As a result, users would need to find and use their own. However, OpenBullet has a wordlist generator feature.
As an example, we generated a wordlist on OpenBullet using the following characteristics:
Users’ email addresses that are composed of three digits followed by “”
Users’ passwords that start with “abc” followed by two digits
Figure 2. OpenBullet’s wordlist generator and the extracts of the generated wordlist on a Notepad file
Though this example does not exactly reflect reality, it still shows some possibilities of what the tool can do and how easy it is to create such wordlists.
A user can select this tab to launch a credential attack using OpenBullet. The runner tab shows the progress and the number of positive hits for every website that is being tested. Users can also launch multiple runners at the same time.
Figure 3. Screen capture of the runner tab working on OpenBullet
Some websites with good security might blocklist the IP address of a penetration tester — or a cybercriminal — especially if it is being used to make several attempts to log in to several different accounts. To avoid this, proxies are used.
Proxies are an important part of OpenBullet. They allow users multiple login attempts using a different IP address for each attempt. In addition, they can set up the time between each connection attempt, so that each attempt does not raise any alarms on the targeted website for an unusual login activity that typically would be generated by a high number of attempts in a very short period.
Different kinds of protocols are accepted for proxies in OpenBullet: HTTP, Socks4, Socks4a, and Socks5. The more proxies are added to OpenBullet, the better it is for fraudsters. It is also important to note that since proxies are not provided in the tool, users need to rely on using their own, which they can buy from underground forums or from paid proxy services, or even discover using internet-scanning techniques.
Figure 4. OpenBullet’s proxies tab, which features several proxies on different protocols or ports
Tools, Plug-ins, and Settings
Plug-ins can be easily imported to OpenBullet for different purposes. For example, by using additional plug-ins, users will be able to:
Mix a list of usernames and passwords to generate all possible combinations.
Export the hits from the runner tab directly to an instant messaging platform.
Use a known successful login or password combination on a big virtual private network (VPN) to get a full list of all of its working proxies.
The possibilities are seemingly endless as long as a user’s purpose involves sending and collecting data to and from a targeted website.
On the settings tab, OpenBullet users are able to tweak system settings, such as bypassing CAPTCHAs or using Selenium, a portable framework for testing web applications. Users need API keys in order to bypass CAPTCHAs. However, API keys are not provided in the tool.
Figure 5. OpenBullet options for CAPTCHAs in the settings tab
Configs are the heart of the OpenBullet tool. They are files that are imported to OpenBullet for every website that needs to be tested. Since every website handles authentication or login differently, a unique config file is needed for every website.
OpenBullet supports multiple config file types, including plain files (, otherwise referred to as “LoliScripts”) and encrypted files ().
In OpenBullet, configs can be created or modified using an interface called the “stacker, ” which works by executing several tasks called “blocks” in a stack, one after the other.
Let us take a closer look at a config that we found to be targeting a large retail company. Using this particular config, we can see how it is possible to do much more than just checking whether login credentials for authentication work.
Figure 6. Stacker interface showing different blocks to be executed from top to bottom
In the preceding screen capture, we can see seven different blocks: request, key check, request, and four parse blocks. Each block is called one after the other by OpenBullet when the runner is launched.
Figure 7. The first request block of a specific config that targets a retail company’s website
A user can also see and edit the config directly in LoliScript code, as seen in the following figure:
Figure 8. Full config in LoliScript code
The script in Figure 8 shows that once logged in, a user can go to the payment preference page of a victim company and quietly extract credit card information.
This is one striking example of the dangerous activities that cybercriminals can do on OpenBullet.
The Business of OpenBullet Configurations
While some OpenBullet configs can be found easily online, other more sensitive configs are sold on dedicated websites or on underground cybercrime forums and marketplaces. Generally, config prices average between US$5 to US$10 as of writing.
Figure 9. Types of OpenBullet configs available for sale on a dedicated website
Because configs tend to have a limited time of use due to the constantly changing parts of websites’ authentication processes, the widely adopted business model involves selling licenses to get configs updates as needed.
A single config bought for US$5 might work for some weeks, but when changes are applied to the login process, it becomes obsolete. Therefore, users tend to pay monthly licenses to get all of the necessary updates.
It is also not rare to see actors sharing some configs for free in order to attract users to purchase more advanced configs.
Figure 10. An actor sharing a LoliScript config on a Telegram channel. The script finds valid credential logs from an online antivirus company and steals product and activation codes with expiry dates.
OpenBullet variants
Because OpenBullet is open-source, it has allowed third-party developers to create their own version of the software (such as SilverBullet and OpenBullet Mod, Anomaly) that supports its own version of scripts called “anom. ” Some of these versions are even more calibrated for cybercrime use and can be found easily on online forums.
Figure 11. Example of a third-party OpenBullet version
Other Software
Aside from OpenBullet, other software for credential stuffing is available on GitHub or on underground forums.
Figure 12. A package of tools that are related to credential checking. The package is offered on an underground forum in the Russian language.
While other tools are available in the underground market, OpenBullet remains a tool favored for abuse by cybercriminals as it offers both comprehensive support and a wide range of possibilities. In particular, its wide adoption and the number of available configs make it popular among cybercriminals.
Backdoored Config Files
The official OpenBullet configuration format is not obfuscated. However, there are many unofficial OpenBullet configuration formats that come in some form of obfuscation. This enables the packing of backdoors or so-called hit loggers. In fact, backdoors in OpenBullet configuration files are very common — so common, in fact, that there are tutorials on how to remove them, as evidenced in Figure 13.
Figure 13. Part of a tutorial on how to remove backdoors in obfuscated OpenBullet configs
Many tutorials advise using only / / and not to use the encrypted / / / for not running obfuscated code. A typical backdoored config might look like the one in Figure 14.
Figure 14. Deobfuscated backdoored LoliScript. Sensitive data has been replaced by Xs.
Basically, backdoors involve the sending of data somewhere. In the example shown, there is a constant GET request leaking the usernames and passwords to one particular website controlled by the backdoor controller. Other kind of backdoors can be used to post stolen data on a particular page on a website or on messaging apps like Discord.
Other Ways Cybercriminals Illegally Obtain Credentials
Aside from abusing legitimate software and using malicious software, cybercriminals also employ other tried-and-tested ways in order to obtain user credentials — one of which involves using phishing campaigns.
However, phishing campaigns collect a few hundred credentials at best. They also require fraudsters to build and host phishing websites to which they would lead victims after sending thousands (if not millions) of fraudulent emails per campaign. According to our 2020 Cloud App Security Threat Report, 5, 465, 969 credential phishing attacks were detected and blocked in 2020.
Phishing campaigns typically need resources and time. As a result, this could lead cybercriminals to opt for other malicious means that require less effort.
Aside from searching for stolen credentials online, cybercriminals compromise websites such as large forums and dump their databases. This is why it is important for website administrators to ensure that their databases are encrypted.
Credentials can also be bought from underground websites and forums. Sometimes, credentials can even be obtained for free.
Figure 15. A compromised website’s full database being sold on an underground forum
It is also possible to buy credentials that have been saved in text files, which makes credential reuse easier for fraudsters.
Figure 16. Underground forum showing offers for credentials files
Typical Uses of Stolen Credentials
The difficulty of having one’s credentials stolen doesn’t end when fraudsters take hold of them through illicit means. Rather, this could be just the beginning. After all, the many uses that cybercriminals have for stolen credentials can be even more devastating. Just last year, we reported how cybercriminals use stolen credentials such as personally identifiable information (PII) or credit card data from people who might already be suffering from the global pandemic as cybercriminal prizes for online poker games and rap battles.
These are the typical uses of stolen credentials:
How to Securely Handle Multiple Passwords
Security professionals have always recommended the use of different non-guessable passwords for each website and online service.
While this recommendation makes sense, most people find it difficult to maintain a list of every password for every website that they need access to. Such difficulty seems inevitable in light of the fact that on average, people need to remember 100 passwords for their online accounts and services, according to a NordPass study. Some people opt to write down their credentials or save them as an online file as a practical way to keep track of them. Still, these methods are high-risk in nature: If a malicious actor were to get hold of the written document or gain access to the file that contains credentials, they would then also gain access to all the websites and services listed there.
Fortunately, users can rely on password managers, digital vaults where passwords can be stored and managed in an efficient and encrypted way. Some password managers even have autocomplete features that can be used for logging in to any website through a keyboard shortcut.
Some of these managers work as online services while others function locally. These managers store and encrypt passwords and require a master password for access. This means that a user would only need to remember their master password, after which they can proceed to create strong and unique passwords for all of their accounts without needing to remember each one.
How to Stay Protected From Credential Stuffing Attacks
The following are steps that users and organizations alike can take in order to protect themselves from credential stuffing attacks:
Practice good password hygiene. Users should avoid using weak passwords while organizations should implement a blocklist of commonly used passwords to prevent users from creating them. Users should also avoid reusing credentials for various online accounts and services. When creating passwords, users must make sure that each is unique and remember to change them routinely.
Enable multi-factor authentication (MFA) on websites and services. An increasing number of websites and services offer MFA. Generally, MFA consists of a combination of external one-time passwords (OTP) that are generated and stored on a device that the attacker should not have access to, such as mobile phones (via texting or a third-party application), fingerprints, software security tokens or certificates, and a security USB key. This is by far the most effective defense against credential stuffing attacks.
Create a PIN or answer additional security questions. Some websites enable users to answer additional security questions or provide a unique PIN for further authentication.
Enable login attempt analysis. Some websites and services such as email service providers run analyses of login attempts. These are based on different factors, including:
Browser information. An attempt to log in with a different browser, one that is never opted for by a user, could indicate a fraudulent login attempt.
IP address. Users who suddenly change the IP address and/or country of origin might be a good indicator of fraudulent attempt.
User behavior anomaly analysis. Users do not browse websites the same way as automated software or bots do. Therefore, a careful analysis of a user’s behavior can help trigger alerts and actions to protect the account.
It is important to note here that the use of CAPTCHA should not be considered as a secure method to defeat automated login attempts. As shown earlier, OpenBullet can use several different CAPTCHA API keys for evasion purposes.
It is undeniable that data breaches are becoming more commonplace and alarming. In February 2021, the Compilation of Many Breaches (COMB) was made available online, exposing a staggering 3. 2 billion credentials. In line with such developments, credential stuffing attacks are expected to continue rising in number.
Despite an accelerating number of online services allowing users to boost their account security by means of enabling either two-factor authentication (2FA) or MFA, the adoption of these security tools remains low. Research has shown that people tend to ignore 2FA or MFA, thinking that their passwords are already strong enough and that these practices are unnecessary. For instance, a 2018 report divulged that 90% of active Gmail users have not enabled 2FA.
The same goes for password managers — although these are effective in securing a large number of unique passwords, many users still do not use them, let alone trust them. According to a survey conducted by Password Manager and YouGov, 65% of Americans distrust password managers.
Given the nefarious uses by cybercriminals with regard to stolen credentials, it is vital to have more promotional campaigns that highlight the importance of creating strong, unique, and secure passwords and storing them in password managers. Indeed, users and organizations can only benefit greatly from the widespread adoption of credential security recommendations.

Frequently Asked Questions about open bullet

What is open bullet?

OpenBullet is a free web-testing software that enables developers to perform specific requests on target webpages. … The software enables users to try multiple “login:password” combinations as credential brute-force attacks on different websites for legitimate purposes, such as penetration testing.Apr 30, 2021

What is open bullet configuration?

OpenBullet is a website testing suite of software that allows users to perform requests on a target web application, and it’s been gaining interest across criminal locations since early April 2019.Jul 20, 2020

Is open bullet open source?

Bullet Train is a very interesting new open-source feature flag management service that has only recently been released. YARARLI + Open Bullet Anomaly ve 2500+ Adet Config.Jun 6, 2021

Leave a Reply

Your email address will not be published. Required fields are marked *