Mitigating “Sentry MBA” - Credentials Stuffing Threat

“Credentials stuffing” attack technique became a very popular way nowadays to brute force user accounts over web applications’ login pages. Instead of trying to guess a certain user password from a generated word list (a.k.a. “dictionary”), attackers “reuse” credentials leaked from other websites. The attack exploits the fact that people usually use the same user name and password on many different websites. Those attacks are executed using special tools tailored for this scenario, called by the hackers “Combo Checkers”, such as “Sentry MBA”.  

 

Figure 1: “Sentry MBA” Combo Checker Tool

Although the tool is not new, the popularity of “Sentry MBA” amongst hackers is growing due to its high flexibility. Many “checkers” that are out there usually being developed to attack a certain website, while “Sentry MBA” is based on a configuration file that can be adopted to attack any website. This high configurability already created a market where people sell configurations for specific targets for only couple of US dollars.

Being so popular amongst hackers and having a surprisingly high offering of “login” configurations for the most known brands just emphasize the current gap for businesses to have the right mitigations in place.

 

Mitigating with BigIP-ASM

By Tomer Zait

Although this “Bruter” offers a unique flexibility and has several evasion techniques, it doesn’t support JavaScript anti-bot challenges. The tool is not able to pass ASM’s “client side integrity” brute-force mitigation, while also “Proactive Bot Defense” protection will block the tool on its first request. 

Figure 2: “Proactive Bot Defense” JavaScript Challenge blocks bot login attempt

Figure 3: “Proactive Bot Defense” sends “TCP RESET” for each login attempt from the tool

CAPTCHA Resistance

Though not supporting JavaScript challenges, a really nice feature that “Sentry MBA” provides is “teseract” OCR (Optical Character Recognition) engine to solve CAPTCHAs. Many CAPTCHA images are succeptible to machine-based solution due to their weak image obscuring effects.

While testing this capability against ASM the tool even failed to recognize the CAPTCHA image as it was “inline” in the HTML page, using the “data” url (i.e. “data:image/png;base64”), instead of loading it as an external resource. Another reason the tool will fail is that ASM CAPTCHA solution is submitted using JavaScript and not as an HTML FORM like the tool expects.

Figure 4: “Sentry MBA” OCR Wizard fails to recognize CAPTCHA issued by ASM

Even when perfroming an isolated test of ASM's issued CAPTCHA image with the teseract OCR engine, it failed to recognize the characters on the image.

Default User-Agent Strings

Besides the high configurability of “Sentry MBA” which allows adopting it to any target website, the properties of the issued HTTP request, such as method, referrer and user-agent headers can be customized as well. The tool ships with default user-agent strings which belong to relatively old browsers and could be used for tool identification and blocking.

  • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
  • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
  • Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
  • Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 (KHTML, like Gecko) Version/3.0 Safari/522.11.3
  • Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00

Figure 5: “Sentry MBA” default user-agent strings

One can see two user-agents containing “Windows NT 5.1” which represents “Windows XP”. Another one is “Internet Explorer” version 7 coupled with “Windows Vista” (NT 6.0) and there is the “Opera” browser user-agent version before the year of 2009.

 

Published Jan 17, 2017
Version 1.0

Was this article helpful?

3 Comments

  • Where this fails miserably is on mobile apps and AJAX/JSON API requests as these do not support JavaScript and as a result ASM simply blindly blocks all traffic. CAPTCHA is also not working here as CAPTCHA image response do not work with JSON/API responses. Further work is needed by the ASM Product Development team to introduce more programmability of ASM features such as Brute Force protection and CAPTCHA in iRules