Requirements:
1) Modules: requests, numpy
2) Python version 3.6 or higher
pip3 install -r requirements.txt
This tool was built in order to help PenTesters carry out credential stuffing attacks, or for SysAdmins/Internal Security Teams to monitor who in their company is vulnerable to such attacks.
The help page (-h or --help) gives all the details needed to properly utilise this tool, as shown below.
If using the list generated by the -w/--wordlist switch with BurpSuite, take the following steps:
- Use attack type: pitchfork
- Paste the full wordlist of "username:password" entries into both payload sections
- Set a payload processing rule of "Match/Replace".
- For the username payload, set the regex to :(.*)
- For the password payload, set the regex to ^[^:]+:\s*
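
The two regexes above can be checked offline before a list is loaded. The sketch below is an added example, not part of this tool: it applies both patterns to constructed sample lines and flags entries the rules would leave unsplit. It assumes the Match/Replace rule substitutes an empty string; the function names and sample data are hypothetical.

```python
import re

# Patterns copied from the payload processing steps above.
USERNAME_RULE = re.compile(r":(.*)")       # strips the first ':' and everything after it
PASSWORD_RULE = re.compile(r"^[^:]+:\s*")  # strips the username, the ':' and any whitespace


def apply_rules(line):
    """Return (username, password) as the two payload positions would see them.

    Assumption: each match is replaced with an empty string.
    """
    return USERNAME_RULE.sub("", line), PASSWORD_RULE.sub("", line)


def check_wordlist(lines):
    """Split each line and collect the ones the rules would mangle."""
    pairs, rejected = [], []
    for raw in lines:
        line = raw.rstrip("\r\n")
        user, password = apply_rules(line)
        # With no ':' or an empty username, one or both rules do not match,
        # so the whole unsplit line would be sent as a payload.
        if ":" not in line or not user or password == line:
            rejected.append(line)
            continue
        pairs.append((user, password))
    return pairs, rejected


# Constructed sample entries (not real credentials).
SAMPLE = [
    "alice@example.com:Summer2019",
    "bob@example.com: pass:with:colons",  # colons inside the password survive
    "carol@example.com",                  # no separator
    ":orphan-password",                   # empty username
]

if __name__ == "__main__":
    good, bad = check_wordlist(SAMPLE)
    for user, password in good:
        print(f"{user!r} -> {password!r}")
    print("rejected:", bad)
```

Both rules cut at the first colon, so passwords containing colons stay intact, while whitespace directly after the separator is dropped by the password rule.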
NB: If passing solely the domain, do not put the '*@' in front of it, as this may break the searches.