OpenBullet is an open-source penetration-testing tool designed for web testing. In the hands of an ethical hacker it is used to stress-test login forms and API endpoints. In the hands of a malicious actor (a "cracker") it becomes a weapon for credential stuffing.
How it works: OpenBullet automates the process of taking thousands or millions of username/password combinations and throwing them at a website (like Netflix, Spotify, or a bank) as fast as possible.
It uses "Configs" (configuration files) that tell the software how to talk to a specific website: where to put the email, where to put the password, and what text to look for in the response to decide whether the login worked ("Success") or failed ("Fail").
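Because a config drives one login endpoint through many different username/password pairs, the pattern a defender sees in the authentication log is a single source cycling through an unusually large number of distinct accounts with mostly failures. The following added example (not code from the page or from the OpenBullet project) flags that pattern over constructed sample log lines; the log format, field names, thresholds and IP addresses are assumptions chosen for illustration.

```python
"""Added example: flag credential-stuffing activity in constructed auth logs.
The log format, thresholds and addresses below are assumptions, not anything
from the original page or from OpenBullet itself."""
from collections import defaultdict
import re

# Constructed sample log lines (not from any real system). Assumed format:
# <timestamp> ip=<source> user=<login name> result=<OK|FAIL>
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.7 user=carol result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.7 user=dave result=OK
2024-05-01T10:00:03Z ip=203.0.113.7 user=erin result=FAIL
2024-05-01T10:00:04Z ip=203.0.113.7 user=frank result=FAIL
2024-05-01T10:00:10Z ip=198.51.100.2 user=alice result=FAIL
2024-05-01T10:00:15Z ip=198.51.100.2 user=alice result=FAIL
2024-05-01T10:00:20Z ip=198.51.100.2 user=alice result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Yield (ip, user, result) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ip"), m.group("user"), m.group("result")


def detect_stuffing(events, min_distinct_users=5, min_fail_ratio=0.8):
    """Return {ip: stats} for sources whose behaviour looks like credential stuffing.

    A stuffing run is one source trying many different accounts with mostly
    failures. A user mistyping their own password touches one account only,
    so it is not flagged even if every attempt fails.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0, "hits": set()})
    for ip, user, result in events:
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if result == "FAIL":
            s["fails"] += 1
        else:
            # Accounts the suspicious source actually logged into: these are the
            # ones to force a password reset and session revocation on.
            s["hits"].add(user)

    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "attempts": s["attempts"],
                "fail_ratio": round(ratio, 2),
                "compromised_candidates": sorted(s["hits"]),
            }
    return flagged


def analyze(text=SAMPLE_LOG):
    """Run the detector over a log text and return the flagged sources."""
    return detect_stuffing(parse_log(text))


if __name__ == "__main__":
    for ip, stats in analyze().items():
        print(ip, stats)
```

On the sample above only 203.0.113.7 is flagged (six distinct accounts, five failures out of six attempts), and its one successful login is surfaced as an account to reset; the second source repeatedly failing on a single account is left alone. In production the same counts would be kept per sliding time window and per user-agent or ASN as well as per IP, since stuffing runs are normally spread over proxies.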
grep -v ":$" combo.txt   # drop combo lines whose password field (after the colon) is empty
The era of simple user:pass is ending. Modern OpenBullet 2.0 supports proxyless APIs and JWT token parsing. The next generation of OpenBullet wordlist will look like:
{"email":"user@site.com","pass":"123","2fa_token":"000000"}
This is JSONL (JSON Lines): one JSON object per line. As 2FA becomes standard, traditional wordlists die. The new focus is on session cookie wordlists and refresh token wordlists.
To stay relevant, you must learn to scrape session cookies from malware logs (with legal authority) rather than just passwords.
Lists generated by the user using tools like OpenBullet itself (using a "Checker" config to generate a "Combo" config). This involves scraping valid emails from a site and then checking them.
Even if the OpenBullet wordlist contains the correct password, MFA stops the attack cold (provided the site is not susceptible to MFA fatigue).