Default User Agents in Sentry MBA (Credential Testing)
Sentry MBA is THE tool of choice for credential testing (stuffing). Feed it a list of accounts/credentials, a list of proxy IPs to route traffic through, the login page(s) of the site to be attacked, and you are pretty much ready to go.
Last week, in a demonstration of this lovely product, we were shown the list of default user agents the tool passes in its latest version. These are configurable, of course, though many users will not bother to change them.
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 (KHTML, like Gecko) Version/3.0 Safari/522.11.3
Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00
Note the following, per the presenter:
IE 7 – This isn’t a real agent.
IE 8 – This isn’t a real agent.
Firefox 3.0.11 – Real, but REALLY old.
Safari 3 on Windows – Real but really old and who uses Safari on Windows...
Opera – This isn’t a real user agent. There was no version of Opera that actually used this exact agent string, so you can exact match on this.
Given a surge in reported stuffing activity over the past few weeks across many FIs (financial institutions), consider a rule watching for these agents if you feel there are gaps in detection. The syntax would be something like this:
(agent==('Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00')
|| agent==('Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11')
|| etc...can use contains (~) as well to open up the rule on partial string matching...)
NOTE: Have not tried this in a production environment, so treat as a test and monitor closely. Be sure to use a dedupe register.
Can also look for these in Search, but likely will need to use contains (~), as agent is usually an indexed key and there's a known limitation for exact matches on it.
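To show what the rule above does when run over web server logs, here is an added example in Python (not code from the post, and not an RSA Web Threat Detection rule). It assumes Apache/nginx combined log format, a login endpoint at /login, and a constructed sample log with RFC 5737 documentation addresses; the "contains (~)" fragments are this example's own choice of distinctive substrings from the listed agents. The Firefox 3.0.11 agent is matched on its Gecko build/version tail rather than the full string, so the rv: token is irrelevant to the match. Alerts are deduplicated per (source IP, match type), which is the dedupe register the post asks for, while a separate counter keeps the hit volume per IP.

```python
import re
from collections import Counter
from typing import Iterable, Optional

# Default Sentry MBA user agents listed in the post, used for exact (==) matching.
# The Firefox 3.0.11 string is matched on its distinctive tail instead (see below).
EXACT_AGENTS = frozenset({
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; "
    ".NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET CLR 1.1.4322; "
    ".NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 "
    "(KHTML, like Gecko) Version/3.0 Safari/522.11.3",
    "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00",
})

# Fragments for the looser "contains (~)" form of the rule. Assumption: these
# substrings are specific enough to the listed agents to be near-zero noise on
# a modern site (the .NET CLR tokens are deliberately not used, since real IE
# agents carry them too).
CONTAINS_FRAGMENTS = (
    "Gecko/2009060215 Firefox/3.0.11",
    "Presto/2.2.0 Version/10.00",
    "AppleWebKit/522.11.3",
)

# Apache/nginx combined log format: ip ident user [ts] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def classify_agent(ua: str) -> Optional[str]:
    """Return "exact" or "contains" if ua matches a Sentry MBA default, else None."""
    if ua in EXACT_AGENTS:
        return "exact"
    if any(fragment in ua for fragment in CONTAINS_FRAGMENTS):
        return "contains"
    return None


def scan(lines: Iterable[str], login_path: str = "/login"):
    """Run the rule over combined-format log lines.

    Returns (alerts, hits): one alert per (source IP, match type), i.e. the
    dedupe register, plus a per-IP hit counter so analysts can see volume.
    """
    seen = set()
    alerts = []
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a combined-format line; skip rather than crash
        request = m["req"]
        # Credential testing is POSTs at the login endpoint; ignore everything else.
        if not request.startswith("POST ") or login_path not in request:
            continue
        kind = classify_agent(m["ua"])
        if kind is None:
            continue
        hits[m["ip"]] += 1
        key = (m["ip"], kind)
        if key in seen:
            continue  # already alerted on this IP for this match type
        seen.add(key)
        alerts.append({"ip": m["ip"], "match": kind, "ua": m["ua"], "first_seen": m["ts"]})
    return alerts, hits


# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jan/2024:10:00:01 +0000] "POST /login HTTP/1.1" 401 512 "-" '
    '"Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00"',
    '203.0.113.10 - - [01/Jan/2024:10:00:02 +0000] "POST /login HTTP/1.1" 401 512 "-" '
    '"Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00"',
    '203.0.113.11 - - [01/Jan/2024:10:00:03 +0000] "POST /login HTTP/1.1" 401 512 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11"',
    '198.51.100.5 - - [01/Jan/2024:10:00:04 +0000] "GET /login HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36"',
    '198.51.100.6 - - [01/Jan/2024:10:00:05 +0000] "POST /login HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36"',
]

if __name__ == "__main__":
    found, counts = scan(SAMPLE_LOG)
    for alert in found:
        print(f"{alert['ip']} {alert['match']:8} hits={counts[alert['ip']]} ua={alert['ua']}")
```

On the sample log this raises two alerts (one exact match on the Opera agent, one contains match on the Firefox agent) and leaves the two Chrome lines alone; the second Opera line only increments the hit counter because the dedupe register already holds that IP. Swapping EXACT_AGENTS for CONTAINS_FRAGMENTS in production is the same trade-off the post describes: partial matching is more tolerant of whitespace or encoding differences at the cost of more false positives, so start with exact matches and widen only after reviewing the hits.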
Please share any results or feedback if you look at this!
- RSA Web Threat Detection
- Rules Library