Lab 3: Human Like Automation

Run this lab from the JUMPHOST

In this test we will replicate a more “human like” automation that fully renders the page (including its JavaScript) by remotely controlling the Chrome browser, rather than sending raw HTTP requests.

  1. Launch OpenBullet from the desktop.

  2. Navigate to Configs -> Manager -> New. Give it the name “Human Credential Stuffing” and click Accept. Double-click the new item to edit it.

lab001

  1. Add a new BROWSER ACTION block. The default action of OPEN is all we need.

lab002

  1. Add a new NAVIGATE block. Configure URL as http://namespace.lab-sec.f5demos.com/user/vipsignin

lab003

  1. Now we will find the Username and Password fields and inject text into them. The field IDs or Names can be found in the HTML of the site, but they are provided in the following steps.

  1. Add a new ELEMENT ACTION block. Under Find Element, set Element By to ID with the value email (case sensitive). For Action choose SENDKEYSHUMAN and for the INPUT enter <USERNAME>.

lab004

  1. Add a new ELEMENT ACTION block. Under Find Element, set Element By to ID with the value password (case sensitive). For Action choose SENDKEYSHUMAN and for the INPUT enter <PASSWORD>.

lab005

  1. Add a new ELEMENT ACTION block. Under Find Element, set Element By to ID with the value password (case sensitive). For Action choose SUBMIT.

lab006

  1. Add a new BROWSER ACTION block. For the Action choose DOMtoSOURCE. This copies the rendered page source from the browser into the local <SOURCE> variable, so that later blocks can inspect it.

lab007

  1. Next we want to identify when the login was successful and capture the secret word.

  2. Add a new KEY CHECK block. Click the Keychain + button twice to create two Keychains, then click the Key + button once in each. The first Keychain determines success: enter Login Successful in the indicated field, so the page source is searched for that string. The second Keychain is used for failure: change its type to FAILURE and enter Incorrect Details in the indicated field.

lab008

  1. Add a new PARSE block. Configure Var/Cap Name as “SECRET” and tick “IS CAPTURE”. For the Left String use SECRET !!! and for the Right String use !!! so that the text between them is captured and saved to the log during an attack. Ensure your configuration is SAVED.

lab009

  1. Let's test our configuration. Fill in the credentials john.smith@nobody.com:test123 in the DATA field and ensure Credentials is the selected method. Now hit Start. A new Chrome window should open and we can watch the bot work its magic. Close the browser manually once it completes.

lab010

  1. Now it's time to run a large credential stuffing attack!

  2. Switch to the RUNNER menu. Choose NEW and click on the entry to edit it.

  3. Click SELECT CFG and choose the configuration we just created, Human Credential Stuffing. Click SELECT LIST and choose LAB2, then hit START and watch the attack begin. Leave the number of bots set to 1, as multiple browsers may make the system slow. If you need to rerun the test, reset the start count to 1 (this setting is used when you have a very long credential list).

lab011

  1. Now you can see the attack running in real time on the left-hand side, and the right-hand side will show any successful attempts. This will also bring up the Chrome window so you can watch. (Chrome could be run in headless mode if desired.)

lab012

  1. Additionally, we can go to the Distributed Cloud dashboard outside of the RDP Jumphost. Click on Web App & API Protection, then Dashboards, then Security Dashboard. Scroll down and select <namespace>-lb under Load Balancers, and explore using the Bot Defense tab at the top right of the dashboard.

lab013
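The dashboard shows what Bot Defense saw; as an added, defender-side example that is not part of the lab or of the OpenBullet or F5 tooling, the following Python shows the pattern this run leaves in an ordinary access log for the lab's /user/vipsignin endpoint: many distinct usernames and a high failure ratio from one client. The log format and all sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the lab). Assumed format: client IP,
# quoted request line, HTTP status, and the submitted email for the login
# endpoint ("-" when no form was posted).
SAMPLE_LOG = """\
198.51.100.7 "POST /user/vipsignin HTTP/1.1" 401 user=alice@example.com
198.51.100.7 "POST /user/vipsignin HTTP/1.1" 401 user=bob@example.com
198.51.100.7 "POST /user/vipsignin HTTP/1.1" 401 user=carol@example.com
198.51.100.7 "POST /user/vipsignin HTTP/1.1" 200 user=john.smith@nobody.com
198.51.100.7 "POST /user/vipsignin HTTP/1.1" 401 user=dave@example.com
203.0.113.9 "POST /user/vipsignin HTTP/1.1" 401 user=erin@example.com
203.0.113.9 "POST /user/vipsignin HTTP/1.1" 200 user=erin@example.com
192.0.2.44 "GET /user/vipsignin HTTP/1.1" 200 user=-
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) user=(?P<user>\S+)$'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_stuffing_sources(log_text, login_path="/user/vipsignin",
                          min_distinct_users=3, min_failure_ratio=0.6):
    """Flag client IPs whose POSTs to the login path look like credential
    stuffing: many distinct usernames with mostly failed logins. A human who
    retries their own password repeatedly uses one username and is not flagged.
    Accounts that did log in from a flagged source are listed for follow-up."""
    per_ip = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                  "users": set(), "hits": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        s = per_ip[rec["ip"]]
        s["attempts"] += 1
        s["users"].add(rec["user"])
        if rec["status"] == "200":
            s["hits"].add(rec["user"])
        else:
            s["failures"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and ratio >= min_failure_ratio:
            flagged[ip] = {"attempts": s["attempts"], "distinct_users": len(s["users"]),
                           "failure_ratio": round(ratio, 2), "compromised": sorted(s["hits"])}
    return flagged
```

Running `find_stuffing_sources(SAMPLE_LOG)` flags only 198.51.100.7 and names the one account that authenticated from it, which is the list a responder would use for forced password resets.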

End of Lab 3: This concludes the overall lab, feel free to review and test the configuration. Closing presentation and remarks will begin shortly.

labend