
User guide

Updated for version 1.1.4


1. Introduction
This is an in-depth guide, updated on an ongoing basis, that covers the usage of
Black Bullet both as a cracker and as a config maker.

Please consider reading this guide if you get stuck or do not fully understand
the usage or purpose of a feature, and contact support only if you did not find
an answer to your question in this guide.

Please also remember that this tool was not coded for the purpose of breaking into
other people’s accounts, so please only use it on servers and accounts you own
or for which you have written permission to test the security against cracking
attacks. Creating this program, for me, is a way to improve my skills as a
developer and contribute to the community that made me learn a lot of what I
know today and made me love website security testing as a whole.
2. Product activation and login
When you buy Black Bullet you will be given a License Key for you to use during
the product activation.

Please mind that a License Key can only be used to activate the program on 1
machine, so in case you want to use it on other machines you will need to buy
another license.
If you change your PC or decide to permanently move to another PC, you can
use the Reset button directly on the new PC before logging in.

When you first open Black Bullet you will see a screen like this

Just enter your desired username, password and the license key you got with
your purchase and click Register.
From now on, every time you open the program you can just press Login.

Note that your username, password and license key are stored in the License.txt
file located in the Settings folder, so if you ever forget them you know where to
find them. That file is also used for autocompleting the login fields.
3. Quick Start
This chapter is intended for those who just want to start using the program right
away with some existing configs.

- First of all head to the Configs option in the main menu.

- After that, click on the Import button.

- You will be prompted to import an existing .ini file (or .enc in case of
encrypted configs). Once your config has been imported, you will see it in
the config manager’s list. Remember that the manager only holds a
reference to the file, so if you delete or move the original file it will not be
able to find it anymore!

- After that, we need a Wordlist. Head to the Wordlists menu option.

- Now click on Add to import a wordlist.


- You will be asked to load the wordlist file and give it a unique name.
Selecting a type and writing a purpose is not required.

- After clicking ACCEPT you will see your wordlist appear in the List Manager.

- If your config requires the use of proxies you should also head to the Proxies
menu option.

- Now click on Import to select your proxies.


- You will be prompted to import the proxies from a file or by copy-pasting
some into a textbox. You also need to specify a type for the proxies.

- Lastly, you might want to check the proxies you just imported, adjust some
settings in the Settings menu option or just head to the Bruteforcer.

- Here you can select a config and a wordlist using the respective Select
buttons.

- Once your config and wordlist are set, adjust the number of bots (it can
range from 1 to 200) and start the Bruteforcer.

- Your hits will be automatically saved in the database and you can view
them and export them from the Hits Database menu option.
4. In-depth look: Menu Options
4.1 Bruteforcer
The Bruteforcer offers several features:
- Set a starting position for your wordlist so you don’t have to restart from the
beginning in case you have to quit the bruteforcing process halfway
through. Every time you abort a Bruteforcer session, the program will add a
record to the database with the position where you left off.
- Set 1 to 200 bots. The bots won’t start at the same time, it will take a bit for
them to all fully initialize so be patient. If you want them to start at the same
time, please head to the Settings tab, check “Bruteforcer Turbo” and click
apply.
Important: Do not set too many bots, especially on slow PCs or when running
heavy / proxyless configs, or the program will eat up your CPU and clog the
PC, requiring a reboot.
- Start / Abort / Hard Abort button.
- List display of the bots status so you can know what they are doing and if
they get stuck on a particular block.
- List display of hits, free accounts and combos to check.
- Console to keep track of the log history of the Bruteforcer.
- Informative panel which keeps track of combo results, proxy statuses and
error codes.
- Possibility to override the default proxy settings for configs.
- You can right click on “To Check” combos and select to view the returned
page source to easily spot issues that you couldn’t find in the debugger.
- When running card:pin lists, the Bruteforcer will automatically skip other pin
tests for the current card if the correct pin has already been found.

4.2 Scheduler
The Scheduler lets you plan a Bruteforcer task list so you don’t have to load
another config / wordlist pair every time the previous one has finished, leaving
dead periods of time in between and reducing efficiency.
In order to add a Task just click the Add Task button and set its parameters
(config, wordlist and amount of bots).
When you think your Task List is complete, Start the Scheduler and it will run the
tasks one after another in the Bruteforcer, putting a little green tick near the
completed ones.
Notice that during this process all buttons except the Stop button will be
disabled to ensure that the tasks are not edited while the scheduler is running.
4.3 Proxies
In the proxy manager you can Import, Export and Check proxies.
Once you imported the proxies with their correct type, you can test them by
setting a website and a Source Success Keyword. This means that if the proxy
finds that keyword in the body of the webpage, the test is considered
successful and the proxy is marked as good.

Proxies are also tested for their country and ping, and you can sort the list to see
all the proxies with ping 0 (not working) and easily select and remove them with the
“Delete Not Working” button on the right.
Proxies are stored inside the local database file and are used for every config
that requires proxies (if the config default is not overridden in the Bruteforcer).

4.4 Wordlists
The List Manager allows you to quickly see the size of your wordlists (# of
combos), their type (username / password, email / password, gift cards etc.)
and their purpose so you can pick the best one for your config’s needs.
Remember that the wordlists are stored in the database by reference, so if you
move or delete the old file you will have to delete the old entry and add it
again.

4.5 Configs

4.5.1 Manager
In the manager you can import one or more configs, create a new config, see
the Overview of a selected config and finally load it into Stacker.
Remember that the configs, just like wordlists, are stored by reference in the
database to allow for quick on-the-fly edits to the code without even opening
the program. For this reason if you move or delete a config file you will have to
delete its entry and import it again.

4.5.2 Stacker
See the Config Creation chapter.
4.5.3 Other Options

Here you can set options regarding proxies and combos (for example if the site
requires all users to have passwords with at least 1 digit or uppercase letter). It
also contains information regarding the config itself like its name, author and
other useful things that Bruteforcer users might want to know like the suggested
amount of bots, the type of combos accepted by the site and if captcha
solving is present.
DO NOT FORGET to save your config after the edits or you will lose all the hard
work you put into creating it!

4.6 Hits Database


From the Hits Database you can view and export your premium / free / to
check combos. There is a useful timestamp to see when the combo was tested
and of course the captured data.

Before exporting the hits you should configure your Export Format

You can use the keywords (in all capital letters and with angle brackets):
<TYPE>
<CONFIG>
<FIRSTURL>
<TIMESTAMP>
<COMBO>
<CAPTUREDDATA>

Those special keywords will be replaced with the corresponding database
columns, while any other character will be outputted normally.

4.7 Tools

4.7.1 Giftcard List Generator


Here you can output lists of numbers or number:pin to be used with your gift
card configs. You can put a starting number and an amount and the program
will add 1 to the starting number as many times as the amount you specified.
You can also check if the cards are valid via Luhn algorithm so only those will
be in the output.

Important: If you need to generate pins too, please only generate a small
number of cards, since for each card there will be 10^N outputs, where N is the
number of digits in the pin.
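The Luhn check mentioned above, written out as an added Python example (not Black Bullet's own code): it normalizes a candidate number, applies the standard mod-10 rule and reports whether the number passes, so you can see exactly which numbers the "valid via Luhn" filter keeps and which it drops.

```python
def luhn_checksum(digits: str) -> int:
    """Return the Luhn sum modulo 10 for a string of decimal digits.

    Walking from the rightmost digit, every second digit is doubled and,
    if the result is two digits, 9 is subtracted (equivalent to adding
    the two digits). A number is Luhn-valid when the result is 0.
    """
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def normalize(number: str) -> str:
    """Strip the separators commonly found in card-like numbers."""
    return "".join(ch for ch in number if ch not in " -")


def luhn_valid(number: str) -> bool:
    """True if `number` (digits, optionally with spaces/dashes) passes Luhn.

    Anything that is empty or contains non-digits after normalization is
    rejected rather than raising, so the check is safe on untrusted input.
    """
    digits = normalize(number)
    if not digits or not digits.isdigit():
        return False
    return luhn_checksum(digits) == 0


if __name__ == "__main__":
    # Constructed sample: the textbook Luhn example and a corrupted copy.
    for candidate in ("79927398713", "7992 7398 710", "not-a-number"):
        print(candidate, "->", "valid" if luhn_valid(candidate) else "invalid")
```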
4.8 Settings
Here you can set some global proxy settings that will be applied to any config
that runs in the Bruteforcer and the list of global ban keys for proxies (very useful
when using free proxies that often block websites through captive portals).
You will need to edit the list externally and then reload it through the related
button. Global Ban Keys are always checked BEFORE Keychains.
Last you can set up your API keys for the different available Captcha Solving
Services and set the one you want to use every time a config asks for a
captcha solve.
You can also find settings for sounds, themes and other utilities like logging,
setting the recommended amount of bots automatically and showing the HEX
bytes of the response body (very useful when it’s encrypted).
Please remember to apply your settings or they won’t be saved.

4.9 About
A couple words you might want to read.
5. Stacker guide for Config Creators
Stacker is the block list editor for Black Bullet configs and you need to learn how
to use it if you want to make your own custom configs.

If you prefer video tutorials I have some on my channel with walkthroughs on
how to make configs from a beginner level to advanced ones.

Stacker mainly consists of 3 parts:

The stack
This is where all your blocks are displayed. Blocks are executed in order from the
top to the bottom of the stack and you can click on them to edit their settings.
You can add and remove blocks, move them up and down in the stack and if
you right click on them you can enable / disable them or duplicate them.
You can also resize them with the handy slider if they don’t all fit in the screen.
A very useful thing to do is to change the label of your blocks so you don’t
forget what they do and you can easily understand the flow of the config when
you take a glance at the stack.

Block Info
This is where you can edit the settings of each block. Each block has different
settings you need to set up if you want it to work correctly. Different block types
are covered in sections 5.x of this guide.
Debugger
This is what really makes Stacker a fantastic config making framework. The
debugger gives you the ability to test your blocks, all together or step by step,
right as you are building your stack! This way you can easily see the server’s
responses and all the variables and captured data and spot any error quickly.
The debugger offers 3 tabs:
- Data: lets you see the overall status of the test and the variables / captured
data you parsed.
- Complete Log: This is where you can see everything that happens when
executing your stack, all colored and divided into sections block by block.
- HTML View: This can help you easily see if you landed on the correct page
without having to look at a hundred lines of code and easily get failure /
success / … keys from the page.
In order to use the debugger correctly you will need to provide a Test Combo
and a Test Proxy (only needed if the config needs proxies, you can enable or
disable the proxy with the checkbox right next to the “Test Proxy” textbox).
Before covering the blocks, let’s take a look at some key concepts:

BOT STATUS
Every bot (in debugger there is only one but in Bruteforcer there can be more)
starts off with a NONE status. This status can then be manipulated via KEY
CHECK blocks or even other blocks.
If the status is NONE or SUCCESS the program will keep executing the blocks in
the stack in sequential order.
If the status is FAIL, BAN, FREE, RETRY or ERROR the program will stop executing
the stack.

If the bot reaches the end of the stack with the NONE status, the combo will be
marked as “To Check”.

The ERROR status is caused by failure in blocks and acts the same way as a BAN
but notifies you that the config might need some adjustments.

VARIABLES
Variables can be set by parsing via the Parse Block or by using the Function Block,
and they let you store any kind of data you want to use later. They can be
manipulated through functions and used everywhere you need. To define a
variable just give it a name; I tend to prefer all-caps names without spaces in
them, like
TOKEN
You can then use this variable in almost any textbox inside the blocks by typing

<TOKEN>
This means the program will replace every instance of the string <TOKEN> with
the value stored inside the variable TOKEN.

CAPTURED DATA

Only captured data is shown to the user when they get a hit with your config.
You also cannot use captured data in the blocks like you can do with variables.

FIXED VARIABLES
There are some variables that are always present:
<USER> - Replaced with the username / GC code of your combo
<PASS> - Replaced with the password / GC pin of your combo
<ADDRESS> - Replaced with the destination address after redirects
<STATUS> - Replaced with the status of the bot
<SOURCE> - Replaced with the response source
<BYTES> - Replaced with the response source as HEX bytes
<RESPONSECODE> - Replaced with the HTTP response code
<COMBO> - Replaced with the unparsed combo
<PROXY> - Replaced with the proxy in use in host:port format

Now let’s take a look at the different block types that are provided by default
in the kit.

5.1 Request
This is the most elementary block and the one that’s needed in every config,
often in multiple instances.

You can set a target URL and a method. If the method needs some Content
(e.g. POST) you also need to set the POST data that will be sent in the request
body.
You can also set custom cookies and headers (some headers are fixed
because they need to be present in every request; Content-Type is only
needed in POST requests, so it is disregarded in GET requests).

You can also edit fixed required headers and set custom cookies / headers.
Remember you can use variables everywhere you want in here and they will be
replaced with the corresponding value.
If the site cannot be reached within the timeframe set in the settings (20
seconds by default) the bot status will be marked as ERROR.

If the site sets cookies in the middle of redirects you will need to uncheck the
“Auto Redirect” checkbox and do the redirects manually by parsing Location
headers and using them as URL in the next request. This is to ensure all cookies
are saved.

5.2 Basic Auth


This block automates the very easy task of logging into the so-called popup
login sites, a quite old form of authentication that is still used by some websites.
There is not much to explain here apart from the fact that you need to set the
URL you want to call in the Block Info. Only HTTP proxies are supported here!
5.3 Key Check
This is another very important block. Without this we would never know if a test
has been successful or not.

The Key Check block can be filled with Keychains.

Keychains hold individual keys and they are processed in a sequential fashion
(from Keychain #1 to Keychain #N) so the last one can override any state set
by previous Keychains. They can have two modes (AND and OR mode) which
define if all the keys inside the keychain need to be present or if a single one of
them can trigger the keychain verification.
The Keychains can have multiple results:

- Success
- Failure
- Ban (when a captcha appears on the page or the site blacklists your IP)
- Retry (for example when the server returns a 503 error)
- Free (use it for free accounts, for example when the key is quota=0)
Inside the Keychains, we can set individual Keys.

Regular keys can become NOT keys (by checking the box) which means they
trigger if the key value is NOT present in the target field.
You can also tick the MATCH checkbox which will trigger the key if the target
field matches exactly the key string you defined.
The target field can be the Status Code, a Header, a Cookie, the Source (it’s
the most common option), the address, the raw HEX bytes or even a Variable.
If no keychain has been triggered during the block execution, the bot’s status
will remain NONE. You can activate the option to set the status to BAN when
this happens. This completely prevents any “To Check” combo from appearing in
the Bruteforcer screen, as all the To Check combos will be retried with a
different proxy.
5.4 Parse
This is the block you want to use to capture data or get a string (e.g. a CSRF
token) from the page and store it in a variable to use it in a later request.

It provides different parse targets, a textbox to set the name of your Variable or
Captured Data, some prefix / suffix to add to your data and some target-
specific settings.

When the “is capture?” box is ticked, the parsed data is stored inside the
captured data instead of a variable.
There are different modes that are currently supported and each one of them
can be useful in different situations. Most can also be used recursively by ticking
the “Recursive” checkbox.

More information about the parsing modes is provided at the bottom of the
Block Info when a mode is selected.
5.5 Function
The function block provides a collection of functions, selectable from a
dropdown menu, to manipulate data and store it into variables or captured
data.
For example:

As you can see, the function “Hash” with the option “SHA512” is executed on
the input <PASS>SALT123 (where <PASS> has been replaced with the actual
password from the current combo) and its result is stored in the variable HASH,
which can be later used as <HASH> in future requests or function calls.

More information on each individual function is provided inside the Block Info
when you select a function.
A special function that we will cover here is the Jump function.

Thanks to this function you can redirect the flow of the stack and jump to a
target block. With this function you can replicate if / else, for and while loops in
an assembler-like fashion that allows you to implement complex code in your
configs.
5.6 Recaptcha
This block allows you to solve a reCaptcha challenge on a given webpage by
using the Captcha Solving Service that has been set up in the settings.

The Captcha Solving Service API will be called with the given URL and Google
Site Key and the block will wait for the g-recaptcha-response data. When
successful, the response will in this case be stored in the variable (in the picture
it will be RECAP) and can later be used in future requests.
The block will also show the current balance when running it in the debugger so
you can check if there is enough balance in the account before running a
combo in the Bruteforcer.
You can use the Auto button to try and get the Site Key automatically from the
page. Always double-check when using this feature. If it doesn’t work, look for a
request to Google’s userverify API for ReCaptcha where the Site Key is sent as a
GET parameter.

5.7 Captcha

Lets you download a captcha image from a specified URL and upload it to a
Captcha Solving Service API to get back the plaintext response that you can
use in your requests.
If you parsed the base64 data of the Captcha image from the page you can
use it by using the variable in the Captcha URL box and ticking the “Base 64 in
URL box” checkbox.
The downloaded Captcha images are stored in the Captchas folder so you
can check if anything goes wrong by looking at what happens in that folder.
5.8 OCR
[WORK IN PROGRESS]

5.9 RAW HTTP

This block is intended for people who know how HTTP requests work and want
complete control over the shape of their requests.
Proxies are supported but SSL is not supported yet as of version 1.1.4.
5.10 Automatic

This is not a proper block but it will try to automatically set some REQUEST and
PARSE blocks and fill them with the correct data you need to make a config for
simple sites. Please always double check everything since this is still
experimental.

6.0 Future Plans


I will continue to update Black Bullet by releasing bugfixes and adding new
features.

I’m planning to:


- Add a built-in combo suite to quickly edit combos (e.g. remove duplicates,
remove non-US emails, join or split files …)
- Add a built-in proxy scraper.
- Add a built-in combo scraper.
- Add a brand new config making system specifically for Selenium-driven
cracking.
