While digging for potentially useful tools, I came across Cr3dOv3r, a tool that checks for password reuse across 15 different sites. When white hat hackers conduct a pentest, it is typical for them to find reused passwords that allow them to SSH into other systems belonging to the target/client. Typically, hackers only report the valid logins they found when writing up the password-reuse issue. I think this tool could be very beneficial to hackers when writing reports, as it gives them a quick way to test multiple sites for the same reused password that let them log in to the other hosts.
This tool is very simple to use and is very straightforward, which we can all appreciate as a tool like this doesn’t need to be super in-depth. First, I am going to go over installing and getting it to run.
git clone https://github.com/D4Vinci/Cr3dOv3r.git
cd Cr3dOv3r
python3 -m pip install -r requirements.txt
To use the tool, the only command you need to run is python3 Cr3d0v3r.py <email>.
The first thing the tool does is check whether the email address appears on Haveibeenpwned; after that it asks the user for the password and then checks whether that password can be used to log in to the sites it supports.
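The breach lookup is the defensive half of the workflow described above. As an added example (not code from Cr3dOv3r or its author), the block below implements the k-anonymity range check used by Haveibeenpwned's companion Pwned Passwords service: only the first five hex characters of the password's SHA-1 are sent, and the remaining 35 are matched locally, so neither the password nor its full hash leaves the machine. The `RANGE_URL` endpoint and the `SUFFIX:COUNT` response format are the real HIBP ones; the sample response and the `fake_fetcher` stub are constructed so the example runs offline, and the breach count in the sample is made up.

```python
"""Added example: k-anonymity breached-password check in the style of the
Have I Been Pwned "Pwned Passwords" range API. Not part of Cr3dOv3r."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the range API keys on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, skipping junk lines."""
    result = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        try:
            result[suffix.strip().upper()] = int(count)
        except ValueError:
            continue  # tolerate padded or malformed lines
    return result


def fetch_range(prefix: str) -> str:
    """Live fetcher: asks HIBP for every suffix sharing this 5-char prefix."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "example-reuse-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetcher=fetch_range) -> int:
    """Return how many times the password appeared in breaches (0 = not seen).

    Only the prefix goes to the fetcher; the suffix match happens locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    table = parse_range_response(fetcher(prefix))
    return table.get(suffix, 0)


# --- constructed sample data so the example runs offline -------------------
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so the
# prefix is 5BAA6. The counts and the other two suffixes are made up.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
"""


def fake_fetcher(prefix: str) -> str:
    """Stand-in for fetch_range: returns the constructed range for 5BAA6,
    and an empty range for any other prefix."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple xyz"):
        n = breach_count(candidate, fake_fetcher)
        status = f"seen {n} times in breaches" if n else "not in sample data"
        print(f"{candidate!r}: {status}")
```

Swap `fake_fetcher` for the default `fetch_range` to query the live service; a password that comes back with a non-zero count is one an attacker can already find in a wordlist, which is exactly the kind of credential that should not be shared across accounts.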
I believe this tool could be very informative to anyone trying to assess the security of their different accounts. It is also useful for hackers, as they typically only show the systems they were able to get into. If they were to run this tool with the password that got them into the other systems, they could save time and cover more ground, showing their clients/targets the vulnerability created by reusing passwords and the impact it can have. The more information hackers can provide to their clients, the better chance they have of securing those clients. Hopefully, this will also encourage employees at corporate companies to stop reusing passwords, as doing so introduces a whole new attack surface to the company. I hope this tool is a useful addition to your arsenal for your future pentest adventures!
Clayton Wolfgang & Zablon Shewangziaw