credmap: The Credential Mapper
It is not uncommon for people who are not experts in security to reuse credentials on different websites; even security-savvy people occasionally reuse credentials. For this reason "credmap: The Credential Mapper" was created, to help raise awareness of the dangers of credential reuse. Credmap takes a username and/or e-mail and a password as input and attempts to log in to a variety of known websites to verify whether these credentials have been reused on any of them.
To get started, you will need Python 2.6+ (previous versions may work as well, though I haven't tested them):
- Python 2.6+
- Git (Optional)
The next step is to download the project.
In order to do so, you can clone credmap from the repository hosted on GitHub (recommended):
git clone https://github.com/lightos/credmap.git
or download the ZIP file directly from
The reason cloning the project from the git repository is recommended over downloading the ZIP file is mainly that you will later be able to use the --update feature, which runs a git pull to fetch the latest version (a ZIP download has no repository to pull into).
Running the program
To run credmap, simply execute the main script "credmap.py".
$ python credmap.py -h
Figure 1: credmap's help menu.
Figure 1 illustrates all of the options that credmap supported at the time of writing. It has almost all of the features one would expect from a web penetration testing tool. However, certain options aren't displayed in the help menu, as they are already pre-configured individually for each website in the XML files located in the "websites" folder.
To start testing, a username and/or e-mail and a password are required. These can be specified with the --email, --username and --password arguments, or through the --load argument, which loads a file containing credentials separated by a colon (user:password).
python credmap.py -u credmaptool -e [email protected]
Figure 2: credmap begins testing different sites with the provided credentials.
If further information is required for each HTTP transaction, the verbosity level can be raised to 1, 2 or 3. Verbosity level 1 shows the CSRF token whenever it is fetched, verbosity level 2 shows information about the HTTP request, and verbosity level 3 shows the entire HTTP response, including the HTML.
python credmap.py --load credentials.txt -vvv
The configuration for each website is stored under the "websites" folder in individual XML files. The --list argument prints all websites available for testing. Filtering is also possible, by excluding certain websites or testing only certain ones. To exclude websites from testing, pass them to the --exclude parameter as comma-separated values. To test only certain websites, pass them to the --only argument, again as comma-separated values.
python credmap.py --load credentials.txt --exclude example1.com,example2.com,example3.com
Figure 3: An example of an XML file with the required entries to login to Twitter.
As seen in Figure 3, adding a website is usually pretty straightforward. For a brief description of all the possible options that can go in an XML file, check out credmap's wiki.
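To make the per-website flow concrete (fetch the login page, pull out the CSRF token, fill the form fields from the XML definition, post, and decide from the response whether the credentials worked), here is an added, self-contained walk-through. It is illustration code, not credmap's own source, and the element names in the XML below (site, login_url, csrf, fields, success, failure) are an assumed, simplified schema, not credmap's real format; consult the wiki for the actual options. It is written for Python 3 and runs offline against a constructed login page and constructed responses, so no site is contacted.

```python
"""Offline walk-through of the per-website login check a credential mapper
performs.  Added illustration, not credmap's code.  The XML element names
(<site>, <login_url>, <csrf>, <fields>, <success>, <failure>) are an ASSUMED
simplified schema, not credmap's real format.  Everything below runs offline
against constructed HTML; no HTTP request is made.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed site definition in the assumed schema (see module docstring).
SITE_XML = """
<site name="example.com">
  <login_url>https://example.com/login</login_url>
  <csrf regex='name="authenticity_token" value="([^"]+)"' field="authenticity_token"/>
  <fields>
    <field name="session[username]" value="{username}"/>
    <field name="session[password]" value="{password}"/>
  </fields>
  <success>Sign out</success>
  <failure>The username and password you entered did not match</failure>
</site>
"""


def load_site(xml_text):
    """Parse one site definition into a plain dict."""
    root = ET.fromstring(xml_text)
    csrf = root.find("csrf")
    return {
        "name": root.get("name"),
        "login_url": root.findtext("login_url"),
        "csrf_regex": csrf.get("regex") if csrf is not None else None,
        "csrf_field": csrf.get("field") if csrf is not None else None,
        "fields": [(f.get("name"), f.get("value")) for f in root.find("fields")],
        "success": root.findtext("success"),
        "failure": root.findtext("failure"),
    }


def extract_csrf(site, login_page_html):
    """Pull the anti-CSRF token out of the login page; None if the site has none."""
    if not site["csrf_regex"]:
        return None
    m = re.search(site["csrf_regex"], login_page_html)
    if not m:
        # Most likely the site changed its markup: fail loudly rather than
        # posting without a token and misreading the rejection as a bad password.
        raise ValueError("CSRF token not found; site layout may have changed")
    return m.group(1)


def build_post_body(site, username, password, csrf_token=None):
    """Fill the configured form fields and return the urlencoded POST body."""
    data = [(name, value.format(username=username, password=password))
            for name, value in site["fields"]]
    if csrf_token is not None:
        data.append((site["csrf_field"], csrf_token))
    return urlencode(data)


def classify_response(site, response_html):
    """Decide whether the login succeeded, failed, or neither marker matched.

    The failure marker is checked first so a page that happens to contain
    both strings is never reported as a valid login.
    """
    if site["failure"] and site["failure"] in response_html:
        return "invalid"
    if site["success"] and site["success"] in response_html:
        return "valid"
    return "unknown"  # layout change, lockout or CAPTCHA: not a confirmed hit


# Constructed login page and responses standing in for live HTTP traffic.
LOGIN_PAGE = '<form><input name="authenticity_token" value="abc123" type="hidden"></form>'
RESP_OK = "<html>Welcome back! <a href='/logout'>Sign out</a></html>"
RESP_BAD = "<html>The username and password you entered did not match our records.</html>"

if __name__ == "__main__":
    site = load_site(SITE_XML)
    token = extract_csrf(site, LOGIN_PAGE)
    print(build_post_body(site, "janedoe", "hunter2", token))
    print(classify_response(site, RESP_OK), classify_response(site, RESP_BAD))
```

The "unknown" outcome is the part worth keeping in mind when adding a site: a success marker that stops appearing (redesign, lockout page, CAPTCHA) should show up as an unclassified result rather than silently turning every test into a miss.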
More websites will be supported and new features will be added in future releases. All contributions are always welcome!