credmap: The Credential Mapper

credmap: The Credential Mapper

Posted on November 26, 2015 by Roberto Salgado


It is not uncommon for people who are not experts in security to reuse credentials on different websites; even security savvy people occasionally reuse credentials. For this reason "credmap: The Credential Mapper" was created, to help bring awareness to the dangers of credential reuse. Credmap takes a username and/or e-mail, and a password as input and it attempts to login on a variety of known websites to verify if these credentials have been reused on any of them.



To get started, you will need Python 2.6+ (previous versions may work as well, however I haven't tested them)

  • Python 2.6+
  • Git (Optional)



The next step is to download the project.

In order to do so, you can clone credmap from the repository hosted on Github (Recommended)

git clone

or download the ZIP file directly from

The reason cloning the project from the git repository is recommended over downloading the ZIP file is mainly because you will later be able to use the --update feature which does a git pull request.


Running the program

To run credmap, simply execute the main script "".

$ python -h

credmap's help menu.

Figure 1: credmap's help menu.


Figure 1 illustrates all of the options that credmap currently supports during the writing of this post. It has almost all of the features one would expect from a web penetration tool. However, certain options aren't displayed in the help menu as they are already pre-configured individually for each website in the XML files located in the "websites" folder.

 To start testing, a username and/or e-mail is required and a password. These can be specified with the --email, --username, --password arguments or through the --load argument which loads a list containing credentials separated by a colon (user:password).

python -u credmaptool -e [email protected]

credmap begins testing with the provided credentials.

Figure 2: credmap begins testing different sites with the provided credentials.

If further information is required for each HTTP transaction, the verbosity levels can be increased from 1-3. Verbosity level 1 will show the CSRF token whenever it is fetched, while verbosity level 2 will show information about the HTTP request and verbosity level 3 will show the entire HTTP response, including the HTML.

python --load credentials.txt -vvv

The configuration for each website is stored under the "websites" folder in individual XML files. The --list argument is useful to view a list of all websites available for testing. Filtering is also possible by excluding or only testing certain websites. To exclude websites from testing, the --exclude parameter can be used by passing the websites as comma separated values. On the other hand, to only test certain websites, the --only argument may be used also passing the websites as comma separated values.

python --load credentials.txt --exclude,,

  An example of a XML file.

Figure 3: An example of an XML file with the required entries to login to Twitter.

As seen in Figure 3, adding a website is usually pretty straightforward. For a brief description of all the possible options that can go in a XML file, check out credmap's wiki.


More websites will be supported and new features will be added in future releases. All contributions are always welcome!



Latest Blog Entries

Three Non Web-based XSS Injections
In this post guest blogger Alejandro Hernandez (nitr0us) writes about some interesting and fun XSS vectors which are not commonly seen.

Belkin Wemo Switch NMap Scripts
Belkin Wemo Switch Smart Plug is a network controlled power outlet. The current firmware version does not requiere authentication to switch the power ON or OFF or to gather information such as nearby wireless networks. Two NMap scripts have been published

Downloading an Application's Entire Source Code Through an Exposed GIT Directory
Website administrators sometimes inadvertently leave an exposed .git directory, from which it is possible to download the entire source code of the web application using just wget and a common server misconfiguration.

Latest News

Blackhat EU 2015
Websec participated with two tools at the Blackhat, EU Arsenal held in Amsterdam, NL from the 10-13 of November, 2015. During this event, we introduced our brand new tool "credmap: The Credential Mapper" and also presented an amped-up version of Panoptic.

BSides Vancouver 2015
Websec is proud to announce that we will be attending the 3rd annual edition of BSides Vancouver, a local non-profit information security conference held in the heart of Vancouver, BC on March 16 and 17.