Breached & Sensitive data in the Public Domain

I have become numb to reading the news "$company hacked!!!" followed by how much personal data was leaked...

but as a Penetration Tester this is useful, very useful... or even worse useful to someone with the wrong intentions.

... let's get into it a bit

Note: none of the techniques or resources shown are new, having said that some people need to see this if they haven't already

Leaked Data

Leak

Examples

Google Dorking

Google Dorking is essentially manipulating search queries to get what you want ... (or as Google call it Operators )
there are dedicated hacking sites that offer you insight on how to quickly identify vulnerabilities via 'Google Dorking'

If we where to put the following 'Dork' into google
site:pastebin.com intext:gov.uk we get results from a website called pastebin.com and it will return everything it has stored with 'gov.uk' in the text, we could go a step further and use the search term site:pastebin.com intext:mil 2ac9cb7dc02b3c0083eb70898e549b63
EEEEPwe can see site: is pastebin.com and intext: is mil but this time we have added a MD5 Hash that when cracked returns the value 'Password1' so we now have a list of people who work for a military function with weak passwords.

Have a play with the google search operators and maybe you yourself will find something useful that the SoC/IR team should be made aware of.


Shodan.io

Shodan is very cool... for Penetration Testers and Hackers, this is a constantly updating index of some types of computer protocols and hardware running on the internet this doesn't look for people it looks for services and responses from those services so for example if you wanted to find some vulnerable cisco hardware facing the internet you would similaly to google dorks write the following into Shodan cisco-ios 200 port:80 if you wanted to target a nation state you could take it further cisco-ios 200 port:80 country:sy let's break it down, we are looking for a banner that is returned stating 'cisco-ios and 200' cisco-ios will be the server response and 200 is a web response that is the beginning of the 200 OK Response code and the country ... well we will use Syria as an example, it's topical - with the responses that are returned it is possible to acquire configurations and compromise networking and routing equipment but with another query it could just as easily be used to target computer systems here is the query to acquire systems running windows shares that allow anonymous access to admin shares (so bad) "Anonymous login successful" ADMIN$ port:445
We could spend so much time on all just these two places alone, but I want to make this post palatable

Shodan


haveibeenpwned.com

A Troy Hunt project

Essentially Troy Correlates stolen data and provides the public with access to query those addresses to see if they appear in a compromised database somewhere.

The benefits are obvious if you are aware of the service, but the benefits are negative if you do not i.e. social engineering, profiling a user or a company - if those passwords exist on breached sites and the owner of the account isn't aware of the breach or is a bit lazy, then that password may still be active in other locations online. let's be honest... who has a handful of 'good' passwords and a handful of 'naff' passwords ? right?

HaveiBeenPwned I'm not sure of the legalities Troy faces for hosting stolen data, it is in the public domain, but it's certainly not for the public domain. - that's a little off topic.


Recorded Future

Instantly Analyze 691,975 Sources in 7 Languages.

Recorded future has a huge dataset it's literally a matter of 'what do you want?' once you have built your querys it will return everything it has form it's 691,975 sources and you can go as far back as 2005 - once you have your data you can display it in different views for what you need, geographic, heatmaps, .json & api for your own applications, incredibly powerful.

RF we will come back to recorded future in another post around tracking and profiling people devices


The Takeaway

The Takeaway is there are a few common situations where data may have left your environments and you need to be mindful of that, action changes if you see compromised accounts additionally it may not be form 'your' breached data imagine if bob or alice are members of poniesondrugs.com and the forum is compromised, bob and Alice both use their work email addresses and are terrible at remembering passwords, so they use the same one everywhere an Attacker or RedTeamer will have that in seconds and it could afford them some level of permission on the network/business/thing of value

Recommendations:

Ask your Security team to try and 'D0x' the company and provide a report, they will know what that means
or ask a security company to do the same, they will also know what it means. and keep those password expiring on your domains & Sites

Behave.

These examples are obviously for demonstration, if you have the slightest inclination remember that this is all public data, there are agencies that are bigger and better than you that have more access to more goodies, it's not worth it.


Resources: