Password OSINT

Local Database (Linux)

Download the 3.2 billion record list

COMB Magnet:

magnet:?xt=urn:btih:7ffbcd8cee06aba2ce6561688cf68ce2addca0a3&dn=BreachCompilation&tr=udp%3A%2F%2Ftracker.openbittorrent.com%3A80&tr=udp%3A%2F%2Ftracker.leechers-paradise.org%3A6969&tr=udp%3A%2F%2Ftracker.coppersurfer.tk%3A6969&tr=udp%3A%2F%2Fglotorrents.pw%3A6969&tr=udp%3A%2F%2Ftracker.opentrackr.org%3A1337

Once the torrent is downloaded, use the following password to unzip:

+w/P3PRqQQoJ6g

Breach-Parse

Once the database has been downloaded we can use Breach-Parse to pull targeted information from the database.

Breach Parse: https://github.com/hmaverickadams/breach-parse

Following the Breach-Parse install instructions we can then run Breach-Parse against the database downloaded earlier.

# Search for all results in a domain
breach-parse <Domain> Domain.txt "/media/sf_CompilationOfManyBreaches/data"
breach-parse @example.com Example.txt "/media/sf_CompilationOfManyBreaches/data"

# Search for a specific email address
breach-parse <Example@Outlook.com> Email.txt "/media/sf_CompilationOfManyBreaches/data"

Breach-Parse will then create three separate files. We can then read the master file to see both breached email addresses and plain text passwords.
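
For a blue team reviewing its own domain's exposure, the master file can be reduced to a per-account count without copying plaintext passwords into a report. The following is an added example, not part of Breach-Parse or the original page; it assumes each master-file line is `email:password` (or `email;password`), and the function names and sample lines are constructed for illustration.

```python
"""Added example: summarise a Breach-Parse master file for password-reset triage."""
from collections import defaultdict
import hashlib

# Constructed sample lines in the assumed "email:password" layout (not real data).
SAMPLE_MASTER = """\
alice@example.com:Summer2019!
Alice@Example.com:Summer2019!
alice@example.com:pa:ss:word
bob@example.com;hunter2
carol@other.org:qwerty
not-a-credential-line
"""

def split_record(line):
    """Return (email, password) or None; split on the first ':' or ';' only."""
    line = line.strip()
    idxs = [i for i in (line.find(":"), line.find(";")) if i > 0]
    if not idxs:
        return None
    cut = min(idxs)
    # Lower-case the address so case variants count as one account.
    email, password = line[:cut].lower(), line[cut + 1:]
    if email.count("@") != 1 or not password:
        return None
    return email, password

def exposure_report(lines, domain):
    """Map each account in `domain` to its count of distinct leaked passwords."""
    seen = defaultdict(set)
    suffix = "@" + domain.lower()
    for line in lines:
        rec = split_record(line)
        if rec and rec[0].endswith(suffix):
            # Keep a digest for de-duplication; plaintext never enters the report.
            digest = hashlib.sha256(rec[1].encode("utf-8", "replace")).hexdigest()
            seen[rec[0]].add(digest)
    return {email: len(digests) for email, digests in sorted(seen.items())}

if __name__ == "__main__":
    report = exposure_report(SAMPLE_MASTER.splitlines(), "example.com")
    for email, count in report.items():
        print(f"{email}\t{count} distinct leaked password(s)\treset required")
```
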

Local Database (Windows)

Download the 3.2 billion record list

COMB: https://github.com/samokosik/COMB

Once the torrent is downloaded, use the following password to unzip (use 7zip):

+w/P3PRqQQoJ6g

Notepad++

Notepad++: https://notepad-plus-plus.org/downloads/

In Notepad++, select the pink folder icon to add a folder as a workspace, then add the data folder from the COMB database.

We can then right-click on the data folder and proceed with "Find in files", which allows us to specify a search query across the entire database.

This will take some time to complete. Once it finishes, the matching lines are listed in the search results.

Web Tools

HaveIBeenPwned

URL: https://haveibeenpwned.com/

In this example, the account example@microsoft.com has been involved in 21 breaches and 1 paste.

A little further down the page we can see which breaches they were, along with a little more information. Each listing describes some details about the breach and what was leaked. In some cases this may be only email addresses; in others it could be plain text or hashed passwords with related email addresses.

In many of these cases it is reasonable to assume that the related breach databases are discoverable online, whether free or paid for.

This site is a useful resource for blue team personnel: with a registered account, it is possible to receive notifications when specific accounts are found in future breaches. The blue team can also verify ownership of a domain and perform a domain-wide search on breaches, as well as set up breach notifications for future leaks.

Resources

BreachDirectory: https://breachdirectory.org/

Dehashed: https://dehashed.com/

NTLM: https://ntlm.pw/

WeLeakInfo: https://weleakinfo.to/v2/

LeakCheck: https://leakcheck.io/

SnusBase: https://snusbase.com/

Scylla (Hopefully soon): https://scylla.so/

HaveIBeenPwned: https://haveibeenpwned.com/

ComboList: https://github.com/samokosik/COMB
