Breach-Parse Basics | Terence Martin
Open-source intelligence gathering, or OSINT, can be a threat to organizations because it can be used to gather information about their employees, assets, and vulnerabilities. This information can then be used to launch targeted scanning against discovered infrastructure or launch password attacks and social engineering campaigns against the organization. In this blog series, I will examine some tools that attackers can use to gather information about an organization.
The first tool that I’d like to review is Breach-Parse, which can be used to search a database of breaches to locate compromised usernames and passwords.
To run Breach-Parse, you only need to specify the target domain and a text file to output.
Once the script is finished, three files are saved as the output: the “master” file, which contains both usernames and passwords, the “users” file, which contains usernames only, and the “passwords” file, which contains passwords only. Each of these datasets can be useful, as I’ll examine below.
The “master” file, which contains both parts of the credential pair:
It’s unlikely that any of these credential pairs are recent enough to work, as it’s unclear when the catalogued breaches occurred. However, examining this list can help identify users who may be may not practice good password hygiene, and who can then be attacked using a dictionary attack. In addition, these passwords can be used to build a password dictionary for future attacks.
In this image, the top two users are possibly incrementing the digits on the ends of the password. It is possible that by continuing to increment the number, an attacker could compromise that account. The third account appears to be using a date. If that user continues to use dates as passwords, researching that user could revel other relevant dates, leading to a compromise.
The “users” file can be used for phishing attacks, as it is an easily accessible list of email addresses associated with the domain or for discovering usernames for other login portals.
Finally, using the “passwords” file can help identify commonly used or default passwords, and can result in the compromise of accounts that have not changed passwords since being created.
If you’d like to check your organization’s data that is contained in Breach-Parse, installation instructions can be found at the GitHub link above. One wrinkle worth mentioning is that downloading the magnet: link for the breach database requires a BitTorrent client.
If you’d like a demonstration on how to install or use this tool, please let us know.