Tips for an Information Security Analyst/Pentester career - Ep. 27: OSINT (Pt.6)
In this post I'm going to delve once more into open source intelligence, by showing some juicy tricks I found thanks to Georgia Weidman's online class (not a sponsored link, it's just a valuable class I'm studying from).
A) Discover whether an email account was compromised
As a pentester, retrieving compromised corporate email accounts both makes it easier to get into the target company and gives the customer tangible evidence of a poor security posture.
I already mentioned the haveibeenpwned website as a valuable tool for this purpose.
However, you can obtain the same result with a specific recon-ng module, called recon/contacts-credentials/hibp_paste.
As I've already shown in a previous post, we can see the description of a specific module by running show info (after selecting it with the use command, followed by the module name).
In order to use recon/contacts-credentials/hibp_paste, we need to point it at a specific email account by running the set source command, as shown below.
The module will check for pastes related to that email account once we issue the run command.
The example shows three different email accounts I own.
For the first two of them, the module returned not found. This is good news, even though it doesn't mean you can be 100% sure your account is safe.
In fact, it could have been compromised but not dumped yet.
For the third one, it returned a result, as I already knew.
That specific account was involved in a breach of 000webhost.com, which I had signed up for with that email address.
You'll notice that recon-ng returns the URL where the paste was found and automatically downloads it for you to the root directory as well.
In the embedded video, I showed you the password hash related to that account.
By the way, don't even bother trying to hack that account.
I closed my profile on 000webhost.com and I changed my Yahoo! password to an extremely complex one.
You can try, but be advised: even if you spent the rest of your life attempting it, you wouldn't succeed.
According to several password checkers, it would take you some trillion years, so good luck with that.
B) Discovering publicly available password files
I previously mentioned the Google Hacking Database as an essential hacking tool.
If we search it for files containing passwords, we can retrieve some very juicy Google dorks.
I'm only going to show you some of them in this post, due to time constraints, but I promise you they'll be very interesting.
1) xamppdirpasswd filetype:txt
Retrieves XAMPP passwords stored in clear text.
As you might already know, XAMPP is a very handy piece of software that lets you quickly set up a web server on your local machine through a very straightforward installation procedure.
Although it is easy to use and efficient, XAMPP doesn't exactly come with strong security defaults.
As a matter of fact, though, I couldn't get in with those passwords (WebDAV was disabled).
However, I could easily access the phpMyAdmin control panel without any password whatsoever, which is a very bad thing.
I believe this is the default setup for XAMPP and I don't think many users bother changing the default settings.
Why is it bad?
You access the database as the root user.
So you can run any SQL command on it, and the database can be considered gone.
2) inurl:_vti_pvt/administrators.pwd
A Google dork to retrieve sensitive login/password information from Microsoft FrontPage web shares.
3) intext:DB_PASSWORD || intext:"MySQL hostname" ext:txt: This dork finds WordPress configuration files, which contain the database username, password, secret keys and other juicy information.
4) site:pastebin.com intext:"*@*.com:*": Finds lists of email addresses with passwords dumped on pastebin.com. I could immediately find a list of Instagram usernames and passwords.
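The flip side of these dorks is checking your own deployments before a search engine does. The script below is an added example, not code from the original post or from the tools it discusses: it walks a web document root and flags the file names and contents the dorks above target (xamppdirpasswd.txt, _vti_pvt/administrators.pwd, .txt copies of wp-config containing DB_PASSWORD or "MySQL hostname") and a phpMyAdmin config.inc.php that auto-logs in as root with an empty password, the XAMPP default described above. The file names, regexes and the phpMyAdmin key names are assumptions drawn from the dork strings and from phpMyAdmin's config format; the sample tree it builds is constructed placeholder data.

```python
import os
import re
import tempfile

# Exact file names the dorks in this post target (assumed from the dork strings).
SENSITIVE_NAMES = {
    "xamppdirpasswd.txt": "XAMPP directory password file",
    "administrators.pwd": "FrontPage _vti_pvt password file",
}

# Content markers from dork 3: WordPress config copies that ended up as .txt.
CONTENT_MARKERS = [
    (re.compile(r"\bDB_PASSWORD\b"), "WordPress DB_PASSWORD in a plaintext file"),
    (re.compile(r"MySQL hostname", re.IGNORECASE), "MySQL hostname in a plaintext file"),
]

# phpMyAdmin settings that hand anyone reaching the panel a root session.
# Key names are assumed from phpMyAdmin's config.inc.php format.
PMA_CONFIG_AUTH = re.compile(r"\['auth_type'\]\s*=\s*'config'")
PMA_ROOT_USER = re.compile(r"\['user'\]\s*=\s*'root'")
PMA_EMPTY_PASS = re.compile(r"\['password'\]\s*=\s*''")


def _read(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def audit_webroot(root):
    """Return sorted (relative_path, reason) pairs for files under `root`
    that would give away credentials if the directory were served publicly."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            # 1) known credential file names (dorks 1 and 2)
            if name in SENSITIVE_NAMES:
                findings.append((rel, SENSITIVE_NAMES[name]))
            # 2) plaintext files carrying WordPress/MySQL credentials (dork 3)
            if name.lower().endswith(".txt"):
                text = _read(path)
                for pattern, reason in CONTENT_MARKERS:
                    if pattern.search(text):
                        findings.append((rel, reason))
            # 3) phpMyAdmin configured for password-less root access
            if name == "config.inc.php":
                text = _read(path)
                if (PMA_CONFIG_AUTH.search(text) and PMA_ROOT_USER.search(text)
                        and PMA_EMPTY_PASS.search(text)):
                    findings.append((rel, "phpMyAdmin auto-login as root with empty password"))
    return sorted(findings)


def build_sample_webroot():
    """Constructed sample tree (placeholder data, not real credentials)
    reproducing the exposures described in the post, for an offline run."""
    root = tempfile.mkdtemp(prefix="webroot-")
    samples = {
        "xampp/security/xamppdirpasswd.txt": "admin:placeholder-password\n",
        "htdocs/_vti_pvt/administrators.pwd": "# -FrontPage-\nadmin:PLACEHOLDER_HASH\n",
        "htdocs/backup/wp-config.txt":
            "define('DB_NAME', 'wp');\ndefine('DB_PASSWORD', 'placeholder');\n",
        "phpMyAdmin/config.inc.php":
            "<?php\n$cfg['Servers'][$i]['auth_type'] = 'config';\n"
            "$cfg['Servers'][$i]['user'] = 'root';\n"
            "$cfg['Servers'][$i]['password'] = '';\n",
        "htdocs/index.html": "<html><body>hello</body></html>\n",
        "htdocs/readme.txt": "Nothing sensitive here.\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, reason in audit_webroot(build_sample_webroot()):
        print(f"{rel}: {reason}")
```

Run it against a real document root instead of the sample tree and every hit is a file that either should not be under the web root at all or needs a non-default configuration (for phpMyAdmin, an auth_type other than 'config' and a real root password) before the host is reachable from the internet.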
Wrap-up
Once again, we can appreciate the huge potential of open source intelligence for both offensive and defensive purposes.
Quoting Gandalf, there's more to the search engine than meets the eye.