Breach Data
Breach Data Recon
Navigation
Searching Breach Data
Online Tools
Several online sites provide breach data lookup services. I have listed a few here Searching Tools & Links
The following are some CLI-based commands to extract breach data credentials for use in penetration tests. These tools search online-based databases and don’t require local storage of breached data. The credentials can be used for testing internal and external systems such as Active Directory and web portal logins. Breach data is also useful for learning the password habits of target staff to build more effective password brute force and cracking strategies.
pwnedOrNot is an OSINT tool for finding passwords of compromised email accounts and can be found here: https://github.com/thewhiteh4t/pwnedOrNot
python3 ./pwnedornot.py -e [email protected] #Checks a single email python3 ./pwnedornot.py -f <file name> #Checks multiple emails from a file python3 ./pwnedornot.py -e [email protected] -d hacker.com #Filters results by specified domain name python3 ./pwnedornot.py -e [email protected] -n #Skips password dumps and only retrieves breach info python3 ./pwnedornot.py -c hacker.com #Check if a domain has been breached
Another tool that will provide passwords for the given name, email etc is Proxynova. This is an online tool that can be interacted with via cURL.
curl 'https://api.proxynova.com/comb?query=jrubin' | jq #Displays all email and password combinations containing the queried name
DeHashed is also a great tool for obtaining breached usernames and passwords. It requires credits to use and also has a GUI.
python3 ./dehashed.py -d hacker.com -a <api_key> -v #Querying Dehashed for all entries for the specified domain.
Offline Tools
Unfortunately, most breach data services charge a monthly subscription for access. As a penetration tester, it is a good idea to collect data dumps and various data breaches and keep them on some form of storage for searching when you are on an engagement.
There are several places on the clear net as well as the dark web where you can download breach databases and a bit of Google searching will get you there. A great starting resource and parsing tool called breach-parse can be found here: https://github.com/hmaverickadams/breach-parse
./breach-parse.sh @hacker.com Output.txt "~/BreachCompilation/data" #Extracts all username/email and password combinations matching the email domain provided
Once you have a solid collection of data dumps and other breach data I use the following code snippets to help search for data.
#Powershell code to extract all 13 digit numbers starting with 1000
#You can modify this to extract Identity numbers, mobiles etc just modify the regex pattern
$folderPath = "D:\Breach Data\Data"
$pattern = "(?<!\d)1000\d{9}(?!\d)"
Get-ChildItem -Path $folderPath -File -Recurse | ForEach-Object {
$content = Get-Content $_.FullName -Raw
$matches = [regex]::Matches($content, $pattern)
foreach ($match in $matches) {
Write-Output $match.Value
}
}
Another PowerShell script I often use to search all files and folders, in my breach data dumps, for a specific word and print the filename and line number of the match.
#Modify the -Pattern variable for what you're searching for.
Get-ChildItem -Path 'D:\Breach Data\Data\*' -Recurse | Where-Object {!$_.PSIsContainer} | ForEach-Object {
$file = $_.FullName
Select-String -Path $file -Pattern "password" | ForEach-Object {
$_.Line + " | Matched: " + $_.Matches.Value + " | Line Number: " + $_.LineNumber + " | File: " + $file
}
}