¶ Breach Detection
The main purpose of Breach Detection is to automate the remote breach detection process and alert the user to the potential risk to the asset.
To achieve the purpose, the user is given the opportunity to safely add their assets to the regular monitoring system. For the convenience of using the monitoring system, the user has the ability to configure the frequency of breach detection. If the user deems that monitoring the asset that he has added is no longer practical (useful), the user has the option to delete the corresponding asset.
¶ Frequency of breach detection:
- day
- week
- month
The system has the ability to take action on the results (leaks). This means that the user can make decisions based on the information received and assign a status to the result.
¶ Statuses of result:
- not an issue
- resolved
- issue
¶ First steps
First of all, you need to create a project - this is a workspace where you can add various assets for monitoring.
Click Create project and fill data. Name and monitoring frequency are required, title and description are optional.
After that you have project card. You can change the monitoring frequency at any time after the project has been created. And also edit the description, title, name.
Currently, the project has not created any asset for monitoring. Let's fix this. Click Explore and now you need to add one or more assets.
To add an asset, click on Add asset button.
Choose an asset type from the options provided. After that, you will see additional fields that you need to fill in for the selected asset type. To add an asset you have two options. Manually add an asset or upload a text document (.txt) with a list of assets.
If you want to add more than one asset manually, click on the Add button. An additional field for your asset will appear.
Click Save to save the assets. Now you see the added assets. Scanning will start automatically. Wait a bit and the discovered vulnerabilities will be displayed.
Once the scan is complete, you can view the results.
Click on View to view the issues. Click on View data to see the details of the issue.
You can select specific issue and mark them with available statuses.
By default, issues marked as not issue and resolved will not be displayed in the general list, to view them, turn on their display.
You can use the search field to find the information you need.
You can also select issues found at a specific scan time.
¶ List of audits:
¶ IP or IP range:
Add IP, ASN or CIDR
Has to be covered:
- “Hacked/Defaced”
- “Iframe, third-party js code”
- “News with “leaked”, ”hacked” ”
- “Paste websites”
- “Github”
- “Whois leaked email”
- “File sharing services”
- “Other leaks”
Services:
- http://isithacked.com/
- https://github.com/TheRealFlyingFrog/LeakLookerLib ( most important)
- https://github.com/jonathan6661/P1sty
- https://psbdmp.ws/
- https://infoleaks.cc/
- https://www.zone-h.org/
- Search by RSS feeds. These forum’s RSS feeds and twitters can be used to identify leaks by IP, domain name, and company name:
- https://rsshub.app/telegram/channel/dataleak
- https://rsshub.app/telegram/channel/data1eaks
- https://rsshub.app/telegram/channel/Freedomf0x
- https://rsshub.app/telegram/channel/leaks_db
- https://rsshub.app/twitter/user/Dumps_monitor
- https://xss.is/forums/140/index.rss
- https://raidforums.com/syndication.php?fid=153&limit=50
- https://raidforums.com/syndication.php?fid=216&limit=50
- https://combo-list.com/feed/
- https://sinfulsite.com/syndication.php?fid=61
- https://sinfulsite.com/syndication.php?fid=59
- https://www.crackingpro.com/index.php?/forum/124-other-leaks.xml/
- https://nulledbb.com/syndication.php?fid=30
- https://darksearch.io/apidoc
- https://pastebin.com/doc_api
- Extract email from whois and apply “email” leaks audits.
- Network scan
- ftp - check for anon audit, port: 21
- rsync - run common checks audit, port 873
- smb - check for null session, ports 139, 445
- Scan 4444 and 1337 for Metasploit bind
- https://www.dehashed.com
- https://snusbase.com/
Repo: https://github.com/kevthehermit/PasteHunter
¶ Domain/URL:
Add domain
Has to be covered:
- “Hacked/Defaced”
- “Iframe, third-party js code”
- “News with “leaked”, ”hacked” ”
- “Paste websites”
- “Github”
- “Whois leaked email”
- “Subdomain takeover”
- “Open storages”
- “Is domain expiring”
Services:
- http://isithacked.com/
- https://www.zone-h.org/
- https://github.com/TheRealFlyingFrog/LeakLookerLib ( most important)
- https://github.com/Warflop/Whoisleak
- https://gitlab.com/NightLionSec/noscrape/
- https://github.com/haroonawanofficial/BreachedDataScraper
- https://psbdmp.ws/
- https://pastebin.com/doc_api
- https://infoleaks.cc/
- https://haveibeenpwned.com/
- https://github.com/kevthehermit/PasteHunter
- https://github.com/NaveenRudra/RTTM
- https://github.com/IntelligenceX/SDK
- https://github.com/x0rz/phishing_catcher: Phishing catcher using Certstream
- Extract email from whois and apply “email” leaks audits
- Search by RSS feeds. These forum’s RSS feeds and twitters can be used to identify leaks by IP, domain name, and company name:
- https://rsshub.app/telegram/channel/dataleak
- https://rsshub.app/telegram/channel/data1eaks
- https://rsshub.app/telegram/channel/Freedomf0x
- https://rsshub.app/telegram/channel/leaks_db
- https://rsshub.app/twitter/user/Dumps_monitor
- https://xss.is/forums/140/index.rss
- https://raidforums.com/syndication.php?fid=153&limit=50
- https://raidforums.com/syndication.php?fid=216&limit=50
- https://combo-list.com/feed/
- https://sinfulsite.com/syndication.php?fid=61
- https://sinfulsite.com/syndication.php?fid=59
- https://www.crackingpro.com/index.php?/forum/124-other-leaks.xml/
- https://nulledbb.com/syndication.php?fid=30
- Network scan
- ftp - check for anon audit, port: 21
- rsync - run common checks audit, port 873
- smb - check for a null session, ports 139, 445
- Scan 4444 and 1337 for Metasploit bind
Repo: Tool for checking domain expiration: https://github.com/nixcraft/domain-check-2
¶ Company name:
Add company name
Has to be covered:
- Leaked emails
- “IP addresses”
- “News with “leaked”,”hacked” ”
Services:
- Search by RSS feeds. These forum’s RSS feeds and twitters can be used to identify leaks by IP, domain name, and company name:
- https://cracking.org/forums/other-leaks.248/index.rss
- https://cracking.org/forums/databases.31/index.rss
- https://nulledbb.com/syndication.php?fid=30
- https://www.crackingpro.com/index.php?/forum/124-other-leaks.xml/
- https://www.crackingpro.com/index.php?/forum/17-requests.xml/
- https://solidforums.com/syndication.php?fid=23
- https://solidforums.com/syndication.php?fid=34
- https://sinfulsite.com/syndication.php?fid=61
- https://sinfulsite.com/syndication.php?fid=59
- https://combo-list.com/feed/
- https://raidforums.com/syndication.php?fid=153&limit=50
- https://raidforums.com/syndication.php?fid=216&limit=50
- https://xss.is/forums/140/index.rss
- https://twitter.com/Dumps_monitor
- https://t.me/leaks_db
- https://t.me/freedomf0x
- https://t.me/data1eaks
- https://t.me/dataleak
- Convert the company name to ASN and apply IP/Domain checks if the user confirms that he owns this ASN. This can be done via amass: amass intel -org Tesla and then amass intel -active -asn
Repos: https://github.com/woj-ciech/LeakLooker should be modified to use the “org:” argument.
¶ Phishing detection for domain | username
- https://github.com/nixcraft/domain-check-2
- https://github.com/atenreiro/opensquat
- https://github.com/gfek/Hunting-New-Registered-Domains
¶ Email:
Has to be covered: Leaked emails
Services:
- HaveIBeenPwned(v3)
- Hunter.io
- Snusbase
- Leak-Lookup
- Emailrep.io
- Scylla.sh
- Dehashed.sh
- IntelX.io
Repo and websites:
- https://github.com/khast3x/h8mail
- https://github.com/p4yl0ad/HaveEye
- https://psbdmp.ws/
- https://infoleaks.cc/
- https://haveibeenpwned.com/ and the ones used at services
- Have I Been Pwned API
- WeLeakInfo API
- DeHashed API
- SnusBase API
- https://github.com/IntelligenceX/SDK
¶ Indication of compromise:
- Port 4444 or 1337 open (Nmap check)
- Malicious script on the main page ( virus check main page or authority)
- https://github.com/Neo23x0/Loki
¶ Cloud leaks
Has to be covered:
Bucket name ( azure, amazon, google )
Depending on this choice it will be checked on the cloud provider.
- S3 buckets
- GCP buckets
Actions. Need to find new buckets and check to exist for permissions.
¶ Github and GitLab external
Has to be covered: Github, GitLab secret leaks
- https://github.com/eth0izzle/shhgit we download the repo and check for leaks
- https://github.com/nielsing/yar secret leak
- https://github.com/michenriksen/gitrob
- https://github.com/woj-ciech/LeakLooker
¶ API Keys
Has to be covered:
- Aws key leaks detection ( user provides Access key or list of keys, without secret)
- Azure key ( CLIENT_ID)
- Google cloud
- Github key leaks detection ( user provides Access key or list of keys, without secret)
Services:
- AWS_ACCESS_KEY_ID key to search in GitHub.
- CLIENT_ID, TENANT_ID For Azure
- Client_id or project_id for Google cloud
- Client_id for Github
- idToken For Firebase
- client_id For Facebook
Answer: https://github.com/michenriksen/gitrob can be used to search for these keys if will be tuned. Or use GitHub, GitLab API
Repo: Should be self-made. Idea is to write dorks based on chosen keys. We provide a menu where users add keys for monitoring. The info which is grabbed for monitoring is not confidential.
Reference: https://github.com/streaak/keyhacks
Please see this repo: https://github.com/woj-ciech/LeakLooker-X
¶ Additional info
Leaks:
- https://github.com/woj-ciech/LeakLooker-X
- https://github.com/rndinfosecguy/Scavenger
- https://github.com/woj-ciech/Kamerka-GUI
- https://github.com/jonathan6661/P1sty
- https://breachreport.com/
- https://buckets.grayhatwarfare.com/
for git and domain:
https://github.com/hisxo/gitGraber