¶ Breach detection — Briefly about features, modules, and use cases
The main purpose of Breach Detection
is to automate the remote breach detection process and alert the user to the potential risk to the asset.
To achieve the purpose, the user is given the opportunity to safely add their assets to the regular monitoring system. For the convenience of using the monitoring system, the user has the ability to configure the frequency of breach detection. If the user deems that monitoring the asset that he has added is no longer practical (useful), the user has the option to delete the corresponding asset.

The system has the ability to take action on the results (leaks). This means that the user can make decisions based on the information received and assign a status to the result.
First of all, you need to add asset from wich you can create a breach detection project.

Select all the assets you need and click Configure workflow
.

After that, you can adjust the scanning frequency and other parameters.

After clicking Create & Run
you can see that a project has been created in which we have our workflows to choose from.

If the workflows do not start automatically, you should manually select the desired workflow and then click Create and Run New Execution

Wait a bit and the discovered vulnerabilities will be displayed.
Once the scan is complete, you can view the results.

For a more detailed output, click the "Expand" icon.

Add IP, ASN or CIDR
Has to be covered:
- “Hacked/Defaced”
- “Iframe, third-party js code”
- “News with “leaked”, ”hacked” ”
- “Paste websites”
- “Github”
- “Whois leaked email”
- “File sharing services”
- “Other leaks”
Services:
- http://isithacked.com/
- https://github.com/TheRealFlyingFrog/LeakLookerLib ( most important)
- https://github.com/jonathan6661/P1sty
- https://psbdmp.ws/
- https://infoleaks.cc/
- https://www.zone-h.org/
- Search by RSS feeds. These forum’s RSS feeds and twitters can be used to identify leaks by IP, domain name, and company name:
- https://rsshub.app/telegram/channel/dataleak
- https://rsshub.app/telegram/channel/data1eaks
- https://rsshub.app/telegram/channel/Freedomf0x
- https://rsshub.app/telegram/channel/leaks_db
- https://rsshub.app/twitter/user/Dumps_monitor
- https://xss.is/forums/140/index.rss
- https://raidforums.com/syndication.php?fid=153&limit=50
- https://raidforums.com/syndication.php?fid=216&limit=50
- https://combo-list.com/feed/
- https://sinfulsite.com/syndication.php?fid=61
- https://sinfulsite.com/syndication.php?fid=59
- https://www.crackingpro.com/index.php?/forum/124-other-leaks.xml/
- https://nulledbb.com/syndication.php?fid=30
- https://darksearch.io/apidoc
- https://pastebin.com/doc_api
- Extract email from whois and apply “email” leaks audits.
- Network scan
- ftp - check for anon audit, port: 21
- rsync - run common checks audit, port 873
- smb - check for null session, ports 139, 445
- Scan 4444 and 1337 for Metasploit bind
- https://www.dehashed.com
- https://snusbase.com/
Repo: https://github.com/kevthehermit/PasteHunter
¶ Domain/URL:
Add domain
Has to be covered:
- “Hacked/Defaced”
- “Iframe, third-party js code”
- “News with “leaked”, ”hacked” ”
- “Paste websites”
- “Github”
- “Whois leaked email”
- “Subdomain takeover”
- “Open storages”
- “Is domain expiring”
Services:
- http://isithacked.com/
- https://www.zone-h.org/
- https://github.com/TheRealFlyingFrog/LeakLookerLib ( most important)
- https://github.com/Warflop/Whoisleak
- https://gitlab.com/NightLionSec/noscrape/
- https://github.com/haroonawanofficial/BreachedDataScraper
- https://psbdmp.ws/
- https://pastebin.com/doc_api
- https://infoleaks.cc/
- https://haveibeenpwned.com/
- https://github.com/kevthehermit/PasteHunter
- https://github.com/NaveenRudra/RTTM
- https://github.com/IntelligenceX/SDK
- https://github.com/x0rz/phishing_catcher: Phishing catcher using Certstream
- Extract email from whois and apply “email” leaks audits
- Search by RSS feeds. These forum’s RSS feeds and twitters can be used to identify leaks by IP, domain name, and company name:
- https://rsshub.app/telegram/channel/dataleak
- https://rsshub.app/telegram/channel/data1eaks
- https://rsshub.app/telegram/channel/Freedomf0x
- https://rsshub.app/telegram/channel/leaks_db
- https://rsshub.app/twitter/user/Dumps_monitor
- https://xss.is/forums/140/index.rss
- https://raidforums.com/syndication.php?fid=153&limit=50
- https://raidforums.com/syndication.php?fid=216&limit=50
- https://combo-list.com/feed/
- https://sinfulsite.com/syndication.php?fid=61
- https://sinfulsite.com/syndication.php?fid=59
- https://www.crackingpro.com/index.php?/forum/124-other-leaks.xml/
- https://nulledbb.com/syndication.php?fid=30
- Network scan
- ftp - check for anon audit, port: 21
- rsync - run common checks audit, port 873
- smb - check for a null session, ports 139, 445
- Scan 4444 and 1337 for Metasploit bind
Repo: Tool for checking domain expiration: https://github.com/nixcraft/domain-check-2
Add company name
Has to be covered:
- Leaked emails
- “IP addresses”
- “News with “leaked”,”hacked” ”
Services:
Repos: https://github.com/woj-ciech/LeakLooker should be modified to use the “org:” argument.
¶ Phishing detection for domain | username
- https://github.com/nixcraft/domain-check-2
- https://github.com/atenreiro/opensquat
- https://github.com/gfek/Hunting-New-Registered-Domains
Has to be covered: Leaked emails
Services:
- HaveIBeenPwned(v3)
- Hunter.io
- Snusbase
- Leak-Lookup
- Emailrep.io
- Scylla.sh
- Dehashed.sh
- IntelX.io
Repo and websites:
- https://github.com/khast3x/h8mail
- https://github.com/p4yl0ad/HaveEye
- https://psbdmp.ws/
- https://infoleaks.cc/
- https://haveibeenpwned.com/ and the ones used at services
- Have I Been Pwned API
- WeLeakInfo API
- DeHashed API
- SnusBase API
- https://github.com/IntelligenceX/SDK
- Port 4444 or 1337 open (Nmap check)
- Malicious script on the main page ( virus check main page or authority)
- https://github.com/Neo23x0/Loki
Has to be covered:
Bucket name ( azure, amazon, google )
Depending on this choice it will be checked on the cloud provider.
- S3 buckets
- GCP buckets
Actions. Need to find new buckets and check to exist for permissions.
- https://github.com/woj-ciech/LeakLooker
- https://github.com/initstring/cloud_enum check perms
Custom permutations wordlist
¶ Github and GitLab external
Has to be covered: Github, GitLab secret leaks
Has to be covered:
- Aws key leaks detection ( user provides Access key or list of keys, without secret)
- Azure key ( CLIENT_ID)
- Google cloud
- Github key leaks detection ( user provides Access key or list of keys, without secret)
Services:
- AWS_ACCESS_KEY_ID key to search in GitHub.
- CLIENT_ID, TENANT_ID For Azure
- Client_id or project_id for Google cloud
- Client_id for Github
- idToken For Firebase
- client_id For Facebook
Answer: https://github.com/michenriksen/gitrob can be used to search for these keys if will be tuned. Or use GitHub, GitLab API
Repo: Should be self-made. Idea is to write dorks based on chosen keys. We provide a menu where users add keys for monitoring. The info which is grabbed for monitoring is not confidential.
Reference: https://github.com/streaak/keyhacks
Please see this repo: https://github.com/woj-ciech/LeakLooker-X

Leaks: