Just because it’s discarded it doesn’t mean it’s useless. Nowadays it doesn’t really matter which Google dork you use, but you’ll always hit some username/password dump. There are some nice tools out there to monitor pastebin (or any of the alternatives) for example:
- https://github.com/xme/pastemon
- https://github.com/lbragues/pasteminer
- http://www.andrewmohawk.com/pasteLert/
- http://andrewmohawk.com/2011/03/25/pastebin-scraper/
- http://www.shellguardians.com/2011/07/monitoring-pastebin-leaks.html
But then what? you scraped/monitored or just F5’ed the website and are now sitting on a nice pile of potentially interesting information. You could of course try it out and see if it contained any working samples…chances are those are long gone by now. Luckily for us, we all know that people tend to reuse their password on multiple websites. So all we have to do is check their username on multiple (known) services and see if they have forgotten to change their password on any of them. Since it’s been a while that I’ve coded in python I decided to use python for the job. After all it seemed like fun to write something that could maybe remotely resemble a framework-thingie. It was easier then I thought, had to rewrite it a couple of times though due to poor design choices. Not saying it’s great now, but at least it seems to be able to perform all the tasks I’d like to have.
Now since this is just a POC for an idea, it’s non optimized, non threaded and non-usable for serious harvesting and testing of large amounts of data. Remember that in most countries it’s illegal to use someone else his credentials. For the development I’ve just created some testing accounts and tested it on them to see if the idea was viable and produced any results.
The core of the whole thing is like a couple of lines to dynamically load up the module classes:
def loadmodules(modulepath,configfile):
"""load modules & create class instances, returns a dictionary.
Return dictionary is of the form:
:
"""
ccc = parseconfig(configfile)
loadedmodules = dict()
for key in ccc:
modulefilename = key
if not key in loadedmodules:
#load the module based on filename
tempmodule = imp.load_source(modulefilename, "%s%s.py" % (modulepath,modulefilename))
#find the class
moduleclass = getattr(tempmodule,modulefilename.title())
#instantiate the class
moduleinstance = moduleclass()
loadedmodules[key] = moduleinstance
return loadedmodules
Then some basic ‘library’ functionality is provided on per protocol basis, at the moment it includes some ‘libs’ for imap, pop3 and HTTP forms and a small module for some sqlite DB operations. The whole thing can then be used as one pleases, either by building on top of it or by using the provided ‘simple_scavenger.py’ example. When you run the provided example it, it provides output on the CLI:
./simple_scavenger.py ../creds.txt
{'hotmail': ['usernamehere', 'passwordhere', 'pop3'], 'yahoo': ['usernamehere', 'passwordhere', 'imap']}
{'linkedin': ['usernamehere', 'passwordhere', 'httpform'], 'gmail': ['usernamehere', 'passwordhere', 'imap']}
and stores it in the DB for easy retrieval:
sqlite3 creds.db "select * from creds" usernamehere|passwordhere|pop3|hotmail|1353450068 usernamehere|passwordhere|imap|yahoo|1353450068 usernamehere|passwordhere|httpform|linkedin|1353450112 usernamehere|passwordhere|imap|gmail|1353450112
That’s all there is to it.
At the beginning of this post I said I’d build it to hopefully be some kind of framework-thingie, so let’s see how you could expand this to authenticate with the given credentials on another service.
DiabloHorn 