Just because it’s discarded it doesn’t mean it’s useless. Nowadays it doesn’t really matter which Google dork you use, but you’ll always hit some username/password dump. There are some nice tools out there to monitor pastebin (or any of the alternatives) for example:
- https://github.com/xme/pastemon
- https://github.com/lbragues/pasteminer
- http://www.andrewmohawk.com/pasteLert/
- http://andrewmohawk.com/2011/03/25/pastebin-scraper/
- http://www.shellguardians.com/2011/07/monitoring-pastebin-leaks.html
But then what? you scraped/monitored or just F5’ed the website and are now sitting on a nice pile of potentially interesting information. You could of course try it out and see if it contained any working samples…chances are those are long gone by now. Luckily for us, we all know that people tend to reuse their password on multiple websites. So all we have to do is check their username on multiple (known) services and see if they have forgotten to change their password on any of them. Since it’s been a while that I’ve coded in python I decided to use python for the job. After all it seemed like fun to write something that could maybe remotely resemble a framework-thingie. It was easier then I thought, had to rewrite it a couple of times though due to poor design choices. Not saying it’s great now, but at least it seems to be able to perform all the tasks I’d like to have.
Now since this is just a POC for an idea, it’s non optimized, non threaded and non-usable for serious harvesting and testing of large amounts of data. Remember that in most countries it’s illegal to use someone else his credentials. For the development I’ve just created some testing accounts and tested it on them to see if the idea was viable and produced any results.
The core of the whole thing is like a couple of lines to dynamically load up the module classes:
def loadmodules(modulepath,configfile):
"""load modules & create class instances, returns a dictionary.
Return dictionary is of the form:
:
"""
ccc = parseconfig(configfile)
loadedmodules = dict()
for key in ccc:
modulefilename = key
if not key in loadedmodules:
#load the module based on filename
tempmodule = imp.load_source(modulefilename, "%s%s.py" % (modulepath,modulefilename))
#find the class
moduleclass = getattr(tempmodule,modulefilename.title())
#instantiate the class
moduleinstance = moduleclass()
loadedmodules[key] = moduleinstance
return loadedmodules
Then some basic ‘library’ functionality is provided on per protocol basis, at the moment it includes some ‘libs’ for imap, pop3 and HTTP forms and a small module for some sqlite DB operations. The whole thing can then be used as one pleases, either by building on top of it or by using the provided ‘simple_scavenger.py’ example. When you run the provided example it, it provides output on the CLI:
./simple_scavenger.py ../creds.txt
{'hotmail': ['usernamehere', 'passwordhere', 'pop3'], 'yahoo': ['usernamehere', 'passwordhere', 'imap']}
{'linkedin': ['usernamehere', 'passwordhere', 'httpform'], 'gmail': ['usernamehere', 'passwordhere', 'imap']}
and stores it in the DB for easy retrieval:
sqlite3 creds.db "select * from creds" usernamehere|passwordhere|pop3|hotmail|1353450068 usernamehere|passwordhere|imap|yahoo|1353450068 usernamehere|passwordhere|httpform|linkedin|1353450112 usernamehere|passwordhere|imap|gmail|1353450112
That’s all there is to it.
At the beginning of this post I said I’d build it to hopefully be some kind of framework-thingie, so let’s see how you could expand this to authenticate with the given credentials on another service.
I’ve chosen to use the following website to write a login module for Credential Scavenger (credsca): http://leaks-db.hacktalk.net courtesy of connection (has a nice twitter feed). Due to the subject of this entry it seemed fitting :)
So first of all you’ll have to decide what kind of authentication you need to implement and then check if credsca contains a library for it. In this case it does it’s called ‘httpform.py’, since we are going to do the authentication check using the HTTP form provided by the website. Copy/paste the linkedin.py file in the directory modules and name it leaksdbhacktalk.py for example, then change all linkedin references to something you like. Now you basically need to retrieve the following information to be able to build your module:
- The base url
- The path to where the loginform posts
- The formname or id
- The names of the username/password fields
- The ‘welcome’ message after successful login
- The logout link text
The module names should be self-explanatory but just in case, these are the variables/lines that you need to adjust with your values (already includes the correct values):
- _baseformurl = ‘http://leaks-db.hacktalk.net’
- _loginformurl = _baseformurl + ‘/node?destination=node’
- loginform = self.httpform.getformbyid(Leaksdbhacktalk._loginformurl,’user-login-form’)
- Where ‘user-login-form’ is the ID of the form we want to submit
- loginform[‘name’] = username
- loginform[‘pass’] = password
- if ‘My account’ in res:
- Note it’s case sensitive
- self.logouturl = Leaksdbhacktalk._baseformurl + self.httpform.getlogout(res,’Log out’)
- Note it’s case sensitive
Now before you think you are done, you are not. The framework is build on the thought that the user decides how the data is fed to it. This means that the modules will only get preformatted data if the user supplies it. For the moment being I’ve kinda assumed that the data will be in one of the following two formats:
- username:password
- emailaddress:password
So to make sure your new module works with these formats add the following to it:
def prepareusername(self,username):
luser = username.lower()
if '@' in luser:
return luser.split('@',1)[0]
else:
return luser
and adjust the call to the login function accordingly. The most important thing however, is that you return the correct username and not the one that your module received or else the output will be useless. If you’ve adjusted everything correctly when you run simple_scavenger.py it should output something like:
{‘leaksdbhacktalk’: [‘usernamehere’, ‘passwordhere’, ‘httpform’]}
That’s all, if everything went as planned the new module is up and running in like 10 minutes and your creds.db is filled accordingly.
credsca is just a POC so for the more serious use of it, you’ll need to modify it according to your wishes. If you only want to check your OWN account every time a new leak occurs you’ll be fine with this version. Just need to add the needed modules for the services you want to check your account against. Source available on github as usual.
DiabloHorn 
One thought on “Credential Scavenger”