Just hacker things
  • One Second Analysis: Credentials Posted to Pastebin

    2017-11-14

    Super-quick analysis of account credentials (username/password pairs, in various forms) posted to Pastebin over roughly a day:

      • Start time: 20171113 2100UTC
      • Credentials parsed to date: 792,488
      • Clean (unproblematic) credentials: 734,807
      • Unique clean credentials: 475,653

    Credentials parsed to date: I've had a homebrew pastebin scraper analyzing new pastes, watching for email addresses, for a while now. This is where the number of credentials extracted stood as of Start time.

    Clean (unproblematic) credentials: I wrote a somewhat lazy parser that attempts to help me identify patterns in the extracted paste bodies so I can more effectively grab credentials pasted in a variety of formats.…

    Threat Intel, Red Team, 1s Analysis, Blue Team

  • DIY Threat Intel: Building A Pastebin Scraper

    2017-11-13

    There are many things to be found on Pastebin, as demonstrated by Jordan Wright's dumpmon (on Twitter as @dumpmon). Things like:

      • Private SSH keys
      • Login credentials for various services and devices
      • Database dumps
      • Lists of compromised systems
      • Lists of compromised accounts

    Lots of threat intelligence services offer to monitor the “dark web” for you, to watch for any mention of your credentials and/or intellectual property. Almost invariably, one component of these services is monitoring Pastebin and similar paste sites.…

    Hunt, HowTo, Threat Intel, Blue Team

  • Analyst Tip: Testing Firewall Egress

    2017-10-13

    A quick tip for testing available TCP egress, using nc, bash, and allports.exposed:

        for i in {1..1023}; do nc -vz -w 1 allports.exposed $i; done

    This will use nc with the -v, -z, and -w switches to attempt to connect to allports.exposed on TCP ports 1 through 1023. -v requests verbose output, -z puts nc in scanning mode, and -w 1 tells nc to time out after one second. You may need to adjust the value supplied with -w according to the anticipated latency of the network you're on.…

    Analyst Tips, OSCP, Red Team, HowTo, Blue Team
