Breach-Parse Basics

Breach-Parse Basics | Terence Martin

Open-source intelligence gathering, or OSINT, can be a threat to organizations because it can be used to gather information about their employees, assets, and vulnerabilities. This information can then be used to launch targeted scanning against discovered infrastructure or launch password attacks and social engineering campaigns against the organization. In this blog series, I will examine some tools that attackers can use to gather information about an organization.

The first tool that I’d like to review is Breach-Parse, which can be used to search a database of breaches to locate compromised usernames and passwords.

To run Breach-Parse, you only need to specify the target domain and a text file to output.

Figure 1: Running Breach-Parse

Once the script is finished, three files are saved as the output: the “master” file, which contains both usernames and passwords, the “users” file, which contains usernames only, and the “passwords” file, which contains passwords only. Each of these datasets can be useful, as I’ll examine below.

Figure 2: Breach-Parse Files

The “master” file, which contains both parts of the credential pair:

Figure 3: Username / Password Pairs

It’s unlikely that any of these credential pairs are recent enough to work, as it’s unclear when the catalogued breaches occurred. However, examining this list can help identify users who may be may not practice good password hygiene, and who can then be attacked using a dictionary attack. In addition, these passwords can be used to build a password dictionary for future attacks.

Figure 4: Incrementing Digits Example

In this image, the top two users are possibly incrementing the digits on the ends of the password. It is possible that by continuing to increment the number, an attacker could compromise that account. The third account appears to be using a date. If that user continues to use dates as passwords, researching that user could revel other relevant dates, leading to a compromise.

The “users” file can be used for phishing attacks, as it is an easily accessible list of email addresses associated with the domain or for discovering usernames for other login portals.

Figure 5: Users File

Finally, using the “passwords” file can help identify commonly used or default passwords, and can result in the compromise of accounts that have not changed passwords since being created.

Figure 6: Passwords File

If you’d like to check your organization’s data that is contained in Breach-Parse, installation instructions can be found at the GitHub link above. One wrinkle worth mentioning is that downloading the magnet: link for the breach database requires a BitTorrent client.

If you’d like a demonstration on how to install or use this tool, please let us know.

Share this post

Get an Actionable Blueprint for Your Compliance & Cyber Security