
Using sites like Pastebin to gather information about a pentest target

Text-sharing sites such as Pastebin, Pastie and others are popular repositories of compromised data. Monitoring them can help detect leaks of company data. In addition, such services can help the pentester at the stage of collecting information about the target.

The sites I link to are Pastebin, Pastie, FrubarPaste, YourPaste, Codepad, Slexy and LodgeIt. Here you can find information left not only by an attacker, but also by a careless employee.


A pentester working over the Internet often begins by gathering publicly available information that may shed light on the details of the target system. This information-gathering stage is the springboard for the subsequent attack. Here you can get data related to the victim, such as:

To understand what data can be found there, let's look at Silas Cutler's post “The Dangers of Pastebin Sites”. The author investigated these sites for several months to collect published data. The information received included credit card numbers, social security numbers, cracked Wi-Fi passwords, dumps of logins and passwords, chat logs, etc.

Silas has published a script for Pastebin analysis, which many may find useful.

Collecting and storing this information may seem attractive to companies that do a lot of pentesting, but it will be too costly for most pentesters. If storing pastes and then searching local archives seems impractical, you can use search engine operators instead (for example, a Google query such as “password example.org site:pastebin.com”).

An alternative to Google is a specialized search tool developed by Andrew Mohawk, called Pastebin Parser. It lets you run queries against different Pastebin-like sites using different techniques. The author also provides a downloadable utility, which can be installed locally and customized to fit your needs.

The same author has developed a web tool called PasteLert, which can notify you when information matching the conditions you set appears on sites like Pastebin.
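The kind of condition matching such an alerting service performs, applied to watching for leaks of your own company's data, is shown here as an added example. It is not PasteLert's code or code from the original post; the watched domain, the severity rules and the sample pastes are constructed assumptions.

```python
import re

# Assumption: the domain you are responsible for; example.org is a placeholder.
WATCHED_DOMAIN = "example.org"
_DOM = r"(?:[a-z0-9-]+\.)*" + re.escape(WATCHED_DOMAIN)

# The watched domain or any subdomain, but not look-alikes such as
# notexample.org or example.org.evil.test.
HOST = re.compile(r"(?<![a-z0-9.-])(" + _DOM + r")(?!\.?[a-z0-9-])", re.I)
# Dump-style lines: address at the watched domain, a separator, then a secret.
CRED_LINE = re.compile(
    r"^\s*([a-z0-9._%+-]+@" + _DOM + r")\s*[:;|,]\s*(\S+)\s*$", re.I | re.M)
KEYWORDS = re.compile(r"\b(password|passwd|pwd|dump|leak|api[_-]?key)\b", re.I)


def scan_paste(paste_id, text):
    """Return a finding for one paste, or None if the domain is not mentioned.

    The secret half of a credential line is never copied into the finding, so
    alerts can be forwarded without spreading the leaked passwords further.
    """
    hosts = sorted({h.lower() for h in HOST.findall(text)})
    if not hosts:
        return None
    accounts = sorted({a.lower() for a, _secret in CRED_LINE.findall(text)})
    keywords = sorted({k.lower() for k in KEYWORDS.findall(text)})
    severity = "high" if accounts else "medium" if keywords else "low"
    return {"paste": paste_id, "severity": severity, "hosts": hosts,
            "accounts": accounts, "keywords": keywords}


def scan_all(pastes):
    """Scan {paste_id: text} and return findings, most severe first."""
    order = {"high": 0, "medium": 1, "low": 2}
    found = [f for f in (scan_paste(i, t) for i, t in pastes.items()) if f]
    return sorted(found, key=lambda f: (order[f["severity"]], f["paste"]))


# Constructed sample pastes (not real leaks).
SAMPLE_PASTES = {
    "aaa111": "db dump 2011\nalice@example.org:Winter2011!\n"
              "bob@mail.example.org;hunter2\ncarol@other.test:zzz\n",
    "bbb222": "todo: rotate the password on vpn.example.org before Friday",
    "ccc333": "see docs at example.org.evil.test and notexample.org",
    "ddd444": "int main(void) { return 0; }",
}

if __name__ == "__main__":
    for finding in scan_all(SAMPLE_PASTES):
        print(finding)
```

A "high" finding means account names at the watched domain appeared next to secrets, which is the case that calls for immediate credential resets.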



The idea of using data from such sites to gather information in preparation for a pentest was discussed by Corelan Team. They introduced the Pastenum utility, which can be installed locally.



As you can see, there are several ways to analyze text-sharing sites at the stage of collecting information about the target. You can add the sites and utilities mentioned here to your standard toolkit, and leave a comment if you develop your own utility for this purpose (on the source page; translator's note).

Source: https://habr.com/ru/post/123593/

