Finding Enterprise Credentials in Data Breaches

In the age of the breach, it’s a safe assumption that almost every public account’s credentials have been exposed at some point. “Have I Been Pwned” (HIBP), is a database that contains usernames and other information about any compromise they come across. While available for individuals to search against, certain protections have been put in place to prevent DDoS attacks, making mass scanning using their public API difficult.
As a red teamer, this information is very valuable during the passive reconnaissance phase of an engagement, and querying a single email at a time doesn’t scale well against an organization of 10,000 users. While many applications and scripts have been written and shared using the API’s, there wasn’t one available that successfully scans through an entire list of emails.
HIBP leverages CloudFlare as a web application firewall (WAF) that enforces brute-force protection through the use of 2 user-agent-based cookies and rate-limiting. To circumvent these controls, the script first reaches out to CloudFlare leveraging a pre-set user agent and obtains the authentication cookies using an opensource project known as cloudflare-scrape (cfscrape). The script then utilizes the obtained cookies and a built-in 2-second time delay between queries to conform to the rate-limit.
The script can identify whether a specific email address has been breached according to HIPB, obtain any paste information if present, search or obtain a list of breaches, and download a copy of all breaches contained within HIBP.
This script is available through the CRITICALSTART GitHub, for use by individuals or enterprises, and will be a future capability of the CRITICALSTART MSSP.

Example of searching emails for potential breaches and obtaining pastes if they exist within HIBP database
by Quentin Rhoads-Herrera | Offensive Security Manager, CRITICALSTART
May 1, 2018
Director of Professional Services
As the Director of Professional Services, Quentin leads the offensive and defensive security teams known as TEAMARES. He is an experienced security professional with expertise in security analysis, physical security, risk assessment, and penetration testing. Quentin’s diverse background is built from a variety of staff and leadership positions in IT, with specific experience in threat and vulnerability management, penetration testing, network operations, process improvement, standards development and interoperability testing.
You may also be interested in…
Stay Connected on Today’s Cyber Threat Landscape
RELATED RESOURCES
- News
CRITICALSTART aims to eliminate “acceptable risk” from cybersecurity’s vocabulary
CRITICALSTART, a leading and trusted provider of Managed Detection and Response (MDR) services to hu... - News
SMU Cox Dallas 100™ Names CRITICALSTART One of the Fastest Growing Privately Held Companies in Dallas Area
PLANO, TX, (February, 25 2020) – CRITICALSTART, a leading cybersecurity provider of Managed ... Data Sheet
The Financial Consequences of Risk Acceptance Security Strategies Whitepaper
CRITICALSTART reduces endpoint risk to levels unachievable by traditional Managed Detection and Resp...
RESOURCE CATEGORIES
-
- Consumer Education(39)
- Consumer Stories(2)
- Cybersecurity Consulting(10)
- Data Breaches(15)
- Data Privacy(43)
- Incident Response(9)
- Interview(51)
- MDR Services(64)
- MOBILESOC(9)
- News(4)
- Penetration Testing(16)
- Press Release(59)
- Research Report(9)
- Security Assessments(16)
- TEAMARES(17)
- Thought Leadership(17)
- Threat Hunting(9)
- Video(1)
- Vulnerability Disclosure(3)