Pages

Sunday, May 7, 2017

ihavebeenpwned?

Background
Like some of the paranoid folks out there, I've signed myself up to haveibeenpwned.com to get informed via email whenever a site got hacked and my credentials are being leaked. A few days ago, I received an email saying that my credentials associated with my email address (user id) was leaked on seemingly a Russian site known as 'exploit.in'. I needed to know what password was leaked before I go on a mass change on all my accounts.


"Anti Public" combo list
It's said to be 458million credentials leaked. Yep, holy.
For more information: https://haveibeenpwned.com/PwnedWebsites#ExploitIn

Hunting the leaked password database
After perusing some forums, I managed to get my hands on the dump. It's about 10gb zipped up and 26gb unzipped. The files are separated with filenames starting from 1.txt to 111.txt, and the contents are in a format of [email address]:[cleartextpassword]. You get gmails, yahoos and even some .ru email addresses on it.
Holy batman it's 26gb of cleartext credentials which rivals the WPA list! On a SSD and a i5 3.2ghz, it still takes a few minutes to parse through the whole list. So back to the task "am I pwned?", I did a:
type * | findstr [partial my email address] > search_results.txt
After a couple of minutes, I found two email entries: a gmail and a yahoo. The yahoo has already expired and the gmail is a super old password that was since multiple password-changes ago. Phew for me. But still, quite a scare.

Charlie Mike: Investigate the passwords
Well, my curiosity goes beyond my own security status. I wanted to know what type of passwords were cracked and if they were able to bruteforce complex ones. So I went on performing some simple text processing. I'll do a post on this when I'm done. :)

Shiny New Dict
And of course, since it was verified to be a real credential dump, how can I ignore a super reliable word list? It came with a super easy format so the following commands helped cleaned it up:
cat exploit.in_2016.lst | sort | uniq > exploit.in_2016_uniq.lst
cat exploit.in | cut -d":" -f 2 > exploit-in.txt

LOL 50% CPU utilization on sort.exe
This is going to take a while. Don't wait up.
JS.