PW - Breachego - Christian Heinrich & Daniel Cuthbert

BSides Las Vegas · 27:35 · 17 views · Published 2016-12
About this talk
PW - Breachego - Christian Heinrich & Daniel Cuthbert Passwords BSidesLV 2015 - Tuscany Hotel - August 04, 2015
Transcript [en]

...that will display more statistics and give us more stories from live, large corporate environments regarding passwords: anything from, you know, how help desks will do password resets. That's something that I would like to hear more about. I do know a lot of help desks, as an example, let's say if you call them and say you have lost your password, they will actually send your new password to your manager and you have to go to your manager to get your new password. I've seen that many, many times in different countries. Do you trust your manager? So for Cambridge in the UK in December and for Las Vegas next year, please submit papers, articles, presentations on that.

Now, one of the submissions that we got for our current CFP was from Christian, and it's basically, you know, well, you spend 10 seconds telling us what it is, but this one, I mean, I read it, I read it, it was like: yes, I want this, period. So to do the back story, okay, so the original talk I was going to deliver today was... Troy Hunt and I were going to present on... with Troy presenting...

Okay, now we're cooking. So essentially my day job for the moment is I work as a pentester, but due to obviously eroding sort of commercials of that industry, I've started developing more and more into Maltego itself, which is essentially integrating third-party data sources into Maltego and then working out how to best position the product itself. So I've done this for a lot of companies: I've developed transforms through Facebook, through Instagram, Gravatar, which takes a person's email address and then essentially a profile picture with that email address, Recorded Future, and the most recent one I'm doing is the web application which

basically takes Chinese and European, any competitors on pce, and runs them over your web logs, and it's essentially used thing. I've developed transforms in both Canari, which is a third-party sort of application framework, as well as the transforms themselves. Pretty much everything that I develop is for free, and you can go to GitHub, look at my repository and just search on it and find a whole ton of sort of configuration files and any other. So the agenda for today is largely what we just discussed: the integration of the APIs themselves from three vendors, Have I Been Pwned, BreachAlarm and abic. Have I Been Pwned, as I mentioned

before, is Troy Hunt's, I guess you can say, pet project. He doesn't really commercialize it and sort of put it together to one about zero itself, but he's recently started to... APIs and that kind of thing. So if you run, like, an identity theft service, you can email addresses and it will tell you compromised, but you also a lot of alternatives that cost next to nothing, so if you talk your own to send you back a breached email address, email from there. BreachAlarm, so they've offered an API to me, last support their free API endpoint, which is to the breaches endpoint, and Abus, which has its API in the

elite base, is currently, don't worry about that message, is currently free. I'll also cover the configuration itself of Maltego and I'll present a couple of case studies. The case study that I'll present today is on Atlassian; we do make a lot of developer tools. It originally started as a job, but if someone else wants to put forward another, we're quite happy to look at doing that. I guess you should cover what Maltego is first. So up on the screen here I have Maltego, and essentially the power of it is this view here, which is a bubble view. So if we look at a main view here, what

we basically have is a bit, an email address on the top, which then feeds into a post, a posting. So if we're interested to visualize which one of those two posts is the most popular, we switch it over to bubble view, we select one, and then we say, okay, I've selected this place, which ones are the email addresses that are applicable to that post, and what we find here is that it selected all the email addresses that come through. If you select the low one and select the parents from there, you can see that we've actually identified, because the bubble itself is slightly smaller, that it has less

email addresses coming into it. So what it's essentially used for is link analysis, but it also provides an XML document format which you can use to basically use web services, so you don't need to continually push out new code changes to end users; the end user can just pick those up automatically. So the first one I'll cover is Have I Been Pwned. So what I have done with this one is I've integrated all the latest release API version 2 endpoints into it. So this is getting all the breaches for an account; now an account under Have I

Been Pwned is defined as either an alias or an email address. We can also get all relevant pastes, Ghostbin, Pastebin, Slexy, etc., etc., where an email address does appear, and we can also get a single breach site itself too. So if you were to run it against Adobe or Hacking Team or any of those, you would be able to find out where the email address is breached, under what domain, and then the history of that breach itself. And as part of this development we support all the HTTP status codes of the API itself. So we essentially take in two types of inputs in

Maltego, the first one being the email address, which is the one down the bottom here, which I'll just zoom in on for you. The examples that I'm using are taken from the API documentation itself, so they're already publicized and all known. In addition to that we have a number

of aliases too that are related to the Snapchat database compromise. So within Maltego itself, in the latest release being Chlorine, it enables you to position the transforms based on author, then the transform set (so a transform set is essentially a series of related transforms), to finally the individual transforms themselves. So in this case, for aliases we can run the breached accounts endpoint against it, which I will do now. Okay, so we get two entities returned from there; one is just a generic entity, which essentially allows you to select entities based on

if you're using all three providers of information in terms of their API, Have I Been Pwned, BreachAlarm and music, you can select these individual boxes, and then if you're an API provider, essentially do a quality assurance on your own API itself and what your data set is. Now, as you've probably guessed by what was up the top here, so we're related to the Snapchat database one, these aliases have all appeared within Snapchat itself. Okay, and so as an investigator, what I would like to investigate is what is the relevant documentation that's against St. So we get essentially the note view here; if we click on the

entity, we see that same notice repeated here. Now that is text that is returned by the Have I Been Pwned API itself, and it's obviously come back and now said not only have these aliases been compromised but also the domain itself, as you can see.

Now this is the paste example. So what we originally started with is Troy gave me a Pastebin paste which was identified as 730 848, which is the top one. So what I had essentially done is run all those email addresses that were in one paste against another one, and it's returned paste ID 730 804 4098. Now as you can see, in terms of the view itself, the ones that are pointing in to this 730 8049 paste are not the same posts to Pastebin as the one above. So if you're investigating an incident or performing incident response, you wanted to essentially contain a disclosure, judging by the fact that a

lot of breaches are reposted to Pastebin, pasted in Ghostbin, quickly, so that continuously you could pretty much work out that you might want to get a copy of both of these pastes, because they might indicate that you've been breached at different times and the data has been coming through. Now, as one final thing, what Maltego can do is it will actually automate all of this for you. So I've created two Maltego machines; now essentially what these are is that they take an input entity and they will do the two breach transforms for you, and then if it returns a domain name, it will also check the have-about records of the domain name itself. So if you were to run it, it simply takes an alias.

Some struggles, I'm not sure why it actually does this. Demo... no, well, this goes back to... For those of you who are wondering, these demos are actually running from an HP Stream 11, which is like the $200 laptop that you can buy. But anyway, moving on, that essentially runs the transforms that are applicable to the email entity first and then to the domain entity that's returned from there. So I'll come back to that one to actually show you that it's executed and all that, but just to move along, there is one other final thing.


So what it essentially does is, as you can see, this is against foo bar. So foo bar has appeared in these Pastebin posts, and in addition to that it's been used in these various breaches. Yeah, so that's the first run of what the machine does; then the machine picks up all the domain types, just by selecting the group of transforms. It then goes through and populates what the actual compromises are and gives you individual annotations as to what they are, which you can look into next. So that's what the machine does and produces, sort of automatically. Now in previous versions of Maltego you used to be able to run machines against the input entities themselves; under Chlorine that is not possible using the context menu anymore, but I'll get on to that later on.

The other thing too, with Have I Been Pwned, is there is an account deep link, so when Maltego produces those results, if you go to the detail view it will produce a deep link back to Have I Been Pwned, so you can send that link to an end user and have Have I Been Pwned actually render on their web application where the account has been compromised, where it's been found. So just to reuse the former Have I Been Pwned example, so we just run it [Applause] again. I'll just go on quickly because I'm starting to run out of time, but the detailed view here is, if you click this link down here, it will actually redirect you back to the account from there.

The next one being BreachAlarm. BreachAlarm is fairly simple in what they do, so the endpoint that they provided us largely only adds the number of breaches that the email address has been involved in and when it was last breached. So what I had decided to do from there was essentially insert it in as a KN, so you can run this against, like, Have I Been Pwned, all the email addresses, and then run the BreachAlarm

transform on those email addresses itself and get some more additional information from there. The final one being abic. Umusic are an interesting one. If you look at the left side of this diagram you'll see a number of phrases here; these are actual passwords that people have encoded, through examples I've taken from the music themselves, and we run the transforms against them, and what it gives us back is the clear text password but also the encoding that was used on the password itself. So if you're able to split the password fields, you get what the clear text password is that this text uses. If you click on the entity itself you find that SHA-512 was used to encrypt the password, which is this one above it here. So that's quite good if you want to just send a whole ton of passwords off and see if they've been broken in the past and then sort of work it from there. Well, I mean, we're going off for one... Okay, so the other service that the musics provide is obviously just to check an email address, so this is again one that we can combine against all of them. Now, I quite like the musics because they say my email address has never been compromised; I can tell you that's false.

This is the one I use on 12C P, so I know for a fact that it has been compromised, but again this goes back to the various vendors that produce these breach databases could actually do it. But just to present a case study: Craig Davies, who's the CSO for Atlassian, stated that he was going to come to Black Hat. Yeah, so just as a bit of fun I said to him, well, we would look at what Atlassian had done in terms of if they had been broken into, and these are generally the cases as to what you would actually use them for. So you can see we start running the transforms there, so we start kicking them all off in one go, and this is what it looks like if you're actually running all three use cases, or all three APIs, against the list itself. Now as you can see, Craig himself here is not compromised, so that's obviously a good sign, but as we get down to here we find that BreachAlarm has listed some of these email addresses as breached, so obviously to find out which ones those are, we click on the child entity and then select parents, but we find that they have both listed a... as part of the Adobe breach and the Hacking Team breach. So that's essentially what you could use to run it against your entire

Active Directory list, that kind of thing, to work out quite quickly where your breaches are, or if you've got any breaches that are coming on board. Tomorrow at Black Hat I'll actually be demonstrating how you can use it as a time machine, so essentially it runs every hour, so you just don't end up hammering the Maltego transform. Does anyone have any questions on this?

I'm just wondering, if there are any of these sorts of queries to the system, are there any ways of doing so in a privacy-protecting manner? That is, could I ask about my email address without letting you know my email address?

Yeah, sure. Could you find

out who is actually on Ashley Madison? That's your real question. No, no. So I think for BreachAlarm, take SHA-1 hashing of your email address; music implements SHA...; Have I Been Pwned doesn't implement anything, and the reason that Troy doesn't, very reverse that, and all those are unsalted.

Okay, so there's no sort of homomorphic kind of... Yeah, thank you. It's to give people peace of mind, but it doesn't really change that; a lot of them go into explanations as to why they do it, but no one has a solution for that on the market.

Yeah, I have one for Christian. I see this, that's really, really interesting, both from the attacking and defending side, because basically one of the things that we really know about users is that their next password is going to be the current password just qu... So as an attacker, if you can figure out, like, the naming scheme being used, you can use transforms like this to look up employees of a certain company or organization online to see if they have been breached already in a very easy way; then you can find out what kind of passwords were they using, and chances are that the passwords they use at some site they don't... compromised are pretty revealing about what kind of passwords and password structures they are using at the time being. So using this it becomes easier to break in, and as a defender you can also use this to defend, to have a look at how many of your users have been breached in external breaches and eventually do something about that.

There's going to be a one-hour breakout; there's chill out in the chill-out room, you know, happy hour pretty much, and at 5:00 we will have a young female Master's student from Norway; I've been co-supervising her for the past year for a master thesis, and it's basically "tell me who you are and I will tell you your Android lock pattern". It's a cool talk, so be back at five. See you there.

Yeah.
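The transform the talk describes, as an added example that is not the speaker's Breachego code: a Have I Been Pwned API v2 breachedaccount reply rendered as Maltego response XML, one entity per breach, with the detail-view deep link and a UI message for each documented HTTP status instead of a silent empty result. The v2 field names and status codes are as documented for that API; the two breach records and the deep-link URL format are assumptions constructed for this example.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample shaped like a Have I Been Pwned API v2 "breachedaccount" reply
# (v2 field names; the two breach records are made up for this example).
SAMPLE_BODY = json.dumps([
    {"Name": "ExampleSite", "Title": "Example Site", "Domain": "example.com",
     "BreachDate": "2014-03-01", "PwnCount": 1234, "DataClasses": ["Email addresses", "Passwords"]},
    {"Name": "OtherForum", "Title": "Other Forum", "Domain": "forum.example.org",
     "BreachDate": "2015-06-15", "PwnCount": 99, "DataClasses": ["Email addresses"]},
])
# Status codes documented for HIBP API v2; a transform should handle every one of them.
HIBP_STATUS = {400: "bad request (account not in an acceptable format)", 403: "forbidden (no user agent)",
               404: "not found (account has not been pwned)", 429: "too many requests (rate limited)"}

def hibp_breaches_to_maltego(account, status, body):
    """Turn one HIBP v2 breachedaccount reply into a Maltego transform response: one
    maltego.Domain entity per breach with the breach metadata as additional fields and a
    Detail View deep link back to HIBP; non-200 statuses become UI messages, not silence."""
    root = ET.Element("MaltegoMessage")
    resp = ET.SubElement(root, "MaltegoTransformResponseMessage")
    entities = ET.SubElement(resp, "Entities")
    messages = ET.SubElement(resp, "UIMessages")
    if status == 404:  # a clean account is a result worth showing, not an error
        ET.SubElement(messages, "UIMessage", MessageType="Inform").text = f"{account}: not found in any breach"
    elif status != 200:
        ET.SubElement(messages, "UIMessage", MessageType="PartialError").text = (
            f"HIBP HTTP {status}: {HIBP_STATUS.get(status, 'unexpected status')}")
    else:
        for breach in json.loads(body):
            ent = ET.SubElement(entities, "Entity", Type="maltego.Domain")
            ET.SubElement(ent, "Value").text = breach["Domain"]
            fields = ET.SubElement(ent, "AdditionalFields")
            for key in ("Name", "Title", "BreachDate", "PwnCount"):
                ET.SubElement(fields, "Field", Name="hibp." + key.lower(), DisplayName=key).text = str(breach[key])
            ET.SubElement(fields, "Field", Name="hibp.dataclasses",
                          DisplayName="Data classes").text = ", ".join(breach["DataClasses"])
            # Detail View label carrying the account deep link (URL format assumed for this example)
            label = ET.SubElement(ET.SubElement(ent, "DisplayInformation"), "Label",
                                  Name="Have I Been Pwned", Type="text/html")
            label.text = f'<a href="https://haveibeenpwned.com/account/{account}">{account}</a>'
    return ET.tostring(root, encoding="unicode")

def summarize(xml_text):
    """Parse a transform response back into (entity values, [(message type, text)])."""
    root = ET.fromstring(xml_text)
    return ([e.findtext("Value") for e in root.iter("Entity")],
            [(m.get("MessageType"), m.text) for m in root.iter("UIMessage")])
```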