
All right, thank you for joining us at BSides. We are in the Ground 1234 talk, and we are here with Robert Paul doing "Enterprise Overflow: How Breached Credentials Impact Us All." BSides would like to thank our inner circle sponsors, Critical Stack and Valimail, as well as our stellar sponsors, which include Secure Code Warrior, Paranoids and Amazon. This talk is being recorded and streamed to YouTube, so if you could silence your cell phones we would appreciate it. If we do have time for questions at the end, if you could raise your hand I'll run the mic to you, so that the people listening online will be able to hear your question as well. And with that, let's get started with Robert Paul. Thank you.

All right, thanks everybody. Just to start off here, there's the GitHub link for the tool that's going to be released in this talk, but don't worry, as I go through the slides it'll be there at the end as well in case you missed it. So let's just get started. As you heard, I'm Robert Paul from NuID. I'm also a USAF reservist. What we do at NuID is specialize in authentication solutions, really around zero-knowledge proofs and all of that great stuff. So really my job as the director is heading a project that we call
internally Project Nebulous, and this is to research the weaknesses in credentials and authentication, for our solution, but also just as general weaknesses in the industry.

So I want to start off today talking about the Canonical breach. If you haven't heard about it, it happened just about a month ago, and this is a pretty significant breach, or it could have been if the hacker hadn't just defaced packages: he had gained access to about 39,000 packages inside of Canonical. For those of you that don't know, Canonical runs the Ubuntu operating system, they develop it, so this could have been a very significant breach that could have impacted at least 53% of Amazon Web Services and probably a lot more than that out there on the Internet. But I'd like to point out here that right there, a Canonical-owned account on GitHub was compromised. So they had a credential-based compromise on their account; someone logged in with a password and was able to access those packages and repositories.

So Project Nebulous is really our internal research project where we have accumulated leaked data out there since about 2009, and so far we have about two and a half billion unique passwords, and in all it's totalling now more than eight billion unique records. This includes social security numbers, addresses, hashes, all of that. And when we look at the list of data breaches reported on Wikipedia, which contains all of the breaches that basically have a news article associated, that only totals to about 9.7 billion records, and the majority of the data that we've collected isn't actually in the Wikipedia page. So there's actually a massive underreporting of leaked data out there. In 2017, Verizon's Data Breach Investigations Report revealed that 81% of hacking-related breaches were caused by stolen or weak passwords. And Troy Hunt, of course, everyone here may be familiar with him, he had found that 86% of the passwords that have been coming out of recent breaches were all previously seen in data. So what that means is there's a lot of password reuse. And I want to point out that in 2019's Verizon breach investigation report we have seen that the amount of stolen credentials being used in attacks appears to have gone down, but that isn't really the case. It depends on the industry you're in; for example, in manufacturing it's still as high as 80%. And that's because the scope of their report changed quite a bit, and there's been a lot more breaches and different types of breaches as more and more techniques and vulnerabilities come up.

So I'm going to talk a bit about the life cycle of a credential breach, kind of what happens from basically ground zero, which is going to be hackers, of course, compromising an organization through any variety of methods. And then of course they're going to gain access to additional credentials. Usually after they've compromised an enterprise, or maybe a large network, they're going to gain access to some repository of user credentials, or perhaps Active Directory hashes and so forth. And what they do next with this, people assume that they immediately throw this on the dark web and start selling it, but they actually don't. What they do is cherry-pick each little piece of data out of that leak and use it for themselves to generate further compromises in networks, engage in fraud or cryptocurrency theft, etc. And they actually share this data amongst themselves, and this is where you can intercept it, in something I like to call the cybercrime holy trinity, which is going to be Tor, Discord and Telegram. If you're able to embed yourself in these organizations and these groups, that's where they're at. They're actually mostly on Telegram and Discord; they're not even hiding or anything. Occasionally they'll be on Tor, or at least some of them, the more paranoid bunch of them, will be. And they share it amongst themselves in order to help them conduct SIM swapping attacks and so on. And only after it's outlived its usefulness to them, it could be months or years later, sometimes weeks later if it's moved pretty quickly, sometimes someone just gets a hold of it and decides to sell it, that's when it will end up on Tor or any kind of darknet forum, being sold for anywhere from $2,000 all the way up to $20,000. And that's when it gets distributed widely, that's when it gets picked up in the news, that's when we start seeing big ripple effects of people starting to do anything from credential stuffing attacks to just trying to access the users' accounts.

So there are different parts in that very first part of the compromise in our life cycle; there are different ways that hackers can kind of abuse that, or be able to compromise organizations. The first one would be trust relationships with B2B, and for example Target, everyone knows about that here probably,
and they were actually hacked through their HVAC vendor. As Brian Krebs here points out, it traces back to network credentials that were stolen from a third-party vendor. What had actually happened with the Target hack is an HVAC vendor was compromised, their credentials were stolen and leaked, and then they were able to just pivot through their network with more stolen credentials until they eventually hit the systems that store credit card information within Target.

The second one, of course, is going to be the shared user base. If someone here has a Twitter account, they probably have a Facebook account; everyone here has a bank account, probably with one of five banks. So if there's a major breach of user credentials, say at Yahoo, where 1 billion user accounts alone were breached, people are going to take that and they're going to start stuffing it at other websites like Facebook and Twitter. So that's, you know, a pretty low-tech solution, but it does conduct these attacks, especially on cryptocurrency exchanges; they've seen huge spikes in fraud after there's been a leak such as Collection 1.

And then the third one is again what I just talked about, credential stuffing, but it's actually kind of different from the shared user base, because this is just mashing all the data that they can get into username and password combinations, also called combo listing, you may have heard it like that. And that's when they just try it across your entire network, and this is everything from FTP servers, SMTP servers, anywhere you can take a username and password on your network, they're going to attempt to use combo lists on it. And they've been doing it for quite some time; there's active development with this tool. This one is called Email Combo Lister Slayer; it's a well-known one in carder forums. They tend to usually use this for fraud, but you can actually repurpose it for kind of arbitrarily blasting at a whole network. And they always have great, like, 90s graphics or something. And I want to point out that the words that you always see up here, it's always pointing out that they have fresh lists or the freshest data, and that's because organizations often reset their passwords etc. on intervals, and so the more recent your data is, the more relevant it is to them, so they're always looking to sell the freshest combo list out there.

I'm actually going to demonstrate, using our internal data set, how easy it is to generate one of these combo lists on two types of organizations: one's going to be a smaller organization and the other one's going to be a large enterprise. So I'm going to go ahead and get that ready for you. That is the large organization here, so I'm going to get a small one. Let me full-screen that. So I'm going to go ahead and paste here, so
I'm going to pause that. The domain there that you see is squareup.com; they did the keynote for Black Hat this year, so I'm going to generate a combo list for their stuff just for the heck of it and output it there. There's a variety of command line options there for our internal red teaming tool, but mostly I'm going to output them, and I'm doing a wildcard query. I'm just saying give me everything in my data related to squareup.com. So I'm going to let that run; it takes a second for it to spin up because it's got to go and query Elasticsearch, and there it goes. So within like half a second there, or whatever that was, I got 394 results containing everything from hashes to PII and all kinds of stuff. And right over here you can see the databases this came from, so we got everything from Altro to Dropbox, which is like ancient in terms of leaks now, and we ended up with a total of 225 hashes.

So what we're going to do now is attempt to crack them. I'm just going to let that run, so it's going to go and do its thing. Real quick, I'll pause that. So every red thing there is a plaintext credential; I made it nice and color-coded so it's easy to see. And those are going to come from, obviously, these ones are from Exploit.in and Collection 1, and Collection 1 is basically just the Exploit.in, LinkedIn and Dropbox leaks tidied up and cracked. So as it's running and cracking hashes I'm just scrolling up here in the tool to kind of demonstrate that it's pretty easy to get plaintext passwords out of there. And so we already decrypted one hash, or cracked one hash. I really say decrypted because we're not actually cracking hashes here. What I'm doing is I'm going back over the Nebulous data and querying it: have I ever seen a hash with this before? We basically take all the plaintext passwords that are in our data set and hashes that have cracked passwords with them, and then we generate a big rainbow table for a variety of different hashes, and this is everything from SHA-3 to SHA-256 to NTLM, as you'll see in our later tool. So I'm just going to go ahead and skip way ahead here, because it's just going to keep going through these 200 hashes, and it takes about three or four minutes for it to run. There we go.

So we can see that in a small organization we cracked three out of the 225 hashes, which isn't very much, but it did yield, even on someone who's mostly cloud hosted and an organization that doesn't have that many people, it yielded 30 unique username and password combinations. On a small target like this it's not really feasible to just attack them on their network with it; the chances that a combo list with like 30 combos would actually work on their internal organization are small. But when I look at all their GitHub accounts, if I stuff these into GitHub and Twitter and anywhere I can think of that they may use, or any of their vendors, then it becomes really apparent that it could get pretty dangerous. You could eventually maybe compromise something related to them, like what happened with Canonical.

And then the second scenario here, when we start up, is going to be a large enterprise, and this is actually going to be Lockheed Martin Corporation. So every time that scrolls, that's ten thousand results, and it's just going to keep going for a little bit there. And so we queried lmco.com and said hey, give me all the data on Lockheed Martin. Most of this is all old; this is all stuff from like LinkedIn, Collection 1 and so forth, but you'll be able to see the scale. Actually let me full-screen that for you there, and I'm going to let that run for just a couple seconds here, and I'm going to pause that. All right, so right up here we can quickly see that we were able to get 139,494 results in our initial query to start with, and that's everything from dates of birth to IP addresses to hashes and plaintext passwords, as you saw the red go by. And that yielded 22,000 hashes total, and of the 22,000 only about three thousand of them are actually salted. So we're seeing that once we take combo listing to a target like a bigger organization, we find that the password security of other people is actually way worse. So Lockheed is probably doing everything they can do; I know from experience in the Air Force that they use two-factor on everything, sometimes three-factor, and you have to use the smart card and all that to access a lot of their systems. So it's a pretty significant number of hashes, and as we'll see here, once the combo list completes, it's just going to keep running. I'm actually going to have to skip forward; it's just going to keep going and going and going. It takes about four minutes for it to get through all these.

So at the end there, what we see is we actually cracked a significantly higher number: instead of three out of 200, now we cracked seven thousand out of twenty two thousand, and this is mostly because the data, the breach that at least this domain came from, is like MD5 and SHA-1, so they're relatively easy to crack, and also they're easy to rainbow table because most of those hashes were unsalted. And actually, when I looked at this, most of the hashes that we did compromise were just rainbow tabled because they were the unsalted ones; we barely got any of the salted ones. So definitely salt your hashes, it makes a huge difference, and it's a shame that Active Directory doesn't do that. So in all we ended up with 6,349 unique username and password combinations. Now when you look at the scope of a large enterprise, that's six thousand something accounts that I can try on every single authentication inside their entire organization that faces the internet. That's every FTP server I can find, basic auth, router, big F5, whatever, you know, load balancers, anything. And so it becomes a really big issue, because not only can we do that on their network, we could do the same thing we could do with a small organization: we can target GitHub accounts, vendor accounts; if they use a specific fuel supplier, might as well try this list on that. And so the problem can start spiraling out of control really quickly. All right, let's get back to our slide deck here.
All right, so this really highlights this systemic problem, and that is: are you triggering your incident response when someone else gets breached? And we actually saw the industry do this in the LinkedIn breach. There were six and a half million plaintext credentials leaked by some other guys; some random hackers went and compromised LinkedIn and then dumped it out there, and they were storing a combination of hashes and plaintext passwords. Then somebody, I wouldn't say somebody, but hackers out there started using tools to go ahead and stuff these credentials into different enterprise networks, and it created this huge ripple effect of hacks out there. And there were news articles at the time, way back then, going oh my god, reset your passwords now, you know, because there were people actively exploiting this, and the entire industry responded by triggering their incident response and resetting their passwords internally inside of their networks. And so that's what's required. The problem is now that we haven't really, as an industry, started doing that again. What ends up happening, other than maybe the big one like Collection 1 or something, or when Dropbox happened, we'll see it happen then, but not the little tiny breaches, like little phpBB forums that end up on Tor somewhere and have 3.4 million users, and sometimes it might contain some enterprise accounts in there and passwords. And that's really because of the challenges involved with having to trigger your incident response every time there's a big compromise of a company; it happens all the time.

So incident response teams also must be pretty proactive in resetting breached credentials before they are abused, and that's not easy to do. As we've seen with the Wikipedia page from earlier that I mentioned, the amount of actual reporting on all this is relatively low, so we're not able to really understand when things are being breached. And it's also very difficult to be able to audit your passwords faster than they can go ahead and credential spray them across your network. And also incident response teams must be able to respond any time someone else gets hacked anywhere; obviously that's not very realistic. And we have a phrase on our red team, and that's there's only two types of networks: those who have been hacked and those who know they've been hacked. And oftentimes, as we saw, by the time it ends up on Tor or any of the darknet forums, the breach is sometimes years old, and that's only when they are discovered. So it's not really realistic; we need a solution that can basically intercept these dumps as they happen, basically intelligence of getting in and getting these credentials made available to the industry.

So there are some solutions. Thankfully the industry does try to collect these dumps. They often pop up for only, sometimes, hours and then they're gone and no one ever has them again, so you have to ask someone like hey, did you get a copy of this breach? Collection 1 had that problem: it popped up for a little while and then it disappeared, and then you had to go and find someone who had a torrent of it or a backup of it, and then it reappeared once someone else started reselling it for cheaper. And so there's basically a growing community around collecting breach data and making it available for enterprises to use to audit their credentials, either their user databases or something like Active Directory. databases.today is a great one; they host just piles of leaks. I think they have about 2,300-ish different individual breaches out there that you can just go and download; I think it totals about 3.8 billion records or so. Also there's Troy Hunt; he has released millions of compromised hashes that you can use for auditing your network. The links to both of those are up there. So one thing to note about Troy Hunt's data, though, is that it only has 555 million out of it; he has like 8 billion records or so, same as us, but only about 555 million of those are actually available in his API. I'm sure he's probably working on making the rest of his data set available, but for now we've got 8 billion documents ready to go, and we also have 2.5 billion unique passwords that we've added to our rainbow tables, so they're already available on our API.

And so really this highlights the need for industry tools that can adapt very quickly and basically make this leaked data available to people in a very quick pipeline, and that's what we've built out of our research project. So Nebulous Active Directory is our free, open source tool that anyone can go use, and its purpose is to just automatically audit your Active Directory for any leaked credentials. That's exactly what it does. So now let's demo that. This is going to be the help option up there while I go ahead and get the video ready for you guys.
So there I'm just typing into the command line some options, and snap would be snapshot. That is the easiest way to use this: it uses ntdsutil to just go ahead and grab a snapshot of your dit file and your SYSTEM registry hive. I'm going to actually pause that. So what I'm actually doing is I'm telling the tool to grab a snapshot, shred the files with a seven-pass overwrite, it uses SDelete to do that, so it's a Sysinternals tool, that way it's a more trusted method of doing that, and then I'm also instructing it to grab user status for the output and also the time their password was last set, which could be useful to you. That's optional; you can literally just do snap check and it will go ahead, snapshot and check it against your network. It's pretty much two commands and it's ready to go. So I'm just going to go ahead and let that run there.

And so what it's doing now is it's going to go into the SYSTEM registry hive and grab the AES decryption key for your Active Directory database. Yes, it is encrypted, but you know, any hacker can do this just as easily as someone trying to audit your stuff, so one thing to note there. And now it's actually going in and decrypting your, or at least our, domain's dit file, and it'll take a second for that to run.

It's almost done. Once it decrypts the dit file it has to defragment it, and there's lots of techniques about that. Actually, let me pause that, so I want to rewind that a little bit. So we're using Impacket on the internals there, and I'm just going to explain a little bit about the color options there. The gray users here are going to be the disabled users in the domain, and then the blue ones are just the test accounts I loaded into our test domain that are active. And if I... I really don't want to rewind, I want to let it play, sorry about that guys. So as it goes, again like the previous tool, red is dead: those are compromised user accounts that are in the domain. It's actually checking it against Nebulous's API right now, and it's identifying that those users' actively set password is appearing in leaked data. Oh sorry, I want to get that last bit there so you can see that. And so at the very end here we can see that 26 out of the 206 accounts have been identified as having leaked credentials, and then we output the result to a CSV file.
All right, so there's some great benefits with this tool. We can integrate it very easily into existing tools like SIEM, syslog etc. to alert you in real time about your compromised credentials. The way we can do that is actually every time it audited one of those accounts it created an audit success or audit failure inside the Windows Event Log, meaning if you're pushing logs from your domain controller to some kind of logging solution, which I don't know anyone here who wouldn't do that unless you don't want to know who is logging in and out of your network, you're able to trigger an alert based on that event.

We can also set this with the Task Scheduler; this was actually designed to run in the Task Scheduler to be completely automated, so it's set it and forget it, and you can just audit your network at set intervals of like one day, one week, or whatever your security policy decides to do with it. You can combine it with your own scripts to actually take automated actions, so you can actually lock out user accounts or force a reset on next login etc. based on the event. So when you see it, you can actually tell the Task Scheduler to do it: when you see this, disable this account. We didn't build that into the tool for now because every enterprise is different and they may not want to impact their users; if they automatically lock the account, that user will just, every time that tool runs, get locked out and won't be able to access resources. But you can do things like forcing the password reset on their next login and so forth.

We built this in Python, and it is open source, so you can just go and inspect it, do what you need to do, make any changes that you want to, and if you do make changes be sure to push the branch up; it would be pretty cool to add features, and I don't mind. But we can run it without the Python interpreter as well; I actually have a compiled release for this, that way you can just download it, set it up in Task Scheduler and get that running. It's pretty sysadmin friendly, so you don't need to have any technical skill involved with setting this up and needing to know how to really deal with coding and everything, like you would with auditing, say, the torrent file from Troy Hunt, which contained like 555 million NTLM hashes. And there's also no need to store terabytes of hashes; our data set is like 13 terabytes or something in flat data, so it's pretty unwieldy. It takes us almost two weeks to reindex this thing in Elasticsearch, so it takes away having to have that overhead of having to manage that. Also we can output to a universal format; we output to either CSV or JSON, so if you can develop and you do want to do more with the output of this, once the output is generated you're able to just grab the CSV or the JSON file and feed it into Logstash or something, and there's lots you can do with that. We're also using a familiar library: we built this on top of Impacket, and so if you've used Impacket before you can use our tool.

So I'm going to talk now a bit about what the
tool actually did when it ran. So first it clones the NTDS.dit file and your SYSTEM registry hive using ntdsutil.exe that's built into Active Directory, and it will create an exact copy of your database. You can't actually go in and decrypt the live database; it's locked even if you're NT AUTHORITY\SYSTEM, you can't get access to that, you have to use a Volume Shadow Copy to gain access to that. Inside the SYSTEM registry hive is your decryption key; we're actually going to take that and then decrypt the database as I mentioned earlier, and iterate through there and be able to gain access to the NTLM hashes that are in there. Once we have access to those hashes, now we can do whatever we need to do to process that user's authentication data, and at this point you don't have to use our API. You can actually just output the results to CSV or JSON and then audit them yourself with your own data. You can go on databases.today and go ahead and download all the different dumps and everything and create a rainbow table of your own. I do want to note, though, that that is a major pain to do, because of the way that the data is stored: it's very weird, different formats, every leak is different, and sometimes you get straight sqlmap outputs, sometimes it's a CSV with a weird delimiter, and so you have to parse each individual data breach, and there's thousands of them, so it takes a long time to do.

And so if you specify the check option, we will go ahead and check these against NuID's API by wrapping them in SHA-256. So obviously you're not going to have the NTLM hash sent over the network; that would be crazy to do. So we created a special rainbow table, a lookup table, that has all of our NTLM hashes wrapped in SHA-2; that enables us to check hashes without needing to send the actual NTLM hash over the network. And so once we get that, we wrap it in SHA-2 and then do an HTTP GET over to the API, and the API will respond with 200 OK, the hash is there, or 404 hash not found, as in it's not found in our data set. So if you get a 404 your hash is safe; if you get a 200, yeah, it's compromised. It actually has a JSON output saying whether or not it's in there, but you can just do it purely off of the status code; that way it's a lot quicker, you don't have to parse JSON and deal with the serialization and deserialization overhead. And then of course once we have the result we log it to the Windows Event Log and then dump all of the results to the specified output, if you want an output result of that.

This is what it looks like in the Windows Event Log. So you'll see there that the source is NebulousAD.exe, which is just the name of the exe file, we have our event ID, which is just 4141, and here I'll go ahead and highlight those for you. So I want to point out that if you do make a SIEM rule, what you want to do is grab that extended information, because that's where we store which account is compromised in there. So if you make a rule you want to grab that additional information so that way it's available in your dashboard when you get an alert. And of course we use audit failures or audit successes to view that; that's the bottom right arrow, and then our event ID there. Now the user that you see there is just what user in my test domain ran this, in this case the local administrator, because, you know, it's just a demo, and then the computer, in this case the domain controller it ran on. This is useful so that way you can audit what system is actually auditing all of your passwords; it'll tell you the user and the machine that did that.

So I want to talk a bit about what we're
doing in the future and for now we're stuck on Python 2.7 unfortunately and that's due to limitations within impact we're actually looking at porting to 3.7 soon for that very sweet async functionality and hopefully can get that done before the end of life date but impact it's a massive project and they still haven't ported it so we'll see no promises there but I definitely want it to 3.7 because if we get async we'd be able to audit like 50,000 users in a second I'd be really cool also more data we're always adding data to this we started out at the beginning of December with like 5.4 billion and now we're creeping closer and closer to
10 billion we had like eight point three billion that I mentioned it was the actual document count and elasticsearch but there is a lot of data have an indexed yet so we're always adding more data to this and we're always just gonna keep throwing more stuff into our rainbow table and that's gonna be available to you guys for free next we want to do is actually permutate all the passwords and the reason you want to do this is because hackers are doing it first off but it'll catch policy violations from people who just do really basic stuff like they have my dog spot 2018 and then they set their password next time to my dog spot 2019
you're gonna catch those policy violations you'll catch those users and so we want to permutate the entire data set looking for patterns like that and yeah it's a lot of work and when we test it out doing this before it was like estimated and it's going to end up being like 50 billion additional hashes added to it so it'll be quite a lot but it'll catch any of them the permutated passwords from tools like crunch and so forth also easy mode sim roles I didn't get any built in time for the talk but I definitely want to release some we use security onion internally and so I can release the dashboard and the rule set for that so
that way you could just import it and it's ready to go just and you can also do that same thing and McAfee sim and ArcSight and those are the two that I'm aiming to create a rule set for and if anyone has any other like asam is that they want a rule set for it and then just like message us on just either email us or making it a github issue like raises an issue and github and like I'll totally try to make a easy mode as a rule set for you guys so that way you can just import it and it just works and then for the very thick tinfoil hats in the room uh I also want to mention that
some of you guys don't like the idea of SHA-256 wrapping the NTLM and sending it over. Troy Hunt's API has something called k-anon, or k-anonymity: that's where he actually uses the NTLM hash, he just takes the first like five characters of it and sends that over, and what you get back as a result is like a list of four to five hundred hashes, then you have to iterate through all of those to figure out if there's a match, and that's kind of an inefficient way of doing that. And, you know, we at NuID actually kind of specialize in zero-knowledge cryptography, and hashes are actually really, really great for using zero-knowledge proofs on, so we may go beyond k-anon; instead of just wrapping that in SHA-2, we may just use a zero-knowledge proof to do the check. Now you're not transmitting either hash or any part of the hash, you're just transmitting something that can be used to verify whether or not we have that in our data set. And then the last one is, hopefully we can get an API to check user credentials during registration. This tool is just really for Active Directory, and that's like a very static data set, you know, you have just your users in your environment and there aren't really too many added or removed unless you're a very big organization. So it also doesn't really cover someone out there running like WordPress or something and they have like 3,000 users, so there is a way that we could expose a check during registration, so that way we can check the users' credentials as they're being registered on the site and say no, password123 is like terrible, please don't use that.
So there are some known issues that I would like to point out, because Impacket has a bug when dumping NTLM history on some builds, not all. I have a GitHub issue raised within there, the link's there so you can track it if you want, and what that is, is it's only for the history, so you can still check the actively set password, that works just fine, but you won't be able to check the history of the user. And I only really encountered this on Server 2016 and 2019 in AWS, not when I installed it on hardware, so who knows what that bug is, but if you do encounter that just let me know; you can either raise an issue or, yeah, just wait until I can figure that out. And also the precompiled binary can be slow to start on some systems, and that's just the way it was compiled. I tested this on a dual-core, four gigs of RAM AWS instance, and honestly, unless your domain controller's running on a potato like that, then you're not gonna have any issues, cuz it took like five to six seconds for it to start up and then go, but that's on a dual core, so if you're running actual physical hardware it'll go right away. And the application is multi-threaded, so it'll take advantage of those cores, and again, of course, any issues, raise them up on GitHub. So here's the link to the repository there, and I don't know if we have time for Q&A or not, I think we do, I think I'm way ahead of schedule, got like 15 minutes. [Music]
We have quite a bit of time for Q&A. Yep, and I'll be available after this to come talk to and everything, me and my colleague Ibrahim, he's right over there.
Hi, how's it going? Yeah, great presentation. A quick question I had for you was, how do you guys feel your database compares to, say, Azure AD Password Protection service that they've recently brought out of beta, where they're checking against their own tools but they say they're not using anybody's outside data? So I'm assuming they're doing their own magic, but does anybody know kind of what their repository looks like in terms of known compromised passwords?
Yeah, as far as I know, most of the people that I've seen, they're collecting stuff from publicly known sources such as databases.today and any of the newest stuff from when people started building these services, so really that's gonna be data dumps that have appeared since like 2017. We've been collecting stuff since like 2009 and we have data that goes back to 2006, and we also have data that hasn't appeared anywhere else that we know of; it's not in Troy Hunt's, it's not in anything. Like when I checked my own email and everything, I see stuff that Have I Been Pwned doesn't have in there. So in all, the amount of data breaches we have is seven thousand seven hundred and something individual websites, and those aren't even the pastebins, so it's quite a lot of websites that are in there. I'm not sure how many Troy Hunt has; if I recall it was like two to three thousand, I don't know, I'd have to go and look, he actually has his datasets available. One thing we do want to do is make which databases we do have available, so that way there will be a list, that way you could just compare it to different services. But we offer this API for free; you do need an API key, as it'll say on the GitHub page, and the reason for that is so we can enforce the rate limiting and everything, but other than that, yeah, you can use any of those services, since the tool itself does dump the NTLM hashes for you into like a JSON or CSV; you can make your own tool set or expand the existing one, just clone the repo or something and build your own check against those services.
Question here: you mentioned the zero-knowledge proof and the distributed ledger for availability; my first reaction there was, is the ledger available publicly? Because that would be how I would see it being okay.
Are you referring to NuID's solution? So this tool doesn't use the distributed ledger; I would just use zero-knowledge proofs within our own internal data set to make it so that way you can transmit it in like the most secure way possible to check if the credential is leaked. But NuID's solution, yeah, we do use a distributed ledger for that, that's Ethereum, but that's kind of out of the scope of this talk, I think. Okay, you can come talk to me after we wrap for that.
I mean, might have, yeah. Yeah, right up front here.
Yeah, if I'm understanding correctly, it's making API calls back to your server to check, has this password been compromised, correct? Yes. How can I trust that you're not doing something nefarious with what I'm basically saying, hey, these are my passwords?
Yeah, so that's the unfortunate thing, actually; Troy Hunt made a very good case for that, that's why he made k-anon. That's also why we want to either adopt that model, just with the SHA-256-wrapped version instead, so that way I only see like the first five characters of a SHA-2, and that's gonna return quite literally probably ten thousand results, um, I had to bump it up to like seven, there's a medium in there, so that way I'm not aware at all of what the heck hash you queried, it could be one of hundreds to thousands. Now though, even k-anon, when I looked at it, I was like, really though, you could be able to figure it out: you'd look at the incoming queries, right, and you'd be able to see that, okay, you can grab each individual list from the query and now you basically have a combo list. A lot of those will fail and some of them won't work entirely, because if it's not a direct match, of course, but you'll have the list of what they queried with k-anon. With the zero-knowledge proof there'd actually be no way for me to check what the heck you just queried; it's just the way that zero-knowledge proofs work, and if we did add that into the API, then I would have it well documented, how that works and how we can't check it. But you could just, as I said, you don't have to use the check; the check argument in there is separate, so you can actually have that disabled, or you can go into the code in the repo and when you compile it just literally remove the argument out of there entirely, and I put the API callbacks in there into their own separate class, that way you can just literally highlight the class, backspace it, and there are no more checks. So yeah.
Hey, I have a question over here, right over here. Alright, and there. So I'm guessing, in my experience, to get the NTDS.dit the only way to get it is from a domain admin; do you need to run this tool with the minimum?
Yeah, you need to run this tool as something that has domain admin, or as the local, something with local administrator privileges on the domain controller will work as well. That's just the way that it has to be for ntdsutil to have the right privileges. [Music]
Thank you. And this is just a confirmation: before I send the file, I can edit and remove certain hashes from known accounts of mine, is that possible? So I edit the file before checking, so for instance cryptid Utes, I'm not sending their hash for that.
Huh, actually, the way the check function works is it just grabs the dit file and then just immediately starts checking. That's actually a good point; what I'll do then is make it so... Impacket has the way to just point to a dit file, actually I already have it in there, you can point to an offline thing, so I'll probably just actually make that a feature and modify it to be able to do that. It's a good point, yeah, but currently, no.
Was there anyone... whoa, were there any more questions? I don't even know where the speaker was up there. All right, well, thank you for coming to BSides, and thank you Robert for his wonderful presentation. [Applause]