Credential Stuffing

Login with leaked credentials (but how do you find the leaked credentials of a specific company 🤔?) - How to get the plain text passwords of the compa


You have enumerated subdomains and you have come across admin panels.
You tried brute forcing credentials from public sources but no success.

What should you do now?

You need to check the breached credentials of the specific company.

Which site do you need to check?
dehashed.com

Go to dehashed.com and enter the query domain:company.com

If the company has had any breaches in the past, it shows you the company's credentials.

To download them you need to have an active subscription.

They charge $7 per week, and you also need to buy API query credits,

i.e. $3 for 100 API queries.

You need both of them to use the API from bash with the API key.

The query looks like this:

curl 'https://api.dehashed.com/search?query=domain:"company.com"' \
-u dehashed-registered-email@mail.com:api-key -H 'Accept: application/json'

Get the data from the above query.

You can also use jq to process the JSON output from the above one-liner.

Query to get the data (it will be in JSON format):

curl 'https://api.dehashed.com/search?query=domain:"swiggy.com"' \
-u email@email.com:api-key \
-H 'Accept: application/json' | tee dehashed_company_output.txt

But how do you format the JSON output to get only usernames, emails and passwords?

cat dehashed_company_output.txt | jq -r '.entries | .[] | select(.password|test(".+")) | [.email,.password] | join(",")'

To get only emails:

cat dehashed_company_output.txt | jq -r '.entries | .[] | select(.password|test(".+")) | [.email,.password] | join(",")' | cut -d"," -f1

To get only passwords:

cat dehashed_company_output.txt | jq -r '.entries | .[] | select(.password|test(".+")) | [.email,.password] | join(",")' | cut -d"," -f2-

You can adapt it to whatever you need.
test matches the value against a regex; here ".+" keeps only the entries that have a non-empty password.

You can play with jq to understand it better.

After you get the credentials from the above query, you can brute force the login panels using pitchfork in Intruder / ffuf.
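
Seen from the login panel's side, a pitchfork run over leaked email/password pairs has a recognisable shape: one source trying many different accounts about once each, with nearly all attempts failing. The detector below is an added example, not part of the original post; the log format, field names, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: the line format, field names and addresses are assumptions.
SAMPLE_LOG = """\
2024-05-01T10:00:01 result=fail user=alice@company.com src=203.0.113.7
2024-05-01T10:00:03 result=fail user=bob@company.com src=203.0.113.7
2024-05-01T10:00:04 result=ok user=erin@company.com src=192.0.2.10
2024-05-01T10:00:05 result=fail user=carol@company.com src=203.0.113.7
2024-05-01T10:00:06 result=fail user=bob@company.com src=198.51.100.20
2024-05-01T10:00:08 result=fail user=dave@company.com src=203.0.113.7
2024-05-01T10:00:09 result=fail user=bob@company.com src=198.51.100.20
2024-05-01T10:00:10 result=ok user=frank@company.com src=203.0.113.7
2024-05-01T10:00:12 result=fail user=grace@company.com src=203.0.113.7
2024-05-01T10:00:13 result=ok user=bob@company.com src=198.51.100.20
"""

LINE_RE = re.compile(r"^(\S+) result=(ok|fail) user=(\S+) src=(\S+)$")

def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5,
                    min_fail_ratio=0.8, max_tries_per_user=2.0):
    """Return {source: distinct users tried} for sources that, inside one
    sliding window, hit many accounts about once each and mostly fail."""
    recent = defaultdict(deque)  # source -> (time, user, failed) events in window
    flagged = {}
    for line in log_text.splitlines():  # lines are assumed to be in time order
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a login event
        ts, result, user, src = m.groups()
        now = datetime.fromisoformat(ts)
        events = recent[src]
        events.append((now, user.lower(), result == "fail"))
        while now - events[0][0] > window:
            events.popleft()  # drop attempts older than the window
        users = {u for _, u, _ in events}
        fail_ratio = sum(failed for _, _, failed in events) / len(events)
        tries_per_user = len(events) / len(users)
        # Many accounts, few tries each, mostly failing: replay of a leaked list,
        # unlike one user mistyping (few accounts) or a busy NAT (mostly ok).
        if (len(users) >= min_users and fail_ratio >= min_fail_ratio
                and tries_per_user <= max_tries_per_user):
            flagged[src] = max(flagged.get(src, 0), len(users))
    return flagged

if __name__ == "__main__":
    for src, count in detect_stuffing(SAMPLE_LOG).items():
        print(f"{src}: {count} distinct accounts tried, mostly failing")
```

The thresholds are starting points to tune against normal traffic. Any successful login from a flagged source marks an account whose password should be reset first.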

I'll keep the posts short and straight to the point.

Any queries?

Comment or contact me on Twitter: @_thesecurityguy

The single jq line above took me 3 hours to figure out how to process the output in a detailed way.

The time invested by me = Time you saved.

Share your thanks

buymeacoffee.com/ballx
