WEBVTT

0:00:03.400000 --> 0:00:06.220000
Leaked password databases.

0:00:06.220000 --> 0:00:11.180000
In this video, we're going to be exploring the process of utilizing pre

0:00:11.180000 --> 0:00:18.120000
-publicly available leaked password databases online to essentially try

0:00:18.120000 --> 0:00:23.460000
and find or identify whether the email addresses we've identified in the

0:00:23.460000 --> 0:00:30.180000
previous video have essentially suffered from a potential data breach

0:00:30.180000 --> 0:00:35.740000
on a website that the owner of the email had registered on.

0:00:35.740000 --> 0:00:41.200000
And the objective here, as I mentioned in the previous video, is to essentially

0:00:41.200000 --> 0:00:46.000000
try and find whether the owner of the email address has, as I said, experienced

0:00:46.000000 --> 0:00:50.280000
a data breach. And if so, we actually obtained that password that was

0:00:50.280000 --> 0:00:52.220000
leaked during the data breach.

0:00:52.220000 --> 0:00:57.080000
And we can then try and utilize that password to perform a password spray

0:00:57.080000 --> 0:01:00.200000
attack. Now, we're not going to be doing that in this video, because we're

0:01:00.200000 --> 0:01:05.720000
still in the passive information gathering phase of this course.

0:01:05.720000 --> 0:01:07.500000
So let's get started again.

0:01:07.500000 --> 0:01:09.760000
I'm just going to be using my Kali Linux VM.

0:01:09.760000 --> 0:01:12.600000
So I'm just going to switch over really, really quickly.

0:01:12.600000 --> 0:01:18.820000
All right, so I'm back on my Kali Linux VM and the site that I'm going

0:01:18.820000 --> 0:01:22.920000
to be utilizing for this demonstration is a very popular site called Have

0:01:22.920000 --> 0:01:28.340000
I Been Pwned dot com, or simply put, Have I Been Pwned. Now, Have I Been Pwned

0:01:28.340000 --> 0:01:32.680000
is a really cool site because it essentially aggregates a, you know, the

0:01:32.680000 --> 0:01:38.200000
whatever data breach happens on in the world on, you know, some of the

0:01:38.200000 --> 0:01:42.480000
most popular websites on the, you know, in the world like Facebook, Google,

0:01:42.480000 --> 0:01:47.600000
really anywhere, any website that has a data breach, these guys, more

0:01:47.600000 --> 0:01:52.160000
specifically Troy Hunt, the individual that set up this website aggregates

0:01:52.160000 --> 0:01:57.660000
that database, you know, and allows users anyone in the world to essentially

0:01:57.660000 --> 0:02:02.320000
check and see whether they, their email address or phone number has been,

0:02:02.320000 --> 0:02:07.280000
you know, leaked in a data breach, which is very, very common.

0:02:07.280000 --> 0:02:11.680000
And, you know, one of the most important things that you need to know

0:02:11.680000 --> 0:02:16.840000
is most users don't really know if their, their accounts or their email

0:02:16.840000 --> 0:02:21.080000
has been leaked or the email and password has been leaked as part of a

0:02:21.080000 --> 0:02:24.620000
data breach. Now, why am I referring you to this?

0:02:24.620000 --> 0:02:27.580000
You know, you might be saying, well, do I check my own emails?

0:02:27.580000 --> 0:02:28.580000
Well, you can do that.

0:02:28.580000 --> 0:02:32.920000
In fact, I do recommend that you do that because you might find that your

0:02:32.920000 --> 0:02:36.440000
email and password has been leaked as, you know, part of a data breach

0:02:36.440000 --> 0:02:41.020000
on a site that you may still be using that password.

0:02:41.020000 --> 0:02:45.220000
And the worst part about it is attackers have access to this, just like

0:02:45.220000 --> 0:02:49.740000
anyone else. Now, in the context of a penetration tester, in the previous

0:02:49.740000 --> 0:02:53.420000
video, you know, we took a look at how to enumerate or how to harvest

0:02:53.420000 --> 0:02:58.020000
email addresses, right, using publicly available, you know, resources

0:02:58.020000 --> 0:03:02.360000
or databases. If we were targeting an organization and we found employee

0:03:02.360000 --> 0:03:05.100000
email addresses, we could essentially, you know, put them in here.

0:03:05.100000 --> 0:03:10.460000
And if they were leaked as, you know, within or as part of a data breach,

0:03:10.460000 --> 0:03:14.580000
and you know, we were able to obtain a password, then we could, you know,

0:03:14.580000 --> 0:03:17.340000
use that password and perform a password spray attack and try and log

0:03:17.340000 --> 0:03:21.100000
into Google with that same email and password, try and log into Facebook,

0:03:21.100000 --> 0:03:24.020000
Instagram, you know, you get the idea.

0:03:24.020000 --> 0:03:25.220000
It's really, really dangerous.

0:03:25.220000 --> 0:03:29.540000
So again, I can just put in my own past, my own email here, by the way,

0:03:29.540000 --> 0:03:31.900000
please don't send me any emails.

0:03:31.900000 --> 0:03:35.800000
I probably won't respond to them on this email, but you can see that no

0:03:35.800000 --> 0:03:39.140000
pwnage has been found, which means, you know, all the sites that I've

0:03:39.140000 --> 0:03:43.100000
registered on with this email have not experienced a data breach.

0:03:43.100000 --> 0:03:46.560000
And as a result, you know, my passwords have not been leaked.

0:03:46.560000 --> 0:03:52.060000
Now if we entered, you know, any, any other email address, maybe paper

0:03:52.060000 --> 0:03:56.460000
at zonetransfer.me, I doubt that that has been part of any data breach.

0:03:56.460000 --> 0:04:06.160000
Let's just try and see that that works out just fine.

0:04:06.160000 --> 0:04:09.820000
And again, all you need to do is put in the employee email address here.

0:04:09.820000 --> 0:04:13.380000
And most likely if they've been using it for a long time, they might have

0:04:13.380000 --> 0:04:14.440000
been part of a data breach.

0:04:14.440000 --> 0:04:18.820000
And of course, that will all tie into what sites they registered on.

0:04:18.820000 --> 0:04:22.680000
At the bottom here, you can see it has a summary of the largest breaches.

0:04:22.680000 --> 0:04:28.020000
And of course, you know, you can see we have Facebook accounts, etc.

0:04:28.020000 --> 0:04:31.040000
So you can click on that there, that'll give you more information regarding

0:04:31.040000 --> 0:04:32.480000
that particular breach.

0:04:32.480000 --> 0:04:37.620000
So in April 2021, a large data set of over 500 million Facebook users

0:04:37.620000 --> 0:04:41.560000
was made freely available for download encompassing approximately 20%

0:04:41.560000 --> 0:04:43.640000
of Facebook subscribers.

0:04:43.640000 --> 0:04:48.780000
So, you know, the likelihood of an individual, you know, having their

0:04:48.780000 --> 0:04:53.220000
email and password leaked as part of a data breach is very, very common,

0:04:53.220000 --> 0:04:55.840000
unless your email is really new.

0:04:55.840000 --> 0:04:59.360000
Like for some of my older emails, they have been part of a breach.

0:04:59.360000 --> 0:05:03.060000
And you know, luckily for me, I do regularly check the site just to make

0:05:03.060000 --> 0:05:06.960000
sure that I'm not using any of those passwords that were that were part

0:05:06.960000 --> 0:05:10.860000
of the breach. So, you know, I just wanted to share this resource with

0:05:10.860000 --> 0:05:13.160000
you. As I said, this will tie into the previous video.

0:05:13.160000 --> 0:05:17.600000
If you were able to identify employee emails for the target site that

0:05:17.600000 --> 0:05:23.020000
you're targeting, then you know, this would be a great, a great next step.

0:05:23.020000 --> 0:05:25.660000
I would definitely recommend taking a look at this.

0:05:25.660000 --> 0:05:28.080000
Not a lot of penetration testers do this.

0:05:28.080000 --> 0:05:32.020000
But some of the experienced ones, the experienced ones do it.

0:05:32.020000 --> 0:05:35.280000
So definitely do check this out.

0:05:35.280000 --> 0:05:39.640000
Now, is Have I Been Pwned the only place you can get this information?

0:05:39.640000 --> 0:05:42.900000
No, but again, the great thing about this site is you don't need to sign

0:05:42.900000 --> 0:05:45.860000
up. They have an API.

0:05:45.860000 --> 0:05:50.060000
And you of course, I would recommend donating to this site because they

0:05:50.060000 --> 0:05:52.500000
really are doing the public a great service.

0:05:52.500000 --> 0:05:55.660000
And, you know, as a penetration tester, they're also doing us a service

0:05:55.660000 --> 0:06:00.040000
because they allow us to, you know, identify whether employees have been

0:06:00.040000 --> 0:06:04.440000
lax with their password security or are not in compliance with the company's

0:06:04.440000 --> 0:06:08.020000
password, you know, password security policy.

0:06:08.020000 --> 0:06:13.300000
And as we already know, you know, it's a standard tendency for individuals,

0:06:13.300000 --> 0:06:16.600000
you know, just normal people to reuse passwords.

0:06:16.600000 --> 0:06:19.820000
And, you know, that's really not a fault of their own.

0:06:19.820000 --> 0:06:23.060000
You know, once they have a password, they tend to reuse it.

0:06:23.060000 --> 0:06:27.600000
And if they have reused a password that was part of a data breach on all

0:06:27.600000 --> 0:06:31.660000
of the sites that they use, then all of those sites are in essence compromised

0:06:31.660000 --> 0:06:37.160000
because all it takes is for one hacker or attacker to target you, get

0:06:37.160000 --> 0:06:41.440000
your email, they go to haveibeenpwned.com, get that password, and

0:06:41.440000 --> 0:06:45.520000
then try and log into all of, you know, all of the sites you typically

0:06:45.520000 --> 0:06:46.980000
have registered on.

0:06:46.980000 --> 0:06:50.580000
So do take a look at Have I Been Pwned.

0:06:50.580000 --> 0:06:53.380000
As I said, I can't really showcase anything here because that would be

0:06:53.380000 --> 0:06:57.740000
a breach of ethics because if there was a password that was leaked here,

0:06:57.740000 --> 0:07:00.860000
then, you know, that would not be a good thing.

0:07:00.860000 --> 0:07:04.600000
So this was more of an informational video where I wanted to showcase

0:07:04.600000 --> 0:07:06.900000
this really, really important resource.

0:07:06.900000 --> 0:07:10.060000
With that being said, that's going to conclude the practical demonstration

0:07:10.060000 --> 0:07:11.500000
side of this video.