High Severity | T1566
🔓 Credential Leak Detection
🧠 Description
Credential leaks are exposed passwords, hashes, and authentication tokens from data breaches, paste sites, and leaked databases that can be used for credential stuffing and account takeover attacks.
🔍 Search Databases
# Have I Been Pwned
https://haveibeenpwned.com/
# Check if email was in breach

# DeHashed (requires subscription)
https://dehashed.com/
# Search by email, username, domain

# LeakCheck
https://leakcheck.io/
# Free tier available

# Scylla.sh
https://scylla.sh/
# Database search

# Hunter.io (email enumeration)
hunter.io/search?email=@target.com
📝 Paste Site Monitoring
# Search Pastebin
https://pastebin.com/
# Use search operators

# Archive.org search
site:archive.org "target.com"

# Google dorking for leaked creds
site:pastebin.com "@target.com"
site:pastebin.com "password"
site:hastebin.com "api_key"

# Monitoring with Holehe
holehe target@gmail.com
# Checks if email has linked accounts
🛠️ OSINT Tools
# sherlock - username search across sites
python3 sherlock.py targetuser

# holehe - email breach checker
holehe email@example.com

# leuk - credential check
leuk --email user@target.com

# breach-checker
python3 breach-checker.py -e email@target.com

# snoop - search social media
snoop --email user@target.com
💣 Credential Spraying
# Spray passwords against target service
# Use found creds on other services
# Password reuse is common

# hydra http form spray
hydra -l user@target.com -P passwords.txt target.com https-post-form "/login:user=^USER^&pass=^PASS^:Invalid"

# credspray
python3 credspray.py --passwords wordlist.txt --domain target.com --users emails.txt