Credential stuffing like an APT: 10 secrets for credentials harvesting
Lately we heard about many different security breaches to some of the big brands out there, some of them like Microsoft were breached as a result of credentials that APT29 (AKA Midnight Blizzard) found.
As red teamers, just like many other APTs (state-sponsored and crime) we have to find our way to the target’s network and assets, so put a lot of effort in credential stuffing from any resource that we can get.
It doesn’t mean that we are looking only for the classic username and password to log in to a specific service, in many cases we will look also for tokens, API keys and even valid cookies that we might find. Especially in targets that employ best practices and use 2FA/MFA in many different services.
It’s important to say that there are many ways to hunt for target’s credentials and here we will take a look on the top 10 ways that I found extremely useful in my engagements, without any social engineering effort.
For more content and hacking tips — follow me on X.
What kind of credentials we hunt for?
Well, like we mentioned earlier, there are different types and different use cases.
The first kind is of course usernames and passwords. It’s always good to find users, especially if they should hold high permissions that might boost the entire engagement and spare us lateral movement and privilege escalation efforts. Although there are many cases that a good pair of username and password may be enough for us to win the target, there are two points of failure that we must consider:
- Not always we can find good enough username and password
- Even if we found, we all know the feeling of getting stuck because of 2FA that we can’t bypass
So we need to move to other credentials types.
Cookies. We all love them. It’s really hard to get them, but if we manage to think on a way to do so, it’s much more powerful than passwords and in 99% of the time they also can bypass 2FA. Later on we will talk about ways to collect cookies from a target, but for now just keep in mind that cookies are something that we always should look for.
The next and last kind of credentials that we will talk about, is tokens and API keys. This kind of creds is also an excellent way to bypass 2FA since it is usually a token that issued after the authentication process or maybe it’s a token/key that should be for an automatic service. There are many kinds of tokens and keys, and the usage might be different among different kind of tokens (unlike cookies). Take a look at this repo of keyhacks for more information about usage of common types of service tokens.
Let’s dive into some practice methods to harvest as many credentials as we can in our engagements.
Method #1: Info Stealer Products
First, It’s critical to mention that stealers are a huge collection of cyber crimes and we are not recommending on buying them. Buying stealers of stealer products is actually paying money for cyber criminals that harm innocent people and companies. So don’t!
But it is still important to say that there are a lot of stealer products that you can get for free without paying anything, just by downloading those products from cyber crime forums. From obvious reasons I won’t share here these forums here, but keep in mind that you may want to check if your client’s data is “for sale” in the dark side of the industry.
If you manage to stealers that holds your target’s credentials — make sure that your client is changing the exposed credentials.
For your engagement, it can be very useful in order to start with some valid username and passwords that already exposed and demonstrates a real threat actor that hunts for access to this target.
Method #2: Breaches Data
There are a few resources that contain huge amount of collections of usernames and passwords that leaked from different breaches. For example, a Linkedin breach that happened couple years ago. But people like people, usually don’t change passwords unless they are being forced to, and even then many times it will be from “coolcat2023" to “coolcat2024".
We do need to have a premium account to use the good resources, but I find is very beneficial to pay a relatively small amount of money for such a good resource.
Some of my favorite tools:
- breachdirectory.com
- dehashed.com
- leak-lookup.com
In some cases, the results might not be the clear text passwords, it would be a collection of hashed passwords. In this case, in order to take it a step further and to crack them, we can always use hashcat with our wordlist (like a simple rockyou list), or we can use one for the online tools that already contains some huge lists for us:
- cloudcracker.net
- hash-cracker.com
- crackstation.net
- onlinehashcrack.com
- and many more
Method #3: GitHub Dorking
Even though most of us already familiar with this github dorking concept, it is still common that many red teamers and bug hunters overlook this method. Let’s talk a bit about this method’s pros and cons.
pros:
- Publicly available and we can use some smart keywords to make our credentials hunting faster
- Repositories might contain all kinds of creds: passwords, tokens and API keys!
- Finding creds in a program’s code usually can save us time of figuring out where and how exactly to use them
cons:
- In most cases companies don’t expose their sensitive repositories to the public, usually it happens by mistake
- Sometimes this github dorking might takes a lot of time and we may come out with zero creds in hands
Because of the cons, this method might not be one of the first options I’ll choose in my engagements, but it definitely worth a shot when we have nothing else. It’s also worth mentioning that even if there are no creds in the repositories themselves, it’s sometimes helps us to understand better how to use the creds that we find from other places.
Although I said that this method may be a bit of a time consumer, there are some nice tools to automate the dorking process. One of my favorite tools is Trufflehog, which can be either installed or run as a docker container.
Also, for more variety of dorking tools and github keywords, take a look on HackTricks page and keep it in your browser toolbar for quick access when needed.
Method #4: WaybackMachine
Sometimes in order to harvest some good valid credentials from a target, we just need to look at the past. WaybackMachine is the best resource to dig into the archive of our targets. Not only that WaybackMachine restores web pages from different times, it’s also collect URLs from GET requests and let us everything we need.
So many times when I had a blackbox engagement, without any way to register a user of my own, I went to WaybackMachine and searched for some relevant domains and subdomains of my target. After, I opened the URL tab in the results page and sorted by date (newest to latest). At the right corner we have a search box that we can use to find URLs with specific keywords, like user, email, uuid, password, key, secret, token, etc.
I know that it sounds too simple to be true, but I find gold in there all the time. From user/uuid enumeration to valid tokens. Honestly, I even have some good bug reports only by finding IDORs through a simple search here.
Method #5: Postman Collections
Postman is a platform for testing, building and debugging API. According to Postman.com, over 30 million developers use it and without any doubt, this is one of the most common tools for developers that build APIs.
Postman allows you in a nice GUI to craft HTTP requests with everything needed: parameters, body data, headers, tokens and more. Hence this tool is very popular among developers, cause they can concentrate on building the backend and test it easily, without the need for a frontend to deliver the data in the middle.
So why this tool is also important for hackers?
Well, today in order to use Postman, the developers need to create an account in Postman.com. Like in GitHub, after they create the account and start working on a project, they need to configure what kind of a project (“collection”) it is: public or private. You already know where it’s going to, right?
In so many cases, I’ve seen sensitive credentials, mostly API keys and tokens, but also cookies, just waiting in a public collection and holds admin privileges. This is definitely a significant blind spot for many organizations, even for big and (almost) secured companies.
Just by going to Postman.com and searching for our target collection, we may find valuable data that sometimes worth more than username and password. If we find JWT or access tokens, we can bypass 2FA!
The great thing about it, is that these credentials are usually being used by the developers of the app, so in most cases it by design holds admin privileges to the entire app.
Method #6: Special File Paths
It’s a short one. When we do content discovery (ffuf, gobuster, dirbuster, etc), we sometimes miss in our wordlists some important file paths for default files with credentials. I’ll mention specific examples.
VSCode SFTP configuration files. VSCode lets developers do edit files remotely by installing the SFTP extension. If developer installs this extension, he/she can write the code locally in their VSCode and it’s automatically being saved on the remote node, for example — the production server. But where is the catch? there is a small configuration file that many times being left behind. This file holds the IP address, username and password for sending the code automatically to the remote server. If we find something like this, we can probably connect with FTP to the server, and sometimes these are the same passwords for SSH!
Config.json files. These files also tend to be extremely valuable for us, they hold all kinds of creds:
Git files. This is one of my favorites. Fuzz for /.git files and if you manage to find this endpoint, use tools like GitTools to dump and extract the files. Finding a git folder of a website might be useful for many reasons, and in most cases the code holds hard-coded secrets that are useful for us. For automating the secret hunting from a dumped git directory, I recommend on Trufflehog as a great tool.
Method #7: Open Docker Registries
Just like public GitHub repositories and public Postman collections, we can find publicly available Docker registries. I’ve seen many companies that opened their own registry for uploading their Docker images and managing it more privately (instead of paying to DockerHub). The only problem is that they totally forgot that they must configuring a secured password for accessing this registry.
The result is that those companies upload their docker images to these registries and anyone can download these docker images, that contain pure source code of the company. It’s just like finding the target’s code repository!
I already made a writeup about this method, so we won’t dive into the details here, but it’s recommended to read it.
Method #8: Javascript Files
We can learn a lot about a website through its javascript. The javascript holds a part of the frontend logic, it tells us what happens when XHR/AJAX requests are being sent, API paths and more.
Apart from these, javascript may contain some secrets too. In most cases, it’ll be some API keys, Firebase tokens and other third parties key. But in other cases, it might be even JWT of services and passwords that left in the code.
The image above is taken from one of my engagements, where I found a JWT of a “test” user with premium permissions. It was helpful to go further and look for post-auth vulnerabilities.
Method #9: Compromised Assets
Assuming that we already managed to get privileged access to a server of our target and we want to move laterally to get access for other assets, we should consider using these compromised nodes as passwords trap.
In most cases, passwords of servers are shared among other servers in a company. Especially when there are automations such as Ansible, that in order to do the automation thing, it must connect to every node using SSH credentials. If there is a shared password, you can defeat the entire network just by compromising one server.
If we have root user on a random Ubuntu server, we can install a tool such as 3Snake for dumping every SSH password or keylogging SUDO commands. If we wait to the next time a human/automation will log into our compromised server, we will expose the password and be able to password spray it to all the other servers.
Method #10: Malicious Javascript
In this scenario, we can change or inject malicious javascript code to a web page with a login form or cookies. It can be done in two main ways:
- Injecting stored XSS keylogger
- Accessing S3 bucket that holds static files (JS, CSS, images) loaded to the web page
About the second way (with the S3 bucket) I already made a writeup here.
If we manage to put our hands on javascript content loaded to a website, we can steal credentials of all of the users that use this website!
Summary
Credentials play a game-changer in almost every engagement, red team and bug bounty. We invest a lot of effort and time in recon and vulnerability research, but by finding a few valid creds might save us a lot of time and boost the entire operation forward.
Most of the methods I was mentioning here are easy and don’t consume a lot of time. I’m sure that if you adopt these 10 methods for the next 5 engagements that you’ll have, at least in one of them you’ll find your gold.
Let me know if it was helpful for you!
