I hope this article can give you a basic introduction to the world of 'breach hunting', something I have recently come to enjoy (weird, right?). This is by no means an exhaustive list of tools and methodologies but more a primer to get you going in the exhilarating world of spending hours trawling through other people's lists, spreadsheets and datasets for the greater good.
With all the different methods available, I find it more manageable to split my searches by country. Normally I will focus initially on the main AWS regions (IE / US / DE), then move on to the smaller AWS regions (GB / CA / AU) and finally on to other countries (NL / SE / NO / BE / IN / JP and many more). I often filter out CN from my results, as the sheer number of devices in China tends to pollute my result set.
Take a look at this ranked list of database flavours to see which ones are worth searching for: https://db-engines.com/en/ranking/relational+dbms
The most popular and well-known search engine for finding devices and services rather than web content. It has extremely powerful search filters and is well worth paying the initial fee if you don't have a .edu email address.
Combine filters together to hone in on unauthenticated database web admin panels, or even a simple search such as title:"index of /" http.html:"sql" will return surprising results. Results are limited to 200 pages via the web interface.
A lesser-known search engine very much like Shodan, run by the Chinese security team Knownsec. It has a huge list of predefined dorks that have been submitted by users, and again very powerful search filters. As both Shodan and ZoomEye are scanning the same Internet you are going to get overlapping results, but I find that because the results are ordered differently, something on page 200 of Shodan might be on page 2 of ZoomEye.
I won't go into much detail here as there are many resources out there on Google dorking, but it's safe to say that Google is still a great resource for finding things that shouldn't be there. Take the following search for example:
If you can get access to regularly updated Internet-wide scan data then you can start to build up your own index of exposed services and run a diff on the data every few days to see if any new services have appeared online. You could also conduct your own Internet-wide surveys, but be warned: most networks won't react well to being probed and you'll spend a lot of time answering abuse emails. Don't do this from home, or you will end up on a blacklist.
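The diff idea above is simple enough to script. The following is an added example (not code from the original post) that takes two snapshots of scan data in an assumed "ip,port,service" line format, reports which services have appeared or disappeared between them, restricts the check to CIDR ranges you are responsible for, and flags anything that appeared on a well-known database port. The two snapshots, the CIDR range and the port list are constructed sample values for illustration; a real run would feed in exports from whatever scan source you have access to.

```python
"""Diff two snapshots of Internet-wide scan data to find newly exposed services.

Added example, not from the original post. It assumes scan exports in a simple
"ip,port,service" text format (one listener per line); the snapshots below are
constructed sample data, not real scan results. The owned_ranges filter limits
the check to address space you are responsible for, i.e. attack-surface
monitoring of your own estate.
"""
import ipaddress
from typing import Dict, Iterable, Set, Tuple

Service = Tuple[str, int, str]  # (ip, port, service name)

# Constructed sample snapshots (documentation-range addresses, not real hosts).
SNAPSHOT_DAY_1 = """\
203.0.113.10,22,ssh
203.0.113.10,443,https
203.0.113.25,3306,mysql
198.51.100.7,80,http
"""

SNAPSHOT_DAY_4 = """\
203.0.113.10,22,ssh
203.0.113.10,443,https
203.0.113.25,3306,mysql
203.0.113.31,27017,mongodb
203.0.113.31,9200,elasticsearch
198.51.100.7,80,http
198.51.100.9,5432,postgresql
"""

# Illustrative list of ports where an Internet-facing listener usually means a
# database that should be behind a firewall or authentication.
DATABASE_PORTS = {1433, 3306, 5432, 6379, 9200, 27017}


def parse_snapshot(text: str) -> Set[Service]:
    """Parse 'ip,port,service' lines into a set of (ip, port, service) tuples.
    Blank, commented and malformed lines are skipped so one bad row does not
    abort the whole diff."""
    services: Set[Service] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) != 3:
            continue
        ip, port, name = parts
        try:
            ipaddress.ip_address(ip)          # validates the address
            services.add((ip, int(port), name.strip().lower()))
        except ValueError:
            continue
    return services


def in_ranges(ip: str, nets) -> bool:
    """True if ip falls inside any of the given ip_network objects."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def new_services(old: Set[Service], new: Set[Service],
                 owned_ranges: Iterable[str] = ()) -> Set[Service]:
    """Services present in `new` but absent from `old`, optionally restricted
    to the CIDR ranges you own (empty owned_ranges means no restriction)."""
    nets = [ipaddress.ip_network(r) for r in owned_ranges]
    appeared = new - old
    if nets:
        appeared = {s for s in appeared if in_ranges(s[0], nets)}
    return appeared


def flag_databases(services: Set[Service]) -> Set[Service]:
    """Subset of services listening on well-known database ports."""
    return {s for s in services if s[1] in DATABASE_PORTS}


def report(old_text: str, new_text: str,
           owned_ranges: Iterable[str] = ()) -> Dict[str, Set[Service]]:
    """Full diff: what appeared, what disappeared, and which new listeners
    look like databases."""
    old, new = parse_snapshot(old_text), parse_snapshot(new_text)
    appeared = new_services(old, new, owned_ranges)
    gone = new_services(new, old, owned_ranges)
    return {"appeared": appeared, "disappeared": gone,
            "databases": flag_databases(appeared)}


if __name__ == "__main__":
    # Constructed range: pretend 203.0.113.0/24 is our own address space.
    r = report(SNAPSHOT_DAY_1, SNAPSHOT_DAY_4, owned_ranges=["203.0.113.0/24"])
    for key in ("appeared", "disappeared", "databases"):
        print(key)
        for ip, port, name in sorted(r[key]):
            print(f"  {ip}:{port} {name}")
```

Run it on a schedule with yesterday's and today's export and anything in the "databases" bucket is worth an immediate look; leaving owned_ranges empty gives you the unrestricted diff the post describes.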
OK, so you have found some juicy data and it's time to disclose this to the organization, but how can we be sure who actually owns this data?
I use the following template for the first email.
Potential Data Breach
Please pass this email to your IT team ASAP. I believe I have found an unauthenticated database instance routed to the Internet that belongs to <company>. The dataset contains <a rough overview of the contents without disclosing any actual data>. Please can someone get in touch to confirm the technical details. Best Regards, <email signature>
If this is a high-priority dataset I'll normally send 3 emails similar to this over 3 to 5 days. If I don't get a response then I would consider contacting the media to help; an email from a journalist will often cause a company to jump and get things fixed.
There are always going to be risks involved in this kind of work, and it is up to you whether you want to accept that risk. I'm not a lawyer and this is not legal advice, but I have a few rules that I try to always follow.