Using spambots to find leaks and password lists.

Recently I have been getting into looking for password lists for hash cracking. Starting out can be tough as you end up with just getting some basic pastebin scraper off the net and running it. Then realizing that it is just looking for any post with plaintext password and user.

This is great if you want a bunch of pastes that have very little to do with password lists and more to do with broken code developers are trying to shuffle around. In my nieveness I was in hopes of it just working.

Good news is the code was well documents and easy for my to read and edit. Now comes the question of what do I put in for it to search for. There is a very good write up on hunting for password lists here . One line that did stand out to me was:

…hackers frequently use to create accounts such as Cucum01:Ber02, zolushka:natasha, and many others. These combos are so common in password lists they always lead to more passwords.

So I thought to myself how can I take data I already have and use that to make my own password finder. Well thats when I came up with this idea when studying some leaks in order to find more passwords.

What do all forums have? Spam bots. Now pay attention this is key, if I was a spammer I would not be using the same username across all sites since this would allow admins to keep a list and block me out same goes for email or domain. So instead I would use variations of a specific username / email. However this is not good enough for me to track in case they changed username / emails. However one thing I did notice while doing pattern tracking was that most of the accounts I would disregard since they are spam bots (generally banned accounts in leaked DBs) had the same password. For this example I give you:

aerorlugcubrempie or as I use to track this bot Zk7oz89sfE

This account uses a veriety of emails to register such as:

a.ero.r.l.u.gcu.b.r.e.m.p.ie@gmail.com
ae.r.orl.u.g.c.u.b.r.em.pie@gmail.com
aer.orlug.c.u.b.r.e.mpie@gmail.com
aer.orl.ugcu.b.rempi.e@gmail.com

and so on and so fourth. This is important but also unimportant. Remember the spam bot can always register with a new gmail at any time. However the one thing that never fails is that the bot always uses the password Zk7oz89sfE .

Searching google and pastebin for the decrypted password often lead to sites that have this password listed along with thousands of other decrypted human passwords. I also found the bot commonly rotated usernames as well so really the password was the only way to tell if it was the same bot or not.

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *