paste_git_monitoring

Introduction

Pastebin allows users to share text in the form of public posts called "pastes." Since the launch of Pastebin, many similar web applications called "paste sites" have developed. Paste sites are usually used for sharing code, but any data in text form can also be uploaded and shared. The Pastebin search tool allows users to find relevant content based on keywords. Pastebin also relies on users to report abuse, which means non-compliant pastes are rarely removed. This allows hackers to post data easily and anonymously in an accessible location.

Pastebin and similar websites are hosted on the Deep Web. This means that they can be viewed in a normal Internet browser, but the content is not indexed by Google and other traditional search engines. Users have to use the internal keyword search function to find specific content, or get paste links directly from other users. There are also paste sites on the dark web that offer increased anonymity via a Tor browser and are focused exclusively on illegal activities. For example, DeepPaste on the Dark Web is mainly used for advertising illegal goods or services.

Hackers use paste sites to prepare attacks or even to anonymously publish data from successful attacks. Therefore, it is important to monitor them.

Git is a free and open source distributed version control system designed to handle everything from small to large projects and share code among developers. Publishing sensitive information to version control systems like GitHub is a common risk for organizations. There have been documented cases of developers accidentally publishing secrets such as API keys, only to have them scraped and used by attackers moments later. That is why it is important to monitor GitHub repositories.

How are hackers using paste sites?

  • Sharing stolen data: Hackers may use paste sites to share stolen data, such as login credentials, personal information, or confidential business information, with other members of their group or with the public.
  • Storing malware: Hackers may use paste sites to store malware, such as viruses, trojans, or ransomware, that they have created or obtained. This allows them to easily share the malware with others or to distribute it through infected websites or email attachments.
  • Communicating with other hackers: Hackers may use paste sites to communicate with other members of their group or with the public. They may use these sites to share information about vulnerabilities, tools, or techniques, or to coordinate attacks on specific targets.
  • Hiding command and control infrastructure: Hackers may use paste sites to host Command and Control (C&C) infrastructure, which is used to control and manage malware infections. This allows them to easily update malware or to exfiltrate data from infected systems without being detected.
  • Doxxing: Hackers may use paste sites to share personal information about individuals or organizations, known as doxxing, as a form of harassment or intimidation.
  • Phishing Schemes: Hackers might use paste sites to host phishing pages, which they could then use to steal login credentials or other sensitive information from unsuspecting victims.

It's important to note that many paste sites have implemented anti-abuse measures and policies and will remove illegal content when notified.

How does this work?

You can monitor GitHub and paste sites in 2 different ways:

About 1) The technique we use in deepweb.leak.center is slightly different from the one in control.leak.center and will catch different results. On this platform we offer the ability to use custom Google queries to find your keyword in combination with paste sites, as well as a direct API connection to Pastebin. Under "sources" on the result page you can see which technique was used to grab the corresponding result.

About 2) We use a simple HTTP crawler for 50+ pages.

These pages publish their latest pastes on their website, allowing us to index them.

Please enter your search term under the navigation item "pastebin". For example, you could search for pwd AND jpmorgan, and you will see all data that contains BOTH search terms in the same result.

In general, we recommend that you start by monitoring your company name and domain. If your company is called bank365 and your domain is bank365.com, then you could create separate queries for both words. Of course, you can monitor anything that seems to be a valuable asset (a patent name, a brand or a person).

Search Syntax

On the Kaduu search page you can search in a database of indexed pastebin documents. Usually pastebin-like websites are used to share code snippets, logs, stack traces, and other pieces of technical information. These text pieces may contain sensitive information related to your organization.

The index is updated every minute using automated crawlers.

Available Fields:

| Field | Details |
|---|---|
| createdAt | Creation date & time. |
| publishedAt | Publish date & time. |
| text | Paste text (default field). |
| url | Paste document URL. |
| title | Paste title. |
| sourceId | Source ID, where the paste has been found. |

Detailed Syntax:

| Query | Details |
|---|---|
| test | Search pastes containing test as a separate word or as a part of another word (delimited by punctuation characters). The following will match: test@gmail.com, test.love@mail.com, god_test@nice.org, "this is a test data", hey@test.org, bye@test-data.org. |
| test.com | Search pastes containing test.com as a separate word or as a part of another word (delimited by punctuation characters). The following will match: boss@test.com, hr@this-is-test.com, test.com, data.test.com, super-test.com. |
| john@test.com | Search pastes containing the john@test.com email. The search will only match that exact email and nothing else. |
| @test.com | Search pastes containing emails on the test.com domain. |
| test AND sourceId:158dd4b2-7672-3492-95f6-019479cb4552 | Search pastes containing test, in the source with ID 158dd4b2-7672-3492-95f6-019479cb4552. |
| "bank hack"~2 | Search pastes using a fuzzy search. The matching paste should contain the word bank, followed by the word hack within a distance of 2 words. |
| quick brown | Search for quick or brown in paste text. This is the equivalent of the quick OR brown search query. |
| quick OR brown | Search for quick or brown in paste text. The OR keyword is case-sensitive. This is the equivalent of the quick brown search query. |
| quick AND brown | Search for quick and brown: the paste should have both. The AND keyword is case-sensitive. |
| quick AND NOT brown | Search for pastes containing quick and not brown. The AND and NOT keywords are case-sensitive. |
| quick -brown | Search for pastes containing quick and not containing brown. This is the equivalent of the quick AND NOT brown query. |
| createdAt:2020-03-05 | Search for pastes indexed on 5th of March, 2020. |
| createdAt:[2019-01-01 TO 2020-01-01] | Search for pastes created between 1st of January, 2019 and 1st of January, 2020. |
| createdAt:[* TO 2020-01-01] | Search for pastes created until 1st of January, 2020. |
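
The recommendation to monitor company name and domain, expressed in the search syntax above, as an added example that is not part of the Kaduu documentation: a Python helper that builds a set of queries for one organization and a date window. The function names, the credential keyword list and the combination of a createdAt range with AND (modelled on the sourceId row) are assumptions; bank365 is the sample name used on this page.

```python
from datetime import date

# Words that often accompany leaked credentials (constructed list, adjust as needed).
CREDENTIAL_HINTS = ("pwd", "password", "apikey")
OPERATORS = {"AND", "OR", "NOT", "TO"}


def check_term(term: str) -> str:
    """Reject terms that would silently change the meaning of a query."""
    term = term.strip()
    if not term or any(c.isspace() for c in term):
        # A space is an implicit OR in this syntax: "bank 365" would match far too much.
        raise ValueError(f"term must be a single word: {term!r}")
    if term.upper() in OPERATORS or term[0] == "-" or any(c in term for c in '[]:~"'):
        # Conservative: operator words and syntax characters are refused outright.
        raise ValueError(f"term collides with query syntax: {term!r}")
    return term


def created_window(start: date, end: date) -> str:
    """createdAt range clause with ISO dates, as in the syntax table."""
    if start > end:
        raise ValueError("start date is after end date")
    return f"createdAt:[{start.isoformat()} TO {end.isoformat()}]"


def build_watchlist(company: str, domain: str, start: date, end: date) -> list[str]:
    """Return one query per monitoring angle, each limited to the date window."""
    company, domain = check_term(company), check_term(domain)
    window = created_window(start, end)
    queries = [
        company,                  # company name, alone or inside a longer token
        domain,                   # domain, including subdomains and e-mail addresses
        f"@{domain}",             # e-mail addresses on the domain
        f'"{company} hack"~2',    # company followed by "hack" within 2 words
    ]
    # Operators are case-sensitive, so AND is always emitted in upper case.
    queries += [f"{hint} AND {company}" for hint in CREDENTIAL_HINTS]
    # Windowing every query lets a scheduled run return only newly created pastes.
    return [f"{q} AND {window}" for q in queries]


if __name__ == "__main__":
    for query in build_watchlist("bank365", "bank365.com", date(2024, 1, 1), date(2024, 1, 8)):
        print(query)
```

Each returned string can be pasted into the search field as is; moving the window forward on every run keeps the result list limited to new pastes.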
paste_git_monitoring.txt · Last modified: 2024/10/16 23:26 by kaduuwikiadmin