-
Notifications
You must be signed in to change notification settings - Fork 11
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
adding leaked credentials freestyle talk sebastian
- Loading branch information
1 parent
736e35a
commit fd51da7
Showing
1 changed file
with
50 additions
and
0 deletions.
There are no files selected for viewing
50 changes: 50 additions & 0 deletions
50
2019_07_17_39th/leaked_credentials_freestyle_talk/Leaked Credentials Freestyle Talk.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| Leaked Credentials Freestyle Talk | ||
|
|
||
| #$ id | ||
| #/uid=0(Sebastian) gid=0(Brabetz) Gruppen=0(https://itunsecurity.wordpress.com) | ||
| #/Vorträge, Metasploit+mimikatz Workshops/Bücher, Schwachstellenmanagement, IT-Security Dienstleistungen, uvm.... | ||
|
|
||
| Credential Leaks { | ||
| - [ ] 1.4 billion combo - Dez 2018 - 44gb | ||
| - [ ] https://medium.com/4iqdelvedeep/1-4-billion-clear-text-credentials-discovered-in-a-single-database-3131d0a1ae14 | ||
| - [ ] Torrent Magnet Links: https://gist.github.com/scottlinux/9a3b11257ac575e4f71de811322ce6b3 | ||
| - [ ] Collections Leaks 1-5 Feb 19 - 1TB | ||
| - [ ] https://www.troyhunt.com/the-race-to-the-bottom-of-credential-stuffing-lists-and-collections-2-through-5-and-more/ | ||
| - [ ] https://raidforums.com/Thread-Collection-1-5-Zabagur-AntiPublic-Latest-120GB-1TB-TOTAL-Leaked-Download | ||
| - [ ] Was ist Credential Stuffing | ||
| - [ ] https://www.wired.com/story/what-is-credential-stuffing/ | ||
| } | ||
|
|
||
| Was wird geklaut { | ||
| - [ ] Username/E-Mail Adresse+Hash war gestern! | ||
| - [ ] Username/E-Mail Adresse+Klartextpasswort ist heute! | ||
| - [ ] manchmal auch mehr (Bsp: Ashley Madison) | ||
| } | ||
|
|
||
| Beispiel { | ||
| - [ ] 1.4 bln beispiel - Bash | ||
| - [ ] Collections 1-5 grep | ||
| - [ ] Datenqualität, wie alt ist das zeug, repackaging… | ||
| } | ||
|
|
||
| Wie schützen? { | ||
| - [ ] have i been pwned | ||
| - [ ] 2FA | ||
| - [ ] sms no no no! | ||
| - [ ] OTP App - Wo liegt die restgefahr - Beispiel Authy + Applewatch | ||
| - [ ] PW Manager und 2FA App in einem? Oder doch lieber 2 getrennte? | ||
| - [ ] Einzelapps (Bsp: Google, Microsoft Authenticator, Wordpress, Gemalto, uvm….) - Online Bestätigung sicherer als OTP Eingabe | ||
| - [ ] Best: yubikey: u2f (oder andere) | ||
| - [ ] Firmen: Professionelle Dienste wie Recorded Futures | ||
| - [ ] Firmen: Daten besorgen und auswerten | ||
| } | ||
|
|
||
| Addon: Umgang mit großen Datenmengen (wenn genügend Zeit) { | ||
| - [ ] Datenbanken bauen? Schönes Hobbyprojekt - Wer Zeit dafür hat... -> Indexgröße? | ||
| - [ ] Schnelle CPU mit vielen Kernen | ||
| - [ ] 10gbit vs 40gbit usbc/thunderbolt3 hdd cases + Samsung Evo -> Achtung Strom | ||
| - [ ] egrep vs. fgrep | ||
| - [ ] egrep langsamer mit jedem einezlnen oder verknüpften Suchstring! | ||
| - [ ] LC_ALL=C | ||
| - [ ] Cuda grep? Bisher nicht vernünftig zum laufen bekommen! | ||
| } |