Dual-purpose hacking tool was demonstrated at the Arsenal track of the security conference this week

An open source tool designed to help organizations identify credential leaks was showcased publicly for the first time at Black Hat USA yesterday

An open source tool designed to help organizations identify credential leaks was showcased publicly for the first time at Black Hat USA yesterday (August 4).

Scrapesy, developed by red team analysists at Standard Industries, was demonstrated as part of the Arsenal track at the conference, which is held both online and in-person in Las Vegas.

The tool, which scrapes both the clear web and dark web for exposed credentials, is designed for use by workers in, but not limited to, security operations, incident response, threat intelligence, and pen testing roles.

Scraping the surface

Speaking to The Daily Swig, Michael Giordano, red team analyst at Standard Industries, said that the tool scrapes credential leaks – sometimes referred to as ‘combolists’ – and will “ingest and parse them against a list of domains and/or explicit email addresses owned by your organization”.

He added: “It targets known sources that contain combolists from numerous phishing campaigns typically targeted around well-known services like Spotify, Facebook, and Twitter.

Read more of the latest news from Black Hat USA 2021

“Many folks may use their corporate email addresses for non-work-related services which can introduce risk in the case of phishing.

“Additionally, there are instances of third-party breaches where these credentials could become exposed, if an organization happens to conduct business with that third party.”

Faster detection

There are already numerous well-established services that can help an individual identify credential leaks, for example Troy Hunt’s Have I Been Pwned?

Giordano that Scrapesy is designed to be used to detect data breaches that affect a wider organization and can be used to help speed up incident response times:

While there are services that will identify potential account compromises, we wanted to develop a platform of our own that will help, for example, security operations members or incident responders by arming them with information such as the exposed password itself, as well as [confirming] if that account was found to be present and active inside the organization to assist in reducing triage time and possibly conduct threat hunting exercises.

The security pro said Scrapesy users can also create and share their own modules of sources they may know to contain leaked credentials and feed it back to the community.

“As time goes on, we would like to develop a framework for Scrapesy that will make it relatively easy for folks to create their own modules.”

Open invitation

The open source tool’s inception began in February of this year, and while Standard Industries is currently the only organization to be actively using it, Giordano has invited other companies to test it out.

Speaking at Black Hat, Giordano and colleague Julie Smith, director of the red team at Standard Industries, introduced the tool as well as a number of new features including a new web user interface, user management capabilities, upload functionality, and email notifications.

Giordano told The Daily Swig: “We would invite individuals and organizations to try it out and determine if it fits any use cases or fill any gaps they may have.”

RELATED Black Hat 2021: WARCannon simplifies web-wide vulnerability research