Dehashed passwords not alongside the username they should match #1044
Comments
Every event raised by BBOT has a source/parent event. The parent of password and hash events is the associated email address. This can be seen in Neo4j, where you could do something like this to see the relationship between emails and passwords:
MATCH (e:EMAIL_ADDRESS)-->(p:PASSWORD) RETURN e,p
If you don't want to use Neo4j, you can still correlate them using the
The NEO4J is very cool, must try that, hadn't realised you could do that. This is such a powerful tool! Whilst I have you guys and although it is slightly off topic but when you get Postman requests back in the output with things like:
{'host': 'www.postman.com', 'description': 'Possible secret in JS [password="password123,(KS"] Signature [possible_creds_var]', 'url': 'https://www.postman.com/_api/request/coderemovedhere'} httpx->excavate (distance-1)
When I look at the postman link it has a url of:
"url":"localhost:8091/api/v1/journals/refunds/transactions?serviceName=CA SnAPI PDQ Payment Poller 1
Where were these requests sent to and what are these passwords for?
Events from postman are the result of a search on postman.com for the target domain. If you look in the body of the response, somewhere you should see your target or something closely matching it. Recently there have been some false positives for postman but we have been working to fix them. There is a bugfix already in dev that should make its way into stable soon.
Thank you, just checked on postman.com and I can see where the requests came from now. Maybe it was affiliates of my target that postman picked up as the request seems to go to them.
Fix has been merged :) To benefit, make sure to use the bleeding edge version.
Excellent, very quick turnaround, thanks very much
Describe the bug
Dehashed passwords come back in random order
Expected behavior
Dehashed passwords come back alongside the username
BBOT Command
Example:
bbot -t test.com -f email-enum
I would have hoped that the passwords would be returned alongside the actual username it belongs to but it doesn't so it becomes not very useful. I checked this by querying for an individual too on dehashed then searched the bbot output for the password and it was nowhere near the email address. Unless I am missing a flag or something.....
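The parent-based correlation described in the maintainer's reply above, sketched as an added example that is not part of the original thread or BBOT's own code: it pairs each password or hash event with the email event that is its parent, regardless of the order the events appear in the output. The newline-delimited JSON sample is constructed, and the field names "id", "type", "data", "parent"/"source" and the HASHED_PASSWORD type name are assumptions about the event layout.

```python
import json

# Constructed sample in newline-delimited JSON. The field names ("id", "type",
# "data", "parent"/"source") and the HASHED_PASSWORD type are assumptions about
# the event layout, not taken from the thread; adjust them to your output file.
SAMPLE_EVENTS = """\
{"id": "e1", "type": "EMAIL_ADDRESS", "data": "alice@example.com", "parent": "d1"}
{"id": "e2", "type": "EMAIL_ADDRESS", "data": "bob@example.com", "parent": "d1"}
{"id": "p1", "type": "PASSWORD", "data": "constructed-pass-A", "parent": "e2"}
{"id": "h1", "type": "HASHED_PASSWORD", "data": "constructed-hash-B", "source": "e1"}
{"id": "p2", "type": "PASSWORD", "data": "constructed-pass-C", "parent": "e1"}
{"id": "p3", "type": "PASSWORD", "data": "constructed-orphan", "parent": "missing"}
not-json-line
"""

CREDENTIAL_TYPES = {"PASSWORD", "HASHED_PASSWORD"}


def load_events(text):
    """Parse NDJSON, skipping blank or malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank line or truncated/garbled record
        if isinstance(event, dict) and "id" in event:
            events.append(event)
    return events


def correlate(events):
    """Return ({email: [(type, credential), ...]}, [credentials with no email parent])."""
    by_id = {e["id"]: e for e in events}
    matched, unmatched = {}, []
    for e in events:
        if e.get("type") not in CREDENTIAL_TYPES:
            continue
        # Accept either key name for the parent reference (assumed layout).
        parent = by_id.get(e.get("parent") or e.get("source"))
        if parent and parent.get("type") == "EMAIL_ADDRESS":
            matched.setdefault(parent["data"], []).append((e["type"], e["data"]))
        else:
            unmatched.append(e["data"])  # keep for review, do not drop silently
    return matched, unmatched


if __name__ == "__main__":
    matched, unmatched = correlate(load_events(SAMPLE_EVENTS))
    print(matched)
    print("unmatched:", unmatched)
```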