DeepBlue White box pentesting
May 20, 2025
Reading time: 6 minutes

Leaked Credentials

Leaked credentials are one of the most effective attack vectors for malicious actors. Whether obtained through a data breach, a successful phishing email, or a brute-force attack on an insecure API, the outcome is typically the same: direct access to internal systems, as was the case in the hack on TU Eindhoven:

…The attackers exploited TU Eindhoven’s VPN system using three different user accounts that had previously been involved in a data breach. Two of the three accounts were successfully used to gain access to internal systems. The third account was targeted, but the intrusion attempt failed. The login credentials were likely acquired via the dark web, and the users had reportedly not changed their passwords. Additionally, the university’s VPN did not have two-factor authentication enabled.

Organizations often underestimate not only the likelihood of credentials leaking, but also how far an attacker can actually go once they are inside. This is exactly where a well-executed manual penetration test plays a critical role.

At DeepBlue Security & Intelligence, our pentests routinely simulate realistic attacks that begin with pre-compromised access. Think of credentials obtained via the dark web, or accounts from former employees that remain active. This phase not only reveals what systems are reachable but also evaluates the effectiveness of internal segmentation, logging, privilege separation, and response mechanisms.

How Credentials Are Obtained

Leaked login credentials are relatively easy to acquire. Every day, millions of new credentials are shared, sold, or published on platforms like Intelligence_X, Telegram channels, or dark web marketplaces. These credentials are typically obtained through the following methods:

1. Mass Data Breaches:

Well-known breaches at companies like LinkedIn, Dropbox, Adobe, and even government entities have resulted in the exposure of billions of credential pairs. These are often stored and reused for years, especially when passwords are not rotated in time.

2. Credential Harvesting via Phishing:

Attackers use spoofed emails, cloned login portals, or MFA-fatigue (push-bombing) tactics to trick users into revealing credentials or approving a sign-in they did not start. Reverse-proxy phishing kits such as Evilginx2 or Modlishka sit between the victim and the real login page, so they capture not only the password but also the authenticated session cookie; an account protected by push or OTP-based MFA can be taken over this way without the attacker ever needing the second factor again.

3. Infostealers and Malware:

Malware families such as RedLine, Raccoon, and Vidar are deployed at scale to exfiltrate browser caches, saved passwords, cookies, and session tokens. The extracted logs are traded daily or bundled for sale to other threat actors.

4. Credential Stuffing & Brute Force:

Attackers leverage automated tools like Snipr, OpenBullet, and Hydra either to replay stolen username/password pairs across many services (credential stuffing) or to guess passwords outright (brute force). Credential stuffing is especially effective where password reuse is common, and because each account typically sees only one or two failed attempts, per-account lockout thresholds rarely catch it; the signal is a single source trying many different accounts.

5. Third-Party Exposures:

Vendors, partners, and external service providers are also potential risk points. A compromised login at a supplier may still provide access to internal portals or shared environments within your organization.

Recent threat intelligence indicates that more than 24 billion unique credentials are currently circulating on the dark web, with a significant portion still valid.
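The practical counterpart to the above is to screen passwords against a breach corpus at set or reset time, without ever sending the password itself to the lookup service. The following is an added example (not DeepBlue's code) of the k-anonymity range scheme that Have I Been Pwned's Pwned Passwords API popularised: only the first five hex characters of the SHA-1 hash leave the host, the server returns every suffix it knows under that prefix with a breach count, and the comparison happens locally. The corpus, its counts and the `range_lookup()` stand-in are constructed for the example and are not real breach data; the real API returns the same `SUFFIX:COUNT` line format.

```python
"""Screening a password against a breach corpus without disclosing it.

Added example (not DeepBlue's code): a k-anonymity range check in the style
of Have I Been Pwned's Pwned Passwords API. Only the first five hex
characters of the password's SHA-1 hash leave the host; the range server
answers with every suffix it knows under that prefix and a breach count,
and the comparison happens locally. The corpus, its counts and the
range_lookup() stand-in below are constructed for the example.
"""
import hashlib
from collections import defaultdict

# Constructed breach corpus: password -> times seen in leaked dumps (made-up counts).
BREACH_CORPUS = {"password": 3_861_493, "Welcome2024!": 1_204, "qwerty": 3_912_816}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, as the range protocol expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict) -> dict:
    """Index the corpus the way a range server does: 5-char prefix -> [(35-char suffix, count)]."""
    index = defaultdict(list)
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index[digest[:5]].append((digest[5:], count))
    return index


RANGE_INDEX = build_range_index(BREACH_CORPUS)


def range_lookup(prefix: str) -> str:
    """Stand-in for GET /range/{prefix}: returns 'SUFFIX:COUNT' lines for that prefix.

    Only the prefix is ever received here, so the server learns neither the
    password nor its full hash.
    """
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 upper-case hex characters")
    return "\r\n".join(f"{suffix}:{count}" for suffix, count in RANGE_INDEX.get(prefix, []))


def breach_count(password: str, lookup=range_lookup) -> int:
    """Number of breach occurrences for the password, or 0 if it is not in the corpus."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def password_acceptable(password: str, min_length: int = 12) -> tuple:
    """Policy in the spirit of NIST SP 800-63B: a length floor plus a breach-corpus screen."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    seen = breach_count(password)
    if seen:
        return False, f"found {seen} times in breach data"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("password", "Welcome2024!", "correct horse battery staple"):
        print(pw, password_acceptable(pw))
```

Swapping `range_lookup` for a function that performs the real HTTP request is the only change needed to use this against a live range service; the `lookup` parameter on `breach_count` exists so that the client logic can be tested with a recorded stand-in, and so that a caller can verify that nothing beyond the five-character prefix is ever transmitted.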

What attackers do with valid credentials

Once an attacker has valid login credentials, many traditional security controls simply never trigger: firewalls, IP allow-lists, and conventional SIEM rules keyed on failed or unauthorized access attempts all see what looks like a legitimate login.

With a valid account, the attacker can:

  • Authenticate through legitimate channels such as VPN, OWA, or SaaS platforms
  • Move laterally to other systems via RDP, SMB, or PsExec
  • Escalate privileges by abusing local admin rights or misconfigured Group Policy
  • Maintain persistence using scheduled tasks, registry entries, or cloud app tokens
  • Exfiltrate data through legitimate channels like OneDrive, email, or reverse HTTPS shells
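Because the first step in that chain is a successful authentication, detection has to look at successful logins in context rather than at individual failures. The following is an added example (not DeepBlue's code) of two such rules run over a constructed VPN gateway log: a credential-stuffing rule that keys on one source address failing against many distinct accounts and then succeeding, and a first-seen-country rule that flags a successful login from a country the account has no history of. The log lines, hostnames, account names, TEST-NET addresses and the per-account country baseline are all constructed for the example, and the key=value line format is an assumption rather than any vendor's actual syntax.

```python
"""Detecting abuse of valid credentials in VPN authentication logs.

Added example (not DeepBlue's code): two rules that fire on *successful*
logins, which per-event "failed login" rules never see. The log lines,
hostnames, accounts, TEST-NET addresses and the per-account country
baseline are all constructed for the example; the key=value line format is
an assumption, not any particular VPN vendor's syntax.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed VPN gateway log. 198.51.100.23 sprays one password across six
# accounts and gets in as k.bos; a.bakker mistypes once and then logs in
# normally; m.jansen logs in from a country never seen for that account.
LOG = """\
2025-05-12T08:01:03Z vpn-gw1 auth user=j.devries src=203.0.113.7 geo=NL result=success
2025-05-12T08:02:10Z vpn-gw1 auth user=a.bakker src=198.51.100.23 geo=US result=failure
2025-05-12T08:02:11Z vpn-gw1 auth user=m.jansen src=198.51.100.23 geo=US result=failure
2025-05-12T08:02:12Z vpn-gw1 auth user=s.visser src=198.51.100.23 geo=US result=failure
2025-05-12T08:02:13Z vpn-gw1 auth user=p.smit src=198.51.100.23 geo=US result=failure
2025-05-12T08:02:14Z vpn-gw1 auth user=l.meijer src=198.51.100.23 geo=US result=failure
2025-05-12T08:02:15Z vpn-gw1 auth user=k.bos src=198.51.100.23 geo=US result=success
2025-05-12T08:15:40Z vpn-gw1 auth user=a.bakker src=203.0.113.42 geo=NL result=failure
2025-05-12T08:15:52Z vpn-gw1 auth user=a.bakker src=203.0.113.42 geo=NL result=success
2025-05-12T09:30:05Z vpn-gw1 auth user=m.jansen src=203.0.113.88 geo=DE result=success
"""

# Constructed baseline: countries each account logged in from over the last 90 days.
BASELINE = {
    "j.devries": {"NL"}, "a.bakker": {"NL", "BE"}, "m.jansen": {"NL"},
    "s.visser": {"NL"}, "p.smit": {"NL"}, "l.meijer": {"NL"}, "k.bos": {"NL"},
}


@dataclass
class AuthEvent:
    ts: datetime
    user: str
    src: str
    country: str
    success: bool


def parse_line(line: str) -> AuthEvent:
    """Parse one 'TIMESTAMP HOST auth key=value ...' line (assumed format)."""
    ts, _host, _kind, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return AuthEvent(
        ts=datetime.fromisoformat(ts.replace("Z", "+00:00")),
        user=kv["user"], src=kv["src"], country=kv["geo"],
        success=kv["result"] == "success",
    )


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_credential_stuffing(events: list, min_users: int = 5) -> list:
    """One source IP fails against >= min_users distinct accounts and later succeeds.

    Per-account lockout never trips because each account sees only one failure;
    the signal is the number of *distinct* accounts tried from one address.
    """
    failed = defaultdict(dict)     # src -> {user: first failure time}
    succeeded = defaultdict(dict)  # src -> {user: first success time}
    for e in sorted(events, key=lambda e: e.ts):
        bucket = succeeded if e.success else failed
        bucket[e.src].setdefault(e.user, e.ts)
    alerts = []
    for src, users in failed.items():
        if len(users) < min_users:
            continue
        first_failure = min(users.values())
        compromised = sorted(u for u, t in succeeded.get(src, {}).items() if t > first_failure)
        if compromised:
            alerts.append({"src": src, "failed_users": len(users), "compromised": compromised})
    return alerts


def detect_new_country(events: list, baseline: dict) -> list:
    """Successful login from a country the account has no history of."""
    return [
        {"user": e.user, "country": e.country, "src": e.src, "ts": e.ts.isoformat()}
        for e in events
        if e.success and e.country not in baseline.get(e.user, set())
    ]


if __name__ == "__main__":
    evs = parse_log(LOG)
    for alert in detect_credential_stuffing(evs) + detect_new_country(evs, BASELINE):
        print(alert)
```

On the constructed log the two rules corroborate each other: the stuffing rule names `k.bos` as the account that let 198.51.100.23 in, and the new-country rule flags the same login because that account had only ever connected from NL. The single mistyped password from `a.bakker` stays below the distinct-account threshold and is not reported, which is the point of keying on accounts per source rather than failures per account.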

White Box Pentesting

A core component of our penetration tests is the use of authenticated credentials to gain access to the target environment, an approach also known as an assumed-breach scenario. The ethical hacker operates with credentials for a regular user, a service account, or a system identity. The strength of this approach lies in its realism: we don't focus on how the credentials were obtained but on what is possible once the attacker is "inside".

This phase evaluates, among other things:

  • Access rights and privilege boundaries
  • Internal network segmentation and microsegmentation
  • SIEM/SOC logging and detection capability
  • Abuse potential of Single Sign-On or federated identity systems
  • Credential reuse across systems and platforms (cloud/on-prem)

This method is highly efficient and produces actionable technical insights.

A Realistic Scenario

Many organizations invest heavily in perimeter defenses to keep attackers out but often neglect to assess what happens after an initial compromise. A pentest based on leaked credentials forces you to confront the worst-case scenario: a legitimate account being exploited for internal escalation. It gives a precise view of your exposure, your detection capabilities, and the resilience of your incident response processes.

Additionally, this form of testing supports:

  • Justification for Zero Trust architecture investments
  • Tightening of Identity & Access Management (IAM) policies
  • Hardening MFA implementations (and identifying MFA bypass risks)
  • Crafting response playbooks for “suspicious authenticated access” events

The bottom line

Leaked credentials are a structural risk and represent the starting point of a significant portion of targeted attacks. The real question is not if your organization will encounter stolen credentials but how well prepared you are when it happens.

A pentest must always include a phase in which leaked credentials are tested as a scenario. This provides a clear, technical evaluation of your security posture post-access. It validates your detection stack, privilege boundaries, and network architecture in a way no other form of pentesting can match.

At DeepBlue, we can perform any type of penetration test to assess risks and provide concrete, actionable recommendations.

If you would like to know more about this service or any of our other tailored offerings, feel free to contact us at info@deepbluesecurity.nl or call us at +31 70 800 2025.
