How to Collect OSINT from Unlisted Pastes on Pastebin

Sometimes the best information is the hardest to find. We are quick to search Google and social media, looking for a quick solution to our OSINT requirements. We may also run background checks or enter the information we do have into other databases to find more. But sometimes the information we are looking for isn’t indexed, or it’s indexed in a way that isn’t easy to reach through a Google search. Maybe the information we’re looking for doesn’t exactly scream SEO and is buried on the 12th page of Google’s search results. Maybe it isn’t indexed at all. Without awareness of this reality, we can miss out on a lot of information. This post will talk about how you can find unlisted pastes on Pastebin indirectly, through the pages that link to them, using Google Dorks.

Enter Pastebin

“Pastebin is a website where you can store any text online for easy sharing. The website is mainly used by programmers to store pieces of source code or configuration information, but anyone is more than welcome to paste any type of text. The idea behind the site is to make it more convenient for people to share large amounts of text online.”

Pastebin is intended to be a basic GitHub of sorts where people can share source code with others. What it’s notorious for, though, is being a place to share leaked information from data breaches, different types of malware, ISIS and other terrorist accounts, etc. Due to the anonymous nature of “unlisted” and “private” pastes, criminals of all backgrounds use Pastebin to share information in an easy way.

Users can create public, unlisted, and private pastes. Only public pastes are indexed by Google and other search engines. This leaves unlisted and private pastes in a bit of a grey area that Google and other search engines can’t or won’t index in their search results. There’s one caveat though.

“You can also create unlisted pastes, these items will be invisible for others unless you share your paste link.”

So, if you want to find an unlisted paste on Pastebin, you just have to find the link.  Sometimes people will share them on the deep web like private chats or emails, but other times they’ll share them in public areas like forums. So how do you find the links?

Enter Google Dorks

If you haven’t read my article about Google Dorks and its applications, read it here. There’s a neat little search operator called "intext:" that will come in handy during this project. Just because Google won’t index the URL of the paste doesn’t mean you can’t find a web page, indexed by Google, where someone has posted the link. For the sake of understanding, go ahead and try this search first: intext:"pastebin.com". You should get something like this.

[Image: paste1]

As you can see, the domain pastebin.com is still showing up, and as we know, an unlisted paste’s URL will not show up in Google’s index. So what can we do? Try this instead: intext:"pastebin.com" -inurl:"pastebin.com". Make sure to add the "-" before the inurl. Now you will have Google search results that have pastebin.com in the text of the web page, but not in the URL. This eliminates all pastebin.com URLs from the search results, which dominate SEO for most pastebin queries. Your results, instead, should look something like this.

[Image: paste2]

We now have a much narrower search that might actually be useful. Now that you have a unique search parameter, you can begin entering queries for the things you are looking for in your OSINT investigation. Let’s say you’re looking for bitcoin wallets or related information. Enter this query: intext:"pastebin.com" AND "send btc" -inurl:"pastebin.com". Because we only want recent information, go under the search box, select “tools” and change “any time” to “past year”. Your results should look something like this.

[Image: paste3]

The first one that pops out to me in this list is the “25 Hashes or Less Requests” link, which you can see I’ve clicked on in the results. The reason it’s interesting to me is that it’s from forum.hashkiller.co.uk. Like I stated earlier, pastes are usually shared in forums or private chats. The second post in this forum is from August 8th 2018 and mentions an unlisted paste in it. The forum also posts a lot of bitcoin wallets ripe for OSINT. Here’s what the post looks like.

[Image: paste4]

If you copy and paste that URL and remove the /raw from it, you’re taken straight to the unlisted Pastebin page. How do I know it’s unlisted? Take the URL you now have (https://pastebin.com/fay23LY9) and enter it with quotes into Google’s search engine. Here’s what you should get as your results.

[Image: paste5]

No results.  It’s unlisted. To prove this point, I’ll use another search that gives me a public paste.  If you select from the Google Dorks search result the web page titled “6280847 – /b/ – Business and Finance” from warosu.org, you’ll find another forum.  This time you’ll find a post from an Anonymous poster with the URL https://pastebin.com/K0LNsZEa.  This leads you to an affiliate link where a guy hopes you will sign up for the software and he gets a little coin.  If you type (https://pastebin.com/K0LNsZEa) into Google with quotes, you’ll find that the link is indexed by Google.  It’s not unlisted.  Try this out with a few of your search results to get a feel for the process.  Let me know on Twitter if you find anything interesting!

This process can allow you to get OSINT from all sorts of unlisted pastes that may be relevant to your investigation. Let’s say you have a username, an email, or any other information related to your target; you can use this method to see if there’s any other information found on unlisted Pastebin pages. This can even lead you into the dark web where you can continue to go down the rabbit hole until you find that smoking gun.
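The link-handling steps above (pull the Pastebin links out of a page the dork returned, remove the /raw part, then build the quoted exact-match query for the indexed-or-not check) can be scripted. This is an added example, not code from the original post: the forum text is constructed, the paste key format (eight alphanumeric characters) is an assumption based on the two URLs above, and the /dl and /print prefixes and the "trending" site page are assumed for illustration.

```python
import re

# Assumption: a paste key is 8 alphanumeric characters, as in the two URLs in
# this post. /raw/ is the view prefix the post shows; /dl/ and /print/ are
# assumed to behave the same way. The lookbehind rejects look-alike hosts.
PASTE_RE = re.compile(
    r"(?<![\w.-])(?:https?://)?(?:www\.)?pastebin\.com/"
    r"(?:(?:raw|dl|print)/)?([A-Za-z0-9]{8})(?![A-Za-z0-9])",
    re.IGNORECASE,
)

def extract_paste_urls(text, ignore=frozenset()):
    """Return canonical paste URLs in first-seen order, without duplicates.

    `ignore` holds 8-character site paths that are not pastes; the regex
    alone cannot tell those apart from paste keys.
    """
    seen, urls = set(), []
    for match in PASTE_RE.finditer(text):
        key = match.group(1)              # keys are case-sensitive
        if key.lower() in ignore or key in seen:
            continue
        seen.add(key)
        urls.append(f"https://pastebin.com/{key}")
    return urls

def exact_match_query(url):
    """Quoted query for the check above: no results suggests unlisted."""
    return f'"{url}"'

# Constructed sample of text copied from a forum page.
SAMPLE_POST = """\
[constructed forum post]
hashes are here: https://pastebin.com/raw/fay23LY9
mirror: pastebin.com/fay23LY9 (same paste)
see also http://www.pastebin.com/K0LNsZEa, and the https://pastebin.com/trending page
not a paste host: https://notpastebin.com/abcd1234
"""

if __name__ == "__main__":
    for url in extract_paste_urls(SAMPLE_POST, ignore={"trending"}):
        print(url, "->", exact_match_query(url))
```

The exact-match query still has to be run by hand in the search engine; the script only prepares it.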
