ASM - attack surface management listing both assets and potential phishing domains
Combo - focuses on combo lists that contain plaintext credentials
Creds - focuses on 3rd party breaches that contain credentials
Darkweb - focuses on company data being leaked or sold on the darkweb
Monitor - manages monitored assets
Radar - focuses on domains that threat actors have announced as targets
Sessions - focuses on session tokens extracted from malware-infected devices
Stealer - focuses on credentials extracted from malware-infected devices
Endpoint :
Domain Name | Path | ||
---|---|---|---|
api.breachsense.com | /asm |
Supported Parameters :
Parameter | Description | |
---|---|---|
assets | filter results to only display assets | |
count | display the number of results available for a given target | |
date | only display results newer than this value. Value set in YYYYMMDD or unixtime formats | |
lic | license key can be sent via a GET parameter or request header, for example: curl "https://api.breachsense.com/asm?lic=[YourLicenseKey]&search=[DomainName]" or curl -H "lic: YourLicenseKey" "https://api.breachsense.com/asm?search=[DomainName]" | |
pphish | filter results to only display potential phishing domains | |
r | return the number of remaining monthly queries allowed | |
search | accepts a domain name or email address | |
update | return the Unix timestamp the combo database was last updated | |
unixtime | display the import date in unixtime (aliases: unix,epoch) |
Output* :
JSON Key | Value | ||
---|---|---|---|
cname | The CNAME of the domain name identified | ||
dom | The domain name found | ||
found | The date (in YYYYMMDD or unixtime format) the domain was found | ||
ip | The IP address of the domain name identified | ||
type | The type of asset identified: ns represents a nameserver; mx represents a mail server; ast represents a domain name asset; pphish represents a potential phishing domain found. | ||
* Output based on domain names configured in the monitor API endpoint. |
Endpoint :
Domain Name | Path | ||
---|---|---|---|
api.breachsense.com | /combo |
Supported Parameters :
Parameter | Description | |
---|---|---|
count | display the number of results available for a given target | |
date | only display results newer than this value. Value set in YYYYMMDD or unixtime formats | |
lic | license key can be sent via a GET parameter or request header, for example: curl "https://api.breachsense.com/combo?lic=[YourLicenseKey]&search=[DomainName]" or curl -H "lic: YourLicenseKey" "https://api.breachsense.com/combo?search=[DomainName]" | |
p | to reduce latency for targets with many results, enable pagination via p=1 in the initial request. when an HTTP 206 response status is returned, increase the page number to view the next page. p is a numeric page value and must be accessed sequentially. | |
r | return the number of remaining monthly queries allowed | |
search | accepts a domain name or email address | |
update | return the Unix timestamp the combo database was last updated | |
unixtime | display the import date in unixtime (aliases: unix,epoch) |
Output* :
JSON Key | Value | ||
---|---|---|---|
cnt | The number of results available for the searched target | ||
fle | The file name the credential was found in | ||
fnd | The date (in YYYYMMDD or unixtime format) the credentials were found | ||
pwd | The password used to authenticate | ||
src | The target URL or IP that the victim authenticated to | ||
usr | The username used to authenticate | ||
* Output dependent on which values were present in the original leak. |
Test Data :
Parameter | String | ||
---|---|---|---|
search | [email protected] |
Endpoint :
Domain Name | Path | ||
---|---|---|---|
api.breachsense.com | /creds |
Supported Parameters :
Parameter | Description | |
---|---|---|
attr | display a short description of the breach | |
count | display the number of results available for a given target | |
csv | display results in CSV format (default is JSON) | |
date | only display results newer than this value. Value set in YYYYMMDD or unixtime formats | |
hash | return a 0 if the password is in hashed format and a 1 if the password has been decrypted | |
import | display the date the breach was imported into the database | |
lic | license key can be sent via a GET parameter or request header, for example: curl "https://api.breachsense.com/creds?lic=[YourLicenseKey]&search=[DomainName]" or curl -H "lic: YourLicenseKey" "https://api.breachsense.com/creds?search=[DomainName]" | |
list | list the breaches and dates they were imported | |
limit | increase / decrease the number of records returned in the response | |
p | to reduce latency for targets with many results, enable pagination via p=1 in the initial request. when an HTTP 206 response status is returned, increase the page number to view the next page. p is a numeric page value and must be accessed sequentially. results are limited to 500 credentials per request (by default). | |
r | return the number of remaining monthly queries allowed | |
search | accepts a domain name or email address | |
update | return the Unix timestamp the creds database was last updated | |
uniq | return a list of all unique email addresses and plaintext passwords | |
unixtime | display the import date in unixtime (aliases: unix,epoch) |
Output :
JSON Key | Value | ||
---|---|---|---|
atr | The attribution data associated with the breach | ||
cnt | The number of results available for the searched target | ||
eml | The email address used to authenticate | ||
imp | The date (in YYYYMMDD format) the breach was found | ||
pwd | The password used to authenticate | ||
src | The name of the breached website or collection |
Test Data :
Parameter | String | ||
---|---|---|---|
search | [email protected] |
Endpoint :
Domain Name | Path | ||
---|---|---|---|
api.breachsense.com | /darkweb |
Supported Parameters :
Parameter | Description | |
---|---|---|
count | display the number of results available for a given target | |
date | only display results newer than this value. Value set in YYYYMMDD or unixtime formats | |
desc | display a short description of the victim | |
lic | license key can be sent via a GET parameter or request header, for example: curl "https://api.breachsense.com/darkweb?lic=[YourLicenseKey]&search=[DomainName]" or curl -H "lic: YourLicenseKey" "https://api.breachsense.com/darkweb?search=[DomainName]" | |
r | return the number of remaining monthly queries allowed | |
range | range - accepts a date range in YYYYMMDD-YYYYMMDD format (30 day limit) | |
search | search term - accepts a domain name | |
tadesc | display a short description of the threat actor | |
update | return the Unix timestamp the darkweb database was last updated | |
unixtime | display the import date in unixtime (aliases: unix,epoch) |
Output :
JSON Key | Value | ||
---|---|---|---|
data | The domain name associated with the victim | ||
desc | A short description of the victim | ||
found | The date the data was indexed (in YYYYMMDD format) | ||
name | The company name of the victim | ||
site | The name of the threat actor | ||
src | A URL containing data associated with the target | ||
tadesc | A short description of the threat actor |
Test Data :
Parameter | String | ||
---|---|---|---|
search | example.com |
Endpoint :
Domain Name | Path | ||
---|---|---|---|
api.breachsense.com | /monitor |
Supported Parameters :
Parameter | Description | |
---|---|---|
action | manage monitored assets; must be set to add, del or list | |
ast | add/delete the asset you wish to monitor; per-asset notifications can be set using the :: separator, e.g.: example.com::[email protected] or example.com::https://user:[email protected]/Path/To/Webhook (must be used in conjunction with the action parameter) | |
lic | license key can be sent via a GET parameter or request header, for example: curl "https://api.breachsense.com/monitor?lic=[YourLicenseKey]&action=add&ast=[DomainName]" or curl -H "lic: YourLicenseKey" "https://api.breachsense.com/monitor?action=add&ast=[DomainName]" | |
notify | add/delete the default email address or webhook you wish to receive alerts at; this is used when a per-asset notification is not set (must be used in conjunction with the action parameter) | |
creds | add/delete the basic auth credentials you wish to use when sending an alert to a webhook (must be used in conjunction with the action parameter) |
Output :
JSON Key | Value | ||
---|---|---|---|
ast | asset that will be monitored | ||
notify | email or webhook that will be notified |
Endpoint :
Domain Name | Path | ||
---|---|---|---|
api.breachsense.com | /radar |
Supported Parameters :
Parameter | Description | |
---|---|---|
count | display the number of results available for a given target | |
date | only display results newer than this value. Value set in YYYYMMDD or unixtime formats | |
lic | license key can be sent via a GET parameter or request header, for example: curl "https://api.breachsense.com/radar?lic=[YourLicenseKey]&search=[DomainName]" or curl -H "lic: YourLicenseKey" "https://api.breachsense.com/radar?search=[DomainName]" | |
r | return the number of remaining monthly queries allowed | |
search | search term - accepts a domain name | |
update | return the Unix timestamp the radar database was last updated | |
unixtime | display the import date in unixtime (aliases: unix,epoch) |
Output :
JSON Key | Value | ||
---|---|---|---|
data | The domain name associated with the victim | ||
found | The date the data was indexed (in YYYYMMDD format) | ||
src | A URL containing data associated with the target |
Test Data :
Parameter | String | ||
---|---|---|---|
search | example.com |
Endpoint :
Domain Name | Path | ||
---|---|---|---|
api.breachsense.com | /sessions |
Supported Parameters :
Parameter | Description | |
---|---|---|
date | only display results newer than this value. Value set in YYYYMMDD or unixtime formats | |
lic | license key can be sent via a GET parameter or request header, for example: curl "https://api.breachsense.com/sessions?lic=[YourLicenseKey]&search=[DomainName]" or curl -H "lic: YourLicenseKey" "https://api.breachsense.com/sessions?search=[DomainName]" | |
r | return the number of remaining monthly queries allowed | |
search | search term - accepts a domain name, email address or IP address | |
update | return the Unix timestamp the sessions database was last updated | |
unixtime | display the import date in unixtime (aliases: unix,epoch) |
Output :
JSON Key | Value | ||
---|---|---|---|
dom | The domain name associated with the victim | ||
expires | The date (in unixtime) that the cookie is set to expire | ||
fnd | The date the data was found (in YYYYMMDD format) | ||
name | The name of the cookie | ||
path | The cookie path | ||
val | The value of the cookie |
Test Data :
Parameter | String | ||
---|---|---|---|
search | example.com |
Endpoint :
Domain Name | Path | ||
---|---|---|---|
api.breachsense.com | /stealer |
Supported Parameters :
Parameter | Description | |
---|---|---|
count | display the number of results available for a given target | |
date | only display results newer than this value. Value set in YYYYMMDD or unixtime formats | |
lic | license key can be sent via a GET parameter or request header, for example: curl "https://api.breachsense.com/stealer?lic=[YourLicenseKey]&search=[DomainName]" or curl -H "lic: YourLicenseKey" "https://api.breachsense.com/stealer?search=[DomainName]" | |
p | to reduce latency for targets with many results, enable pagination via p=1 in the initial request. when an HTTP 206 response status is returned, increase the page number to view the next page. p is a numeric page value and must be accessed sequentially. | |
r | return the number of remaining monthly queries allowed | |
search | search term - accepts a domain name, email address, IP address, crypto wallet address, or a truncated credit card number (e.g. 123456-1234) | |
update | return the Unix timestamp the stealer database was last updated | |
unixtime | display the import date in unixtime (aliases: unix,epoch) |
Output* :
JSON Key | Value | ||
---|---|---|---|
ccn | The disclosed credit card number | ||
ccx | The exposed credit card number’s expiration date | ||
cnt | The number of results available for the searched target | ||
cwa | The exposed crypto wallet address | ||
bid | The build ID of the malware | ||
fle | The file name the credential was found in | ||
fnd | The date the credential was found | ||
hid | The hardware ID of the infected device | ||
iip | The IP address of the infected device | ||
inf | The date the machine was infected on | ||
mac | The name assigned to the infected device | ||
mal | The type of malware infected on the device | ||
nme | The user logged in on the infected device | ||
os | The operating system installed on the infected device | ||
pth | The filesystem path for the malware executable | ||
pwd | The password used to authenticate | ||
src | The target URL or IP that the victim authenticated to | ||
usr | The username used to authenticate to the target | ||
* Output dependent on which values were present in the original leak. |
Test Data :
Parameter | String | ||
---|---|---|---|
search | [email protected] 411111-1111 |
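
The pagination rule given for the p parameter of /combo, /creds and /stealer (start at p=1, request the next page while the status is HTTP 206), as an added Python example that is not Breachsense's own code. It sends the key in the lic request header and masks the pwd, val and ccn fields before records are printed; the response being a JSON array of records, the helper names and the sample pages are assumptions constructed for illustration.

```python
import json
import urllib.request
from urllib.parse import urlencode

API = "https://api.breachsense.com"
# Output keys that carry live secrets per the tables above: password, cookie value, card number.
SECRET_KEYS = {"pwd", "val", "ccn"}

def http_fetch(endpoint, params, lic):
    """GET one page. The key travels in the `lic` header, so it never appears in a URL."""
    req = urllib.request.Request(f"{API}/{endpoint}?{urlencode(params)}", headers={"lic": lic})
    with urllib.request.urlopen(req, timeout=30) as resp:
        # Assumption: the body is a JSON array of record objects.
        return resp.status, json.load(resp)

def fetch_all(endpoint, search, lic, fetch=http_fetch, max_pages=1000):
    """Request p=1, 2, 3, ... in order; HTTP 206 means another page follows."""
    records = []
    for page in range(1, max_pages + 1):
        status, body = fetch(endpoint, {"search": search, "p": page}, lic)
        records.extend(body)
        if status != 206:          # any other success status: this was the last page
            return records
    raise RuntimeError(f"still receiving HTTP 206 after {max_pages} pages")

def redact(record):
    """Copy of a record that is safe to log or ticket: secret fields are masked."""
    return {k: "<redacted>" if k in SECRET_KEYS and v else v for k, v in record.items()}

# Constructed sample pages standing in for the API, so the example runs offline.
SAMPLE_PAGES = {
    1: (206, [{"usr": "alice@example.com", "pwd": "hunter2", "src": "https://vpn.example.com"}]),
    2: (206, [{"usr": "bob@example.com", "pwd": "letmein", "src": "https://mail.example.com"}]),
    3: (200, [{"usr": "carol@example.com", "pwd": "", "src": "https://sso.example.com"}]),
}

def sample_fetch(endpoint, params, lic):
    """Offline stand-in for http_fetch, keyed on the requested page number."""
    return SAMPLE_PAGES[params["p"]]

if __name__ == "__main__":
    for rec in fetch_all("stealer", "example.com", "YourLicenseKey", fetch=sample_fetch):
        print(redact(rec))
```

Passing fetch=http_fetch (the default) with a real license key runs the same loop against the live endpoint.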