h8mail – an OSINT Tool for Finding Passwords in Data Breaches

Introduction

h8mail is a powerful, user-friendly OSINT tool that allows you to hunt for passwords through different breach and reconnaissance services. It’s open source and written in Python with one of the most robust README files I’ve ever seen. This tool is loaded with features including:

  • 🔎 Email pattern matching (reg exp), useful for reading from other tool outputs
  • 💫 Loosey patterns for local searches (“john.smith”, “evilcorp”)
  • 📦 Painless install. Available through pip, only requires requests
  • 🐳 Small and fast Alpine Dockerfile available
  • ✅ CLI or Bulk file-reading for targeting
  • 📝 Output to CSV file
  • 💪 Compatible with the “Breach Compilation” torrent scripts
  • 🏠 Search .txt and .gz files locally using multiprocessing
    • 🌀 Compatible with “Collection#1”
  • 🔥 Get related emails
  • 🐲 Chase and target related emails in ongoing search
  • 👑 Supports premium lookup services for advanced users
  • 📚 Regroup breach results for all targets and methods
  • 👀 Includes option to hide passwords for demonstrations
  • 🌈 Delicious colors

It’s easy to install, and the developer has been kind enough to provide a plethora of demos covering its use cases. It’s designed with the absolute OSINT beginner in mind. It leverages 10 APIs, including HaveIBeenPwned and Hunter, for its data set.

Data Breaches

It seems like every week there is news of a massive data breach or leak: Yahoo, Experian, Marriott, you name it. What you don’t hear about is the seemingly infinite number of minor data breaches and leaks, and the various ways they are exposed on the internet. You can find these dumps on Pastebin, in Discord channels, on dark web marketplaces, Twitter, and more. Identifying when your information has been breached, whether at a personal or enterprise level, is of great importance, and the risk only continues to rise. h8mail lets you begin the process of identifying that exposure, mitigating risk, and protecting your assets.

h8mail Setup

h8mail has made it very simple to get up and running.  You only need a few things: clone the repo, install the requirements (pip), configure your API keys (config.ini), and test. If you’re an experienced OSINT collector, analyst, or investigator, you likely already have the required API keys from previous use cases.  If not, they’re free and easy to obtain. h8mail has been tested on Linux, Mac, and Windows for ease of operation among a variety of users. The developer is very responsive on Twitter if you have any questions.

Use Cases

Query for a single target
$ h8mail -t target@example.com
Query for list of targets, indicate config file for API keys, output to pwned_targets.csv
$ h8mail -t targets.txt -c config.ini -o pwned_targets.csv
Query a list of targets against local copy of the Breach Compilation, pass API keys for Snusbase from the command line
$ h8mail -t targets.txt -bc ../Downloads/BreachCompilation/ -k "snusbase_url=$snusbase_url,snusbase_token=$snusbase_token"
Query without making API calls against local copy of the Breach Compilation
$ h8mail -t targets.txt -bc ../Downloads/BreachCompilation/ -sk
Search every .gz file for targets found in targets.txt locally
$ h8mail -t targets.txt -gz /tmp/Collection1/ -sk
Check a cleartext dump for a target. Add the next 10 related emails to the targets to check. Read keys from the CLI
$ h8mail -t admin@evilcorp.com -lb /tmp/4k_Combo.txt -ch 10 -k "hunterio=ABCDE123"
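
Once a run has written pwned_targets.csv, the results still have to be turned into remediation work. The following is an added example, not part of h8mail or the original post: it keeps only accounts on domains you administer, masks credential material, and flags accounts that need a password reset. The Target/Type/Data column layout, the Type labels, and the names OWN_DOMAINS and SECRET_TYPES are assumptions; check them against the header of your own output file.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in an ASSUMED layout (Target, Type, Data); the Type labels
# are placeholders. Check the header of your own pwned_targets.csv.
SAMPLE_CSV = """Target,Type,Data
alice@example.com,BREACH_NAME,ExampleForum2019
alice@example.com,PASSWORD,Summer2019!
bob@example.com,RELATED_EMAIL,bob.smith@example.net
bob@example.com,PASSWORD,hunter2
carol@partner.example,PASSWORD,letmein
"""

OWN_DOMAINS = {"example.com"}        # assumption: domains you are responsible for
SECRET_TYPES = {"PASSWORD", "HASH"}  # assumption: row types carrying credentials


def mask(secret, keep=2):
    """Show at most `keep` leading characters so reports never hold full secrets."""
    keep = min(keep, len(secret) // 2)
    return secret[:keep] + "*" * (len(secret) - keep)


def triage(csv_text, own_domains=OWN_DOMAINS):
    """Group findings per in-scope account, masking credential material."""
    report = defaultdict(lambda: {"reset_required": False, "findings": []})
    for row in csv.DictReader(io.StringIO(csv_text)):
        target = row["Target"].strip().lower()
        domain = target.rpartition("@")[2]
        if domain not in own_domains:
            continue  # out of scope: not an account we administer
        kind, data = row["Type"].strip().upper(), row["Data"]
        if kind in SECRET_TYPES:
            data = mask(data)
            report[target]["reset_required"] = True
        report[target]["findings"].append((kind, data))
    return dict(report)


if __name__ == "__main__":
    for account, info in sorted(triage(SAMPLE_CSV).items()):
        flag = "RESET" if info["reset_required"] else "review"
        print(f"{account}: {flag} {info['findings']}")
```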

OSINT Insight

h8mail is an out-of-the-box solution for finding passwords in breach or reconnaissance services. Whether you’re new to OSINT tools or an advanced user, you will find value in using it. When it comes to data collection at scale, the larger and more robust your data set, the more opportunity for analysis. h8mail’s ability to read from a .txt, output to a .csv, find similar emails, and retarget using its output enables you to massively grow your database and OSINT capability.

Combining h8mail with the output of other tools, such as Scavenger, buster, or BaseQuery, allows you to develop a free, powerful, in-house credential threat hunting program. Try building a data set using a username:password dump from the Scavenger Twitter page and running it through h8mail. If you want to take this to scale, use Twint to scrape all tweets from Scavenger that contain “username:password”, mine the data from each connected Pastebin and output into a .txt, then run that through h8mail. Check out this detailed write up to get started immediately.
