Find hacked email addresses

Data breaching in these days have been common. Many of the popular websites are targeted in data breach. This process of data breaching is still continue as many anonymous attackers are using open source tools. There is a popular tool called h8mail which is used to check breach mails.

According ethical hacking researcher of international institute of cyber security h8mail is used in initial phase of penetration testing.

H8mail is an OSINT tool used to search emails and passwords. This tool find breached emails through different sites. This tool uses data breached emails. For showing you we have tested this tool on Kali Linux 2018.4

Before installing tool you must install nodejs and update python in Kali Linux. This tool only works with python3.

  • For installing python type sudo apt-get update
  • Then type sudo apt-get install python3
  • For checking python version type python –version
  • Then type sudo apt-get install nodejs
  • After installing all the above pre-requisites clone h8mail.
  • For cloning type git clone
  • Type cd h8mail
  • Type pip install -r requirements.txt
root@kali:/home/iicybersecurity/Downloads/h8mail# pip install -r requirements.txt
Requirement already satisfied: requests in /usr/lib/python2.7/dist-packages (from -r requirements.txt (line 1)) (2.18.4)
Collecting python-cli-ui (from -r requirements.txt (line 2))
Complete output from command python egg_info:
Error: Please upgrade to Python3
Command "python egg_info" failed with error code 1 in /tmp/pip-install-oC2WCX/python-cli-ui/
  • While installing pip if it shows the above error that means you have to upgrade pip in your Linux Distros.
  • For that type sudo apt-get update python3-pip
root@kali:/home/iicybersecurity/Downloads/h8mail# sudo apt-get install python3-pip
Reading package lists… Done
Building dependency tree
Reading state information… Done
python3-pip is already the newest version (18.1-4).
The following packages were automatically installed and are no longer required:
golang-1.10 golang-1.10-doc golang-1.10-go golang-1.10-src golang-src
Use 'apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 1554 not upgraded.
  • After upgrading pip, type pip install -r requirements.txt
root@kali:/home/iicybersecurity/Downloads/h8mail# pip3 install -r requirements.txt
Requirement already satisfied: requests in /usr/lib/python3/dist-packages (from -r requirements.txt (line 1)) (2.18.4)
Collecting python-cli-ui (from -r requirements.txt (line 2))
Collecting cfscrape (from -r requirements.txt (line 3))
Collecting unidecode (from python-cli-ui->-r requirements.txt (line 2))
Downloading (237kB)
100% |████████████████████████████████| 245kB 576kB/s
Requirement already satisfied: tabulate in /usr/lib/python3/dist-packages (from python-cli-ui->-r requirements.txt (line 2)) (0.8.2)
Requirement already satisfied: colorama in /usr/lib/python3/dist-packages (from python-cli-ui->-r requirements.txt (line 2)) (0.3.7)
Building wheels for collected packages: cfscrape
Running bdist_wheel for cfscrape … done
Stored in directory: /root/.cache/pip/wheels/4b/7d/70/32db6ba6ac95be8d24d5563436fc4ffe52f271adb2da153531
Successfully built cfscrape
Installing collected packages: unidecode, python-cli-ui, cfscrape
Successfully installed cfscrape-1.9.5 python-cli-ui-0.7.4 unidecode-1.0.23
  • Then type python3 –help
root@kali:/home/iicybersecurity/Downloads/h8mail# python3 --help
[-bc BC_PATH] [-v] [-l] [-k CLI_APIKEYS]

Email information and password finding tool

optional arguments:
-h, --help show this help message and exit
Either single email, or file (one email per line).
Configuration file for API keys
File to write output
-bc BC_PATH, --breachcomp BC_PATH
Path to the breachcompilation Torrent.
-v, --verbose Show debug information
-l, --local Run local actions only
Pass config options. Format is "K:V,K:V"
  • The above queries are used to gather breached email addresses and passwords.

H8mail Uses Various APIs To Search For Breached Email Addresses :-

  • HaveIBeenPwned ( : This website checks if the email id has been pwned or not. This website collects large no, of databases dumps and paste containing information about all billions of leak accounts.
  • Shodan ( : Shodan is an search engine for web. This website pings all the available IP address that are currently using the internet.
  • ( : Hunter is an source of h8mail. In hunter is used to find and verify professional email address. For using these services you have to pay some of the amount in
  • Weleakinfo ( : Weleakinfo is another breached database search engine.
  • Snusbase ( : Snusbase is a database search engine which collects data of sites that have been hacked. And provide those data to their users. For using these services you have to pay some of the amount in snusbase.

Finding Breached Email Address :-

  • Type python3 -t
  • -t is used to enter target email address.
root@kali:/home/iicybersecurity/Downloads/h8mail# python3 -t

.. .. ;;
| .
. | | .. | ; ; | !| |||! | ;-----------; !| |_! Heartfelt Email OSINT
.||| |. Use responsibly etc
| .| |. | ;____________
| !! | | !! | ; ;
!! !! ;--------------------;



Lookup Status


=> not breached ❌
Target hostname:

✓ Done
  • The above query shows, email which has been scanned is not breached of any databases mentioned above.
  • It shows that HIBP (HaveIBeenPwned) could not find email address in any database. Nor its password is available in HIBP database.

Find bulk Email Ids for testing:-

  • For getting bulk email addresses. You can use TheHarvester is a popular tool to find mail addresses or details of the employees.
root@kali:/home/iicybersecurity/Downloads# theharvester -d -b pgp

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

| || |_ _ /\ /__ _ _ _ | |_ _ __ *
| | '_ \ / _ \ / // / ` | '\ \ / / _ \/ | / _ \ '__| *
| || | | | / / / (| | | \ V / /__ \ || / | *
__|| ||___| \/ // _,|| _/ ___||/__|_| *
TheHarvester Ver. 2.7.2 *
Coded by Christian Martorella *
Edge-Security Research * *

[-] Starting harvesting process for domain:

[-] Searching in PGP key server..

Harvesting results

[+] Emails found:
  • The above is the list of the email addresses which can be used in scanning if the above email addresses are breached or not.
  • Save the above list. Type nano emaillist.txt
  • Then copy paste whole email addresses. Then save the list.
  • Type python3 -t /home/iicybersecurity/Downloads/testsites.txt -bc /Downloads/breachcompilation/ -k “snusbase_url: ,snusbase_token: 5sxxxxxxxxxxxxxxxxxxxBuXQ”
  • -t is used to enter tartgets.
  • -bc is used to give path for pwned targets.
  • -k is used to enter snusbase API key.
root@kali:/home/iicybersecurity/Downloads/h8mail# python3 -t /home/iicybersecurity/Downloads/testsites.txt -bc /Downloads/breachcompilation/ -k "snusbase_url: ,snusbase_token: 5sxxxxxxxxxxxxxxxxxxxBuXQ"

.. .. ;;
| .
. | | .. | ; ; | !| |||! | ;-----------; !| |_! Heartfelt Email OSINT
.||| |. Use responsibly etc
| .| |. | ;____________
| !! | | !! | ; ;
!! !! ;--------------------;


=========== SNIPPED =================
  • The above query shows that above email addresses has not been in data breach in HIBP.
  • If you see snusbase error, it means you have to purchase their services to search in their database.

Using Single Query :-

  • Type python3 -t targets.txt -c config.ini -o pwned_targets.csv
  • -t is used to select target file. You have to create target.txt file.
  • -c is used to select config file where APIs has been entered.
  • -o is used where data will be saved in .csv form.
python3 -t targets.txt -c config.ini -o pwned_targets.csv

Lookup Status
======== SNIPPED ===============
  • If the email addresses has been pwned data breach.
  • This information can be used in other hacking activities.