Find hacked email addresses

Data breaching in these days have been common. Many of the popular websites are targeted in data breach. This process of data breaching is still continue as many anonymous attackers are using open source tools. There is a popular tool called h8mail which is used to check breach mails.

According ethical hacking researcher of International Institute of Cyber Security h8mail is used in initial phase of penetration testing.

H8mail is an OSINT tool used to search emails and passwords. This tool find breached emails through different sites. This tool uses data breached emails. For showing you we have tested this tool on Kali Linux 2018.4

Before installing tool you must install nodejs and update python in Kali Linux. This tool only works with python3, according to ethical hacking courses.

  • For installing python type sudo apt-get update
  • Then type sudo apt-get install python3
  • For checking python version type python –version
  • Then type sudo apt-get install nodejs
  • After installing all the above pre-requisites clone h8mail.
  • For cloning type git clone https://github.com/khast3x/h8mail.git
  • Type cd h8mail
  • Type pip install -r requirements.txt
root@kali:/home/iicybersecurity/Downloads/h8mail# pip install -r requirements.txt
Requirement already satisfied: requests in /usr/lib/python2.7/dist-packages (from -r requirements.txt (line 1)) (2.18.4)
Collecting python-cli-ui (from -r requirements.txt (line 2))
Downloading https://files.pythonhosted.org/packages/71/76/4772ff1c2c982c3e5cd75f5e01ae575adb979afc3473d267915de39813f4/python-cli-ui-0.7.4.tar.gz
Complete output from command python setup.py egg_info:
Error: Please upgrade to Python3
Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-install-oC2WCX/python-cli-ui/
  • While installing pip if it shows the above error that means you have to upgrade pip in your Linux Distros.
  • For that type sudo apt-get update python3-pip
root@kali:/home/iicybersecurity/Downloads/h8mail# sudo apt-get install python3-pip
Reading package lists… Done
Building dependency tree
Reading state information… Done
python3-pip is already the newest version (18.1-4).
The following packages were automatically installed and are no longer required:
golang-1.10 golang-1.10-doc golang-1.10-go golang-1.10-src golang-src
Use 'apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 1554 not upgraded.
  • After upgrading pip, type pip install -r requirements.txt
root@kali:/home/iicybersecurity/Downloads/h8mail# pip3 install -r requirements.txt
Requirement already satisfied: requests in /usr/lib/python3/dist-packages (from -r requirements.txt (line 1)) (2.18.4)
Collecting python-cli-ui (from -r requirements.txt (line 2))
Downloading https://files.pythonhosted.org/packages/fc/32/e63370450c69ccc06aefb8e55926011a7eeb3824787fed8d3d12149b4e09/python_cli_ui-0.7.4-py3-none-any.whl
Collecting cfscrape (from -r requirements.txt (line 3))
Downloading https://files.pythonhosted.org/packages/ee/5e/6f36d5305b4c5abe793a7a057003f342300e9b853384a11fee8dc58e6816/cfscrape-1.9.5.tar.gz
Collecting unidecode (from python-cli-ui->-r requirements.txt (line 2))
Downloading https://files.pythonhosted.org/packages/31/39/53096f9217b057cb049fe872b7fc7ce799a1a89b76cf917d9639e7a558b5/Unidecode-1.0.23-py2.py3-none-any.whl (237kB)
100% |████████████████████████████████| 245kB 576kB/s
Requirement already satisfied: tabulate in /usr/lib/python3/dist-packages (from python-cli-ui->-r requirements.txt (line 2)) (0.8.2)
Requirement already satisfied: colorama in /usr/lib/python3/dist-packages (from python-cli-ui->-r requirements.txt (line 2)) (0.3.7)
Building wheels for collected packages: cfscrape
Running setup.py bdist_wheel for cfscrape … done
Stored in directory: /root/.cache/pip/wheels/4b/7d/70/32db6ba6ac95be8d24d5563436fc4ffe52f271adb2da153531
Successfully built cfscrape
Installing collected packages: unidecode, python-cli-ui, cfscrape
Successfully installed cfscrape-1.9.5 python-cli-ui-0.7.4 unidecode-1.0.23
  • Then type python3 h8mail.py –help
root@kali:/home/iicybersecurity/Downloads/h8mail# python3 h8mail.py --help
usage: h8mail.py [-h] -t TARGET_EMAILS [-c CONFIG_FILE] [-o OUTPUT_FILE]
[-bc BC_PATH] [-v] [-l] [-k CLI_APIKEYS]


Email information and password finding tool

optional arguments:
-h, --help show this help message and exit
-t TARGET_EMAILS, --targets TARGET_EMAILS
Either single email, or file (one email per line).
REGEXP
-c CONFIG_FILE, --config CONFIG_FILE
Configuration file for API keys
-o OUTPUT_FILE, --output OUTPUT_FILE
File to write output
-bc BC_PATH, --breachcomp BC_PATH
Path to the breachcompilation Torrent.

https://ghostbin.com/paste/2cbdn
-v, --verbose Show debug information
-l, --local Run local actions only
-k CLI_APIKEYS, --apikey CLI_APIKEYS
Pass config options. Format is "K:V,K:V"
  • The above queries are used to gather breached email addresses and passwords.

H8mail Uses Various APIs To Search For Breached Email Addresses :-

  • HaveIBeenPwned (https://haveibeenpwned.com/) : This website checks if the email id has been pwned or not. This website collects large no, of databases dumps and paste containing information about all billions of leak accounts.
  • Shodan (https://www.shodan.io/) : Shodan is an search engine for web. This website pings all the available IP address that are currently using the internet.
  • Hunter.io (https://hunter.io/) : Hunter is an source of h8mail. In hunter is used to find and verify professional email address. For using these services you have to pay some of the amount in hunter.io
  • Weleakinfo (https://weleakinfo.com/api/public) : Weleakinfo is another breached database search engine.
  • Snusbase (https://snusbase.com/) : Snusbase is a database search engine which collects data of sites that have been hacked. And provide those data to their users. For using these services you have to pay some of the amount in snusbase.

Finding Breached Email Address :-

  • Type python3 h8mail.py -t puti@reddcoin2.com
  • -t is used to enter target email address.
root@kali:/home/iicybersecurity/Downloads/h8mail# python3 h8mail.py -t puti@reddcoin2.com

.. .. ;;
| .
. | | .. | ; h8mail.py ; | !| |||! | ;-----------; !| |_! Heartfelt Email OSINT
.||| |. Use responsibly etc
| .| |. | ;____________
;
| !! | | !! | ; github.com/khast3x ;
!! !! ;--------------------;

Targets

=> puti@reddcoin2.com

Lookup Status

Result puti@reddcoin2.com

=> not breached ❌
Target hostname: reddcoin2.com

✓ Done
  • The above query shows, email which has been scanned is not breached of any databases mentioned above.
  • It shows that HIBP (HaveIBeenPwned) could not find email address in any database. Nor its password is available in HIBP database.

Find bulk Email Ids for testing:-

  • For getting bulk email addresses. You can use TheHarvester is a popular tool to find mail addresses or details of the employees.
root@kali:/home/iicybersecurity/Downloads# theharvester -d testsites.com -b pgp


Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.


*
| || |_ _ /\ /__ _ _ _ | |_ _ __ *
| | '_ \ / _ \ / // / ` | '\ \ / / _ \/ | / _ \ '__| *
| || | | | / / / (| | | \ V / /__ \ || / | *
__|| ||___| \/ // _,|| _/ ___||/__|_| *
*
TheHarvester Ver. 2.7.2 *
Coded by Christian Martorella *
Edge-Security Research *
cmartorella@edge-security.com *


[-] Starting harvesting process for domain: testsites.com

[-] Searching in PGP key server..

Harvesting results

[+] Emails found:
mariot.chauvin@testsites.com
lauren.emms@testsites.com
danny.daly@testsites.com
amy.hughes@testsites.com
jon.norman@testsites.com
tom.forbes@testsites.com
niko.kommenda@testsites.com
sam.jones@testsites.com
regis.kuckaertz@testsites.com
hannah.devlin@testsites.com
joseph.smith@testsites.com
calum.campbell@testsites.com
jacob.riggs@testsites.com
michael.barton@testsites.com
akash.askoolum@testsites.com
peter.colley.freelance@testsites.com
nicolas.long@testsites.com
alex.hern@testsites.com
thomas.bonnin@testsites.com
richard.tynan@testsites.com
mat.heywood@testsites.com
nathaniel.bennett@testsites.com
sally.goble@testsites.com
jennifer.sivapalan@testsites.com
michael.safi@testsites.com
justin.pinner@testsites.com
jonathan.soul@testsites.com
jasper.jackson@testsites.com
oliver.holmes@testsites.com
hilary.osborne@testsites.com
rupert.bates@testsites.com
caelainn.barr@testsites.com
christopher.lloyd@testsites.com
susie.coleman@testsites.com
chris.whitworth@testsites.com
andi.elsner@testsites.com
calla.wahlquist@testsites.com
paul.farrell@testsites.com
james.gorrie@testsites.com
simon.bowers@testsites.com
  • The above is the list of the email addresses which can be used in scanning if the above email addresses are breached or not.
  • Save the above list. Type nano emaillist.txt
  • Then copy paste whole email addresses. Then save the list.
  • Type python3 h8mail.py -t /home/iicybersecurity/Downloads/testsites.txt -bc /Downloads/breachcompilation/ -k “snusbase_url: https://snusbase.com ,snusbase_token: 5sxxxxxxxxxxxxxxxxxxxBuXQ”
  • -t is used to enter tartgets.
  • -bc is used to give path for pwned targets.
  • -k is used to enter snusbase API key.
root@kali:/home/iicybersecurity/Downloads/h8mail# python3 h8mail.py -t /home/iicybersecurity/Downloads/testsites.txt -bc /Downloads/breachcompilation/ -k "snusbase_url: https://snusbase.com ,snusbase_token: 5sxxxxxxxxxxxxxxxxxxxBuXQ"

.. .. ;;
| .
. | | .. | ; h8mail.py ; | !| |||! | ;-----------; !| |_! Heartfelt Email OSINT
.||| |. Use responsibly etc
| .| |. | ;____________
;
| !! | | !! | ; github.com/khast3x ;
!! !! ;--------------------;

Targets
mariot.chauvin@testsites.com
lauren.emms@testsites.com
danny.daly@testsites.com
amy.hughes@testsites.com
jon.norman@testsites.com
tom.forbes@testsites.com
niko.kommenda@testsites.com
sam.jones@testsites.com
regis.kuckaertz@testsites.com
hannah.devlin@testsites.com
joseph.smith@testsites.com
calum.campbell@testsites.com
jacob.riggs@testsites.com
michael.barton@testsites.com
akash.askoolum@testsites.com
peter.colley.freelance@testsites.com
nicolas.long@testsites.com
alex.hern@testsites.com
thomas.bonnin@testsites.com
richard.tynan@testsites.com
mat.heywood@testsites.com
nathaniel.bennett@testsites.com
sally.goble@testsites.com
jennifer.sivapalan@testsites.com
michael.safi@testsites.com
justin.pinner@testsites.com
jonathan.soul@testsites.com
jasper.jackson@testsites.com
oliver.holmes@testsites.com
hilary.osborne@testsites.com
rupert.bates@testsites.com
caelainn.barr@testsites.com
christopher.lloyd@testsites.com
susie.coleman@testsites.com
chris.whitworth@testsites.com
andi.elsner@testsites.com
calla.wahlquist@testsites.com
paul.farrell@testsites.com
james.gorrie@testsites.com
simon.bowers@testsites.commariot.chauvin@testsites.com
lauren.emms@testsites.com
danny.daly@testsites.com
amy.hughes@testsites.com
jon.norman@testsites.com
tom.forbes@testsites.com
niko.kommenda@testsites.com
sam.jones@testsites.com
regis.kuckaertz@testsites.com
hannah.devlin@testsites.com
joseph.smith@testsites.com
calum.campbell@testsites.com
jacob.riggs@testsites.com
michael.barton@testsites.com
akash.askoolum@testsites.com
peter.colley.freelance@testsites.com
nicolas.long@testsites.com
alex.hern@testsites.com
thomas.bonnin@testsites.com
richard.tynan@testsites.com
mat.heywood@testsites.com
nathaniel.bennett@testsites.com
sally.goble@testsites.com
jennifer.sivapalan@testsites.com
michael.safi@testsites.com
justin.pinner@testsites.com
jonathan.soul@testsites.com
jasper.jackson@testsites.com
oliver.holmes@testsites.com
hilary.osborne@testsites.com
rupert.bates@testsites.com
caelainn.barr@testsites.com
christopher.lloyd@testsites.com
susie.coleman@testsites.com
chris.whitworth@testsites.com
andi.elsner@testsites.com
calla.wahlquist@testsites.com
paul.farrell@testsites.com
james.gorrie@testsites.com
simon.bowers@testsites.com

=========== SNIPPED =================
  • The above query shows that above email addresses has not been in data breach in HIBP.
  • If you see snusbase error, it means you have to purchase their services to search in their database.

Using Single Query :-

  • Type python3 h8mail.py -t targets.txt -c config.ini -o pwned_targets.csv
  • -t is used to select target file. You have to create target.txt file.
  • -c is used to select config file where APIs has been entered.
  • -o is used where data will be saved in .csv form.
root@kali:/home/iicybersecurity/Downloads/h8mail#  
python3 h8mail.py -t targets.txt -c config.ini -o pwned_targets.csv
tuckerkaren2000@yahoo.com
tuckersadie@yahoo.com
tucko100@yahoo.com
tucktunes@yahoo.com
tucsonclint2008@yahoo.com
tucu.ionut@yahoo.com

Lookup Status
======== SNIPPED ===============
  • If the email addresses has been pwned data breach.
  • This information can be used in other hacking activities, mention ethical hacking teachers.