
How to use recycled credentials with H8mail to get into user accounts «Null Byte :: WonderHowTo



Many internet users worry that their accounts will be breached by a master hacker. The far more likely scenario is falling prey to a bot written to try passwords leaked in data breaches at companies such as LinkedIn, MySpace and Tumblr. For example, a tool called H8mail can search more than a billion leaked credentials to identify passwords that may still be in use today.

How Your Password Ends Up in Data Breaches

Data breaches often make headlines, but it is often not obvious to end users how a breach endangers them. Breaches are not all the same and can contain anything from credit reports to a simple email address. The information in a breach can also be stored in several ways, with the worst case being passwords stored in plaintext.

The most common alternative to plaintext is storing the password in a more secure form such as a hash. Unfortunately, a hash does not solve the problem, because many hashes can themselves be brute-forced. A breach of passwords hashed with SHA-1 can still yield plaintext passwords wherever the passwords are common or easy to guess.
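To make the point above concrete, here is an added example (not code from the article or from H8mail) of why unsalted, fast hashes give up common passwords: a defender screening their own user database against a list of frequently used passwords needs only one SHA-1 computation per word to cover every account, while a salted, iterated hash such as PBKDF2 forces separate work per account. All hashes, email addresses and the wordlist are constructed inline.

```python
import hashlib
import hmac
import os


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 hexdigest, the storage form found in many old breaches."""
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed sample dump: unsalted SHA-1 hashes as a breach of this kind would
# hold them. Computed here, not copied from any real dump.
STRONG = "correct-horse-battery-staple-7f3a"  # constructed, not in the wordlist
LEAKED_HASHES = {
    "alice@example.com": sha1_hex("123456"),
    "bob@example.com": sha1_hex("qwerty"),
    "carol@example.com": sha1_hex(STRONG),
}

# Constructed list of frequently used passwords; a real screen would use a
# breached-password corpus of the kind the article describes.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "asdf1234"]


def screen_unsalted_sha1(hashes: dict, wordlist: list) -> dict:
    """Hash each common password once, then look every account up in that table.
    With no salt, one computation per word covers the whole dump, which is why
    common passwords fall straight out of hashed breaches."""
    table = {sha1_hex(w): w for w in wordlist}
    return {email: table[h] for email, h in hashes.items() if h in table}


def pbkdf2_store(password: str, iterations: int = 200_000) -> tuple:
    """Salted, iterated hash: the form a site should store instead of SHA-1.
    The per-user random salt means a precomputed table is useless, and the
    iteration count makes each guess against each account expensive."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def pbkdf2_verify(password: str, record: tuple) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print("accounts using a common password:", screen_unsalted_sha1(LEAKED_HASHES, COMMON_PASSWORDS))
    record = pbkdf2_store("123456")
    print("pbkdf2 verify:", pbkdf2_verify("123456", record))
```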

Hackers exploit these issues by buying and selling lists of stolen user data, with credit card numbers and passwords at the top of the list. Over time, many of the most heavily traded lists have become public knowledge.

In one case, a colossal aggregate file named "Breach Compilation" was found to contain 1.4 billion credentials drawn from breaches at various companies. After it leaked onto the internet, the aggregated credential database provided the basis for widespread takeover of accounts belonging to users who reuse passwords between sites. This massive privacy violation needs nothing more than a person's email address. It is especially useful when combined with OSINT tactics: for example, you can search for all the email addresses in an organization with tools such as TheHarvester and then feed the resulting list into H8mail. I found it extremely effective at finding plaintext passwords for at least one person in a large organization, and the passwords were usually horrible.

  root@nickles:~/h8mail# python3 h8mail.py -t XXXXXXXXX@gmail.com -bc '/media/root/R3DL34D3R/BreachCompilation' --local

  [h8mail ASCII banner: h8mail.py - Happy E-Mail OSINT - Use responsibly etc - github.com/khast3x]

  Targets
  ----------

  => XXXXXXXXX@gmail.com

  Result XXXXXXXXX@gmail.com
  -----------------------------

  => breached ✓
  ---
  HIBP breaches found: 0
  Breaches found: 12
  Target hostname: gmail.com

  ---
  Breach compilation passwords: ssa123 123456789 18796-0em 1882564 3982262 6 6,91459E + 11 asdf1234 jhedgeland kelly23 qwasqw12 rjyatnf777
  -------------------------------

  ✓ Done

The passwords recovered from the database tend to be poor ones, because the stores that held hashed passwords probably still contain many passwords too strong to be brute-forced. As a result, most of the email and password pairs extracted from hashed breaches are the worst passwords.

What you need

To use a tool like H8mail, you need the tool itself and a data source. One perfectly acceptable way of using H8mail is to connect it to an API, but another is to download the entire Breach Compilation file and configure H8mail to search it locally.

As mentioned earlier, the Breach Compilation database holds 1.4 billion credentials in a deduplicated list, organized into folders that allow quick and easy searching. This database forms the core of the search, whereas an API lookup alone only tells you that an email address has appeared in a breach and what the source of that breach was.

Before we start, you must have Python 3 installed and be ready to install some prerequisites. I recommend using Kali Linux, and make sure you run apt-get update to update your system before starting; failing to do so may cause problems later in the installation.

Step 1: Download H8mail & Data Sources

After navigating to the GitHub repository, clone it with the following command.

  git clone https://github.com/khast3x/h8mail.git

H8mail needs Node.js to operate. To install it, type the following into a terminal window.

 apt-get install nodejs 

Next, change into the directory you just downloaded and install the requirements with pip. I recommend using pip3, because pip3 worked for me but pip did not. To do this, enter the following in a terminal window and wait for the installation to complete.

  cd h8mail
  pip3 install -r requirements.txt

Once the prerequisites are installed, you can run h8mail.py to see the available options. From the downloaded h8mail folder, run the Python script with the following command, which opens the help menu. These are the options available in H8mail.

  python3 ./h8mail.py -h

  python3 h8mail.py -h
  usage: h8mail.py [-h] -t TARGET_EMAILS [-c CONFIG_FILE] [-o OUTPUT_FILE]
                   [-bc BC_PATH] [-v] [-l] [-k CLI_APIKEYS]

  Email information and password lookup tool

  optional arguments:
    -h, --help            show this help message and exit
    -t TARGET_EMAILS, --targets TARGET_EMAILS
                          Either single email, or file (one email per line).
                          REGEXP
    -c CONFIG_FILE, --config CONFIG_FILE
                          Configuration file for API keys
    -o OUTPUT_FILE, --output OUTPUT_FILE
                          File to write output
    -bc BC_PATH, --breachcomp BC_PATH
                          Path to breachcompilation torrent.
                          https://ghostbin.com/paste/2cbdn
    -v, --verbose         Show debug information
    -l, --local           Run local actions only
    -k CLI_APIKEYS, --apikey CLI_APIKEYS
                          Pass config options. Format is "K:V,K:V"

Step 2: Use H8mail against a single e-mail

We will use the local option, which means downloading the Breach Compilation for this demonstration. If you prefer the API option, follow the instructions on GitHub to add the API key for the service you want.

Downloading the Breach Compilation is relatively easy and took just a Google search and torrenting a 44 GB magnet file. I will not link directly to the file, but any hacker worth their salt can find the Breach Compilation in public sources. Once you have the Breach Compilation file, you can do a simple search with the following string:

  python3 h8mail.py -t email@tosearch.com -bc 'location_of_your_file/BreachCompilation' --local

This calls Python 3 on h8mail.py with the arguments set to target email@tosearch.com as the email to search, -bc for the Breach Compilation followed by the location of the Breach Compilation folder on your computer, and --local at the end to indicate that the files are stored locally. With this command you can check the desired email address. If you get a hit, it looks like this:

  Targets
  ----------

  => aquaunitpatrolsquad@gmail.com

  Result aquaunitpatrolsquad@gmail.com
  ---------------------------

  => breached ✓
  ---
  HIBP breaches found: 0
  Breaches found: 1
  Target hostname: gmail.com

  ---
  Breach compilation passwords: Hand banana tonight ... you
  -------------------------------

  ✓ Done

Step 3: Search for passwords in groups of e-mail accounts

Now that you can search for individual accounts, let's combine what you learned in the previous steps to search all the emails you can find for an organization. For my example, I use priceline.com. First, we'll use TheHarvester to get email addresses from the priceline.com domain.

For some reason, many Priceline employees use PGP, so if you run TheHarvester against the PGP keyserver, you get enough email addresses to build a sizeable list of the company's email addresses.

  theharvester -d priceline.com -l 1000 -b pgp 

After copying the returned list, you can create a target file by typing the following and then pasting the found emails into the text editor that opens.

  nano targets.txt

Once you have, press Ctrl-X and select Y to save the changes. Then you can run H8mail against all the emails in your target list at once with the following command:

  python3 h8mail.py -t '/root/h8mail/targets.txt' -bc '~/BreachCompilation' --local

The command may take some time. When it finishes, you will probably find at least some breached passwords from the list of employee emails. Surprisingly, we did not find any from the Priceline list, but otherwise I probably could not have published the results anyway.

These examples are just the beginning of what you can do with H8mail. Use your imagination to think about how useful finding the passwords belonging to long lists of people's email addresses can be.

Recycling passwords is the biggest threat to the average user

Now that we've shown how easy it is to use a list of an organization's email addresses to search for breached passwords, it's easy to see how important it is not to reuse passwords between websites. The biggest cause for concern is that some of your online accounts may still use the same old passwords that have already been breached, leaving you at risk from bots that pair your email address with an old password to take over your accounts. The best protection against this vulnerability is to use a unique password for each website. This also means not using predictable patterns, since a single email address often appears with several breached passwords, which lets a hacker recognize an obvious pattern in your passwords.

Password managers such as LastPass can help in creating and storing strong passwords, and the ultimate way of countering these attacks is to use two-factor authentication, preferably with a hardware key. With a FIDO security key, any device that wants to log in to your account, even one that knows your password, still requires the physical key, which makes the password far less useful to an attacker.

You can set up two-factor authentication on most online accounts, and I highly recommend doing so if you are guilty of the bad habit of reusing passwords. Between two-factor authentication and using a password manager to generate and store strong, unique passwords, the average user can significantly reduce their risk from this type of attack.
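A defensive complement to the advice above, added here as an example (not code from the article or from H8mail): a password manager or signup form can check whether a candidate password appears in a breach corpus without ever sending the password itself, by hashing it locally and sending only the first five hex characters of the SHA-1 to a range lookup service. The response format (lines of "SUFFIX:COUNT") is modelled on Have I Been Pwned's Pwned Passwords range API; the range body and counts are constructed inline so the code runs offline.

```python
import hashlib


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest().upper()


def split_hash(password: str) -> tuple:
    """Only the 5-character prefix leaves the device; the suffix stays local."""
    h = sha1_upper(password)
    return h[:5], h[5:]


# Constructed stand-in for the range lookup service. It returns every hash
# suffix in a small breached-password corpus (counts are made up) that shares
# the requested prefix; a real client would fetch this body over HTTPS instead.
BREACH_CORPUS = {"123456": 23_000_000, "asdf1234": 45_000, "kelly23": 1_200}


def constructed_range_body(prefix: str) -> str:
    lines = [f"{sha1_upper(pw)[5:]}:{count}"
             for pw, count in BREACH_CORPUS.items()
             if sha1_upper(pw).startswith(prefix)]
    lines.append("0" * 35 + ":1")  # unrelated constructed entry, never empty
    return "\r\n".join(lines)


def parse_range(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, ignoring malformed ones."""
    result = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            result[suffix] = int(count)
    return result


def breach_count(password: str, fetch_range=constructed_range_body) -> int:
    """Number of times the password was seen in breaches, or 0 if never.
    fetch_range is injected so a real HTTP fetcher can replace the stand-in."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ["123456", "kelly23", "correct-horse-battery-staple-7f3a"]:
        print(candidate, "->", breach_count(candidate))
```

A signup flow would reject any candidate with a non-zero count and tell the user the password has already appeared in a breach.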

I hope you enjoyed this guide on how to use H8mail to find breached passwords for a target email! If you have questions about this H8mail tutorial or have a comment, feel free to reach out in the comments below or on Twitter @KodyKinzie.


Title image from Kody / Null Byte



