Demonstrations
This page helps newcomers quickly set up a demonstration.
You can hide the last characters of the passwords using --hide.
h8mail was initially developed as a PoC that would ultimately help secure budget for the next quarter.
This also explains why I chose a more colorful approach for outputs.
It has since grown into a full-blown data breach investigation tool, but remains a good choice as a demonstration tool.
First, get API keys. Premium keys are optional but increase demo value tenfold. Get a breach service API key from one of the supported services. Save the keys in a configuration file.
Next, gather emails of your firm using TheHarvester. You can use Kali, ParrotOS or Tsurugi as a VM.
Once you've gathered a fair number of emails, or even extracted emails from your IT department (with the required permissions beforehand), install h8mail.
Run h8mail as you would against a list of emails, using the API keys saved earlier.
Use --hide to hide the last characters of the passwords on-screen.
$ h8mail -t emails.txt -c h8mail_config.ini --hide
***snip***
[>] Showing results for [email protected]
EMAILREP_LEAKS | [email protected] > 46 leaked credentials
EMAILREP_SOCIAL| [email protected] > Pinterest
EMAILREP_SOCIAL| [email protected] > Foursquare
EMAILREP_SOCIAL| [email protected] > Twitter
EMAILREP_SOCIAL| [email protected] > Spotify
EMAILREP_LASTSN| [email protected] > 10/16/2019
SCYLLA_SOURCE | [email protected] > exploit.in
SCYLLA_PASSWORD| [email protected] > weki********
SCYLLA_SOURCE | [email protected] > exploit.in
SCYLLA_PASSWORD| [email protected] > jane********
SCYLLA_SOURCE | [email protected] > exploit.in
SCYLLA_PASSWORD| [email protected] > smit********
__________________________________________________________________________________________
***snip***
[>] Showing results for [email protected]
EMAILREP_LEAKS | [email protected] > 103 leaked credentials
EMAILREP_SOCIAL| [email protected] > Vimeo
EMAILREP_SOCIAL| [email protected] > Pinterest
EMAILREP_SOCIAL| [email protected] > Aboutme
EMAILREP_SOCIAL| [email protected] > Foursquare
EMAILREP_SOCIAL| [email protected] > Spotify
EMAILREP_SOCIAL| [email protected] > Lastfm
EMAILREP_SOCIAL| [email protected] > Twitter
EMAILREP_LASTSN| [email protected] > 10/16/2019
SCYLLA_SOURCE | [email protected] > dropbox.com
SCYLLA_PASSWORD| [email protected] > john********
SCYLLA_USERNAME| [email protected] > 1645673
SCYLLA_PASSWORD| [email protected] > john********
SCYLLA_USERNAME| [email protected] > 1645673
SCYLLA_SOURCE | [email protected] > exploit.in
SCYLLA_PASSWORD| [email protected] > 1203********
SCYLLA_SOURCE | [email protected] > exploit.in
SCYLLA_PASSWORD| [email protected] > 8772********
SCYLLA_SOURCE | [email protected] > exploit.in
SCYLLA_PASSWORD| [email protected] > 4599********
***snip***
Session Recap:
Target | Status
__________________________________________________________________________________________
[email protected] | Breach Found (63 elements)
__________________________________________________________________________________________
[email protected] | Breach Found (153 elements)
__________________________________________________________________________________________
Execution time (seconds): 13.989517450332642
Done
Or instead you might want to hit all emails from your firm's domain:
$ h8mail -t fcorp.com -q domain -c h8mail_config.ini --hide
***snip***
[~] Target factory started for fcorp.com
[~] [fcorp.com]>[scylla.sh]
__________________________________________________________________________________________
[>] Showing results for fcorp.com
SCYLLA_SOURCE | fcorp.com > exploit.in
SCYLLA_EMAIL | fcorp.com > [email protected]
SCYLLA_PASSWORD| fcorp.com > aq1aq1aq1
SCYLLA_SOURCE | fcorp.com > exploit.in
SCYLLA_EMAIL | fcorp.com > [email protected]
SCYLLA_PASSWORD| fcorp.com > aq4aq4aq4
SCYLLA_EMAIL | fcorp.com > [email protected],[email protected],[email protected]
SCYLLA_HASH | fcorp.com > 0x1D9E2B624FAF9DFF43A23473A589BA5B839D99CA
SCYLLA_USERNAME| fcorp.com > 75445061
SCYLLA_SOURCE | fcorp.com > 000webhost.com
SCYLLA_EMAIL | fcorp.com > [email protected]
SCYLLA_LASTIP | fcorp.com > 82.23.109.200
SCYLLA_PASSWORD| fcorp.com > superman123
SCYLLA_SOURCE | fcorp.com > 000webhost.com
SCYLLA_EMAIL | fcorp.com > [email protected]
SCYLLA_LASTIP | fcorp.com >
SCYLLA_PASSWORD| fcorp.com > mudfish1
***snip***
SCYLLA_PASSWORD| fcorp.com > 1234hoedjevanpapier
SCYLLA_SOURCE | fcorp.com > 000webhost.com
SCYLLA_EMAIL | fcorp.com > [email protected]
SCYLLA_LASTIP | fcorp.com > 131.107.0.74
SCYLLA_PASSWORD| fcorp.com > 1secret
SCYLLA_SOURCE | fcorp.com > 000webhost.com
SCYLLA_EMAIL | fcorp.com > [email protected]
SCYLLA_LASTIP | fcorp.com > 213.239.192.110
SCYLLA_PASSWORD| fcorp.com > birmingham000
__________________________________________________________________________________________
Session Recap:
Target | Status
__________________________________________________________________________________________
fcorp.com | Breach Found (77 elements)
__________________________________________________________________________________________
Execution time (seconds): 3.903327226638794
Done
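For a demo slide or a follow-up report, the console output above can be reduced to per-target counts so that no password value leaves the terminal. The following is an added example, not part of h8mail or of the original page; the `summarize` function, the regular expression and the sample text (addresses and values included) are constructed for illustration and assume the `FIELD | target > value` line layout shown above.

```python
import re
from collections import Counter, defaultdict

# Result lines in the console output look like "FIELD | target > value".
LINE_RE = re.compile(r"^([A-Z]+_[A-Z]+)\s*\|\s*(\S+)\s*>\s?(.*)$")

# Constructed sample in the layout shown above (all addresses and values are made up).
SAMPLE = """\
[>] Showing results for j.doe@example.com
EMAILREP_LEAKS | j.doe@example.com > 46 leaked credentials
SCYLLA_SOURCE | j.doe@example.com > exploit.in
SCYLLA_PASSWORD| j.doe@example.com > weki********
SCYLLA_SOURCE | j.doe@example.com > dropbox.com
SCYLLA_PASSWORD| j.doe@example.com > jane********
[>] Showing results for example.com
SCYLLA_SOURCE | example.com > 000webhost.com
SCYLLA_EMAIL | example.com > a.smith@example.com
SCYLLA_LASTIP | example.com >
SCYLLA_PASSWORD| example.com > hunter2hunter2
Session Recap:
example.com | Breach Found (77 elements)
"""

def summarize(text):
    """Per-target counts of breach sources and secrets; secret values are never stored."""
    report = defaultdict(lambda: {"sources": Counter(), "passwords": 0,
                                  "hashes": 0, "emails": set()})
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banners, separators and the recap table
        field, target, value = m.group(1), m.group(2), m.group(3).strip()
        entry = report[target]
        kind = field.split("_", 1)[1]
        if kind == "SOURCE" and value:
            entry["sources"][value] += 1
        elif kind == "PASSWORD" and value:
            entry["passwords"] += 1  # count only, the value is dropped
        elif kind == "HASH" and value:
            entry["hashes"] += 1
        elif kind == "EMAIL":
            entry["emails"].update(e for e in value.split(",") if e)
    return dict(report)

if __name__ == "__main__":
    for target, data in summarize(SAMPLE).items():
        print(target, dict(data["sources"]), "passwords:", data["passwords"])
```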
If too few emails were gathered, or too little data was found, you may have trouble getting the desired output.
h8mail includes a feature called chasing, which hunts down related emails and automatically scans them for leaked data.
This can be done like so:
$ h8mail -t fcorp.com -q domain --chase 4 --power-chase -c h8mail_config.ini --hide