Grzegorz Piechnik

Search for sensitive data using theHarvester and h8mail tools

Today's topic is pleasant and fully automated: acquiring the password for a given email address from known password leaks. When carrying out attacks, there are situations in which we would like to get the emails associated with the attacked domain. We can use theHarvester for this.

theHarvester

theHarvester is a script written in Python and used for open-source intelligence (OSINT). It collects emails, usernames, subdomains, IP addresses and more from public sources. It uses as many as 40 available tools for passive reconnaissance; however, fourteen of them require API keys to be set up. But let's get to the specifics.

In the example we are discussing, we want to get all the emails in circulation associated with the example.com domain. To do this, we will use the following command.

┌──(figaro㉿kali)-[~/]
└─$ theHarvester -d example.com -b google

*******************************************************************
*  _   _                                            _             *                                  
* | |_| |__   ___    /\  /\__ _ _ ____   _____  ___| |_ ___ _ __  *                                  
* | __|  _ \ / _ \  / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *                                  
* | |_| | | |  __/ / __  / (_| | |   \ V /  __/\__ \ ||  __/ |    *                                  
*  \__|_| |_|\___| \/ /_/ \__,_|_|    \_/ \___||___/\__\___|_|    *                                  
*                                                                 *                                  
* theHarvester 4.0.0                                              *                                  
* Coded by Christian Martorella                                   *                                  
* Edge-Security Research                                          *                                  
* cmartorella@edge-security.com                                   *                                  
*                                                                 *                                  
*******************************************************************                                  


[*] Target: example.com 

        Searching 0 results.
        Searching 100 results.
        Searching 200 results.
        Searching 300 results.
        Searching 400 results.
        Searching 500 results.
[*] Searching Google. 

[*] No IPs found.

[*] Emails found: 13
----------------------
555-555-0199@example.com
adresa@example.com
anna@example.com
example@example.com
max.mustermann@example.com
osoba@example.com
regemail@example.com
someone@example.com
x22555-555-0199@example.com
x22adresa@example.com
x22anna@example.com
x22regemail@example.com
x22someone@example.com

[*] Hosts found: 13
---------------------
253dwww.example.com
abc.example.com
app.example.com
builder.page.example.com
derid.example.com
stage.example.com
sub.example.com
u003dwww.example.com
vc.example.com
www.example.com:93.184.216.34
x22derid.example.com
x22www.example.com
xyz.example.com

We chose Google as our intelligence source for the example.com domain. This way we got 13 emails. We save them in a separate targets.txt file and can move on to h8mail.

h8mail

By way of introduction, h8mail is a tool that detects whether a password leak has occurred for a given email in the past. The check is done either through one of the twelve available APIs or against locally stored leak collections. In our example, we will use the BreachCompilation database. You can download it via the rtorrent command.

┌──(figaro㉿kali)-[~]
└─$ h8mail -t ./targets.txt -lb ./BreachCompilation       
                  Official h8mail posts: 
                  https://khast3x.club/tags/h8mail/                                                 


          Version 2.5.5 - "ROCKSMASSON.5"  

        ._____. ._____.     ;____________;
        | ._. | | ._. |     ;   h8mail   ;
        | !_| |_|_|_! |     ;------------;
        !___| |_______!  Heartfelt Email OSINT
        .___|_|_| |___.    Use responsibly
        | ._____| |_. | ;____________________;
        | !_! | | !_! | ; github.com/khast3x ;
        !_____! !_____! ;--------------------;

[>] h8mail is up to date
[~] Reading from file ./targets.txt
[~] Parsing emails from./targets.txt
[~] Removing duplicates
[>] Targets:
[>] x22regemail@example.com
[>] max.mustermann@example.com
[>] regemail@example.com
[>] x22anna@example.com
[>] x22adresa@example.com
[>] x22someone@example.com
[>] someone@example.com
[>] example@example.com
[>] anna@example.com
[>] 555-555-0199@example.com
[>] adresa@example.com
[>] x22555-555-0199@example.com
[>] osoba@example.com

In this simple way, after a few minutes of checking breaches and available services, we get the results.

 __________________________________________________________________________________________

[>] Showing results for adresa@example.com

[~] No results founds

 __________________________________________________________________________________________

[>] Showing results for someone@example.com
LOCALSEARCH    |      someone@example.com > [r] Line 1411935: arcanjel-someone@example.com:j092289
LOCALSEARCH    |      someone@example.com > [s] Line 5317894: asomeone@example.com:123456789
LOCALSEARCH    |      someone@example.com > [f] Line 79228: alfa146someone@example.com:123456
LOCALSEARCH    |      someone@example.com > [u] Line 4460618: busy_someone@example.com:dalakli

(...)
__________________________________________________________________________________________

                                   Session Recap:  


                 Target                  |                   Status                  
__________________________________________________________________________________________

       max.mustermann@example.com        |               Not Compromised              
__________________________________________________________________________________________

          regemail@example.com           |               Not Compromised              
__________________________________________________________________________________________

         x22adresa@example.com           |               Not Compromised              
__________________________________________________________________________________________

           adresa@example.com            |               Not Compromised              
__________________________________________________________________________________________

          someone@example.com            |          Breach Found (79 elements)        
__________________________________________________________________________________________

      x22555-555-0199@example.com        |               Not Compromised              
__________________________________________________________________________________________

           osoba@example.com             |          Breach Found (2 elements)         
__________________________________________________________________________________________

          example@example.com            |         Breach Found (704 elements)        
__________________________________________________________________________________________

            anna@example.com             |          Breach Found (46 elements)        
__________________________________________________________________________________________

        555-555-0199@example.com         |          Breach Found (2 elements)         
__________________________________________________________________________________________

        x22regemail@example.com          |               Not Compromised              
__________________________________________________________________________________________

         x22someone@example.com          |               Not Compromised              
__________________________________________________________________________________________

          x22anna@example.com            |               Not Compromised              
__________________________________________________________________________________________
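For a team auditing its own domain, the Session Recap above is the input to a password-reset queue. The Python below is an added example, not part of the original post or of h8mail: it parses recap rows (a constructed sample in the same layout), orders breached addresses by element count, and sets aside a target only when stripping an `x22`/`u003d`/`253d` prefix yields an address that is also in the list. The function names are hypothetical, and treating those prefixes as escape-sequence residue from scraping is an assumption.

```python
import re

# Constructed sample rows in the layout of the h8mail "Session Recap" shown above.
SAMPLE_RECAP = """
       max.mustermann@example.com        |               Not Compromised
__________________________________________________
          someone@example.com            |          Breach Found (79 elements)
__________________________________________________
         x22someone@example.com          |               Not Compromised
__________________________________________________
           osoba@example.com             |          Breach Found (2 elements)
__________________________________________________
          example@example.com            |         Breach Found (704 elements)
__________________________________________________
          x22anna@example.com            |               Not Compromised
"""

ROW = re.compile(
    r"^\s*(\S+@\S+)\s*\|\s*(?:Not Compromised|Breach Found \((\d+) elements?\))\s*$")
# Assumption: residue of \x22, \u003d and %253d whose escape character was lost.
ARTIFACT = re.compile(r"^(?:x22|u003d|253d)")


def parse_recap(text):
    """Return {address: leaked_element_count}; 0 means 'Not Compromised'."""
    results = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            results[m.group(1).lower()] = int(m.group(2) or 0)
    return results


def triage(text):
    """Split recap rows into a reset queue and a list of artefact duplicates."""
    results = parse_recap(text)
    # Only fold a prefixed target when its clean form was also checked.
    artefacts = sorted(a for a in results
                       if ARTIFACT.match(a) and ARTIFACT.sub("", a) in results)
    queue = sorted(((a, n) for a, n in results.items()
                    if n > 0 and a not in artefacts),
                   key=lambda item: (-item[1], item[0]))
    return queue, artefacts


if __name__ == "__main__":
    queue, artefacts = triage(SAMPLE_RECAP)
    for address, count in queue:
        print(f"{count:>5}  {address}")
    print("ignored as scraping artefacts:", ", ".join(artefacts))
```

`x22anna@example.com` stays out of the artefact list in this sample because `anna@example.com` is not among the sample rows, so the prefix check never discards an address on the prefix alone.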

Sources

https://github.com/khast3x/h8mail
https://github.com/laramies/theHarvester
https://gist.github.com/saturn99/c31727bc1b849fa1c2ba1d72d4ab9ecb
https://null-byte.wonderhowto.com
https://cli-ck.io/transmission-cli-user-guide/