Demonstrations
This page helps newcomers quickly set up a demonstration.
You can hide the last characters of the passwords using --hide
h8mail was initially developed as a PoC that would ultimately help secure budget for the next quarter.
This also explains why I chose a more colorful approach for outputs.
It has since grown into a full-blown data breach investigation tool, but remains a good choice as a demonstration tool.
First, get API keys. Premium keys are optional but increase demo value tenfold. Get a breach service API key from one of the supported services. Save the keys in a configuration file.
Next, gather emails of your firm using TheHarvester. You can use either Kali, ParrotOS or Tsurugi as a VM.
Once you've gathered a fair number of emails, or even extracted emails from your IT department (with the required permissions beforehand), install h8mail.
Run h8mail as you would against a list of emails, using the API keys saved earlier.
Use --hide to hide the last characters of the passwords on-screen.
$ h8mail -t emails.txt -c h8mail_config.ini --hide
***snip***
[>] Showing results for jane.smith@fcorp.com
EMAILREP_LEAKS | jane.smith@fcorp.com > 46 leaked credentials
EMAILREP_SOCIAL| jane.smith@fcorp.com > Pinterest
EMAILREP_SOCIAL| jane.smith@fcorp.com > Foursquare
EMAILREP_SOCIAL| jane.smith@fcorp.com > Twitter
EMAILREP_SOCIAL| jane.smith@fcorp.com > Spotify
EMAILREP_LASTSN| jane.smith@fcorp.com > 10/16/2019
SCYLLA_SOURCE | jane.smith@fcorp.com > exploit.in
SCYLLA_PASSWORD| jane.smith@fcorp.com > weki********
SCYLLA_SOURCE | jane.smith@fcorp.com > exploit.in
SCYLLA_PASSWORD| jane.smith@fcorp.com > jane********
SCYLLA_SOURCE | jane.smith@fcorp.com > exploit.in
SCYLLA_PASSWORD| jane.smith@fcorp.com > smit********
__________________________________________________________________________________________
***snip***
[>] Showing results for john.smith@fcorp.com
EMAILREP_LEAKS | john.smith@fcorp.com > 103 leaked credentials
EMAILREP_SOCIAL| john.smith@fcorp.com > Vimeo
EMAILREP_SOCIAL| john.smith@fcorp.com > Pinterest
EMAILREP_SOCIAL| john.smith@fcorp.com > Aboutme
EMAILREP_SOCIAL| john.smith@fcorp.com > Foursquare
EMAILREP_SOCIAL| john.smith@fcorp.com > Spotify
EMAILREP_SOCIAL| john.smith@fcorp.com > Lastfm
EMAILREP_SOCIAL| john.smith@fcorp.com > Twitter
EMAILREP_LASTSN| john.smith@fcorp.com > 10/16/2019
SCYLLA_SOURCE | john.smith@fcorp.com > dropbox.com
SCYLLA_PASSWORD| john.smith@fcorp.com > john********
SCYLLA_USERNAME| john.smith@fcorp.com > 1645673
SCYLLA_PASSWORD| john.smith@fcorp.com > john********
SCYLLA_USERNAME| john.smith@fcorp.com > 1645673
SCYLLA_SOURCE | john.smith@fcorp.com > exploit.in
SCYLLA_PASSWORD| john.smith@fcorp.com > 1203********
SCYLLA_SOURCE | john.smith@fcorp.com > exploit.in
SCYLLA_PASSWORD| john.smith@fcorp.com > 8772********
SCYLLA_SOURCE | john.smith@fcorp.com > exploit.in
SCYLLA_PASSWORD| john.smith@fcorp.com > 4599********
***snip***
Session Recap:
Target | Status
__________________________________________________________________________________________
jane.smith@fcorp.com | Breach Found (63 elements)
__________________________________________________________________________________________
john.smith@fcorp.com | Breach Found (153 elements)
__________________________________________________________________________________________
Execution time (seconds): 13.989517450332642
Done
Or instead you might want to hit all emails from your firm's domain:
$ h8mail -t fcorp.com -q domain -c h8mail_config.ini --hide
***snip***
[~] Target factory started for fcorp.com
[~] [fcorp.com]>[scylla.sh]
__________________________________________________________________________________________
[>] Showing results for fcorp.com
SCYLLA_SOURCE | fcorp.com > exploit.in
SCYLLA_EMAIL | fcorp.com > ......@fcorp.com
SCYLLA_PASSWORD| fcorp.com > aq1aq1aq1
SCYLLA_SOURCE | fcorp.com > exploit.in
SCYLLA_EMAIL | fcorp.com > ......@fcorp.com
SCYLLA_PASSWORD| fcorp.com > aq4aq4aq4
SCYLLA_EMAIL | fcorp.com > www.dirtymac01@fcorp.com,www.dirtymac01@fcorp.com,www.dirtymac01@fcorp.com
SCYLLA_HASH | fcorp.com > 0x1D9E2B624FAF9DFF43A23473A589BA5B839D99CA
SCYLLA_USERNAME| fcorp.com > 75445061
SCYLLA_SOURCE | fcorp.com > 000webhost.com
SCYLLA_EMAIL | fcorp.com > moes@fcorp.com
SCYLLA_LASTIP | fcorp.com > 82.23.109.200
SCYLLA_PASSWORD| fcorp.com > superman123
SCYLLA_SOURCE | fcorp.com > 000webhost.com
SCYLLA_EMAIL | fcorp.com > fred@fcorp.com
SCYLLA_LASTIP | fcorp.com >
SCYLLA_PASSWORD| fcorp.com > mudfish1
***snip***
SCYLLA_PASSWORD| fcorp.com > 1234hoedjevanpapier
SCYLLA_SOURCE | fcorp.com > 000webhost.com
SCYLLA_EMAIL | fcorp.com > alogan@fcorp.com
SCYLLA_LASTIP | fcorp.com > 131.107.0.74
SCYLLA_PASSWORD| fcorp.com > 1secret
SCYLLA_SOURCE | fcorp.com > 000webhost.com
SCYLLA_EMAIL | fcorp.com > crap46@fcorp.com
SCYLLA_LASTIP | fcorp.com > 213.239.192.110
SCYLLA_PASSWORD| fcorp.com > birmingham000
__________________________________________________________________________________________
Session Recap:
Target | Status
__________________________________________________________________________________________
fcorp.com | Breach Found (77 elements)
__________________________________________________________________________________________
Execution time (seconds): 3.903327226638794
Done
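The domain query output above shows password, hash and last-IP values in full, so a saved copy should be masked before it is pasted into slides or a report. The script below is an added example, not part of h8mail or this wiki: it parses the result-line format shown on this page, masks those fields, and lists the affected accounts. The function name sanitize, the SECRET_FIELDS selection and all sample values are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample in the line format shown on this page (all values made up).
SAMPLE = """\
[>] Showing results for fcorp.com
SCYLLA_SOURCE  | fcorp.com > 000webhost.com
SCYLLA_EMAIL   | fcorp.com > alice@fcorp.com
SCYLLA_LASTIP  | fcorp.com > 192.0.2.10
SCYLLA_PASSWORD| fcorp.com > correcthorse1
SCYLLA_SOURCE  | fcorp.com > exploit.in
SCYLLA_EMAIL   | fcorp.com > bob@fcorp.com
SCYLLA_LASTIP  | fcorp.com >
SCYLLA_PASSWORD| fcorp.com > hunter2hunter2
SCYLLA_HASH    | fcorp.com > 0xDEADBEEF00
Session Recap:
fcorp.com | Breach Found (9 elements)
"""

# "<SERVICE>_<FIELD> | <target> > <value>"; the value may be empty.
RESULT_LINE = re.compile(r"^([A-Z0-9]+)_([A-Z0-9]+)\s*\|\s*(\S+)\s*>\s?(.*)$")
SECRET_FIELDS = {"PASSWORD", "HASH", "LASTIP"}  # assumption: fields to mask


def sanitize(text):
    """Return (redacted text, Counter of masked fields, sorted affected emails)."""
    out, masked, emails = [], Counter(), set()
    for line in text.splitlines():
        m = RESULT_LINE.match(line)
        if not m:
            out.append(line)  # banners, separators and recap pass through
            continue
        service, field, target, value = m.groups()
        value = value.strip()
        if field == "EMAIL":  # domain queries list the account in the value
            emails.update(v for v in value.split(",") if "@" in v)
        elif "@" in target:  # email queries carry the account as the target
            emails.add(target)
        if field in SECRET_FIELDS and value:
            masked[field] += 1
            value = "[REDACTED]"
        out.append(f"{service + '_' + field:<15}| {target} > {value}")
    return "\n".join(out), masked, sorted(emails)


if __name__ == "__main__":
    redacted, masked, emails = sanitize(SAMPLE)
    print(redacted, dict(masked), emails, sep="\n")
```

The list of affected accounts can serve as the password-reset list that follows the demonstration.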
You might have trouble getting the desired output if too few emails were gathered or too little data was found.
h8mail includes a feature called chasing, which hunts down related emails and automatically scans them for leaked data.
This can be done like so:
$ h8mail -t fcorp.com -q domain --chase 4 --power-chase -c h8mail_config.ini --hide