Awesome
<h1 align="center"> <a href="https://github.com/khast3x/h8mail/releases/"><img src="https://i.postimg.cc/LXR6Jq8Y/logo-transparent.png" width="420" title="h8maillogo"></a> </h1>
h8mail is an email OSINT and breach hunting tool using different breach and reconnaissance services, or local breaches such as Troy Hunt's "Collection1" and the infamous "Breach Compilation" torrent.
<h1 align="center"> <a href="https://github.com/khast3x/h8mail/wiki?ref=readmebutton"><img src="https://i.postimg.cc/htg6xGmm/button.png" width="420" title="To the Wiki!"></a> </h1>
:book: Table of Content
:tangerine: Features
- :mag_right: Email pattern matching (reg exp), useful for reading from other tool outputs
- :earth_africa: Pass URLs to directly find and target emails in pages
- :dizzy: Loosey patterns for local searchs ("john.smith", "evilcorp")
- :package: Painless install. Available through
pip
, only requiresrequests
- :white_check_mark: Bulk file-reading for targeting
- :memo: Output to CSV file or JSON
- :muscle: Compatible with the "Breach Compilation" torrent scripts
- :house: Search cleartext and compressed .gz files locally using multiprocessing
- :cyclone: Compatible with "Collection#1"
- :fire: Get related emails
- :dragon_face: Chase related emails by adding them to the ongoing search
- :crown: Supports premium lookup services for advanced users
- :factory: Custom query premium APIs. Supports username, hash, ip, domain and password and more
- :books: Regroup breach results for all targets and methods
- :eyes: Includes option to hide passwords for demonstrations
- :rainbow: Delicious colors
:package: pip3 install h8mail
APIs
Service | Functions | Status |
---|---|---|
HaveIBeenPwned(v3) | Number of email breaches | :white_check_mark: :key: |
HaveIBeenPwned Pastes(v3) | URLs of text files mentioning targets | :white_check_mark: :key: |
Hunter.io - Public | Number of related emails | :white_check_mark: |
Hunter.io - Service (free tier) | Cleartext related emails, Chasing | :white_check_mark: :key: |
Snusbase - Service | Cleartext passwords, hashs and salts, usernames, IPs - Fast :zap: | :white_check_mark: :key: |
Leak-Lookup - Public | Number of search-able breach results | :white_check_mark: (:key:) |
Leak-Lookup - Service | Cleartext passwords, hashs and salts, usernames, IPs, domain | :white_check_mark: :key: |
Emailrep.io - Service (free) | Last seen in breaches, social media profiles | :white_check_mark: :key: |
scylla.so - Service (free) | Cleartext passwords, hashs and salts, usernames, IPs, domain | :construction: |
Dehashed.com - Service | Cleartext passwords, hashs and salts, usernames, IPs, domain | :white_check_mark: :key: |
IntelX.io - Service (free trial) | Cleartext passwords, hashs and salts, usernames, IPs, domain, Bitcoin Wallets, IBAN | :white_check_mark: :key: |
:new: Breachdirectory.org - Service (free) | Cleartext passwords, hashs and salts, usernames, domain | :construction: :key: |
:key: - API key required
:tangerine: Usage
usage: h8mail [-h] [-t USER_TARGETS [USER_TARGETS ...]]
[-u USER_URLS [USER_URLS ...]] [-q USER_QUERY] [--loose]
[-c CONFIG_FILE [CONFIG_FILE ...]] [-o OUTPUT_FILE]
[-j OUTPUT_JSON] [-bc BC_PATH] [-sk]
[-k CLI_APIKEYS [CLI_APIKEYS ...]]
[-lb LOCAL_BREACH_SRC [LOCAL_BREACH_SRC ...]]
[-gz LOCAL_GZIP_SRC [LOCAL_GZIP_SRC ...]] [-sf]
[-ch [CHASE_LIMIT]] [--power-chase] [--hide] [--debug]
[--gen-config]
Email information and password lookup tool
optional arguments:
-h, --help show this help message and exit
-t USER_TARGETS [USER_TARGETS ...], --targets USER_TARGETS [USER_TARGETS ...]
Either string inputs or files. Supports email pattern
matching from input or file, filepath globing and
multiple arguments
-u USER_URLS [USER_URLS ...], --url USER_URLS [USER_URLS ...]
Either string inputs or files. Supports URL pattern
matching from input or file, filepath globing and
multiple arguments. Parse URLs page for emails.
Requires http:// or https:// in URL.
-q USER_QUERY, --custom-query USER_QUERY
Perform a custom query. Supports username, password,
ip, hash, domain. Performs an implicit "loose" search
when searching locally
--loose Allow loose search by disabling email pattern
recognition. Use spaces as pattern seperators
-c CONFIG_FILE [CONFIG_FILE ...], --config CONFIG_FILE [CONFIG_FILE ...]
Configuration file for API keys. Accepts keys from
Snusbase, WeLeakInfo, Leak-Lookup, HaveIBeenPwned,
Emailrep, Dehashed and hunterio
-o OUTPUT_FILE, --output OUTPUT_FILE
File to write CSV output
-j OUTPUT_JSON, --json OUTPUT_JSON
File to write JSON output
-bc BC_PATH, --breachcomp BC_PATH
Path to the breachcompilation torrent folder. Uses the
query.sh script included in the torrent
-sk, --skip-defaults Skips Scylla and HunterIO check. Ideal for local scans
-k CLI_APIKEYS [CLI_APIKEYS ...], --apikey CLI_APIKEYS [CLI_APIKEYS ...]
Pass config options. Supported format: "K=V,K=V"
-lb LOCAL_BREACH_SRC [LOCAL_BREACH_SRC ...], --local-breach LOCAL_BREACH_SRC [LOCAL_BREACH_SRC ...]
Local cleartext breaches to scan for targets. Uses
multiprocesses, one separate process per file, on
separate worker pool by arguments. Supports file or
folder as input, and filepath globing
-gz LOCAL_GZIP_SRC [LOCAL_GZIP_SRC ...], --gzip LOCAL_GZIP_SRC [LOCAL_GZIP_SRC ...]
Local tar.gz (gzip) compressed breaches to scans for
targets. Uses multiprocesses, one separate process per
file. Supports file or folder as input, and filepath
globing. Looks for 'gz' in filename
-sf, --single-file If breach contains big cleartext or tar.gz files, set
this flag to view the progress bar. Disables
concurrent file searching for stability
-ch [CHASE_LIMIT], --chase [CHASE_LIMIT]
Add related emails from hunter.io to ongoing target
list. Define number of emails per target to chase.
Requires hunter.io private API key if used without
power-chase
--power-chase Add related emails from ALL API services to ongoing
target list. Use with --chase
--hide Only shows the first 4 characters of found passwords
to output. Ideal for demonstrations
--debug Print request debug information
--gen-config, -g Generates a configuration file template in the current
working directory & exits. Will overwrite existing
h8mail_config.ini file
:tangerine: Usage examples
Query for a single target
$ h8mail -t target@example.com
Query for list of targets, indicate config file for API keys, output to pwned_targets.csv
$ h8mail -t targets.txt -c config.ini -o pwned_targets.csv
Query a list of targets against local copy of the Breach Compilation, pass API key for Snusbase from the command line
$ h8mail -t targets.txt -bc ../Downloads/BreachCompilation/ -k "snusbase_token=$snusbase_token"
Query without making API calls against local copy of the Breach Compilation
$ h8mail -t targets.txt -bc ../Downloads/BreachCompilation/ -sk
Search every .gz file for targets found in targets.txt locally, skip default checks
$ h8mail -t targets.txt -gz /tmp/Collection1/ -sk
Check a cleartext dump for target. Add the next 10 related emails to targets to check. Read keys from CLI
$ h8mail -t admin@evilcorp.com -lb /tmp/4k_Combo.txt -ch 10 -k "hunterio=ABCDE123"
Query username. Read keys from CLI
$ h8mail -t JSmith89 -q username -k "dehashed_email=user@email.com" "dehashed_key=ABCDE123"
Query IP. Chase all related targets. Read keys from CLI
$ h8mail -t 42.202.0.42 -q ip -c h8mail_config_priv.ini -ch 2 --power-chase
Fetch URL content (CLI + file). Target all found emails
$ h8mail -u "https://pastebin.com/raw/kQ6WNKqY" "list_of_urls.txt"
:tangerine: Thanks & Credits
- Snusbase for being developer friendly
- kodykinzie for making a nice introduction and walkthrough article and video on installing and using h8mail
- Leak-Lookup for being developer friendly
- Dehashed for being developer friendly
- h8mail's Pypi integration is strongly based on the work of audreyr's CookieCutter PyPackage
- Logo generated using Hatchful by Shopify
- Jake Creps for his h8mail v2 introduction
- Alejandro Caceres for making scylla.so available. Be sure to support him if you can
- IntelX for being developer friendly
- Breachdirectory.tk for being developer friendly
:purple_heart: h8mail can be found in:
:tangerine: Related open source projects
- WhatBreach by Ekultek
- HashBuster by s0md3v
- BaseQuery by g666gle
- LeakLooker by woj-ciech
- buster by sham00n
- Scavenger by ndinfosecguy
- pwndb by davidtavarez
:tangerine: Notes
- Service providers that wish being integrated can send me an email at
k at khast3x dot club
(PGP friendly) - h8mail is maintained on my free time. Feedback and war stories are welcomed.
- Licence is BSD 3 clause
- My code is signed with my Keybase PGP key. You can get it using:
# curl + gpg pro tip: import ktx's keys
curl https://keybase.io/ktx/pgp_keys.asc | gpg --import
# the Keybase app can push to gpg keychain, too
keybase pgp pull ktx
If you wish to stay updated on this project:
<h1 align="center"> <a href="https://twitter.com/kh4st3x"><img src="https://i.imgur.com/S79Nimd.png" width="420" title="Twitter"></a> </h1>