How To: Exploit Recycled Credentials with H8mail to Break into User Accounts

Many online users worry about their accounts being breached by some master hacker, but the more likely scenario is falling victim to a bot written to use leaked passwords in data breaches from companies like LinkedIn, MySpace, and Tumblr. For instance, a tool called H8mail can search through over 1 billion leaked credentials to discover passwords that might still be in use today.

How Your Password Ends Up in a Data Breach

Data breaches frequently make headlines, but it's often not apparent to the users impacted how this puts them at risk. Breaches are not all the same and can contain anything from credit reports to a simple email address. The information in a breach can also be stored in different ways, with the worst-case scenario being passwords stored in cleartext.

The most common alternative to cleartext is storing the information as plaintext in a more secure form like a hash. Unfortunately, a hash does not solve the problem, because many hashes themselves can be brute-forced. Password breaches involving passwords hashed with SHA-1 can still reveal plaintext passwords if they're common or easy-to-guess passwords.

Hackers take advantage of these issues by buying and selling lists of stolen user details, with credit card numbers and passwords at the top of the list. Over time, many of the most-traded lists become publicly known.

• Don't Miss: Use Leaked Password Databases to Create Brute-Force Wordlists

In one instance, a colossal aggregate file called the "Breach Compilatio" was discovered to hold 1.4 billion credentials from various company data breaches. Once leaked to the internet, its aggregated credentials database provided the foundation for widescreen exploitation of accounts belonging to the accounts of users who reuse passwords between accounts.

Attacking Recycled Credentials with H8mail

H8mail is a tool for finding plaintext passwords from this massive data breach using only a person's email. This is most useful when combined with OSINT tactics like finding all the email addresses in an organization using tools like TheHarvester, then feeding the resulting list into H8mail. I found this to be extremely effective at finding plaintext passwords for at least one person in a large organization, and the passwords tended to be terrible.

• Don't Miss: Scrape Target Email Addresses with TheHarvester

root@nickles:~/h8mail# python3 h8mail.py -t XXXXXXXXX@gmail.com -bc '/media/root/R3DL34D3R/BreachCompilation'  --local

        ._____. ._____.     ;___________;
        | ._. | | ._. |     ; h8mail.py ;
        | |_| |_|_|_| |     ;-----------;
        |___| |_______|  Heartfelt Email OSINT
        .___|_|_| |___.   Use responsibly etc
        | ._____| |_. | ;____________________;
        | |_| | | |_| | ; github.com/khast3x ;
        |_____| |_____| ;--------------------;

 Targets
----------

=> XXXXXXXXX@gmail.com

 Result XXXXXXXXX@gmail.com
-----------------------------

=> breached ✓
---
Breaches found HIBP: 0
Breaches found breachcompilation: 12
Target hostname: gmail.com

---
breachcompilation passwords: ssa123 123456789 18796-0em 1882564 3982262 6 6,91459E+11 asdf1234 jhedgeland kelly23 qwasqw12 rjyatnf777
-------------------------------

✓ Done

The passwords stored in the database may be somewhat skewed towards bad passwords because data dumps with hashed passwords would likely still contain many passwords too strong to be easily brute-forced. Because of this, most of the email and password pairs extracted from hashed data breaches tend to be the absolute worst passwords.

What You'll Need

To use a tool like H8mail, we'll need the tool itself, and a data source. One perfectly acceptable way of using H8mail is to connect it to an API, but another is to download the entire breach compilation file and configure H8mail to search it locally.

As I mentioned previously, the breach compilation database is 1.4 billion credentials organized into a list with no duplicated passwords and split into folders that make it easy and fast to search through. This database also forms the core of the Have I Been Pwned database, although that service merely lets you know a breach has occurred on that email address and what the source of the breach is.

Before we start, we'll need to have Python3 installed and be ready to install some prerequisites. I recommend using Kali Linux, and make sure to run apt get update to update your system before starting. If you don't, it could cause problems later in the installation.

Step 1: Download H8mail & Data Sources

After navigating to the GitHub repository, clone the repository with the following command.

git clone https://github.com/khast3x/h8mail.git

You'll need NodeJS installed for H8mail to work properly, so install it by typing the following in a terminal window.

apt-get install nodejs

Next, you'll need to change the directory to the one just downloaded, and then install the requirements with pip. I recommend using pip3, as pip3 did work for me while pip did not. To do so, type the following into a terminal window and wait for the requirements to finish installing.

cd h8mail
pip3 install -r requirements.txt

Once the prerequisites are taken care of, you can run h8mail.py to see the options available. From inside the h8mail folder downloaded, run the Python script with the following command, which will bring up the help menu. Here, you'll see the options available in H8mail.

python3 ./h8mail.py -h

python3 h8mail.py -h
usage: h8mail.py -h -t TARGET_EMAILS -c CONFIG_FILE -o OUTPUT_FILE
-bc BC_PATH -v -l -k CLI_APIKEYS

Email information and password finding tool

optional arguments:
-h, --help show this help message and exit
-t TARGET_EMAILS, --targets TARGET_EMAILS
Either single email, or file (one email per line).
REGEXP
-c CONFIG_FILE, --config CONFIG_FILE
Configuration file for API keys
-o OUTPUT_FILE, --output OUTPUT_FILE
File to write output
-bc BC_PATH, --breachcomp BC_PATH
Path to the breachcompilation Torrent.
[https://ghostbin.com/paste/2cbdn ]
-v, --verbose Show debug information
-l, --local Run local actions only
-k CLI_APIKEYS, --apikey CLI_APIKEYS
Pass config options. Format is "K:V,K:V"

Step 2: Use H8mail Against a Single Email

We'll be using the local option, which means downloading the breach compilation for this demonstration. If you prefer to use the API option, you'll need to follow the instructions on GitHub for adding the API keys for whatever service you wish to use.

Downloading the breach compilation is relatively easy to do and only took one Google search and torrenting a 44 GB magnet file. I won't link to the file directly, but any hacker worth their salt can find the breach compilation available from public sources. Once you have the breach compilation file, a basic search can be conducted by using the following string.

python3 h8mail.py -t email@tosearch.com -bc 'location_of_your_file/BreachCompilation' --local

This calls Python3 to execute h8mail.py, with the arguments set for targeting email@tosearch.com as the email for searching, bc for breach compilation, and then the location of the breach compilation folder on your computer with --local at the end to denote that the files are saved locally. With this command, you can check any email address you want. If you get a hit, it looks like this:

Targets
----------

=> aquaunitpatrolsquad@gmail.com

Result aquaunitpatrolsquad@gmail.com
---------------------------

=> breached ✓
---
Breaches found HIBP: 0
Breaches found breachcompilation: 1
Target hostname: gmail.com

---
breachcompilation passwords: handbanana tonight...you
-------------------------------

✓ Done

Step 3: Search for Passwords from Groups of Email Accounts

Now that you can search for individual accounts, let's combine what you've learned in previous guides to search for all the emails you can find for an organization. For my example, I'm using priceline.com. First, we'll use TheHarvester to gather email addresses from the priceline.com domain.

• Don't Miss: Use the Buscador OSINT VM for Conducting Online Investigations

For whatever reason, a sizable number of Priceline employees use PGP, so running TheHarvester against the PGP keyserver gave me enough email addresses to create a sizable list of company email addresses.

theharvester -d priceline.com -l 1000 -b pgp

After copying the list that is returned, you can create a target file by typing the following and then pasting the found emails into the text editor that opens.

nano targets.txt

Once you've done this, type Ctrl-X and select Y to save your changes, then you can run H8mail against all the emails in your target list at once. To do so, use the following command.

python3 h8mail.py -t '/root/h8mail/targets.txt' -bc '~/BreachCompilation' --local

The command may take some time to complete. When it's done, you're likely to find at least some breached passwords from the list of employee emails. Stunningly, we didn't find any from the Priceline list, but if I did, I probably wouldn't be able to publish the results anyway.

These examples are just the start of what you can do with H8mail, and you can use your imagination to think of how being able to search for passwords belonging to long lists of people's email addresses might be useful.

Password Recycling Is the Biggest Threat to the Average User

Now that we've demonstrated how easy it is to use a list of organizational email addresses to search for password breaches, it's easy to see how important it is not to reuse passwords between websites. The biggest cause for concern is that some of your online accounts may use the same old passwords that have been breached already, opening you up to the risk of bots armed with your email address and an old password taking control of your online accounts.

• Don't Miss: Use Google's Advanced Protection Program for Extra Security

The best way to protect against this vulnerability is to use strong, unique passwords for each website. This also means not using patterns that are predictable, because often there are multiple breached passwords for a single email address, meaning a hacker will know if there is an obvious pattern to your passwords.

Password managers like LastPass can help create and store strong passwords, and the ultimate way of defending against these attacks is two-factor authentication, preferably with a hardware key. By using a FIDO security key, any device wanting to log into your account and knowing your password will still need the physical key to log in, making the password the attacker has much less useful.

You can set up two-factor authentication on most online accounts, and I highly recommend doing so if you've been guilty of the bad habit of reusing passwords. Between two-factor authentication and using password managers to maintain and remember strong, unique passwords, the average user can reduce their risk substantially against this kind of attack.

I hope you enjoyed this guide to using H8mail to find breached passwords belonging to a targeted email! If you have any questions about this tutorial on H8mail or you have a comment, feel free to reach me in the comments below or on Twitter @KodyKinzie.

• Follow Null Byte on Twitter, Flipboard, and YouTube
• Sign up for Null Byte's weekly newsletter
• Follow WonderHowTo on Facebook, Twitter, Pinterest, and Flipboard