
How to find the password of hacked email addresses using OSINT

https://youtu.be/JAjVwf5NEOk

Open-source intelligence or OSINT is a potent technique, and it can give a lot of valuable information, if implemented correctly with the right strategy and correct tools. In this article, I will show you how a hacker can get passwords of thousands of email addresses without attacking the webserver or without using any other hacking technique; but, just using the power of OSINT.

You can implement all the techniques discussed in this article manually; however, to enhance the operation and to maximize the result, we will utilize Maltego along with a web service called Have I been Pwned?

Access the Hacked Passwords Systematically

Blackhat hackers usually post and publish data after hacking a webserver; for example, they dumped Linkedin hacked accounts and others. Let’s just fetch all this valuable information smartly. Tools used in this article:

  • theHarvester
  • Maltego
  • Have I been Pwned

I have discussed the configuration of Maltego with Have I been Pwned before, so let’s skip that part here.

Step 1: Getting email addresses using the email harvesting tool, theHarvester

As a starting point, let’s search Google for email addresses using the theHarvester tool.

# theHarvester -d hotmail.com -b google


You can use any organization’s domain, or any other specific target if you have one. A basic search gave us plenty of information (54 email addresses) to begin with. Let’s copy a few of them into a CSV file and import them into Maltego for further analysis. The reason for copying only a few is to keep the operation manageable: in Maltego, even a handful of email addresses produces a massive web of connections.

Step 2: Importing the Data into Maltego for further analysis


I am selecting the manual option, since there is no previous connection.

Step 3: Find the breaches where the target email addresses appeared

Select all the email addresses (I have imported only 11 of them) and run the Have I been Pwned transform to check whether the target email addresses have been part of a breach before. If an address is not part of any breach, just drop it; it’s of no use.


There we can see that many of the email addresses appeared in many breaches. I dropped two of the 11 email addresses because they did not appear in any breach. Remember that we are just gathering information, not hacking or directly attacking any server; so, if an email address has never appeared in a breach, it won’t be beneficial for us.
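The same triage, done from the defender’s side: an organization that wants to know which of its own mailboxes appear in published breaches can query the Have I been Pwned API directly and keep only the affected addresses, exactly the filtering step described above. This is an added example, not the Maltego transform the article uses. It assumes the HIBP v3 endpoint `GET https://haveibeenpwned.com/api/v3/breachedaccount/{account}` answers 200 with a JSON array of breach objects (each carrying a "Name") and 404 when the address is in no breach; the API key, user-agent string and the address list are placeholders or constructed sample data, not values from the article.

```python
"""Breach triage for an organization's own mailboxes via the Have I Been Pwned
v3 API. Added example, not code from the article or from Maltego/HIBP.

Assumptions (not from the article): HIBP v3 returns HTTP 200 plus a JSON
array of breach objects (each with a "Name") for a breached address, and
HTTP 404 for an address that appears in no breach. API key, user-agent and
sample addresses below are placeholders / constructed data.
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

HIBP_API_KEY = "<your-hibp-api-key>"  # placeholder; the endpoint requires a key
USER_AGENT = "breach-triage-example"    # hypothetical name for this script

# A lookup maps an address to (http_status, response_body).
Lookup = Callable[[str], Tuple[int, str]]


def hibp_lookup(account: str) -> Tuple[int, str]:
    """Query HIBP v3 for one address. Network call, not exercised offline."""
    url = ("https://haveibeenpwned.com/api/v3/breachedaccount/"
           + urllib.parse.quote(account) + "?truncateResponse=true")
    req = urllib.request.Request(url, headers={
        "hibp-api-key": HIBP_API_KEY,
        "user-agent": USER_AGENT,
    })
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        # 404 = not in any breach; 429 = rate limited; both are reported by status
        return err.code, err.read().decode()


def breach_names(status: int, body: str) -> Optional[List[str]]:
    """Translate one HIBP response into breach names.
    [] means 'not in any breach' (404); None means the answer is unknown
    (rate limit or server error) so the caller can retry later."""
    if status == 404:
        return []
    if status != 200:
        return None
    return sorted(item["Name"] for item in json.loads(body))


def triage(accounts: List[str], lookup: Lookup = hibp_lookup,
           pause: float = 1.6) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return ({address: [breach names]} for affected addresses, [addresses
    to retry]). Addresses in no breach are dropped, as in the article."""
    affected: Dict[str, List[str]] = {}
    retry: List[str] = []
    for account in accounts:
        names = breach_names(*lookup(account))
        if names is None:
            retry.append(account)      # keep unknowns visible, never silently drop
        elif names:
            affected[account] = names
        if lookup is hibp_lookup:
            time.sleep(pause)          # stay under the service's rate limit
    return affected, retry


# Constructed sample responses so the example runs offline.
SAMPLE_RESPONSES: Dict[str, Tuple[int, str]] = {
    "alice@example.com": (200, '[{"Name": "ExampleBreachA"}, {"Name": "ExampleBreachB"}]'),
    "bob@example.com":   (404, ""),
    "carol@example.com": (429, '{"statusCode": 429}'),
}


def sample_lookup(account: str) -> Tuple[int, str]:
    return SAMPLE_RESPONSES.get(account, (404, ""))


if __name__ == "__main__":
    affected, retry = triage(list(SAMPLE_RESPONSES), lookup=sample_lookup)
    for addr, names in affected.items():
        print(f"{addr}: {', '.join(names)}")   # notify these users (Step 5)
    print("retry later:", retry)
```

Run it as-is to see the offline sample; swap `sample_lookup` for the default `hibp_lookup` (with a real key) to check a real address list. The affected list is what Step 5 needs: the addresses whose owners should be told to change their passwords.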

Step 4: Find the Plain Text Passwords of the Hacked Email addresses

The most common practice in the industry is to paste or dump the details of hacked email addresses into Pastebin, a website where you can store text for a specific period. This time, let’s execute the second transform:

Each email address appears in many Pastebin texts.

Open any Pastebin URL and analyze the data.

Wahoo, very recent data with the plain text password, the email account, and the expiry date of a particular subscription; the blackhat guys use this information to demand a ransom. An ordinary person does not know that someone has published his confidential information online.
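A defender does not need to read pastes to learn whether a credential is already in circulation: Have I been Pwned’s Pwned Passwords range API lets you check a password against the breach corpus without sending the password, or even its full hash, to the service (only the first five hex characters of its SHA-1 leave the machine, and the service returns every matching suffix). This is an added example, not code from the article. It assumes the endpoint `GET https://api.pwnedpasswords.com/range/{prefix}` returns lines of the form `<35-char hash suffix>:<count>`; the sample range body and its counts are constructed, not real service output.

```python
"""Check a password against the Pwned Passwords corpus with the k-anonymity
range API, never transmitting the password itself. Added example, not code
from the article.

Assumption (not from the article): GET https://api.pwnedpasswords.com/range/{prefix}
takes the first 5 uppercase hex chars of the password's SHA-1 and returns
lines "<35-char suffix>:<count>". The sample range body below is constructed.
"""
import hashlib
import urllib.request
from typing import Callable, Tuple


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(range_body: str, suffix: str) -> int:
    """Parse a range response and return how many times the full hash was
    seen in the corpus (0 if our suffix is not in the returned set)."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Network call; not exercised offline."""
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"user-agent": "pwned-check-example"},  # hypothetical UA string
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode()


def pwned_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """How often this password appears in the corpus; 0 means not found.
    The password and its full hash never leave this process."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(fetch(prefix), suffix)


# Constructed sample range body for prefix 5BAA6 (the SHA-1 of "password"
# begins with 5BAA6). Suffixes other than the real one and all counts are
# made up for this example.
SAMPLE_RANGE_5BAA6 = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "1E2AAA439972480CEC7F16C795BBB429372:2",
])

if __name__ == "__main__":
    n = pwned_count("password", fetch=lambda prefix: SAMPLE_RANGE_5BAA6)
    print("seen", n, "times in the sample corpus")
```

Replace the lambda with the default `fetch_range` to query the live service. A non-zero count is the signal a password policy or a reset campaign should act on; the service never learns which password was checked, only its 5-character hash prefix.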

Step 5: Try to report it to the authority

Being a responsible cybersecurity professional, you should inform the relevant authority, or at least make sure that the hacked website or service notifies all its members to change their passwords.

Endnote

As you can see, this is the power of open-source intelligence gathering (OSINT), and we started with just random email addresses acquired from a Google search. Imagine what a malicious person with evil intent can do with an OSINT investigation against a specific target, say an organization, to collect employee details and possible passwords. Once the evil person has a password, he can dig further into the organization’s confidential information, or send his malware and backdoor to compromise the entire organization. We have covered a similar story; you should check it out.
