h8mail is an email OSINT and breach hunting tool using different breach and reconnaissance services, or local breaches such as Troy Hunt's "Collection1" and the infamous "Breach Compilation" torrent.
- π Email pattern matching (reg exp), useful for reading from other tool outputs
- π Pass URLs to directly find and target emails in pages
- π« Loosey patterns for local searchs ("john.smith", "evilcorp")
- π¦ Painless install. Available through pip, only requiresrequests
- β Bulk file-reading for targeting
- π Output to CSV file
- πͺ Compatible with the "Breach Compilation" torrent scripts
- π  Search cleartext and compressed .gz files locally using multiprocessing
- π Compatible with "Collection#1"
 
- π₯ Get related emails
- π² Chase related emails by adding them to the ongoing search
- π Supports premium lookup services for advanced users
- π Custom query premium APIs. Supports username, hash, ip, domain and password and more
- π Regroup breach results for all targets and methods
- π Includes option to hide passwords for demonstrations
- π Delicious colors
| Service | Functions | Status | 
|---|---|---|
| HaveIBeenPwned(v3) | Number of email breaches | β π | 
| HaveIBeenPwned Pastes(v3) | URLs of text files mentioning targets | β π | 
| Hunter.io - Public | Number of related emails | β | 
| Hunter.io - Service (free tier) | Cleartext related emails, Chasing | β π | 
| Snusbase - Service | Cleartext passwords, hashs and salts, usernames, IPs - Fast β‘ | β π | 
| Leak-Lookup - Public | Number of search-able breach results | β (π) | 
| Leak-Lookup - Service | Cleartext passwords, hashs and salts, usernames, IPs, domain | β π | 
| Emailrep.io - Service (free) | Last seen in breaches, social media profiles | β π | 
| Scylla.sh - Service (free) | Cleartext passwords, hashs and salts, usernames, IPs, domain | β | 
| Dehashed.sh - Service | Cleartext passwords, hashs and salts, usernames, IPs, domain | π§ π | 
| π IntelX.io - Service (free trial) | Cleartext passwords, hashs and salts, usernames, IPs, domain, Bitcoin Wallets, IBAN | β π | 
π - API key required
usage: h8mail [-h] [-t USER_TARGETS [USER_TARGETS ...]]
              [-u USER_URLS [USER_URLS ...]] [-q USER_QUERY] [--loose]
              [-c CONFIG_FILE [CONFIG_FILE ...]] [-o OUTPUT_FILE]
              [-bc BC_PATH] [-sk] [-k CLI_APIKEYS [CLI_APIKEYS ...]]
              [-lb LOCAL_BREACH_SRC [LOCAL_BREACH_SRC ...]]
              [-gz LOCAL_GZIP_SRC [LOCAL_GZIP_SRC ...]] [-sf]
              [-ch [CHASE_LIMIT]] [--power-chase] [--hide] [--debug]
              [--gen-config]
              
Email information and password lookup tool
optional arguments:
  -h, --help            show this help message and exit
  -t USER_TARGETS [USER_TARGETS ...], --targets USER_TARGETS [USER_TARGETS ...]
                        Either string inputs or files. Supports email pattern
                        matching from input or file, filepath globing and
                        multiple arguments
  -u USER_URLS [USER_URLS ...], --url USER_URLS [USER_URLS ...]
                        Either string inputs or files. Supports URL pattern
                        matching from input or file, filepath globing and
                        multiple arguments. Parse URLs page for emails.
                        Requires http:// or https:// in URL.
  -q USER_QUERY, --custom-query USER_QUERY
                        Perform a custom query. Supports username, password,
                        ip, hash, domain. Performs an implicit "loose" search
                        when searching locally
  --loose               Allow loose search by disabling email pattern
                        recognition. Use spaces as pattern seperators
  -c CONFIG_FILE [CONFIG_FILE ...], --config CONFIG_FILE [CONFIG_FILE ...]
                        Configuration file for API keys. Accepts keys from
                        Snusbase, WeLeakInfo, Leak-Lookup, HaveIBeenPwned,
                        Emailrep, Dehashed and hunterio
  -o OUTPUT_FILE, --output OUTPUT_FILE
                        File to write CSV output
  -bc BC_PATH, --breachcomp BC_PATH
                        Path to the breachcompilation torrent folder. Uses the
                        query.sh script included in the torrent
  -sk, --skip-defaults  Skips HaveIBeenPwned and HunterIO check. Ideal for
                        local scans
  -k CLI_APIKEYS [CLI_APIKEYS ...], --apikey CLI_APIKEYS [CLI_APIKEYS ...]
                        Pass config options. Supported format: "K=V,K=V"
  -lb LOCAL_BREACH_SRC [LOCAL_BREACH_SRC ...], --local-breach LOCAL_BREACH_SRC [LOCAL_BREACH_SRC ...]
                        Local cleartext breaches to scan for targets. Uses
                        multiprocesses, one separate process per file, on
                        separate worker pool by arguments. Supports file or
                        folder as input, and filepath globing
  -gz LOCAL_GZIP_SRC [LOCAL_GZIP_SRC ...], --gzip LOCAL_GZIP_SRC [LOCAL_GZIP_SRC ...]
                        Local tar.gz (gzip) compressed breaches to scans for
                        targets. Uses multiprocesses, one separate process per
                        file. Supports file or folder as input, and filepath
                        globing. Looks for 'gz' in filename
  -sf, --single-file    If breach contains big cleartext or tar.gz files, set
                        this flag to view the progress bar. Disables
                        concurrent file searching for stability
  -ch [CHASE_LIMIT], --chase [CHASE_LIMIT]
                        Add related emails from hunter.io to ongoing target
                        list. Define number of emails per target to chase.
                        Requires hunter.io private API key if used without
                        power-chase
  --power-chase         Add related emails from ALL API services to ongoing
                        target list. Use with --chase
  --hide                Only shows the first 4 characters of found passwords
                        to output. Ideal for demonstrations
  --debug               Print request debug information
  --gen-config, -g      Generates a configuration file template in the current
                        working directory & exits. Will overwrite existing
                        h8mail_config.ini file$ h8mail -t [email protected]$ h8mail -t targets.txt -c config.ini -o pwned_targets.csvQuery a list of targets against local copy of the Breach Compilation, pass API keys for Snusbase from the command line
$ h8mail -t targets.txt -bc ../Downloads/BreachCompilation/ -k "snusbase_url=$snusbase_url,snusbase_token=$snusbase_token"$ h8mail -t targets.txt -bc ../Downloads/BreachCompilation/ -sk$ h8mail -t targets.txt -gz /tmp/Collection1/ -skCheck a cleartext dump for target. Add the next 10 related emails to targets to check. Read keys from CLI
$ h8mail -t [email protected] -lb /tmp/4k_Combo.txt -ch 10 -k "hunterio=ABCDE123"$ h8mail -t JSmith89 -q username -k "[email protected]" "dehashed_key=ABCDE123"$ h8mail -t 42.202.0.42 -q ip -c h8mail_config_priv.ini -ch 2 --power-chase$ h8mail -u "https://pastebin.com/raw/kQ6WNKqY" "list_of_urls.txt"- Snusbase for being developer friendly
- kodykinzie for making a nice introduction and walkthrough article and video on installing and using h8mail
- Leak-Lookup for being developer friendly
- WeLeakInfo for being developer friendly
- h8mail's Pypi integration is strongly based on the work of audreyr's CookieCutter PyPackage
- Logo generated using Hatchful by Shopify
- Jake Creps for his h8mail v2 introduction
- Alejandro Caceres for making scylla.sh available. Be sure to support him if you can
- IntelX for being developer friendly
π h8mail can be found in:
- WhatBreach by Ekultek
- HashBuster by s0md3v
- BaseQuery by g666gle
- LeakLooker by woj-ciech
- buster by sham00n
- Scavenger by ndinfosecguy
- pwndb by davidtavarez
- Service providers that wish being integrated can send me an email at k at khast3x dot club(PGP friendly)
- h8mail is maintained on my free time. Feedback and war stories are welcomed.
- Licence is BSD 3 clause
- My code is signed with my Keybase PGP key. You can get it using:
# curl + gpg pro tip: import ktx's keys
curl https://keybase.io/ktx/pgp_keys.asc | gpg --import
# the Keybase app can push to gpg keychain, too
keybase pgp pull ktxIf you wish to stay updated on this project: