Open-source intelligence (OSINT) is a potent technique that can yield a lot of valuable information when it is applied with the right strategy and the right tools. In this article, I will show you how a hacker can get the passwords of thousands of email addresses without attacking the web server or using any other hacking technique, just by using the power of OSINT.
You can carry out all the techniques discussed in this article manually; however, to speed up the operation and maximize the result, we will use Maltego along with a web service called Have I Been Pwned?
Blackhat hackers usually publish data after hacking a web server; for example, they dumped hacked LinkedIn accounts and others. Let’s fetch all this valuable information smartly. Tools used in this article:
I have discussed the configuration of Maltego with Have I Been Pwned before, so let’s skip this part.
As a starting point, let’s search Google for email addresses using theHarvester tool.
# theHarvester -d hotmail.com -b google
You can use any organization’s domain or any other specific target, if you have one. A basic search gave us plenty of information (54 email addresses) to begin with. Let’s copy a few of them into a CSV file and import them into Maltego for further analysis. The reason for copying only a few is to keep the operation manageable: in Maltego, even a few email addresses produce a massive graph of connections.
I am selecting the manual option, so there are no previous connections.
Select all the email addresses (I have only imported 11 of them) and run the Have I Been Pwned transform to check whether the target email addresses have been hacked before. If an address is not part of any breach, just drop it; it’s of no use.
There we can see that many of the email addresses appeared in many breaches. I dropped two of the 11 email addresses because they did not appear in any breach. Remember that we are just gathering information, not hacking or directly attacking any server; so, if an email address has not been hacked before, it won’t be useful to us.
The most common practice in the industry is to paste or dump the details of hacked email addresses onto Pastebin, a website where you can store text for a specific time. This time, let’s execute the second transform:
Each email address appears in many Pastebin pastes.
Open any Pastebin URL and analyze the data.
Wahoo, very recent data with the plain-text password, email account, and expiry date of a particular subscription. The blackhat guys use this information to demand a ransom. An ordinary person does not know that someone has published his confidential information online.
As a responsible cybersecurity professional, you should inform the authorities, or at least make sure that the hacked website or service notifies all its members to change their passwords.
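For the notification step above, a defender needs a list of affected accounts and a copy of the paste that can be shared without spreading the passwords. The following is an added example, not part of the original article; the paste layout, the sample data, and the function names `triage_paste` and `redact` are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample paste (not real data): "email:password | expiry" lines.
SAMPLE_PASTE = """\
alice@example.com:Summer2019! | Expires: 2020-01-31
bob@example.com:hunter2 | Expires: 2019-12-01
carol@other.test:qwerty | Expires: 2020-03-15
ALICE@example.com:Summer2019! | Expires: 2020-01-31
not a credential line
"""

# An email address, a separator (: ; or |), then a non-empty secret.
CRED_RE = re.compile(
    r"(?P<email>[A-Za-z0-9._%+-]+@(?P<domain>[A-Za-z0-9.-]+\.[A-Za-z]{2,}))"
    r"\s*[:;|]\s*(?P<secret>\S+)"
)

def triage_paste(text, own_domains):
    """Return {email: [line numbers]} for own-domain accounts exposed with a secret.

    The secret is matched only to confirm exposure; it is never stored or returned.
    """
    own = {d.lower() for d in own_domains}
    hits = defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = CRED_RE.search(line)
        if m and m.group("domain").lower() in own:
            hits[m.group("email").lower()].append(lineno)
    return dict(hits)

def redact(text):
    """Replace every matched secret with a fixed marker so the paste can be
    attached to a ticket or notification without spreading the passwords."""
    return CRED_RE.sub(lambda m: f"{m.group('email')}:[REDACTED]", text)

if __name__ == "__main__":
    for email, lines in triage_paste(SAMPLE_PASTE, ["example.com"]).items():
        print(f"force reset: {email} (paste lines {lines})")
    print(redact(SAMPLE_PASTE))
```

Addresses are lower-cased before grouping, so the same account listed with different capitalization produces one reset entry rather than two.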
As you can see, open-source intelligence (OSINT) gathering is powerful, and we started with just a random email address acquired from a Google search. Imagine that a malicious person with evil intent runs an OSINT investigation against a specific target, let’s say an organization, to check employee details and possible passwords. Once the evil person has a password, he can dig further into the organization’s confidential information, or he can send his malware and backdoor to hack the entire organization. We have covered a similar story; you should check this out.
Industrial Cybersecurity
September 28, 2023