Welcome back, my aspiring OSINT Investigators!
In the course of OSINT or forensic investigations, there are often times when you will need an email password of the subject of your investigation. In a security assessment or pentest, you may want to check to see whether you can obtain the passwords of users in the target organization. Nearly everyday, another data breach takes place and those email addresses and other credentials are sold and exchanged on the dark web. If you can obtain those credentials, it will likely make your job much easier.
In previous tutorials, we have demonstrated a number of tools for finding breached email addresses and passwords including h8mail. In this tutorial, we will look at what may be the best tool for finding breached emails, passwords and other credentials, www.dehashed.com.
Step #1: Open a Browser and Navigate to www.dehashed.com
Open a browser and go to www.dehashed.com. Like many other sites such as haveIbeenpwned.com, dehashed collects emails and credentials from data dumps on the dark web that have been compromised by hackers. Unlike those other sites, dehashed provides you all the credentials for a particular email address from the various dumps.
For instance, as part of a forensics investigation of a scammer Instagram account (a legitimate IG account was taken over and used to scam men out of their money), I found the email address that the scammers were using, a.rushubirwa@gmail.com (Note: this was the account the scammers were using, but actually belongs to another person and had been taken over by the scammers). From there, I entered the email address into dehashed.com .
Dehashed finds that the email address appeared in at least 3 data dumps. When we click on one of the dumps, dehashed tells us that we need a subscription to get the passwords or password hashes or other info.
Dehashed is relatively inexpensive and if you are working as an investigator or pentester, its simply a small cost for some key info.
Now that we have subscribed and logged into account, we do the search again. This time when we click on one of the dumps, the hashed password is revealed.
From there, we can then attempt to crack the hash using sites such as;
and
or use such hash cracking tools as John the Ripper or hashcat.
In some cases, the data dumps include other key information. In this dump, the account name, username and IP address are revealed.
This dump from Mathway, included names, Google and Facebook ID's, email addresses, salted hashes and IP addresses.
Step #2: Try Another Email
Let's now try another. This one belongs to a colleague, Mick Scott. His email address, as you might expect, is mick.scott@gmail.com. When we enter it into dehashed, it returns numerous results. When we click on the first result from a data dump of CouponMom.com from 2014, we can see that his password was dumped in plaintext "redinuzi17".
Other dumps reveal another password "fender8".
In another dump, his password was dumped as a hash.
Of course, the user is probably no longer using these passwords but human beings--as we know--tend to use a version of their old passwords. That is where tools such as crunch are so useful in creating variations of a password.
Summary
Whether you are doing an OSINT investigation or a penetration test, finding the credentials of your target can be critical to your success. Although a number of tools are available for obtaining breached credentials from data dumps, dehashed.com may be the best and fastest. Although it is not free, it is inexpensive and may very well be a good investment if you are working as an investigator or information security assessor/pentester.
