Password Breaches with Docker and h8mail


In this tutorial, we’re going to move downloading and searching operations to the cloud to speed things up.
We’ll achieve this using a torrent downloader container, the h8mail container and a shared volume. For demonstration purposes, we’ll be studying the Breach Compilation.

Getting started

You’ll first need a working Docker environment on a remote server. This can be achieved by:

  • choosing to boot into a ready-made Docker “image” with your cloud service provider
  • installing Docker on a vanilla Ubuntu server.
    Here is the documentation for installing docker on Ubuntu.
    Here is a detailed community tutorial for getting started with Docker on DigitalOcean.

Make sure the server you’re renting has enough storage space for the download. For this tutorial, ~60GB is enough.

To test that everything is working correctly, SSH into your new instance and run this docker “hello-world”:

$ docker run -it hello-world

You should get output like the following:

Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
c1eda109e4da: Pull complete 
Digest: sha256:0e11c388b664df8a27a901dce21eb89f11d8292f7fca1b3e3c4321bf7897bffe
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.
[...]

We’re set for the next steps.


Downloading the breach

We’re first going to launch our torrent container with basic password protection, a volume and a port.

$ docker run -d --name ct -p 3000:3000 -e AUTH='h8admin:h8p4ss' -v dl:/downloads jpillora/cloud-torrent

In case some of you are discovering Docker, here is what each argument does:

Argument             Description
-d                   detached mode: the container keeps running in the background
--name ct            the container is named ct
-p 3000:3000         publish container port 3000 on host port 3000, on every host interface
-e AUTH='user:pass'  HTTP basic-auth credentials for the web UI (the command above uses h8admin:h8p4ss; pick your own)
-v dl:/downloads     mount a named volume called dl at /downloads inside the container; Docker creates the volume if it does not exist yet

Note that -p 3000:3000 makes the web UI reachable from the internet, protected only by basic auth over plain HTTP. If you don’t need that, bind the port to loopback with -p 127.0.0.1:3000:3000 and reach the UI through an SSH tunnel (ssh -L 3000:127.0.0.1:3000 user@your-docker-ip).

Once the command is executed, you can check your running containers with docker ps.

Head over to your browser and navigate to http://your-docker-ip:3000, authenticate and paste the BreachCompilation magnet link.

If unsure of your IP, you can run curl icanhazip.com.

Tip: Since the torrent has a huge directory tree, I suggest you shrink the web interface’s torrent directory list to avoid loading all of it in your browser window.


Volume sharing

We are using a shared volume to allow h8mail to parse the downloaded torrent. You can read more about volumes in the Docker documentation; in short, the -v dl:/downloads argument we passed to the torrent container created a named volume called dl, and any other container that mounts dl sees the same files.
You can view more information about this volume by typing:

$ docker volume inspect dl 

which gives you something like this:

[
    {
        "CreatedAt": "2019-06-07T42:02:30Z",
        "Driver": "local",
        "Labels": null,
        "Mountpoint": "/var/lib/docker/volumes/dl/_data",
        "Name": "dl",
        "Options": null,
        "Scope": "local"
    }
]

You’ll notice the “Mountpoint” path. You can cd to that directory to interact directly with your data.

For the purpose of demonstration we’ll be using the volume through Docker’s abstraction layer, but you know where to find your files on the Docker host.


Searching the breach

Once the BreachCompilation is downloaded, stop and remove the torrent container. docker rm -f both stops it and deletes it; the named volume is not touched, since Docker only deletes a named volume when you explicitly run docker volume rm:

$ docker rm -f ct

At this point, the BreachCompilation torrent lives in the “dl” volume we created & mounted to the torrent download path.

You can check it out by going to the previously mentioned Mountpoint path:

$ docker volume inspect dl
[
    {
        "CreatedAt": "2019-06-07T01:02:30Z",
        "Driver": "local",
        "Labels": null,
        "Mountpoint": "/var/lib/docker/volumes/dl/_data",
        "Name": "dl",
        "Options": null,
        "Scope": "local"
    }
]
$ cd /var/lib/docker/volumes/dl/_data
$ ls -la
total 644
drwxr-xr-x 3 root root    4096 Jun  7 01:02 .
drwxr-xr-x 3 root root    4096 Jun  7 01:00 ..
drwxr-x--- 4 root root    4096 Jun  7 01:27 BreachCompilation

We’re going to run the h8mail image from Docker Hub (kh4st3x00/h8mail), mount the dl volume containing the BreachCompilation, and search for our targets. Here -t is the target, -bc is the path to the BreachCompilation directory inside the container, and -sk skips the default online API lookups so only the local breach compilation is queried (replace target@example.com with your own target):

$ docker run -it -v dl:/dl kh4st3x00/h8mail -t target@example.com -bc /dl/BreachCompilation/ -sk

If all goes well, you’ll be searching through the BreachCompilation torrent like a real cloud ninja.
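The steps above (start the torrent container, wait for the download to land in the shared volume, remove the container, run h8mail) combined into one script. This is an added example, not the post’s or h8mail’s own code. It assumes Docker and the two images named in this tutorial, binds the cloud-torrent UI to loopback so you reach it through an SSH tunnel instead of exposing basic auth over plain HTTP, and treats the download as finished once the BreachCompilation directory in the volume has stopped growing for a minute. The target address and the AUTH value are placeholders; volume_mountpoint uses the -f template form of docker volume inspect rather than reading the JSON by eye.

```shell
#!/bin/sh
# Added example (not from the original post): the tutorial's three steps as one script.
# Assumes Docker, the jpillora/cloud-torrent and kh4st3x00/h8mail images, and that you
# add the magnet link yourself through the web UI; the script waits for the data.

VOLUME="${VOLUME:-dl}"            # named volume shared by both containers
CT_NAME="${CT_NAME:-ct}"          # torrent container name
UI_PORT="${UI_PORT:-3000}"        # host port for the cloud-torrent UI (loopback only)
AUTH="${AUTH:-h8admin:h8p4ss}"    # placeholder; change it, it travels as HTTP basic auth
BC_DIR="BreachCompilation"        # top-level directory the torrent creates

# Where Docker keeps the volume's data on the host: the "Mountpoint" field of
# `docker volume inspect`, fetched with a Go template instead of parsing JSON.
volume_mountpoint() {
  docker volume inspect -f '{{ .Mountpoint }}' "$1"
}

# Start the torrent client with the UI bound to 127.0.0.1 only. Reach it with
#   ssh -L 3000:127.0.0.1:3000 user@server
# and browse to http://127.0.0.1:3000 on your own machine.
start_torrent() {
  docker run -d --name "$CT_NAME" \
    -p "127.0.0.1:${UI_PORT}:3000" \
    -e AUTH="$AUTH" \
    -v "${VOLUME}:/downloads" \
    jpillora/cloud-torrent
}

# Size of a directory tree in KiB, 0 if it does not exist yet.
tree_size_kb() {
  [ -d "$1" ] || { echo 0; return; }
  du -sk "$1" | cut -f1
}

# Succeed once DIR exists and its size has not changed over INTERVAL seconds:
# a cheap "download finished" test before we kill the torrent client.
download_settled() {
  dir=$1; interval=${2:-60}
  before=$(tree_size_kb "$dir")
  sleep "$interval"
  after=$(tree_size_kb "$dir")
  [ "$after" -gt 0 ] && [ "$before" -eq "$after" ]
}

# Block until the download has settled, then stop and remove the container.
# The named volume survives `docker rm -f`; only `docker volume rm` deletes it.
wait_and_stop_torrent() {
  mp=$(volume_mountpoint "$VOLUME")
  until download_settled "$mp/$BC_DIR" 60; do
    echo "waiting for $mp/$BC_DIR to finish downloading..."
  done
  docker rm -f "$CT_NAME"
}

# Mount the same volume into h8mail and query the local breach compilation only.
search_target() {
  docker run --rm -it -v "${VOLUME}:/dl" kh4st3x00/h8mail \
    -t "$1" -bc "/dl/${BC_DIR}/" -sk
}

main() {
  start_torrent
  echo "open http://127.0.0.1:${UI_PORT} through an SSH tunnel and paste the magnet link"
  wait_and_stop_torrent
  search_target "$1"
}

# Only run when a target is given, so the file can also be sourced for its functions:
#   sh breach-search.sh target@example.com
[ -z "${1:-}" ] || main "$@"
```

The size-stability check is deliberately dumb: it knows nothing about the torrent client, it just refuses to run docker rm -f while bytes are still arriving in the volume. If you prefer, watch the cloud-torrent UI instead and call search_target by hand once it reports 100%.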

Done.

[Animation: Searching the BreachCompilation using a shared docker volume with the torrent-downloader container]


Downloading files instead of torrents

This also works with generic files.

You can use JDownloader as a Docker image, and share its volume with h8mail.

More advanced but worth looking into, you can also use aria2 with a Web UI, and share the download volume with h8mail.


Closing remarks

Using the cloud to move around those large datasets is increasingly necessary.

You can find free hosting tiers with most cloud providers.
Be sure to get comfortable with cloud services, as these skills will definitely boost your scope of actions.

If you’re looking for more offensive deployments using Docker, be sure to check my other project: Redcloud.
It contains more than 30 offensive templates to deploy, and a comfy UI to manage them!

Finally, this is meant to help infosec students and professionals educate themselves and their peers on credential leaks.

Thank you for reading through, I hope you enjoyed it.
If that’s the case, be sure to support the project by sharing this page!

