To jump to the important parts, look for the small blue diamonds 🔹
In early February, a massive credential dump titled COMB (Combination Of Many Breaches) started leaking on several forums.
To quote the news:
On Tuesday, February 2, COMB was leaked on a popular hacking forum. It contains billions of user credentials from past leaks from Netflix, LinkedIn, Exploit.in, Bitcoin and more. This leak is comparable to the Breach Compilation of 2017, in which 1.4 billion credentials were leaked. (Source)
The COMB contains the same
query.sh script as in the first Breach Compilation back in 2017, which h8mail knows how to leverage 🔍.
In this blog post, we’ll be looking into using the COMB with h8mail.
💡 Advanced users, you can use a VPS with Docker to download the COMB faster and use a h8mail container to search through it, similar to this previous blog post.
query.sh script is in bash, you’ll need to be on a UNIX system or using WSL for Window.
You’ll need the original COMB 7zip archive, and to have h8mail installed.
Launch h8mail with bash if you’re having issues, as the query script uses a BASH environment variable.
The original COMB archive is encrypted, so we’re going to decrypt and extract it.
🔹 Once you’re in the same directory as the downloaded archive, run the following:
# > bash # > apt install p7zip-full > 7z x CompilationOfManyBreaches.7z -p"+w/P3PRqQQoJ6g" > ls -la CompilationOfManyBreaches/ total 24 drwx------ 3 root root 4096 Feb 4 15:13 . drwxr-xr-x 3 root root 4096 Feb 17 03:07 .. -rw-r--r-- 1 root root 472 Apr 5 2020 count_total.sh drwx------ 30 root root 4096 Feb 16 2019 data -rwxr--r-- 1 root root 1066 Apr 5 2020 query.sh -rw-r--r-- 1 root root 1718 Apr 5 2020 sorter.sh
query.sh script should be at the root of the extracted archive as show above.
OSX users might want to look into replacing the default
query.sh script with an OSX friendly version. Make sure you rename it to
query.sh to replace the original script. - Thanks sumgr0!
query.sh script is meant to be used with emails, we’ll look into the domain and password search further down.
🔹 To search for emails, run the following:
> h8mail -t [email protected] -sk -bc ./CompilationOfManyBreaches/
-skparam tells h8mail to skip online checks using scylla.so and hunter.io.
-bcparam tells h8mail where to find the breach compilation
🔹 We can also use files with emails as targets (h8mail will look for email patterns):
> h8mail -t targets.txt -sk -bc ./CompilationOfManyBreaches/
Targeting passwords and domains
query.sh script only handles searching for strings that are the first part of the combo.
To search for passwords and domains, we’ll use h8mail’s integrated file search, which uses multiprocessing to speed up the search. Since the breach is about 20GB, it will still take some time. On an ARM CPU, it takes about 3:30:00 for all the data to be processed.
We replace the previous
-bc param with
-lb, and add
🔹 To search for patterns such as domain names or passwords, run the following:
> h8mail -t example.com fcorp.com -sk -lb ./CompilationOfManyBreaches/ --loose > h8mail -t "Yourefired" "[email protected]" -sk -lb ./CompilationOfManyBreaches/ --loose
-lbparam tells h8mail to perform a standard local breach search using multiprocessing.
--looseparam tells h8mail to accept any type of input, instead of enforcing the email pattern.
🔹 We can also use files with patterns as targets (one per line):
> h8mail -t target_domains.txt -sk -lb ./CompilationOfManyBreaches/ --loose
Finding the COMB
I’m not going to link it of course, but infosec practitioners should know there are websites and forums to monitor those things. You can check out MisterCh0c’s CrimeBoards list or look into more infosec publications.
From what I have seen, the same password is used for decryption across mirrors.
I’ve temporarly activated the “Discussions” feature on Github.
It’s a less formal way than issues to discuss ideas, bugs, or just show and tell.
A discussion will be created in regards to this blog post.
📬 Follow me on Twitter to stay updated
Can confirm that it works! h8mail is compatible with the Compilation Of Many Breaches using -bc.— khast3x 📡 (@kh4st3x) February 17, 2021
Might write a blog post to help newcomers :) https://t.co/rFbKWmOY6G