Abstract

To jump to the important parts, look for the small blue diamonds 🔹

In early February, a massive credential dump titled COMB (Combination Of Many Breaches) started leaking on several forums.

To quote the news:

On Tuesday, February 2, COMB was leaked on a popular hacking forum. It contains billions of user credentials from past leaks from Netflix, LinkedIn, Exploit.in, Bitcoin and more. This leak is comparable to the Breach Compilation of 2017, in which 1.4 billion credentials were leaked. (Source)

The COMB contains the same query.sh script as in the first Breach Compilation back in 2017, which h8mail knows how to leverage 🔍.

In this blog post, we’ll be looking into using the COMB with h8mail.


Setup

💡 Advanced users, you can use a VPS with Docker to download the COMB faster and use an h8mail container to search through it, similar to this previous blog post.

Since the query.sh script is in bash, you’ll need to be on a UNIX system or use WSL on Windows. You’ll need the original COMB 7zip archive, and to have h8mail installed.

Launch h8mail with bash if you’re having issues, as the query script uses a BASH environment variable.

The original COMB archive is encrypted, so we’re going to decrypt and extract it.

🔹 Once you’re in the same directory as the downloaded archive, run the following:

# > bash
# > apt install p7zip-full
> 7z x CompilationOfManyBreaches.7z -p"+w/P3PRqQQoJ6g"
> ls -la CompilationOfManyBreaches/
total 24
drwx------  3 root     root     4096 Feb  4 15:13 .
drwxr-xr-x  3 root     root     4096 Feb 17 03:07 ..
-rw-r--r--  1 root     root      472 Apr  5  2020 count_total.sh
drwx------ 30 root     root     4096 Feb 16  2019 data
-rwxr--r--  1 root     root     1066 Apr  5  2020 query.sh
-rw-r--r--  1 root     root     1718 Apr  5  2020 sorter.sh

The query.sh script should be at the root of the extracted archive, as shown above.

OSX users might want to look into replacing the default query.sh script with an OSX-friendly version. Make sure you rename it to query.sh so that it replaces the original script. - Thanks sumgr0!

Targeting emails

The query.sh script is meant to be used with emails; domain and password search is covered further down.

🔹 To search for emails, run the following:

> h8mail -t [email protected] -sk -bc ./CompilationOfManyBreaches/
  • The -sk param tells h8mail to skip online checks using scylla.so and hunter.io.
  • The -bc param tells h8mail where to find the breach compilation query.sh script.

🔹 We can also use files with emails as targets (h8mail will look for email patterns):

> h8mail -t targets.txt -sk -bc ./CompilationOfManyBreaches/

Targeting passwords and domains

The query.sh script only handles searching for strings that form the first part of a combo line, so it cannot find passwords or domains.
To search for passwords and domains, we’ll use h8mail’s integrated file search, which uses multiprocessing to speed up the search. Since the breach is about 20GB, it will still take some time: on an ARM CPU, it takes about 3:30:00 for all the data to be processed.
We replace the previous -bc param with -lb, and add --loose.

🔹 To search for patterns such as domain names or passwords, run the following:

> h8mail -t example.com fcorp.com -sk -lb ./CompilationOfManyBreaches/ --loose
> h8mail -t "Yourefired" "[email protected]" -sk -lb ./CompilationOfManyBreaches/ --loose
  • The -lb param tells h8mail to perform a standard local breach search using multiprocessing.
  • The --loose param tells h8mail to accept any type of input, instead of enforcing the email pattern.

🔹 We can also use files with patterns as targets (one per line):

> h8mail -t target_domains.txt -sk -lb ./CompilationOfManyBreaches/ --loose
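To make the difference between the two search modes concrete (the email lookup in "Targeting emails" and the loose multiprocess scan in this section), here is an added Python example. It is not h8mail's code and not the COMB's query.sh; it builds a tiny constructed dump in a temporary directory (the split-by-first-character layout and all account lines are assumptions made up for the demo), then shows why a prefix-style lookup finds an email but not a password, how a loose substring scan spread over a process pool finds domains and passwords anywhere in the combo, and how a targets file is read in strict (email-pattern only) versus loose (any line) mode. Function names are the example's own.

```python
import os
import re
import tempfile
from multiprocessing import Pool

# Constructed sample combo lines (made-up accounts, not taken from any dump).
SAMPLE_LINES = [
    "alice@example.com:Yourefired",
    "bob@fcorp.com:hunter2",
    "carol@example.org:Yourefired1",
    "dave@other.net:letmein",
]

# Rough email pattern, the kind of check a strict target parser applies.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def write_sample_dump(root):
    """Write the sample lines under root/data/, one file per leading character.
    This split-by-first-character layout is an assumption for the demo; it is
    what makes a prefix lookup cheap. Returns the data directory."""
    data_dir = os.path.join(root, "data")
    os.makedirs(data_dir, exist_ok=True)
    for line in SAMPLE_LINES:
        shard = os.path.join(data_dir, line[0].lower())
        with open(shard, "a", encoding="utf-8") as fh:
            fh.write(line + "\n")
    return data_dir


def prefix_lookup(data_dir, target):
    """Prefix-style lookup: open only the shard for the target's first character
    and keep lines that START with the target. A password or a bare domain never
    starts a combo line, so this style of lookup cannot find them."""
    shard = os.path.join(data_dir, target[0].lower())
    if not os.path.exists(shard):
        return []
    with open(shard, encoding="utf-8") as fh:
        return sorted(l.rstrip("\n") for l in fh if l.startswith(target))


def _scan_file(args):
    """Worker: substring-match every pattern against every line of one file."""
    path, patterns = args
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.rstrip("\n")
            hits.extend((p, line) for p in patterns if p in line)
    return hits


def loose_search(data_dir, patterns, workers=2):
    """Loose search: every file, every line, substring match, spread over a
    process pool. Finds domains and passwords anywhere in the combo line."""
    files = [os.path.join(dp, f) for dp, _, fs in os.walk(data_dir) for f in fs]
    with Pool(workers) as pool:
        chunks = pool.map(_scan_file, [(f, patterns) for f in files])
    return sorted(h for chunk in chunks for h in chunk)


def load_targets(path, loose=False):
    """Strict mode keeps only email addresses found in the file; loose mode
    takes every non-empty line verbatim (one pattern per line)."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    if loose:
        return [l.strip() for l in text.splitlines() if l.strip()]
    return EMAIL_RE.findall(text)


def demo():
    """Build the sample dump in a temp dir and run each search style once."""
    root = tempfile.mkdtemp(prefix="comb_demo_")
    data_dir = write_sample_dump(root)
    targets_file = os.path.join(root, "targets.txt")
    with open(targets_file, "w", encoding="utf-8") as fh:
        fh.write("alice@example.com\nfcorp.com\nYourefired\n")
    return {
        "prefix_email": prefix_lookup(data_dir, "alice@example.com"),
        "prefix_password": prefix_lookup(data_dir, "Yourefired"),
        "loose": loose_search(data_dir, ["fcorp.com", "Yourefired"]),
        "strict_targets": load_targets(targets_file),
        "loose_targets": load_targets(targets_file, loose=True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The prefix lookup is fast because it touches one shard, which is exactly why it is blind to anything that is not at the start of the line; the loose scan has to read every byte of every file, which is the reason the full 20GB compilation takes hours even with a process pool.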

Finding the COMB

I’m not going to link it of course, but infosec practitioners should know there are websites and forums to monitor those things. You can check out MisterCh0c’s CrimeBoards list or look into more infosec publications.
From what I have seen, the same password is used for decryption across mirrors.


Notes

I’ve temporarily activated the “Discussions” feature on GitHub.
It’s a less formal way than issues to discuss ideas, bugs, or just show and tell.

💬 h8mail discussions

A discussion will be created in regard to this blog post.


📬 Follow me on Twitter to stay updated