-
Be the first to like this
Upcoming SlideShare
Related Books
Free with a 30 day trial from Scribd
From email address to phone number, a new OSINT approach
- 1. From email address to phone number A new OSINT approach Martin Vigo @martin_vigo | martinvigo.com
- 2. Martin Vigo Prodsec | Red team | Triskel Security Founder From Galicia, Spain Research | Scuba | Gin tonics @martin_vigo - martinvigo.com Amstrad CPC 6128
- 3. Privacy email address SSN phone number profile picture home addressage
- 4. Security EMAIL ADDRESS PHONE NUMBER Spam / Phishing Spam / Phishing Spoofing Spoofing Password dumps HLR registers Voicemail hacking Fake cell towers SS7 attacks SIM Swapping
- 5. Useful for: Private investigators Stalkers OSINT professionals Doxxers Red teams Spammers
- 6. Classic methodologies Google dorks People search engines Phone books Data leaks Social engineering Public records
- 7. Purpose of this talk A new OSINT method for your bag of tricks A new OSINT tool for your toolset
- 8. Harvesting digits abusing password reset 012-XXX-XX89 Ebay 0XX-XXX-6789 Paypal 0XX-XXX-XX89 Yahoo XXX-XXX-6789 LastPass XXX-XXX-XX89 Google, Twitter, Microsoft, Steam
- 9. No masking standards Password reset (attacker needs email) Leaks 5 digits 2FA challenge (attacker needs email+password) Leaks 3 digits
- 10. Combining accounts 012-XXX-6789 Ebay + Paypal Ebay + Lastpass 0XX-XXX-6789 Yahoo + Lastpass That’s 7 out of 10 digits from just the email address!! 012-XXX-XX89 Ebay 0XX-XXX-6789 Paypal 0XX-XXX-XX89 Yahoo XXX-XXX-6789 LastPass XXX-XXX-XX89 Google, Twitter, Microsoft, Steam
- 11. Let’s focus on which digits we know, not how many 012-XXX-6789 Area code or NPA Exchange or NXX Subscriber 1000 possible numbers left…
- 12. NANPA (North American Numbering Plan Administration) Maintains a public list of area codes and its exchanges San Francisco’s 415 area code has 784 exchange numbers Tacoma’s 253 area code has only 458 exchanges https://nationalnanpa.com
- 13. National Pooling Administration Number block area assignment in the 10 thousands Area code + Exchange + 4 digits subscriber number Sausalito has 7k residents. No need for 10 thousand block assignment NPA manages smaller block number assignments in growth areas Per FCC, first digit of the subscriber number is used for this purpose 012-345-6789 Area code or NPA Exchange or NXX Subscriber Block#
- 14. https://www.nationalpooling.com
- 15. 253-XXX-9123 tacoma_resident@victim.com with ebay and Paypal account 1. ebay gives us area code 2. Paypal gives us subscriber number 3. NANPA gives us 458 valid exchange numbers for the area code ‘253’ 4. NPA gives us 13 unassigned exchange numbers for the block number ‘9’ Only 445 possible numbers left!! ————— —
- 16. Still… 445 possible numbers… We reduced the possible victim’s phone number from 10 billion to 445 just with an email address and publicly available information 🤔
- 17. Same attack vector… reversed! Initially, we used the email address to harvest phone digits Now we use the remaining numbers to reset passwords and harvest masked email addresses!
- 18. Target: victimusa@martinvigo.com Amazon v*******a@martinvigo.com # of * matches remaining chars Twitter vi*******@m*********.*** # of * matches remaining chars And more…
- 19. Attack vector 1. Harvest phone number digits initiating password resets with victim’s email 2. Use Phone Numbering Plan data to reduce the list of possible phone numbers 3. Harvest and correlate masked emails by initiating password reset with the remaining possible phone numbers
- 20. email2phonenumber.py A new OSINT tool that automates the entire process
- 21. email2phonenumber features Harvest phone number digits from major sites Generate valid phone number lists from partial numbers based on the country’s Phone Numbering Plan Bruteforce phone number password reset and correlate masked emails with victim’s support for proxies to avoid captchas / IP banning Easily extendable to support more online services Available on Github https://github.com/martinvigo/email2phonenumber
- 22. What about other countries?
- 23. It get’s worst… Many do not adjust the PII mask for customers from other countries Ebay, Lastpass, … Some countries have 7 digits mobile numbers Estonia, San Salvador, Iceland, Åland islands (Finland), … Ebay + Lastpass exposes the ENTIRE phone number Estonian victim’s number: (+372) 588 1179 😱
- 24. Countries by phone number length
- 25. phonerator An online service to generate phone number lists multi-country support | detailed info | advanced filters | historic records Stay tuned on twitter for updates and release date: @martin_vigo
- 26. Recommendations For online services: Use customizable labels instead of PII tidbits “An SMS will be sent to 415-***-**12” “An SMS will be sent to [CUSTOMLABEL]” For you: Never provide your real phone number to online services Usually not required to use the service If required, use VOIP numbers or dedicated SIMs Use different email addresses or aliases
- 27. Responsible disclosure 012-XXX-XX89 Ebay 0XX-XXX-6789 Paypal 0XX-XXX-XX89 Yahoo XXX-XXX-6789 LastPass 0XX-XXX-XX89 Ebay 0XX-XXX-6789 Paypal “The team has assessed this to be an acceptable risk” ?XX-XXX-XX?? Yahoo Still assessing the risk and mitigations XXX-XXX-XX89 LastPass
- 28. Attackers can use your email address to obtain phone number digits from online services due to a lack of standardization in PII masking. Combined with publicly available information and an understanding of the country’s phone numbering plan, it is possible to recover the entire phone number TL;DR Security & Privacy Online Services UX
- 29. THANK YOU! @martin_vigo martinvigo.com linkedin.com/in/martinvigo github.com/martinvigo youtube.com/martinvigo
Be the first to comment
Login to see the comments
Email addresses are one of our most public piece of PII. We are confortable sharing it with strangers, publishing it on the internet and it is generally our public way of communicating. However, when it comes to phone numbers things change. We are more selective with who we share it with, mostly because receiving unsolicited phone calls is much more invasive. There are also security implications when making your phone number publicly available. SS7 attacks, SIM swapping, phishing and scam calls are just a few of the threats that originate from the target’s phone number. What if it were possible to obtain someone’s phone number by only knowing their email address? Beyond the criminal advantage, it could be very useful to investigators, red teams and OSINT lovers. In this talk, I will discuss techniques which when combined will let you discover someone’s phone number via their email address. I will also demo and release a tool that helps automate the process.
Views
Total views
1,933
On Slideshare
0
From embeds
0
Number of embeds
21
Actions
Downloads
54
Shares
0
Comments
0
Likes
0
Be the first to comment