 Phonerator


An advanced *valid* phone number
generator for your OSINT/SE needs
Martin Vigo


@martin_vigo | martinvigo.com
Red teamer | Podcaster | Founder of Triskel Security

Galicia, Spain

Research | Bug bounties | Gin tonics

Amstrad CPC 6128
Martín Vigo
La abadía del crimen
Background
Why
012-XXX-XX89
Ebay


0XX-XXX-6789
Paypal


0XX-XXX-XX89
Yahoo


XXX-XXX-6789
LastPass


XXX-XXX-XX89
Google, Twitter, Microsoft, Steam
Phone number digits scraping from password resets
012-XXX-6789
Ebay + Paypal


Ebay + Lastpass


0XX-XXX-6789
Yahoo + Lastpass
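
Added example, not part of the original slides: a small audit script that merges the masks listed above position by position and reports which service pairs leave the fewest digits hidden. The function names are hypothetical, and "Google" stands in for the four services that share the XXX-XXX-XX89 mask.

```python
# Added example: measure how much of a phone number stays hidden when
# services mask it in different positions. Masks are copied from the slide.
from itertools import combinations

# Mask shown on each service's password-reset page ("Why" slide).
MASKS = {
    "Ebay": "012-XXX-XX89",
    "Paypal": "0XX-XXX-6789",
    "Yahoo": "0XX-XXX-XX89",
    "LastPass": "XXX-XXX-6789",
    "Google": "XXX-XXX-XX89",  # same mask as Twitter, Microsoft, Steam
}

def combine(masks):
    """Merge masks position by position; a digit shown by any mask is known."""
    merged = list(masks[0])
    for mask in masks[1:]:
        if len(mask) != len(merged):
            raise ValueError("masks have different formats")
        for i, ch in enumerate(mask):
            if ch == "X":
                continue
            if merged[i] not in ("X", ch):
                raise ValueError(f"conflicting values at position {i}")
            merged[i] = ch
    return "".join(merged)

def hidden_digits(mask):
    """Number of digits still masked."""
    return mask.count("X")

def worst_pairs(masks):
    """Return (hidden digit count, service pairs) for the leakiest pairs."""
    scored = {
        pair: hidden_digits(combine([masks[pair[0]], masks[pair[1]]]))
        for pair in combinations(masks, 2)
    }
    fewest = min(scored.values())
    return fewest, sorted(p for p, h in scored.items() if h == fewest)

if __name__ == "__main__":
    for name, mask in MASKS.items():
        print(f"{name:9} {mask}  hidden={hidden_digits(mask)}")
    fewest, pairs = worst_pairs(MASKS)
    print(f"leakiest pairs hide {fewest} digits (10**{fewest} candidates): {pairs}")
```

When every service reveals the same positions (for example only the last two digits), combining masks reveals nothing beyond what a single mask already shows.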
How
253-XXX-9123
1. ebay gives us area code


2. Paypal gives us subscriber number


3. NANPA gives us 458 valid exchange numbers for the area code ‘253’


4. NPA gives us 13 unassigned exchange numbers for the block number ‘9’


Only 445 possible numbers left!!
tacoma_resident@victim.com with ebay and Paypal account
Leverage the country’s “Phone numbering plan” public data
What
email2phonenumber
1. Harvests phone number digits from major sites


2. Generates valid phone number lists from partial numbers based on the country’s
Phone Numbering Plan


3. Bruteforces phone number password reset and correlate masked emails with victim’s
github.com/martinvigo/email2phonenumber
1. Harvests phone number digits from major sites


2. Generates valid phone number lists from partial numbers
based on the country’s Phone Numbering Plan


3. Bruteforces phone number password reset and correlate masked emails with victim’s
Phonerator
An advanced *valid* phone number generator
Phonerator
1. Cleans, formats, sorts and categorizes
phone numbering plan data


2. Multi-country support


3. Extended phone number information


4. Advanced data filtering


5. Multi-format download
martinvigo.com/tools/phonerator
Use cases
OSINT
Got your target’s email and you want the phone number

Obtain digits via password reset and use
phonerator to reduce the list of possible numbers


Optionally, reduce the list even further with
additional intel


Bruteforce password resets over phone numbers
and compare emails
Investigations
Want to find the identity of a target but you just
have some phone digits

Use phonerator to obtain a list of
possible numbers


Export as txt and feed into Twilio’s
lookup API with reverse lookup add-on
Contact discovery
abuse
Your target uses Signal to
communicate.

Use phonerator to reduce the
list of valid phone numbers and
download list in VCF format to
import contacts in burner phone
Wardialing
Target company owns 415-202 numbers

Use phonerator to obtain a list of
valid numbers for that particular
area code + exchange, download
as txt and feed it into your
favorite wardialing tool
Research
Want to dig into carriers

Use phonerator to find
unknown and obscure
carriers together with their
assigned phone numbers
CTF
Where in the world is Carmen Sandiego?
Carmen has escaped again and I need your help to locate her. Thanks to my friends at NSA I got
access to the SS7 network and I can find her if we obtain her phone number. They were able to
obtain a leak from a secure communications service she was using that contained her email address
and a hashed version of her phone number + city she connected from. Unfortunately, it was hashed
with 5 million rounds of PBKDF2. We estimate that bruteforcing in a reasonable amount of time is
only feasible having the correct city and less than 500 numbers. The NSA warned me that OPSEC is
utterly important. Do not attempt to reset any passwords. It won’t help you find any useful
information and she will know we are tracking her. Find her phone number!


carm3n5andi3go@martinvigo.com


a599f5e85a15799c5fa0a11887dbfc9ebd4de92e0ebbac6768dec60377454ab1


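#!/usr/bin/python3
import hashlib
import binascii

##
# Takes phonenumber without country code nor spaces. Example: 5551234567
# Takes city lowercase without spaces. Example: sanfrancisco
##
def get_phone_hash(phonenumber, city):
    # The hashed input is the phone number immediately followed by the city
    stringInput = phonenumber + city
    # PBKDF2-HMAC-SHA256 with an empty salt and 5,000,000 iterations
    binhash = hashlib.pbkdf2_hmac('sha256', stringInput.encode("utf-8"), b'', 5000000)
    # Hex-encode the derived key so it can be compared with the leaked hash
    return binhash.hex()
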
Thanks!
@martin_vigo
martinvigo.com
linkedin.com/in/martinvigo
github.com/martinvigo
youtube.com/martinvigo
tierradehackers.com
