loading
loading
Social Engineering
Email OSINT and breach hunting across multiple breach and reconnaissance services.
overview
h8mail takes an email address, or a file of them, and checks it against breach datasets and OSINT services to find where the owner has been exposed. Each hit ties a target to leaked credentials, the breach that leaked them, and related accounts worth chasing.
It runs online or offline. With a config file of API keys for HaveIBeenPwned, Snusbase, Dehashed, hunter.io, and others, it pulls live results from each service. Pointed at local breach files instead, including the BreachCompilation torrent or your own cleartext and gzip dumps, it searches offline so sensitive lookups never leave your environment. Chase mode widens the sweep by pulling related emails from the services back into the target list.
On Trickest, h8mail is a Social Engineering node that takes a target or a list and writes a file and a folder of results. Reach for it during OSINT to map a person's breach exposure, then feed the hits into reporting or follow-up enumeration.
source github.com/khast3x/h8mail
use cases
Query configured breach services for a target address to surface leaked credentials and the breaches that exposed them.
Point h8mail at the BreachCompilation folder or your own cleartext and gzip dumps so sensitive lookups run entirely in your environment.
Use chase to pull related emails from hunter.io and other services into the ongoing target list, widening an OSINT sweep from one address.
Query by username, password, ip, hash, or domain with -q so a single run covers more than email-to-breach lookups.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| target-input | STRING | -t | Target string input, such as an email address. |
| target-file-input | FILE | -t | File of targets to check in one run. |
| config-file | FILE | -c | Config file of API keys (Snusbase, Dehashed, HaveIBeenPwned, hunter.io, and more). |
| local-breach | FILE | -lb | Local cleartext breach file to scan for targets. |
| breachcomp | FOLDER | -bc | Path to the BreachCompilation torrent folder for offline search. |
| user-query | STRING | -q | Custom query by username, password, ip, hash, or domain. |
| chase | STRING | -ch | Add related emails from hunter.io to the target list, per-target count. |
| hide-passwords | BOOLEAN | --hide | Show only the first four characters of found passwords. |
Showing key inputs. h8mail exposes 17 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| keys | STRING | -k | Pass config options inline. Supported format: K=V,K=V |
| chase | STRING | -ch | Add related emails from hunter.io to the ongoing target list; sets how many emails per target to chase. Needs a hunter.io key unless used with power-chase. |
| debug | BOOLEAN | --debug | Print request debug information. |
| gzip-src | FILE | -gz | Local tar.gz (gzip) compressed breach to scan for targets. |
| url-input | STRING | -u | URL string input (requires http:// or https://). |
| breachcomp | FOLDER | -bc | Path to the BreachCompilation torrent folder; uses the bundled query.sh script. |
| user-query | STRING | -q | Run a custom query by username, password, ip, hash, or domain; searches loosely when run locally. |
| config-file | FILE | -c | Config file of API keys: Snusbase, WeLeakInfo, Leak-Lookup, HaveIBeenPwned, Emailrep, Dehashed, and hunter.io. |
| power-chase | BOOLEAN | --power-chase | Add related emails from all API services to the target list; use with chase. |
| single-file | BOOLEAN | -sf | For big cleartext or tar.gz breaches, show a progress bar; disables concurrent file search for stability. |
| local-breach | FILE | -lb | Local cleartext breach file to scan for targets. |
| loose-search | BOOLEAN | --loose | Allow loose search by disabling email pattern recognition. |
| target-input | STRING | -t | Target string input, such as an email address. |
| skip-defaults | BOOLEAN | -sk | Skip the HaveIBeenPwned and hunter.io checks. |
| hide-passwords | BOOLEAN | --hide | Show only the first four characters of found passwords. |
| url-file-input | FILE | -u | File of URLs to use as input. |
| target-file-input | FILE | -t | File of targets to check in one run. |
example
# scan a list of emails against configured breach services, mask passwordsh8mail -t targets.txt -c config.ini --hide -o exposure.jsonh8mail 2.5.6 >> alice@example.com ├── hibp - compromised in: LinkedIn, Dropbox, Canva ├── emailrep - reputation: none, blacklisted: false └── hunter.io (public) - related emails found: 4>> bob@example.com ├── hibp - compromised in: Adobe └── local file - line: bob@example.com:Su5f****[+] Found 6 results, writing to exposure.jsonguidance
Use h8mail to map a target's breach exposure during OSINT, online via API keys or offline against local dumps. It needs configured services or breach files to return much. For broad OSINT across people and accounts beyond breaches, pair it with theharvester or sherlock.
Gathers emails, hosts, and names from public sources. h8mail focuses on breach data for a known address.
Searches for leaked secrets and credentials. A sibling angle on exposed-credential hunting.
Looks up leaked credentials for an account. Overlaps with h8mail's breach lookups.
faq
related
A list of target emails feeds h8mail, which checks breach and recon services and writes the exposure hits as a queryable output.
Facts on this page come from the live Trickest tool library.