
OSINT Tool Review

Investigating emails with the Holehe transform for Maltego


Email-based OSINT

When it comes to searching for and verifying target email addresses, tools are fairly limited in both quantity and effectiveness. At the same time, the manual processes used to search and verify email addresses, often through the ‘lost password’ feature, are fraught with risks. Such risks include the target email address being locked out and the email user being made aware of an attempted breach. Manual email searches are also time-consuming, and one tool that saves time in this regard is Holehe.

What is Holehe?

In July last year, we wrote about Holehe, the Python-based utility that can be installed and deployed directly from the command-line interface. In that same article, we pointed out the key features of the tool, namely that it enables Digital Investigators and OSINT Analysts to verify whether a target email address has been registered across a range of websites and social media platforms. The Holehe Transform for Maltego brings an additional range of capabilities for Digital Investigators. Not only does the Transform let you conduct effective searches against target email addresses, but it also enables you to visualise Holehe’s output as a link analysis chart. The websites and social media platforms that Holehe searches against include (but are not limited to):

Social Media

  • Instagram
  • MySpace
  • Twitter
  • Snapchat
  • Discord
  • Pinterest
  • Parler
  • Tumblr
  • OK.ru

E-Commerce

  • Amazon
  • eBay
  • Deliveroo

Email

  • Google
  • Protonmail
  • Mail.ru

Adult

  • PornHub
  • RedTube

Cyber / Software-Related

  • Github
  • Code Igniter (Forum)
  • Code Academy
  • Codepen
  • Cracked.to
  • Docker
  • Office 365

How does it work?

Holehe works by verifying the target email address through the ‘lost password’ function. The target email user is not warned of this action. Many readers will now be wondering why some social media platforms such as Facebook are not included within Holehe’s list of sources; this is because a ‘lost password’ request on Facebook will trigger a warning to the target user. Other websites that are not listed are likely to have enhanced privacy measures, meaning that a ‘lost password’ submission will not verify an email address because the site responds with a message such as “If a matching account was found, an email will be sent to user@email.com to allow you to reset your password”.
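The difference described above, between a reset form that confirms an address and one that answers identically for every address, shown from the site operator's side. This is an added example, not code from Holehe or from the original article; the user store, handler names and the first handler's messages are constructed for illustration.

```python
# Constructed sample data: a toy user store, not taken from any real service.
USERS = {"alice@example.com": {"id": 1}}

UNIFORM_MESSAGE = ("If a matching account was found, an email will be sent "
                   "to {email} to allow you to reset your password")


def reset_leaky(email, outbox):
    """Reset handler whose reply depends on whether the account exists."""
    if USERS.get(email.lower()) is None:
        return 404, "No account is registered with this email address"
    outbox.append(email.lower())
    return 200, "A password reset link has been sent"


def reset_uniform(email, outbox):
    """Reset handler that answers the same way for known and unknown addresses."""
    if USERS.get(email.lower()) is not None:
        # Mail is queued only for real accounts; the caller never sees this.
        # In production, queue it asynchronously so response time matches too.
        outbox.append(email.lower())
    return 200, UNIFORM_MESSAGE.format(email=email)


def leaks_existence(handler, known, unknown):
    """Return True if the handler's reply separates a registered address
    from an unregistered one (usable as a regression check)."""
    status_a, body_a = handler(known, [])
    status_b, body_b = handler(unknown, [])
    # Mask the echoed address so only the server-chosen text is compared.
    body_a = body_a.replace(known, "<email>")
    body_b = body_b.replace(unknown, "<email>")
    return (status_a, body_a) != (status_b, body_b)


if __name__ == "__main__":
    for handler in (reset_leaky, reset_uniform):
        verdict = leaks_existence(handler, "alice@example.com", "nobody@example.com")
        print(f"{handler.__name__}: leaks account existence = {verdict}")
```
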

Installation and deployment

For some first-time users, installing and configuring the Holehe transform may be somewhat tedious because the core utility needs to be pre-installed within the Transform directory. However, for the benefit of our readers, we have included a series of comprehensive instructions below.

  1. Download or clone the Holehe Transform from https://github.com/megadose/holehe-maltego
  2. Within the Holehe Transform directory, install the Holehe utility by invoking pip install holehe
  3. Create a new local transform in Maltego by selecting Transforms > New Local Transform
  4. In the Local Transform Wizard, configure the name and entity type as shown in the image below:
  5. To configure the Transform, indicate the path to your Python executable (.exe); on Windows, this is most likely located inside C:\Python3**. Then, indicate the full pathname to the Maltego Transform utility (e.g. C:\Scripts\Python\holehe-maltego\holehemaltego.py). This should be somewhat similar to the image below, depending on where you saved the Holehe Transform directory.
  6. Add an Email entity to the Maltego chart, configure the target name, then right-click and select Local Transforms and then select Holehe.

Limitations

Whilst Holehe conducts highly effective and efficient searches against target email addresses, it does have some limitations that users should be aware of. The first is the rate-limiting mechanisms used by several social media platforms such as Instagram. Rate-limiting can prevent users from conducting successive searches, though this can be easily bypassed by using a VPN. Another limitation is that Holehe does not provide additional details such as the account that the target email address is attached to. That said, Holehe can be useful for Digital Investigators who want to understand their target’s online behaviour, such as the type of websites that the email address is registered to.

Holehe as a Maltego Transform

Holehe Transform for Maltego conducting Email searches

The Holehe command-line utility is a powerful tool in its own right. However, the utility as a Maltego Transform brings a whole new range of investigative capabilities. For example, Digital Investigators can use the Holehe Transform for Maltego to conduct targeted searches against email addresses, then use additional Maltego Transforms to complement their investigative findings. By doing so, Digital Investigators can uncover additional information regarding target email addresses, then produce comprehensive reports by using Maltego’s reporting capability.

To sum it all up

As we previously wrote in July last year, Holehe is a very good utility that Digital Investigators can add to their toolbox. But the Transform for Maltego brings additional capabilities such as visual intelligence produced within Maltego’s link analysis interface. Not only that, the use of additional Maltego Transforms can make a huge difference when it comes to building a more comprehensive intelligence picture regarding a target email address. We should also give a huge amount of credit to Megadose, the developer of Holehe, for being a very proactive member of the OSINT community and for his hard work in maintaining Holehe.

