khast3x / h8mail

Email OSINT & Password breach hunting tool, locally or using premium services. Supports chasing down related email

False negative #31

Closed Ekultek closed 5 years ago

Ekultek commented 5 years ago

Description

False negatives while doing compressed file searching

What I Did

Obviously I use whatbreach to get my databases (because I'm cool like that ;p). Anyways, austinfields7@hotmail.com has been breached in one of Adobe's breaches. This file is a tar.gz that decompressed to a gz file that decompresses to a file named cred. While using h8mail to search through the file, it will not provide any information, but it will show that there are occurrences if I use -lb.

h8mail -t austinfields7@hotmail.com -gz Adobe\ 152M.tar -sk --loose
    h8mail is free & open-source. Please report scammers.

       Version 2.2 - "HAILTEAM"  

    ._____. ._____.     ;____________;
    | ._. | | ._. |     ;   h8mail   ;
    | !_| |_|_|_! |     ;------------;
    !___| |_______!  Heartfelt Email OSINT
    .___|_|_| |___.    Use responsibly!
    | ._____| |_. | ;____________________;
    | !_! | | !_! | ; github.com/khast3x ;
    !_____! !_____! ;--------------------;

[>] Targets:
['austinfields7@hotmail.com']
[~] Removing duplicates
[~] Target factory started for austinfields7@hotmail.com
[~] Terminating worker pool

 __________________________________________________________________________________________

[>] Showing results for austinfields7@hotmail.com

[~] No results founds
__________________________________________________________________________________________

                                   Session Recap:  

                 Target                  |                   Status                  
__________________________________________________________________________________________

       austinfields7@hotmail.com         |               Not Compromised              
__________________________________________________________________________________________

Execution time (seconds):   0.1438760757446289  

h8mail -t austinfields7@hotmail.com -lb cred 
    h8mail is free & open-source. Please report scammers.

       Version 2.2 - "HAILTEAM"  

    ._____. ._____.     ;____________;
    | ._. | | ._. |     ;   h8mail   ;
    | !_| |_|_|_! |     ;------------;
    !___| |_______!  Heartfelt Email OSINT
    .___|_|_| |___.    Use responsibly!
    | ._____| |_. | ;____________________;
    | !_! | | !_! | ; github.com/khast3x ;
    !_____! !_____! ;--------------------;

[>] Targets:
austinfields7@hotmail.com 
[~] Removing duplicates
[~] Target factory started for austinfields7@hotmail.com
[{'Name': 'Adobe'}, {'Name': 'OnlinerSpambot'}, {'Name': 'RiverCityMedia'}, {'Name': 'VerificationsIO'}]
[>] Found 4 breaches for austinfields7@hotmail.com using HIBP
[~] No pastes found for austinfields7@hotmail.com using HIBP PASTE
[>] Found 0 related emails for austinfields7@hotmail.com using Hunter.IO
[~] Using file cred
[~] Worker [96175] is searching for targets in cred (3481316319 bytes)
[>] Found occurrence [cred] Line 436679: 111285261-|--|-austinfields7@hotmail.com-|-FP220B6GQV8=-|-Munsters|--
^C[!] Caught KeyboardInterrupt, terminating workers

 __________________________________________________________________________________________

[>] Showing results for austinfields7@hotmail.com
HIBP           |austinfields7@hotmail.com > Adobe
HIBP           |austinfields7@hotmail.com > OnlinerSpambot
HIBP           |austinfields7@hotmail.com > RiverCityMedia
HIBP           |austinfields7@hotmail.com > VerificationsIO
__________________________________________________________________________________________

                                   Session Recap:  

                 Target                  |                   Status                  
__________________________________________________________________________________________

       austinfields7@hotmail.com         |          Breach Found (4 elements)         
__________________________________________________________________________________________

Execution time (seconds):   31.479928970336914  

khast3x commented 5 years ago

Hey there,
Thank you for opening the issue.
Have you tried using -gz on the file before extracting the tar archive? Typically when it is still .tar.gz.

Also, can you try using zgrep against your compressed archive to find your target?
Glad to know you're using the WhatBreach/h8mail combo, I think we're slowly setting a new standard!
Cheers
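
An independent cross-check in the spirit of the zgrep suggestion above, as an added Python example (not part of this thread and not h8mail's code): it recognises gzip and tar layers by content rather than file extension and searches every nested layer, which goes beyond a single zgrep pass. The names `search`, `_Rejoin` and `build_sample` and the sample records are constructed for illustration; `max_layers=1` models a single decompression pass and says nothing about how h8mail's `-gz` option is implemented.

```python
import gzip
import io
import tarfile


class _Rejoin(io.RawIOBase):
    """Put the bytes read for sniffing back in front of the rest of the stream."""
    def __init__(self, head, rest):
        self.head, self.rest = head, rest
    def readable(self):
        return True
    def readinto(self, buf):
        chunk = self.head[:len(buf)] or self.rest.read(len(buf))
        self.head = self.head[len(chunk):]
        buf[:len(chunk)] = chunk
        return len(chunk)


def search(stream, needle, label="input", depth=0, max_layers=8):
    """Yield (layer path, line number, line) for each line containing needle.
    Layers are detected by content (gzip magic, "ustar" at 257), not extension."""
    head = stream.read(512)
    f = io.BufferedReader(_Rejoin(head, stream))
    peel = depth < max_layers  # max_layers=1 models a single decompression pass
    if peel and head[:2] == b"\x1f\x8b":
        inner = gzip.GzipFile(fileobj=f, mode="rb")
        yield from search(inner, needle, label + " > gzip", depth + 1, max_layers)
    elif peel and head[257:262] == b"ustar":
        with tarfile.open(fileobj=f, mode="r|") as tar:  # sequential read, no seeking
            for m in tar:
                if m.isfile():
                    path = f"{label} > tar:{m.name}"
                    yield from search(tar.extractfile(m), needle, path, depth + 1, max_layers)
    else:
        for lineno, line in enumerate(f, 1):
            if needle in line:
                yield label, lineno, line.rstrip(b"\r\n").decode("utf-8", "replace")


def build_sample():
    """Constructed data: gzip > tar > cred.gz > cred, with made-up records."""
    cred = b"1-|--|-alice@example.com-|-AAAA=-|-hint|--\n2-|--|-bob@example.com-|-BBBB=-|-hint|--\n"
    inner, buf = gzip.compress(cred), io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("cred.gz")
        info.size = len(inner)
        tar.addfile(info, io.BytesIO(inner))
    return gzip.compress(buf.getvalue())
```

To check a real file, pass `open(path, "rb")` as `stream` and the target as bytes; the layer path in each hit shows how many wrappers had to be peeled before the match appeared.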

Ekultek commented 5 years ago

Hey, yeah it's the same problem.

Ekultek commented 5 years ago

I figured this out, it was my fault not the tools, thanks!

khast3x commented 5 years ago

Roger that, thanks!