Use haveibeenpwned.com via CLI without an API key.

0xgrey/hibpcheck
hibpcheck

Use the haveibeenpwned.com (HIBP) service via CLI without an API key.

Features:

  • A single-file script that uses Python 3.
  • Include a wordlist argument containing emails and/or phone numbers to check if they're listed in HIBP data breaches.
  • Avoid rate-limiting by sending requests every 2 seconds by default.

Why?

  1. It makes my job easier for credential stuffing when pentesting. Maybe it can help you?
  2. You don't have to pay monthly for API access.

How Does it Work?

Usage: python3 hibpcheck.py <wordlist>

Example: python3 hibpcheck.py emails.txt

Phone numbers must be in international format (e.g., +1-123-123-1234).

  • Generate a wordlist with either emails or phone numbers, one account for each line.
  • The wordlist must be included in the second argument.

Sleep intervals are set at 2 seconds between requests to avoid rate limiting by Cloudflare.
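
A wordlist pre-check for the input rules above, as an added example (not code from hibpcheck). The regular expressions, function names and run-time estimate are assumptions, since the script's own parsing is not shown on this page.

```python
import re

# Assumed patterns (not taken from hibpcheck): a pragmatic e-mail shape and
# "+<country>-<groups>" phone numbers like the README's +1-123-123-1234.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+\d{1,3}(?:-\d{2,4}){2,4}$")
SLEEP_SECONDS = 2  # README default interval between requests


def classify(line):
    """Return 'email', 'phone' or None for one wordlist line."""
    entry = line.strip()
    if EMAIL_RE.match(entry):
        return "email"
    if PHONE_RE.match(entry):
        return "phone"
    return None


def precheck(lines):
    """Split wordlist lines into accepted entries and rejected (lineno, text)."""
    accepted, rejected, seen = [], [], set()
    for lineno, raw in enumerate(lines, start=1):
        entry = raw.strip()
        if not entry:
            continue  # blank lines are ignored
        kind = classify(entry)
        if kind is None:
            rejected.append((lineno, entry))
            continue
        key = entry.lower() if kind == "email" else entry
        if key in seen:
            continue  # a duplicate would only cost another 2-second slot
        seen.add(key)
        accepted.append((kind, entry))
    return accepted, rejected


def estimated_seconds(accepted, interval=SLEEP_SECONDS):
    """Lower bound on run time: one sleep between consecutive requests."""
    return max(len(accepted) - 1, 0) * interval


# Constructed sample wordlist (example.com addresses, README-style number).
SAMPLE = ["alice@example.com", "", "+1-123-123-1234", "123-123-1234",
          "Alice@Example.com", "bob@example", "carol@example.org"]

if __name__ == "__main__":
    print(precheck(SAMPLE))
```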

TODO:

  • Check if breached account credentials are available on Dehashed
    • Integrate the Dehashed API to pull credentials from compatible accounts automatically.
  • Enable output to TXT and JSON.
  • Instead of a singular wordlist option, add a feature to check one account via CLI.
  • Add argument parsing.
  • Include estimated time of completion when using a wordlist.
  • Make the current output suck less.
    • Include quiet and verbose output mode.
  • Check if requesting IP address gets blocked by Cloudflare.

License

MIT
