Phonerator, an advanced *valid* phone number generator for your OSINT/SE needs

martinvigo 389 views 18 slides Aug 17, 2022

About This Presentation

A couple of years ago at DEF CON's Recon Village, I introduced a new OSINT technique to obtain a target's phone number by just knowing the email address, and published the tool "email2phonenumber", which automates the entire process. email2phonenumber, among other things, generates possible p...


Slide Content

 Phonerator
An advanced *valid* phone number
generator for your OSINT/SE needs
Martin Vigo
@martin_vigo | martinvigo.com

Red teamer | Podcaster | Founder of Triskel Security
Galicia, Spain
Research | Bug bounties | Gin tonics
@martin_vigo - martinvigo.com
Amstrad CPC 6128
Martín Vigo
La abadía del crimen

Background

Why
Phone number digits scraping from password resets
Ebay: 012-XXX-XX89
Paypal: 0XX-XXX-6789
Yahoo: 0XX-XXX-XX89
LastPass: XXX-XXX-6789
Google, Twitter, Microsoft, Steam: XXX-XXX-XX89

Ebay + Paypal, Ebay + Lastpass: 012-XXX-6789
Yahoo + Lastpass: 0XX-XXX-6789

How
253-XXX-9123
1. ebay gives us area code
2. Paypal gives us subscriber number
3. NANPA gives us 458 valid exchange numbers for the area code ‘253’
4. NPA gives us 13 unassigned exchange numbers for the block number ‘9’
Only 445 possible numbers left!!
[email protected] with ebay and Paypal account
Leverage the country’s “Phone numbering plan” public data
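
The reduction on this slide, worked as an added example (not code from the talk or from email2phonenumber) for a service checking how many candidates its reset-prompt mask leaves once other sites' masks and numbering-plan data are overlaid. The plan data is constructed to match the slide's counts, and modelling an unassigned block as (area code, exchange, first subscriber digit) is an assumption.

```python
from itertools import product

# CONSTRUCTED plan data (not real NANPA records), sized to match the slide:
# 458 exchanges in area code 253, 13 of them with thousands-block 9 unassigned.
PLAN = {"253": {str(n) for n in range(200, 658)}}
UNASSIGNED = {("253", str(n), "9") for n in range(200, 213)}

def merge_masks(masks):
    """Overlay masks of one number ('X' = hidden); reject contradictions."""
    merged = list(masks[0])
    for mask in masks[1:]:
        if len(mask) != len(merged):
            raise ValueError("masks differ in length")
        for i, ch in enumerate(mask):
            if ch == "X" or ch == merged[i]:
                continue
            if merged[i] != "X":
                raise ValueError(f"masks disagree at position {i}")
            merged[i] = ch
    return "".join(merged)

def naive_space(mask):
    """Candidates if every hidden digit could be anything."""
    return 10 ** mask.count("X")

def fits(mask, value):
    """True if value agrees with every revealed character of mask."""
    return all(m in ("X", v) for m, v in zip(mask, value))

def count_valid(mask, plan, unassigned):
    """Candidates left once the numbering plan is applied.
    plan: area code -> set of assigned exchanges (assumed data shape);
    unassigned: (area, exchange, first subscriber digit) blocks not in service."""
    area_m, exch_m, sub_m = mask.split("-")
    subs = ["".join(p) for p in product("0123456789", repeat=4)]
    subs = [s for s in subs if fits(sub_m, s)]
    return sum(
        1
        for area, exchanges in plan.items() if fits(area_m, area)
        for exch in exchanges if fits(exch_m, exch)
        for sub in subs if (area, exch, sub[0]) not in unassigned
    )

if __name__ == "__main__":
    shown = ["253-XXX-XX23", "2XX-XXX-9123"]  # ebay-style and Paypal-style masks
    merged = merge_masks(shown)
    print(merged, naive_space(merged), count_valid(merged, PLAN, UNASSIGNED))
```

Run against a single service's mask instead of the merged one, the same count shows how much each additional, differently masked prompt shrinks the space.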

What
email2phonenumber
1. Harvests phone number digits from major sites
2. Generates valid phone number lists from partial numbers based on the country’s Phone Numbering Plan
3. Bruteforces phone number password reset and correlates masked emails with victim’s
github.com/martinvigo/email2phonenumber


Phonerator
An advanced *valid* phone number generator

Phonerator
1. Cleans, formats, sorts and categorizes phone numbering plan data
2. Multi-country support
3. Extended phone number information
4. Advanced data filtering
5. Multi-format download
martinvigo.com/tools/phonerator

Use cases

OSINT
Got your target’s email and you want the phone number
Obtain digits via password reset and use phonerator to reduce the list of possible numbers
Optionally, reduce the list even further with additional intel
Bruteforce password resets over phone numbers and compare emails

Investigations
Want to find the identity of a target but you just have some phone digits
Use phonerator to obtain a list of possible numbers
Export as txt and feed into Twilio’s lookup API with reverse lookup add-on

Contact discovery abuse
Your target uses Signal to communicate.
Use phonerator to reduce the list of valid phone numbers and download list in VCF format to import contacts in burner phone

Wardialing
Target company owns 415-202 numbers
Use phonerator to obtain a list of valid numbers for that particular area code + exchange, download as txt and feed it into your favorite wardialing tool

Research
Want to dig into carriers
Use phonerator to find unknown and obscure carriers together with their assigned phone numbers

CTF

Where in the world is Carmen Sandiego?
Carmen has escaped again and I need your help to locate her. Thanks to my friends at NSA I got
access to the SS7 network and I can find her if we obtain her phone number. They were able to
obtain a leak from a secure communications service she was using that contained her email address
and a hashed version of her phone number + city she connected from. Unfortunately, it was hashed
with 5 million rounds of PBKDF2. We estimate that bruteforcing in a reasonable amount of time is
only feasible having the correct city and less than 500 numbers. The NSA warned me that OPSEC is
utterly important. Do not attempt to reset any passwords. It won’t help you find any useful
information and she will know we are tracking her. Find her phone number!
[email protected]
a599f5e85a15799c5fa0a11887dbfc9ebd4de92e0ebbac6768dec60377454ab1

#!/usr/bin/python3
import hashlib

##
# Takes phonenumber without country code nor spaces. Example: 5551234567
# Takes city lowercase without spaces. Example: sanfrancisco
# Returns the hex-encoded PBKDF2-HMAC-SHA256 of phonenumber + city.
##
def get_phone_hash(phonenumber, city):
    string_input = phonenumber + city
    # Empty salt and 5 million rounds, as stated in the challenge text
    binhash = hashlib.pbkdf2_hmac('sha256', string_input.encode("utf-8"), b'', 5000000)
    return binhash.hex()

Thanks!
@martin_vigo
martinvigo.com
linkedin.com/in/martinvigo
github.com/martinvigo
youtube.com/martinvigo
tierradehackers.com