OK, let's move on to the next talk. The next talk is with Martin, and it is "From email address to phone number". I have introduced a lot of talks so far over the past two days, and each time I get given a wonderful little bio that I then basically get given one line of. For Martin, I got given a whole paragraph. I'm not going to read the whole paragraph; I will read the final line of the paragraph. And it says: outside of the office, Martin enjoys research, bug bounties, gin and tonics, and scuba diving. On that note, I'm going to hand over for his presentation.

Gin tonic, gin tonic for the win. Thanks for coming to this talk. It's going to be awesome, hopefully. And basically what we are trying to see is new ways for you to go from an email address that you may have of your target to how maybe you could get the victim's phone number. So my name is Martin Vigo. No introductions needed. I do now red teaming, from Galicia, Spain. It's important that I mention that. And the gin tonic thing was already said. So since the talk is about going from an email address to a phone number, I kind of wanted to put these slides up. And this is my view of it. So it's kind of like a spectrum of how I feel in terms of privacy when some of my PII leaks. My email address is something that I hand out, so I'm not concerned. Obviously my social security number will be the worst thing for me. And I kind of put the phone number in between, right? The phone number, I give it to a lot of people, even to people that I don't know, that I just met. But it's not something that I'm comfortable making public online or anything like that. And I will assume that many of you kind of relate to this. This is from a privacy standpoint. But from security it's also important, right? What's the difference between your email address leaking and your phone number leaking? We saw that in terms of privacy that's important.
In terms of security, if an attacker has your email address, right, what can they do? They can spam you, or try to phish you so that you click on a link or anything like that. They could potentially target people you know by spoofing the email address, right? So pretending to be you so that they click on something. And probably the worst part will be going to sites like Have I Been Pwned or any of those sites that tell you, oh, this person, you know, the data leaked on LinkedIn in 2012, and then you can go somewhere to get those credentials in the deep web or whatever. If the phone number leaks, in terms of security we have kind of the same thing, right? People can spam you; it's actually more annoying because it's more invasive to receive a phone call. There could also be phishing, someone pretending to be someone else. Spoofing as well, right? Online you can find services, even free, that let you spoof a caller ID and pretend to be someone else. Again, maybe targeting someone you know. And then we get into the more interesting stuff. You may or may not be familiar with HLR registers, but that's basically a global database. That's kind of how the phone system works, very simplified, but you are able to query some information about the phone number, and that can include whether the phone number is roaming or not. Someone may know if you are in a different country and maybe target your house, for example. This is usually free or very, very cheap, like 10 cents. Twilio, you go to /lookup and you can do that just with the phone number. For example, I gave last year a talk on voicemail hacking, so what you need is the phone number, right? The impact is very, very big because they could compromise all your accounts. We have things like fake cell towers, SS7 attacks, and SIM swapping is big. We hear over and over again about people getting their Bitcoin wallets drained because someone did a SIM swapping attack again.
For that, you need the phone number. So there is a big difference between leaking your email and leaking your telephone number in terms of security. But for whom will this be useful, right? For whom will it be useful to know a technique with which you can go from an email address to a phone number? On the good side of the spectrum again, we have private investigators that may be working a case, going after someone that is malicious, and they want to find more information. Think about it: a phone number gives you, for example, location data, right? There was an excellent talk a couple of hours ago from Joseph Cox talking about that. OSINT professionals, probably like many of you guys. It's important, but also for red teamers. Imagine that you actually get credentials from someone, right, that you are trying to target, and they have 2FA. So now if you have a way to get the phone number from that email address, that will be really useful because you can try to phish the people or do some more advanced attacks. But unfortunately we also have the bad side. If there are ways that someone with an email address can get your phone number, that could be useful for stalkers, or for people trying to dox you, right? Or even for spammers. You'll probably get calls from a recording talking in Chinese, talking about some taxes. It's very popular in the US. Okay, so what are the classic methodologies that we know to get from an email address to a phone number? You can do Google dorks. Maybe someone has posted their phone number in a forum and their username is actually the email. Public records, you can go to court and stuff like that. There's more advanced OSINT and stuff. Classic people search engines: you go to Spokeo, people finders like that, put in an email address, and you are likely to get a phone number. Social engineering, you know, you can target someone. Data leaks. So the purpose of this talk is to add new tricks to your bag of tricks.
And there are new OSINT tools that you can use for your investigations. I hope all of you are on the good side of the spectrum. So I talked before about the voicemail hacking, right? So I did two talks, I did that one and another one related to SMS and stuff like that. So I spent many, many hours resetting passwords last year during my investigations. And I started to notice a pattern, right? Because I was resetting passwords in many accounts. And the case was that when you reset a password, right, you can get a text, and it will tell you, "I'm going to send you an SMS to" blah, blah, blah, blah, blah. So it's basically PII masking. The problem, which is what I realized, is that not everyone is masking the same thing. There is a lack of standardisation in the way we do PII masking. eBay then was actually the worst one that I could see. It's showing to anyone that has your email address and initiates the password reset with that the first three digits, the area code (this is for American numbers), and the last two. PayPal is the first one and the last four. LastPass is the last four. Yahoo is the first one and the last two. And the most common thing I've seen is the last two. I want to stress again the lack of standardisation in PII. This is both cases PayPal. PayPal, if I go to reset your password with just the email, that's all I know, I will get five digits. If I have your password and I get challenged with 2FA, I only get three. So the same service thinks that it needs to mask more information from someone that has also your password than from someone that has only your email. This is obviously different developers working on it, that's my guess. But this again is the proof that we have no standardisation. So the power comes from the combination. I can perfectly go around to the top websites and start to reset your password just with your email. Who has eBay and PayPal? You guys don't want to admit it, right? Okay, so a bunch of liars, I like it.
So who has eBay and LastPass? All right, thank you. He's my friend actually. Yahoo and LastPass, right? I'm pretty sure many of you at least can think of someone close to them that may have at least eBay and PayPal, which I will claim are the most common services. With those two services, I have seven out of your ten digits. Seven out of your ten digits. All right. So when I got here, you know, I was thinking like, okay, I have 1,000 numbers left. 1,000 numbers that are possible for you, right? From 10 billion, that is quite significant. But you know, I thought it was cool, it was nice, but I didn't know how to go forward. And I appreciate a co-worker: I showed him this and he told me, oh, you're actually missing the exchange. And I'm from Spain, so I'm not very familiar with the American numbers, right? And then I said, oh, okay, so the exchange is those three numbers; I knew about the area code, right? So that threw me into a rabbit hole that was fascinating, and I learned so much about the telephone system, and that's what we're going to talk about now. So the thing is, now we are focusing not on how many numbers we don't know, but which ones we don't know. And that's the exchange. That's good, that's what we are going to get at. Exactly, there are actually more. Good point, and we are going to get into that. Exactly, and actually 211, 311, we're going to get into that. So enter the North American Numbering Plan Administration. This is actually an organization that is mostly in charge of assigning phone numbers, right? That's what they take care of. And they have a website with publicly available information with, apart from many other very interesting things, which is what allowed me to learn all these things, the list of area codes and their assigned exchanges. That means that not all area codes have all the exchanges, right? For example, as the gentleman said, the first 200 numbers are not assigned to the area code.
So we get there: for example, only 800 numbers are possible, from the thousand that we had because we were missing three digits. Take Tacoma. Tacoma, 253 area code, the one that I was looking for, which is very significant, only has 458 exchanges. So we just went down from 1,000 numbers to 558 possible, just with your email address and with publicly available information. So 458 numbers is very good. I will even claim that you can, with some automation, maybe using Twilio APIs, do phone calls and try to figure out which one it actually is. But I wanted to go deeper down the rabbit hole. I learned a lot and found ways to actually reduce that list even more, because that's ultimately what we are trying to do. Enter the National Pooling Administration. I also had no idea about this. So hear me out. The way it works is that area codes and exchanges are assigned historically to a location and specifically to a carrier, right? So take 415-200, that is for AT&T. 415-201, I mean the numbers that start with those digits, is for Verizon, right? And 415-200 and 201 is an exchange for Sausalito. So Sausalito has only 7,000 people living there, residents. So if you think about it, we have four or five major carriers. We are assigning 50,000 possible numbers to an area that only has 7,000 residents, right? Because 401-200, 401-201 for the different carriers, those are blocks of 10,000 digits. It's the last four digits. So it's a huge waste of phone numbers. So I learned that the FCC came out with a document and suggested that the first digit of the subscriber number will represent the block. So instead of assigning blocks of 10,000 digits, we will be assigning blocks of 1,000 digits. So now it will be 415-201 for Verizon. So we are assigning blocks of 1,000 numbers so we don't waste that many. Again, the website has a publicly available database in which you can go check if an area code plus an exchange is a pooled area code and exchange, which is kind of the lingo.
And if so, what are the blocks that are actually assigned today? So there are blocks that are not. So you can discard all those blocks of 1,000 numbers, because as we can see in this slide, this is from nationalpooling.com, if you look at the bottom, we see that for 415-272, which is an area code and exchange for Sausalito, the only possible next number will be the 9, because it's the only block that is assigned to that area code and exchange. We can already discard all the others. This is great. This is publicly available information. So take now someone from Tacoma, right, with an email and a PayPal account. So I got from eBay the area code, 253. I got from PayPal the subscriber number, which is 9123. Now from NANPA, the website, I get that there are only 458 exchange numbers for the 253 area code. And from the pooling administration, I get that block number 9 is only on 444 exchange numbers. So I discarded even 13 exchange numbers that don't have the 9 block available. Awesome. So we got from 10 billion numbers to 444 by using an email address and publicly available information. This is cool again, but I wanted to find a way in which I could actually get to "this is the number of the person, this is what I have", without having to make any phone calls, for free, and that only requires the email address. So I went over what I did, you know, I went back to the drawing board and I thought about it: okay, the way I'm doing it is I'm taking the email, initiating a password reset, and I'm getting digits from the phone number. Are there services where I can go reset a password with a phone number and get letters back from an email? Yes, there are. So that is exactly what we are doing. Amazon shows you, when you go reset with a phone number, the first letter and the last letter of the username plus the entire domain.
But the best thing is that the stars that you see masking those letters match the number of characters that were masked. So it's giving me also the length of the username. Twitter shows you the first two and the first letter of the domain. And there are many more. So this is exactly what we are doing. We have a list of 445 possible numbers that we reduced with an email address. What we are going to do now is take that list, iterate over it and start to reset passwords, look at the masked email, correlate it to the one that we have originally, and we will find the phone number. So the attack vector looks like this. First you harvest, with an email address, different digits from different websites. Then you use publicly available information and your knowledge of the phone numbering plan system. And then, with the list that you hopefully reduced quite significantly, you use those other services to initiate password resets with the list of phone numbers and correlate the masked characters that you get back from the email. Automation. So this is where the thing is, right? No one is going to do that manually, right? So I created a Python script that is your new awesome tool to do this. And it basically automates the entire process. So it will go to those top websites and, with an email address, it will scrape those digits. Then it will allow you to generate, by providing a mask, say, we found that it's 415, we're missing the next three, and we have the subscriber number, you just put that there, it will go fetch the information, it will use all the intelligence that I just told you about and give you back a list of the possible phone numbers. And then it will also allow you to go back to those services and reset the password with those lists. And think about it: you cannot be blocked, because we are only trying to reset a password once per phone number, right?
It's not that we are hammering a brute force and then they are going to lock the account. So it actually supports proxies to bypass captchas and things of that nature, right? And it's publicly available now in my GitHub repo. Let's look at the demo. All right. So we are going to use a victim, victimusa@martinvigo.com. It's a phone number from the US, right? That's why I was saying it's closed. So we're going to use the scrape option. And all we're going to provide is an email address. And in this case for the demo, again, this is so you guys also contribute to the tool, it's just going to go to eBay and LastPass, because one gives me the first three and the other gives me the last four. And the way it works is it kind of writes a report for you with everything that it could find about it, right? Not just the digits; sometimes I can tell, for example from LastPass, if the phone number is from a different country. If it's a non-US number, LastPass adds the plus. So we just learned 415 are the first three, 886 are the last four, from eBay and LastPass. The next option I'm going to use with the tool is Generate. And I'm going to give it a mask, right? With the option -m, and substitute the digits that I don't know with a simple X. And so we will use that to go and try to reduce the list right now. We will have 1,000 possible numbers. Just as I explained before, it goes downloading and it gives you a list, that you obviously can put in a file as well, of possible phone numbers. Okay, we just reduced it to 800. For demo purposes, it's only going to try to go over 10, so I'm going to pretend that I'm actually only missing one character, so it's just faster, right? But we could perfectly do this because we have the proxy support and all that stuff. So I'm going to use now the brute force option. And it's going to use, I think in this case, Amazon to initiate the password reset on those possible phone numbers that we have left.
So I give it the email, because I need to give it so it can correlate it, right? I give it the mask with the digits that I'm missing. Again, in this case I'm pretending that I just need to find out over 10 possible phone numbers, so that X is just there. And I'm going to make it verbose so that we can also see the accounts that don't exist. So now it's going to Amazon, it's going over the 10 possible phone numbers, and boom. It found that there was an email associated with the phone number that started with a V, that the username ended with an M, that the length matched, that it was martinvigo.com, and it's obviously possibly the phone number. So we are not done yet. We are not done yet. We are not done yet. And what about other countries? It gets even worse, it gets even worse. This is where it gets a little nuts. So remember eBay and LastPass, we are masking PII, right? The US is a very big country and it has phone numbers that are 10 digits long. But then I thought, in Spain they are 9 digits long. You know what, there are countries that are only 7 digits long. Is there anyone, I know you're not going to admit it, but is there anyone here from Estonia, El Salvador, Iceland, Finland? All right. Because the next question was, do you have an eBay and LastPass account? Because if that's the case, your phone number is public. Those phone numbers are 7 digits long. I go to eBay, I get the first three. I go to LastPass, I get the last four. I don't need to brute force anything. So we are pretty good in the US with 10 digits. This is a list of the countries by phone number length. So there are many more. Think, if they are 8 digits long, you only have 100 possible phone numbers, right? And so on. So it gets really, really bad, because now it's not only that we have a lack of standardisation in the PII masking of phone numbers, but we also do not adjust it based on how long the phone number is.
So, what I know: the tool is kind of like a POC, right? I need support, I need the community to add support for other websites, right? But the true power is really going and obtaining the publicly available information about the phone numbering plan of the country. So I'm still working on this, but this is really what is going to be interesting for the OSINT professionals. I'm scraping all the information. I'm adding it to a database so that you can have advanced filters. So, for example, say you have additional intel. I have all these digits, but I know that the victim has had this phone number for at least the last two years and it's AT&T. So it's going to allow you to do that, because this website gives me not only which area code the exchange belongs to but also what the carrier is and when it was assigned. There is a lot of intel there. I want to provide advanced filtering so that you can do that. Multi-country support: I started to learn about other phone numbering systems, so that's going to be added as well. Detailed info: again, now you get block assignments, the dates, what the OCN is, which carrier owns it. It's very interesting, because I found exchanges that are specifically for satellites and things like that, at least from the carriers that I saw they were assigned to. So this is very interesting, you know, for additional research. And then historical records: they keep updating this stuff, so I'm taking care of that so that we can go back in time and see how phone numbers were in the past and use that again to further filter. So, recommendations, very quick, for online services. My suggestion, I was thinking how to fix that, is just allow customisable labels. Instead of the UI showing "I'm going to send a text to" a number, what you can do is say "my work number" or "my personal number", just a label, and so the user has the choice to actually put the digits if he wants, or something else, right?
And for you: never provide your real phone number. Many services just ask for it during the registration process, but they don't really need it; they just want to correlate you around the net to give you better ads, or more accurate, not better. Use VoIP numbers or dedicated numbers for 2FA, for all those things when it's mandatory, but don't use your real number. With a VoIP number you get rid of location tracking, for example, which is an issue, so always VoIP, and ideally even dedicated for that. And you can also go further and use email aliases for accounts. There is no reason why you have to be in Uber with your personal email, in LastPass, and here and there. Just by using email aliases, when there are password dumps and stuff like that, these automated attacks, that's what they will do: they will go scrape different services and try your passwords, which will be in clear text. If you have different email aliases, then you will be fine.

Responsible disclosure: eBay now is only showing one and the last two. It's not perfect, but at least it's better. PayPal, for whatever reason, decided this is working as designed. Yahoo is still assessing the risks and mitigations. And LastPass acted immediately and is only showing the last two now. I like to end the talk with a "too long; didn't read" that says: attackers can use your email address to obtain phone number digits from online services due to a lack of standardisation in PII masking; combined with publicly available information and an understanding of the country's phone numbering plan, it is possible to recover the entire phone number. Thank you very much, and I take any questions you may have, happily.

I will probably change the phone number, yes, because you are going to get spam and stuff like that. So just use dedicated numbers. What I do, I use VoIP services. I don't even use the number of my SIM card; I only use VoIP. So if that leaks somehow, I don't even know my phone number. If that leaks, I just get another SIM card. I
just need it for the data, no location tracking. Any other questions? All right, so stay tuned for narrator, it's going to take me a couple of weeks. I think there is a question back there. All right. Hi, thank you.
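As an added illustration that is not part of the talk or the speaker's tool, the following Python models the exposure the talk describes from an assessment standpoint: how much of a number the combined per-service masks reveal for a given phone-number length, how the numbering-plan data (assigned exchanges and pooled thousands blocks) narrows the remaining candidates, and how a masked email of the Amazon style is matched against a known address. The per-service masks are the ones stated in the talk; the exchange list, pooled blocks and email addresses are constructed sample data, not NANPA or pooling-administration records.

```python
"""Model of the partial phone-number exposure described in the talk.

Added example, not the speaker's tool. The masks per service are the ones
stated in the talk; the exchange list and pooled blocks are constructed
sample data standing in for NANPA / pooling administration records.
"""
import itertools

# (leading digits revealed, trailing digits revealed) by each reset flow,
# as described in the talk.
REVEAL = {"ebay": (3, 2), "paypal": (1, 4), "lastpass": (0, 4), "yahoo": (1, 2)}


def combined_mask(services, length):
    """Mask of a `length`-digit number after combining services: 'd' known, 'x' unknown."""
    known = [False] * length
    for service in services:
        head, tail = REVEAL[service]
        for i in range(min(head, length)):
            known[i] = True
        for i in range(max(length - tail, 0), length):
            known[i] = True
    return "".join("d" if k else "x" for k in known)


def candidate_space(mask):
    """Number of candidates before any numbering-plan knowledge is applied."""
    return 10 ** mask.count("x")


def nanp_candidates(partial, assigned_exchanges, pooled_blocks):
    """Enumerate NANP numbers consistent with `partial` (10 chars, 'x' = unknown).

    assigned_exchanges: {area_code: {exchange, ...}} from the numbering plan.
    pooled_blocks: {(area_code, exchange): {thousands-block digit, ...}};
    an exchange absent from this dict is not pooled, so any block is possible.
    """
    unknown = [i for i, c in enumerate(partial) if c == "x"]
    found = []
    for fill in itertools.product("0123456789", repeat=len(unknown)):
        digits = list(partial)
        for pos, d in zip(unknown, fill):
            digits[pos] = d
        number = "".join(digits)
        npa, nxx, block = number[:3], number[3:6], number[6]
        if nxx not in assigned_exchanges.get(npa, set()):
            continue  # exchange never assigned in this area code
        if (npa, nxx) in pooled_blocks and block not in pooled_blocks[(npa, nxx)]:
            continue  # pooled exchange, but this thousands block is unassigned
        found.append(number)
    return found


def masked_email_matches(masked, email):
    """True if `masked` (first/last letter kept, one '*' per hidden character,
    full domain shown, as the talk describes for Amazon) could be `email`."""
    m_local, m_domain = masked.rsplit("@", 1)
    e_local, e_domain = email.rsplit("@", 1)
    if m_domain != e_domain or len(m_local) != len(e_local):
        return False
    return all(m == "*" or m == e for m, e in zip(m_local, e_local))


# Constructed sample data: area code 415 with four assigned exchanges,
# two of them pooled with only some thousands blocks assigned.
SAMPLE_EXCHANGES = {"415": {"200", "201", "272", "555"}}
SAMPLE_POOLED = {("415", "272"): {"9"}, ("415", "201"): {"2", "3"}}

if __name__ == "__main__":
    for length in (10, 9, 7):
        mask = combined_mask(["ebay", "lastpass"], length)
        print(length, mask, candidate_space(mask))
    print(nanp_candidates("415xxx9123", SAMPLE_EXCHANGES, SAMPLE_POOLED))
```

Running it shows the talk's point that the same masks leave 1,000 candidates for a 10-digit number but zero unknown digits for a 7-digit one, and that the numbering-plan data prunes the 1,000 candidates to the few exchanges and blocks actually assigned.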