OSINT Tool Tuesday - Zehef

Learn how to use Zehef for OSINT investigations

Apr 16, 2024

∙ Paid

👋 Welcome to OSINT Tool Tuesday. This week we’re looking at Zehef, an email OSINT tool published on GitHub in the last year. It combines several OSINT methods for email addresses into a single workflow for maximum efficiency. We’ll go through setup, use cases, and how to pivot from GHunt into other investigative methods.

🚨 This tool has been added to the OSINT Resources for Email Addresses page on The OSINT Newsletter for easy reference later. That list serves as a roadmap for new tutorials in the future. If there are any tools you’d like to see added to the list and covered, please reach out jake@osint.news with details.

Zehef

Zehef is an email OSINT tool that combines modules from Holehe, breach account lookup using the pwnedpasswords library, Pastebin lookup, and more. It’s useful for automating several steps in the OSINT investigative process and ensures nothing is overlooked.

🎩 H/T: Norze

In this tutorial, we’re going to cover each of the use cases that Zehef applies to:

Email → website registration
Leaked data
Email reputation
Username pivots
Paste sites

This will include pivot points on the data we expect to find from each of these methods.

Let’s get started. ⬇️

Setup

The ReadMe of Zehef’s GitHub project does not include setup instructions. If you’re a beginner to command line tools, this really sucks. You may be discouraged from using this tool on that basis alone. If you’re an intermediate to advanced user of command line tools, you’ll probably just say “clone the repo and install requirements, duh”.

Let’s not assume anything here.

First, let’s get all the necessary files downloaded to our device. Use the following command in your terminal.

git clone https://github.com/N0rz3/Zehef.git

🗒️ If you get an error saying you don’t have git installed or that the git command isn’t valid, use this guide to install git. It includes steps for all operating systems.

Now that you have the project “cloned” to your device, let’s open that directory and begin the installation.

cd Zehef

This will open the directory where all of the installation files for Zehef are. Once you’re in that directory, use the ls command to view the contents. It should look something like this.

jakecreps@Macbook Zehef % ls
LICENSE			lib			requirements.txt
README.md		main.py			wiki
assets			modules			zehef.py
install.bat		output

Now, the developer of Zehef has two options you can use to install the requirements. You can either run the install.bat file, which essentially fires off a shell script to install the requirements, or you can use the following method (preferred).

pip install -r requirements.txt

🗒️ You may have python2 and python3 installed. If so, try pip3 if you’re running into issues rather than pip.

After running this command, you should have all required Python libraries installed on your device.

Usage

Now, let’s explore the options of Zehef using the following command.

python zehef.py -h

🗒️ Most scripts have a built-in ‘help’ menu that can be accessed by using the -h command. Keep this in mind for other GitHub projects you’re interested in using.

If successful, you should get something like this.

jakecreps@Macbook Zehef % python zehef.py -h
usage: zehef.py [-h] [email]

positional arguments:
  email       Search information on target email with api, holehe, and
              others...

options:
  -h, --help  show this help message and exit

As you can see, the help menu of Zehef indicates that it requires an argument of email. This does not mean that you have to specify “email” as an operator; rather, you just need to provide the email address you’re investigating.

python zehef.py <your_email_address>

Some tools have several options for input. Zehef only has one (for now) and that’s an email address. Here’s a partial example of what you can expect using the email address johnsmith@gmail.com.

jakecreps@Macbook Zehef % python3 zehef.py johnsmith@gmail.com

v1.0.0
               __    ________  _____ 
________ ____ |  |__ \_____  \/ ____\
\___   // __ \|  |  \  _(__  <   __\ 
 /    /\  ___/|   Y  \/       \  |   
/_____ \\___  >___|  /______  /__|      (BY 🦊 @N0rz3)
      \/    \/     \/       \/       

      😡 Zehef OSINT Tool 
                    
🐦 Twitter: @norze15
☕ Donations: https://www.buymeacoffee.com/norze

📄 Infos                           

[2024-04-13 11:00:12] No Disposable
[2024-04-13 11:00:12] No Deliverable
[2024-04-13 11:00:12] No Spammer

🔎📂 Leak / Breach

EMAIL Status : [SAFE]

🕶️  Dump Pastebin
               
💻 Possible accounts 

👻 Snapchat :
[+] https://www.snapchat.com/add/JOHNSMITH
[+] https://www.snapchat.com/add/johnsmith
[+] https://www.snapchat.com/add/johnsmith [Already shown]
[-] https://www.snapchat.com/add/j0hnsm1th
[+] https://www.snapchat.com/add/johnsmith [Already shown]
[+] https://www.snapchat.com/add/johnsmith [Already shown]

📱 TikTok :
[+] https://www.tiktok.com/@JOHNSMITH
[+] https://www.tiktok.com/@johnsmith
[+] https://www.tiktok.com/@johnsmith [Already shown]
[+] https://www.tiktok.com/@j0hnsm1th
[+] https://www.tiktok.com/@johnsmith [Already shown]
[+] https://www.tiktok.com/@johnsmith [Already shown]

🗒️ At the time of this writing, there’s an issue with the Holehe module of this project. A solution has been posted here.

To fix this, we can run the following script to update the file. To start, open Python in your terminal.

python

Then, once Python initiates, copy and paste the following code in.

Keep reading with a 7-day free trial

Subscribe to The OSINT Newsletter to keep reading this post and get 7 days of free access to the full post archives.