Recon Village - From Email Address to Phone Number
Formal metadata
Title | Recon Village - From Email Address to Phone Number
Number of parts | 335
License | CC Attribution 3.0 Unported: You may use, modify and reproduce, distribute and make publicly available the work or its content, in unmodified or modified form, for any lawful purpose, provided you credit the author/rights holder in the manner specified by them.
Identifiers | 10.5446/48771 (DOI)
Transcript: English (auto-generated)
00:00
Okay, if everyone's ready, we'll get started with the next talk. The next talk is for Martin, and it is from email address to phone number. I've introduced a lot of talkers so far over the past two days, and each time I get given a wonderful little bio that I then basically get given one line. For this, for Martin, I got given a whole paragraph. And I'm not going to read the whole paragraph, I will read the final line of the paragraph.
00:21
And it says, outside of the office, Martin enjoys research, bug bounties, gin and tonics, and scuba diving. On that note, I'm going to hand it over for his presentation. Gin and tonic, gin and tonic for the win. All right. Thanks for coming to this talk. It's going to be awesome to be later. And basically, what we are trying to see is new ways for you to go from an email address
00:43
that you may have of your target, how maybe you could get the victim's phone number. So, my name is Martin Vigo. No introductions needed. I do now red teaming from Galicia, Spain. That's important that I mentioned that. And the gin and tonic thing was already said.
01:01
So, since the talk is about going from an email address to a phone number, I kind of wanted to put these slides up. And this is my view of it. So, kind of like a spectrum of how I feel in terms of privacy when some of my PII leaks, right? And my email address is something that I hand out, so I'm not concerned.
01:21
Obviously, my social security number will be the worst thing for me. And I kind of like put the phone number in between, right? The phone number, I give it to a lot of people, even to people that I don't know, that I just met. But it's not something that I'm comfortable making public online or anything like that. And I will assume that many of you kind of relate to this.
01:43
This is from privacy standpoint, but from security, it's also important, right? What's the difference between your email leaking, your email address, and your phone number? We saw that in terms of privacy, that's important. In terms of security, if an attacker has your email address, right, what can they do?
02:00
And, you know, like they can spam you or try to phish you so that you click on a link or anything like that. They could potentially target actually people you know by spoofing the email address, right? So, pretending to be you so that they get to click on something. And probably the worst part will be going to sites like Have I Been Pwned or any of those sites
02:23
that give you like, oh, this person, you know, the data leaked on LinkedIn in 2012. And then you can go somewhere to get actually those credentials in the deep web or whatever. If the phone number leaks in terms of security, we have kind of the same thing, right? People can spam you. It's actually more annoying because it's more invasive to receive a phone call.
02:43
There could be also phishing, someone pretending to be someone else. Spoofing as well, right? It's online. You can find services even free that you can spoof a caller ID and pretend being someone else. Again, maybe targeting someone you know. And then we get into the more interesting stuff. You may or may not be related with HLR registers, but that's basically a global database.
03:03
That's kind of how the phone system works, just very simplified. But you are able to query some information about the phone number. And that can include if the phone number is roaming or not. Someone may know if you are in a different country and maybe target your house, for example. And this is usually free or very, very cheap for 10 cents, Twilio, you go to slash lookup.
03:24
And you can do that just with the phone number. And then like, for example, I gave last year a talk on voicemail hacking. So if someone, what you need is the phone number, right? So, and the impact is very, very big because they could compromise all your accounts. We have things like fake cell towers, SS7 attacks, SIM swapping is big.
03:43
We hear over and over again about people getting their Bitcoin wallets drained because someone did a SIM swapping attack. Again, for that you need the phone number. So there is a big difference between leaking your email and leaking your telephone number in terms of security. But for who would that be useful, right?
04:01
For whom would it be useful to know a technique in which you can go from an email address to a phone number. On the good spectrum, again, we have private investigators that may be working a case, going after someone that is malicious and they want to find more information, think about it. A phone number gives you, for example, location data, right? There was an excellent talk a couple hours ago from Joseph Cox kind of talking about that.
04:25
OSINT professionals, probably like many of you guys. It's important, but also for red teamers. Imagine that you actually get credentials from someone, right, that you are trying to target and they have 2FA. So now if you have a way from that email address to get the phone number, that will
04:40
be really useful because you can try to phish the people or do some more advanced attacks. But unfortunately, we also have the bad side. If there is ways that someone from an email address can get your phone number, that could be useful for stalkers or from people trying to dox you, right? Or even for spammers. We've probably got calls from recording, talking in Chinese, talking about some taxes.
05:00
It's very popular in the US. Okay. So what are the classic methodologies that we know to get from an email address to a phone number? Like you can do Google dorks. Maybe someone has in a forum posted their phone number and their username is actually the email. Public records. You can go to court and stuff like that. There's more advanced source and stuff.
05:21
Classic. People search engines. You go to Spokeo. Two people find there. Put an email address. You are likely to get a phone number. Social engineering, you know, you can target someone, data leaks, yada, yada, yada. So the purpose of this talk is just to add new tricks to your bag of tricks. And a new awesome tool that you can use for your investigations.
05:41
I hope all of you are on the good side of the spectrum. So I talked about before the voicemail hacking, right? So I did two talks. I did that one and another one related to SMS and stuff like that. So I spent many, many hours resetting passwords last year during my investigations. And I started to notice a pattern, right?
06:01
Because I was resetting passwords in many accounts. And the case was that when you reset a password, right, you can get a text and it will tell you, I'm going to send you an SMS to blah, blah, blah, blah, blah. So it's basically PII masking. The problem is, which is what I realized, is that not everyone is masking the same thing. There is a lack of standardization in the way we do PII masking.
06:22
eBay was actually the worst word I could see. It's showing to anyone that has your email address and initiates the password reset with that, the first three digits of your area code, this is for American numbers, and the last two. PayPal is the first one and the last four. LastPass is the last four. Yahoo is the first one and the last two.
06:40
And the most common thing I've seen is the last two. I want to stress again the lack of standardization in PII. This is both cases PayPal. PayPal, if I go to reset your password with just the email, that's all I know, I will get five digits. If I have your password and I get challenged with 2FA, I only get three.
07:02
So the same service thinks that it needs to mask more information from someone that has also your password than from someone that has only your email. This is obviously different developers working on it, that's my guess. But this, again, is the proof that we have no standardization. So the power comes from the combination.
07:22
I can perfectly go around to the top websites and start to reset your password just with your email. Who has eBay and PayPal? You guys don't want to admit it, right? Okay. So, bunch of players, I like it. So who has eBay and LastPass?
07:40
All right. Thank you. Here's my friend, actually. Yahoo and LastPass, right? I'm pretty sure many of you at least can think of someone close to them that may have at least eBay and PayPal, which I will claim is like the most common services. With that, with those two services, I have seven out of your 10 digits. Seven out of your 10 digits.
08:02
All right. So when I got here, you know, I was thinking like, okay, I have 1,000 numbers left. 1,000 numbers that are possible for you, right? From 10 billion is quite significant. But, you know, I thought it was cool, it was nice, but I didn't know how to go forward. And I appreciate a co-worker, like I showed him this, and he told me, oh, you're actually
08:23
missing the exchange. I'm from Spain, so I'm not very familiar with American numbers, right? And then I said, oh, okay, so the exchange is those three numbers? I knew about the area code, right? So that threw me into a rabbit hole that was fascinating, and I learned so much from the telephone system, and that's what we're going to talk about now.
08:42
So the thing is, now we are focusing not on how many numbers we don't know, but which ones we don't know, and that's the exchange. Enter the – that's good, and that's what we are going to get at.
09:02
Exactly. There are actually more. Good point. And we are going to get into – exactly. And actually 211, 311, we're going to get into that. So enter the North American Numbering Plan Administration. So this is actually an organization that is mostly in charge of assigning phone numbers,
09:20
right? That's what they are taking care of. And they have a website with publicly available information with basically, apart from many other very interesting things, which is what allowed me to learn all these things, it has the list of area codes, and its assigned exchanges. That means that not all area codes have all the exchanges, right?
09:44
For example, as the gentleman said, like the first 200 numbers are not assigned to the area code. So we get there, for example, 800 numbers only possible from the 1,000 that we had because we were missing three digits. Take Tacoma, Tacoma 253 area code – I was looking for one that is very significant
10:04
– only has 458 exchanges. So we just went down from 1,000 numbers to 558 possible just with your email address and with publicly available information. So 458 numbers is very good.
10:22
I will even claim that you can, with some automation, maybe using Twilio APIs, do phone calls and try to figure out actually which one it is. But I wanted to go deeper into that rabbit hole. I learned a lot and go and find ways to actually reduce that list even more because that's ultimately what we are trying to do.
10:40
Enter the National Pooling Administration. I also had no idea about this. So hear me out. So the way it works is area codes and exchanges are assigned historically to a location and specifically to a carrier, right? So take 415 200 is for AT&T.
11:01
415 201, I mean the numbers that start by those digits, is for Verizon, right? And the 415 200 and 201 is an exchange for Sausalito. So Sausalito has only 7,000 people living there, residents. So if you think about it, we have four or five major carriers.
11:20
We are assigning 50,000 possible numbers to an area that only has 7,000 residents, right? Because 401 200, 401 201 for the different carriers, those are blocks of 10,000 digits. It's the last four digits. So it's a huge waste of phone numbers. So I learned that the FCC came out with a document and suggested that the first digit
11:43
of the subscriber number will represent the block. So instead of assigning blocks of 10,000 digits, we will be assigned blocks of 1,000 digits. So now it will be 415 200 0 for AT&T, 415 201 for Verizon.
12:03
So we are assigning blocks of 1,000 numbers so we don't waste that many. Again, the website has publicly available information, a database in which you can go check if an area code procedure exchange is a pooled area code and exchange, which is kind of the lingo.
12:20
And if so, what are the blocks that are actually assigned today? So there are blocks that are not. So you can discard all those blocks of 1,000 numbers. Because as we can see in this slide, this is from the nationalpooling.com. If you look at the bottom, which is something, we see that the 415 272, which is an area
12:42
code for Sausalito, the only possible number could be the next one. Because it's the only block that is assigned to that area code and exchange. We can already discard all the others. This is great. This is publicly available information. So take now someone from Tacoma, right, with an email in a PayPal account.
13:03
So I got from eBay the area code, 253. I got from PayPal the subscriber number, which is 9123. Now from NANPA, the website, I get that there are only 458 exchange numbers for the 253 area code.
13:21
And from the pooling administration, I get that the block number 9 is only on 444 exchange numbers. So I discarded even 13 exchange numbers that don't have the 9 block available. Awesome. So we got from 10 million numbers to 444 by using an email address and publicly available
13:45
information. This is cool, again, but I wanted to find a way in which I could go to actually this is the number of the person. This is what I have without having to make any phone calls for free and that it only requires me the email address.
14:01
So I went over what I did. You know, I went back to the drawing board and I thought about, okay, the way I'm doing it is I'm taking the email, initiating password resets, and I'm getting digits from the phone number. Are there services that I can go reset a password with a phone number and get letters back from an email? Yes, there is. So and that is exactly what we are doing.
14:23
Amazon shows you when you go reset with a phone number, the first letter and the last letter of the username plus the entire domain. Twitter, but the best thing is that the stars that you see that are masking those letters match the number of characters that were masked.
14:41
So it's giving me also the length of the username. Twitter shows you the last the first two and the first letter of the domain. And there are many more. So this is exactly what we are doing. We have a list of 445 possible numbers that we reduce with an email address. All we got to do now is go and with that list iterate over it and start to reset
15:03
passwords, look at the masked email correlated to the one that we have originally and we will find the phone number. So the attack vector looks like this. First you go harvest with an email address, different digits on different websites. Then you use publicly available information and your knowledge of the phone numbering
15:21
plan system. And then with the list that you hopefully reduced quite significantly, you use those other services to initiate password resets with the list of phone numbers and correlate the masked characters that you get back from the email. Automation. So this is where the thing, right? I just told you no one is going to do that manually, right?
15:42
So I created a Python script that is your new awesome tool to go through this. And it basically automates the entire process. So it will go to those top websites and with an email address, it will scrape those digits. Then it will allow you to generate by providing a mask.
16:02
Say we found that it's 415, we're missing the next three and we have the subscriber number. You just put that there. It will go fetch the information. It will use all the intelligence that I just told you and give you a list back of the possible phone numbers. And then it will also allow you to go again back to those services, reset the password with those email lists and think about it.
16:22
You cannot be blocked because we are only trying to reset a password once per phone number, right? It's not that we are hammering a brute force and then they are going to lock the account. So actually it supports proxies to bypass CAPTCHAs and things of that nature, right? And it's publicly available now in my GitHub repo.
16:41
Let's look at a demo. All right. So we are going to do a victimusa.martinvigo.com. It's a phone number from the US, right? I hope you can see it. That's why I was saying sit close. So we're going to use the scrape option. And all we're going to provide is an email address. And in this case for the demo, again, this is so you guys also contribute to the tool.
17:03
It's just going to go to eBay and LastPass because one gives me the first three and the other gives me the last four. And the way it works is it kind of writes a report for you with everything that it could find about it, right? Not just the digits. Sometimes I can tell, for example, from LastPass if the phone number is from a different country because in the UI of LastPass, it adds the plus if it's not a non-US number.
17:24
So we just learned 415 are the first three, 8816 are the last four from eBay and LastPass. Next option I'm going to use with the tool is generate. And I'm going to give it a mask, right, with the option M. And substitute the digits that I don't know with simple X.
17:42
And so we will use that to go and try to reduce the list. Right now, we will have 1,000 possible numbers. Just as I explained before, it's going downloading and it gives you a list that you obviously can put in a file as well of possible phone numbers. Okay. We just reduced it now to 800. For demo purposes, it's only going to try to go over 10.
18:02
So I'm going to pretend that I actually only missing one character. So it's just faster, right? But we could perfectly do this because we have the proxy support and all that stuff. So I'm going to use now the brute force option. And it's going to use, I think in this case, Amazon to initiate the password reset on those possible phone numbers that we have left.
18:21
So I give it the email because I need to give it so you can correlate it, right? I give it the mask with the digits that I'm missing. Again, in this case, I'm pretending just that I'm missing. I need to find out over just 10 possible phone numbers so that X is just there. And I'm going to just make it verbose so that we can also see the accounts that don't exist. So now it's going to Amazon.
18:42
It's going over the 10 possible phone numbers, resetting the password and boom. It found that there was an email associated to the phone number that started with a V, that the username ended with an M, that the length matched, that it was MartinVigo.com, and it's obviously possibly the phone number.
19:04
So we're not done yet. We're not done yet. We're not done yet. And what about other countries? It gets even worse. It gets even worse. This is where it gets a little nuts. So remember eBay and LastPass, so we are masking PII, right? We are masking phone numbers. The U.S. is a very big country,
19:21
and it has digits, phone numbers that are 10 digits long. But then I thought in Spain they are nine digits long. You know what? There are countries that are only seven digits long. Is there anyone, I know you're not going to admit it, but is there anyone here from Estonia, San Salvador, Iceland, Finland? All right, because the next question was, do you have an eBay and LastPass account?
19:41
Because if that's the case, your phone number is public because it's seven digits long, those phone numbers. I go to eBay, I get the first three. I go to LastPass, I get the last four. I don't need to brute force anything. So we are pretty good in the U.S. with 10 digits. This is a list of the countries by phone number length.
20:03
So there are many more. Think if they are eight digits long, you only have 100 possible phone numbers, right? And so on. So it gets really, really bad because now it's not only that we don't have a lack of standardization in the PII masking phone numbers, but we also do not adjust it based on how long the phone number is.
20:25
So what I wrote, the tool is kind of like a POC, right? I need the community to add support for other websites, right? So but the true power is really going and obtaining the public available information about the phone numbering plan of the country.
20:40
So I'm still working on this, but this is really what is going to be interesting for the OSINT professionals. I'm scraping all the information, I'm adding it to a database so that you can have advanced filters. So for example, say you have additional intel. I know I have all these digits, but I know that this phone number, the victim had it for the last two years at least, and it's AT&T.
21:01
So it's going to allow you to do that because this website, it gives me not only which area code the exchange belongs to, but what is the carrier, when it was assigned. There is a lot of intel there. So I want to provide advanced filtering so that you can do that. Multicountry support. I started to learn from other phone numbering systems, so that's going to be added as well.
21:20
Detailed info. Again, now you get block assignments, the dates, what is the OCN, what is the carrier that owns it. It's very interesting because I found exchanges that are specifically for satellites and things like that, at least from the carriers that I saw that I was assigned. So this is very interesting because you can find stuff for additional research.
21:41
And then historical records, they keep it updating this stuff. So I'm taking care of that so that we can go back in time and see phone numbers, how it was in the past, and use that again to further filter. So recommendations, very quick, for online services. My suggestion is, I was thinking how to fix that. Just allow customizable labels, right?
22:00
Instead of showing in the UI, I'm going to send the text to 89, what you can do is just let it say my work number or my personal number, just a label. And so the user has the choice to actually put the digits that he wants or something else, right? And for you, never provide your real phone number.
22:21
Many services just ask for it during the registration process, but they don't really need it. They just want to correlate you around the net just to give you better ads or more accurate, not better. Usually require, yeah, use VoIP numbers or dedicated numbers for 2FA, for all those things when it's mandatory, but don't use your real number. A VoIP number, you get rid of location tracking, for example, which is an issue.
22:44
So always VoIP and ideally even dedicated for that. And you can also further do and use email aliases for accounts. There is no reason why you have to be in Uber with your personal email and in LastPass and here and there. Just by using email aliases, when there is password dumps and stuff like that,
23:01
these automated attacks, I have one minute left, that's what they will do. They will go scrape in different services and try your passwords that they can clear text. If you have different email addresses, they will find responsible disclosure. eBay, now it's only showing one and the last two is not perfect, but at least it's better. PayPal, for whatever reason, they decided this is working as designed.
23:23
Yahoo is still assessing and the risks and mitigations in LastPass are acted immediately and it's only showing the last two now. I'd like to end the talk with a too long didn't read that says attackers can use your email address to obtain phone number digits from online services due to a lack of standardization in PII masking.
23:41
Combined with publicly available information and an understanding of the country's phone numbering plan, it is possible to recover the entire phone number. Thank you very much. And I take any questions you may have, happily.
24:02
Yep, I will probably change the phone number, yeah. Yes, yeah, because you are gonna get spam and stuff like that, so just use dedicated numbers. What I do, I use VoIP services.
24:21
I don't even use the number of my SIM card. I only use VoIP. So if that leaks somehow, I don't even know my phone number. If that leaks, you know, I just get another SIM card. I just need it for the data. No location tracking. Any other questions?
24:40
All right, so stay tuned for narrator. It's gonna take me a couple of weeks. I think there is a question back there. Oh, all right, hi. Thank you.