As a cybersecurity investigator you will regularly run into secure email services such as ProtonMail. ProtOSINT, a Python script for probing ProtonMail accounts and ProtonVPN IP addresses, gives you a starting point: it works from information Proton exposes publicly (the public key directory and the VPN server list) rather than from anything inside an account.

ProtonMail is renowned for its robust security measures, making it a preferred choice for users prioritizing privacy and security. Here are key aspects of its technology:

  • End-to-End Encryption: ProtonMail uses end-to-end encryption between Proton accounts (and with external recipients who have exchanged PGP keys or receive a password-protected message), so emails are encrypted on the sender’s device and stay encrypted until the intended recipient decrypts them.
  • Zero-Access Encryption: Stored messages are encrypted with the user’s public key, so even ProtonMail cannot read them; decryption happens only on the user’s device.
  • Secure Data Centers: Located in Switzerland, ProtonMail’s data centers benefit from strict Swiss privacy laws.
  • Open Source Cryptography: Its cryptographic code is open source and based on OpenPGP, allowing community review and transparency.
  • Two-Factor Authentication (2FA): ProtonMail supports 2FA, adding an extra layer of security to user accounts.
  • Self-Destructing Emails: Users can set emails to automatically delete after a specified time, enhancing message confidentiality.

These features underscore ProtonMail’s commitment to user privacy and security and make it a hard target for cyber investigations: none of the data at rest is readable by anyone but the account holder. What remains observable is the public metadata that any OpenPGP mail system must expose, chiefly the recipient’s public key. Tools like ProtOSINT let investigators collect exactly that, within ethical and legal boundaries.


What is ProtOSINT?

ProtOSINT is an open-source intelligence (OSINT) tool written for ProtonMail and ProtonVPN investigations. It is structured into three sub-modules:

1. Verifying the validity of a ProtonMail account and retrieving additional information.

This option checks whether a specific ProtonMail address exists. When you choose it and input an email address (like [email protected] in the example), the tool reports whether the address is valid, the creation date and time, the key type (X25519 in this case, an elliptic-curve key; the tool’s “Encryption” label describes the public key’s algorithm, not how the mailbox is stored), and offers to download the public key associated with that email. Two caveats worth keeping in mind: the creation timestamp is taken from the account’s PGP key, so it shows when that key was generated (normally at signup, unless the user has since regenerated keys), and the downloaded key is the same public key any external sender fetches in order to encrypt mail to that address, so this lookup involves no access to the account itself.

python protosint.py

   ___           _            _       _   
  / _ \_ __ ___ | |_ ___  ___(_)_ __ | |_ 
 / /_)/ '__/ _ \| __/ _ \/ __| | '_ \| __|
/ ___/| | | (_) | || (_) \__ \ | | | | |_ 
\/    |_|  \___/ \__\___/|___/_|_| |_|\__|
                                                  

Protonmail API is ONLINE
Protonmail VPN is ONLINE

Let's take a look at your target:
1 - Test the validity of one protonmail account
2 - Try to find if your target have a protonmail account
3 - Find if your IP is currently affiliate to ProtonVPN

Choose a program: 1
You want to know if a protonmail email is real ?
Give me your email: [email protected]
Protonmail email is valid
Date and time of the creation: 2017-09-14 18:58:27
Encryption : X25519 (Modern, fastest, secure)
Do you want to download the public key attached to the email ?
Please enter "yes" or "no": yes 
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: ProtonMail

HBjnbyuJUUY7VBhvbh&YvbnbbhH7ugHgyuVgfcJVGymjhubJBYUHfcvtrdcik
SihtnV7BSb3NK2l1bGlhbi5wcm9AcHJvdG9uLm1lIDxpdWxpYW4ucHJvQHBy
J&vytyvghf^^vgyhDFTCVYHFV7uYUh&ghbi&bhugig78&bhbiuh7Ghjbigh&bhhj
oAYpLblHbqpQss0nksHgAl3Nv1jBNk4eYvsA/RbPZt7BkVMUig4mgGKFY3e2
rRu4UWlf7BILlsddmMgIwqgEEBYIAFoFAmNPPgAJENgGwa9ZeOjHFiEECoZS
/l1TOGBXiZ/p2AbBr1l46McsHG9wZW5wZ3AtY2FAcHJvdG9uLm1lIDxvcGVu
cGdwLWNhQHByb3Rvbi5tZT4FgwMDp5IAAMi0AQCkgl2437lbDL3va+XDJXfq
jcNBUHJgubd7JHB7BU7BJjknjhbvcvDcerU&vhjh9ooBnmijoyhnikoui8uibnj9o8
05wWIQSkqpOj+hnkzYPunhVLvdfRTE/TnF8CAQDFSP65+YQ4AzItzAtzzdmE
JYzDG+2BvXXz2CzaImzI9gEAq+ki1tfSWEpOPkUzCKcMTPu9XTkBpawRtgDR
IHCmxAs=
=3KKE
-----END PGP PUBLIC KEY BLOCK-----
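The creation time and the “X25519” label in the output above are fields of the OpenPGP key packets, not separate account metadata. The following added example (my own code, not part of ProtOSINT) parses an ASCII-armored public key block according to RFC 4880 and RFC 6637, reads the creation timestamp and algorithm of the primary key, and reports the curve of the ECDH subkey that actually encrypts mail. The key it parses is constructed inline from dummy points (the page’s creation date is reused as the timestamp); it is not a real Proton key, and the armor validation also rejects a block that is not valid base64, such as a key that was scrambled on its way onto a web page.

```python
"""Read the fields behind ProtOSINT's option-1 output (creation time, key algorithm, curve)
straight from an ASCII-armored OpenPGP public key (RFC 4880 / RFC 6637). Added example."""
import base64
import datetime as dt
import re

# Public-key algorithm ids (RFC 4880 section 9.1, RFC 6637, EdDSA)
ALGORITHMS = {1: "RSA", 16: "ElGamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
# Curve OIDs as they appear inside ECC key packets (DER OID body without tag/length)
CURVES = {
    bytes.fromhex("2b06010401da470f01"): "Ed25519",
    bytes.fromhex("2b060104019755010501"): "X25519",
    bytes.fromhex("2a8648ce3d030107"): "NIST P-256",
    bytes.fromhex("2b81040022"): "NIST P-384",
    bytes.fromhex("2b81040023"): "NIST P-521",
}
PUBLIC_KEY, USER_ID, PUBLIC_SUBKEY = 6, 13, 14   # packet tags


def dearmor(armored: str) -> bytes:
    """Strip the armor lines, 'Key: value' headers and the '=XXXX' CRC24 line, then base64-decode."""
    lines = armored.strip().splitlines()
    try:
        i = next(n for n, line in enumerate(lines) if line.startswith("-----BEGIN PGP"))
    except StopIteration:
        raise ValueError("no PGP armor header") from None
    i += 1
    while i < len(lines) and ":" in lines[i]:        # armor headers such as "Version: ProtonMail"
        i += 1
    body = []
    for line in lines[i:]:
        line = line.strip()
        if not line:
            continue
        if line.startswith("-----END") or line.startswith("="):   # end marker or CRC24 line
            break
        body.append(line)
    data = "".join(body)
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", data):
        raise ValueError("armor body is not valid base64 (truncated or scrambled key)")
    return base64.b64decode(data)


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        pos += 1
        if not ctb & 0x80:
            raise ValueError("invalid packet header")
        if ctb & 0x40:                                # new format
            tag, first = ctb & 0x3F, data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = int.from_bytes(data[pos:pos + 4], "big")
                pos += 4
            else:
                raise ValueError("partial-body lengths not supported")
        else:                                         # old format
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            length = int.from_bytes(data[pos:pos + (1 << ltype)], "big")
            pos += 1 << ltype
        yield tag, data[pos:pos + length]
        pos += length


def parse_key_packet(body: bytes) -> dict:
    """Decode a v4 public-key / public-subkey packet body."""
    if body[0] != 4:
        raise ValueError(f"unsupported key packet version {body[0]}")
    algo = body[5]
    info = {"created": dt.datetime.fromtimestamp(int.from_bytes(body[1:5], "big"), dt.timezone.utc),
            "algorithm": ALGORITHMS.get(algo, f"unknown({algo})"), "curve": None, "bits": None}
    if algo in (18, 19, 22):                          # ECC keys carry the curve OID first
        info["curve"] = CURVES.get(body[7:7 + body[6]], "unknown curve")
    elif algo == 1:                                   # RSA: bit length of the modulus MPI
        info["bits"] = int.from_bytes(body[6:8], "big")
    return info


def describe_key(armored: str) -> dict:
    """Primary key, user IDs and subkeys: what ProtOSINT summarises as 'creation' and 'Encryption'."""
    primary, uids, subkeys = None, [], []
    for tag, body in iter_packets(dearmor(armored)):
        if tag == PUBLIC_KEY:
            primary = parse_key_packet(body)
        elif tag == PUBLIC_SUBKEY:
            subkeys.append(parse_key_packet(body))
        elif tag == USER_ID:
            uids.append(body.decode("utf-8", "replace"))
    if primary is None:
        raise ValueError("no public-key packet found")
    return {"primary": primary, "user_ids": uids, "subkeys": subkeys}


def encryption_curve(info: dict) -> str:
    """Curve of the key that encrypts mail: the ECDH subkey if present, otherwise the primary key."""
    for sub in info["subkeys"]:
        if sub["algorithm"] == "ECDH":
            return sub["curve"]
    p = info["primary"]
    return p["curve"] or f'{p["algorithm"]}-{p["bits"]}'


def _packet(tag: int, body: bytes) -> bytes:
    """New-format packet header with a one-octet body length (body < 192 bytes)."""
    return bytes([0xC0 | tag, len(body)]) + body


def _ecc_key_body(algo: int, oid: bytes, created: dt.datetime, point: bytes) -> bytes:
    mpi = int.from_bytes(point, "big").bit_length().to_bytes(2, "big") + point
    body = bytes([4]) + int(created.timestamp()).to_bytes(4, "big") + bytes([algo, len(oid)]) + oid + mpi
    if algo == 18:                                    # ECDH KDF params: length, reserved, SHA-256, AES-128
        body += bytes([3, 1, 8, 7])
    return body


def constructed_sample_key() -> str:
    """Ed25519 primary + X25519 ECDH subkey with placeholder points. Constructed for this example,
    not a real Proton key; the page's creation date is reused as the key timestamp."""
    created = dt.datetime(2017, 9, 14, 18, 58, 27, tzinfo=dt.timezone.utc)
    ed_oid = next(k for k, v in CURVES.items() if v == "Ed25519")
    x_oid = next(k for k, v in CURVES.items() if v == "X25519")
    dummy_point = b"\x40" + bytes(range(1, 33))       # 0x40 prefix + 32 placeholder bytes
    packets = (_packet(PUBLIC_KEY, _ecc_key_body(22, ed_oid, created, dummy_point))
               + _packet(USER_ID, b"constructed example <user@example.com>")
               + _packet(PUBLIC_SUBKEY, _ecc_key_body(18, x_oid, created, dummy_point)))
    b64 = base64.b64encode(packets).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed example\n\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n-----END PGP PUBLIC KEY BLOCK-----\n")


if __name__ == "__main__":
    info = describe_key(constructed_sample_key())
    print("Date and time of the creation:", info["primary"]["created"].strftime("%Y-%m-%d %H:%M:%S"))
    print("Primary key:", info["primary"]["algorithm"], info["primary"]["curve"])
    print("Encryption:", encryption_curve(info))
```

Pass a key you downloaded with option 1 to describe_key() and compare its primary-key timestamp with the date the tool printed; if the two differ, the tool is reading something other than the key packet. Signature packets (tag 2) in a real key are skipped by the loop, which is deliberate: nothing here verifies the self-signatures, so treat the user ID strings as claims, not facts.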

2. Generating potential ProtonMail addresses of a target by combining different information fields.

When you select option 2, the tool prompts you to enter various pieces of information about your target, such as:

  1. First Name: giusep
  2. Last Name: mriondicol
  3. Year of Birth: 1977
  4. Pseudonyms: giusep322 and mrion221
  5. Zip Code: (left blank in this example)

After entering these details, ProtOSINT generates and tries different combinations of this information to create potential ProtonMail addresses for the target. The tool indicates that it is testing multiple combinations (48 in this case) based on the provided information. This feature is particularly useful in OSINT investigations where only partial information about a subject is available, and an investigator needs to identify possible email addresses the subject might be using.

To keep in mind

ProtOSINT is a Python script that talks to ProtonMail’s API. If option 2 (“Try to find if your target has a ProtonMail account”) returns or prints no list of emails, there can be several reasons. The relevant parts of the script, for diagnosing the problem:

  1. Generating Email Combinations: The function checkGeneratedProtonAccounts() generates a list of potential ProtonMail addresses based on user input (like first name, last name, year of birth, etc.). This list is then deduplicated and irrelevant combinations are removed.
  2. API Requests: For each generated email address, the script makes an API request to ProtonMail’s lookup service to check if the address exists.
  3. Printing Results: The script should print the status of each email address (valid or not valid) based on the API’s response.

Potential Issues:

  • API Limitations: Frequent or bulk requests can trigger rate limiting or other protective measures on the ProtonMail API, so queries fail without a usable answer. Option 2 sends one lookup per generated address, which is exactly the pattern that trips such limits.
  • Network Issues: If the script cannot reach the ProtonMail API, it returns nothing. If you query from the same IP too many times, that IP may also be blocked by the Proton API.
  • Input Data: If the input data (names, pseudonyms, year of birth, etc.) does not produce the address the target actually uses, the script only returns negative results.
  • Error Handling: The script lacks comprehensive error handling, especially around the API requests. If a request fails, the error may be neither handled nor reported, so the run looks as if it simply found nothing.

To troubleshoot:

  • Check your network connection and ensure you can reach the ProtonMail API endpoints.
  • Test the script with an address you know to be valid and one you know to be invalid, to see whether it classifies both correctly.
  • Add error handling around the API requests so that failures are caught and logged rather than silently dropped.
  • Make sure the input data is likely to generate the address combinations the target would use.
  • Space out the queries and keep the batch small, since rate limits or API restrictions affect bulk queries.

python protosint.py

   ___           _            _       _   
  / _ \_ __ ___ | |_ ___  ___(_)_ __ | |_ 
 / /_)/ '__/ _ \| __/ _ \/ __| | '_ \| __|
/ ___/| | | (_) | || (_) \__ \ | | | | |_ 
\/    |_|  \___/ \__\___/|___/_|_| |_|\__|
                                                  

Protonmail API is ONLINE
Protonmail VPN is ONLINE

Let's take a look at your target:
1 - Test the validity of one protonmail account
2 - Try to find if your target have a protonmail account
3 - Find if your IP is currently affiliate to ProtonVPN

Choose a program: 2
Let's go, try to find your protonmail target:
First name: giusep
Last name: mriondicol
Year of birth: 1977
Pseudo 1: giusep322
Pseudo 2: mrion221
zipCode: 
===============================
I'm trying some combinaison: 48
===============================
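Option 2 is a candidate generator followed by a lookup loop, and the troubleshooting notes above come down to how that loop behaves under throttling and network errors. The following added example (my own code, not ProtOSINT’s, and the name patterns are my own rather than the tool’s 48) builds deduplicated local parts from the same fields the tool asks for, then checks them through an injected lookup callable with exponential backoff on a throttling response, a pause between requests, and every failure recorded instead of dropped. The backend in demo() is a constructed in-memory fake so the code runs offline; the list of Proton domains and the assumed shape of a valid local part are assumptions, not taken from the page.

```python
"""Candidate generation and a rate-limit-aware lookup loop for option-2 style searches. Added example."""
import re
import time
from typing import Callable, Iterable

LOCAL_PART = re.compile(r"[a-z0-9][a-z0-9._-]{0,63}")        # assumed shape of a valid local part
DOMAINS = ("proton.me", "protonmail.com")                     # assumed Proton mail domains


class RateLimited(Exception):
    """Raised by a lookup backend when the API answers with a throttling response (HTTP 429)."""


def candidates(first: str, last: str, year="", pseudos: Iterable[str] = (), zipcode="") -> list:
    """Deduplicated local parts built from the fields the tool prompts for (patterns are my own)."""
    first, last = first.strip().lower(), last.strip().lower()
    year, zipcode = str(year).strip(), str(zipcode).strip()
    suffixes = [s for s in (year, year[-2:] if len(year) == 4 else "", zipcode) if s]
    bases = set()
    if first and last:
        for sep in ("", ".", "_", "-"):
            bases.update({f"{first}{sep}{last}", f"{last}{sep}{first}",
                          f"{first[0]}{sep}{last}", f"{first}{sep}{last[0]}"})
    bases.update(p.strip().lower() for p in pseudos if p and p.strip())
    out = set(bases)
    for base in bases:
        for suffix in suffixes:
            out.update({base + suffix, f"{base}_{suffix}", f"{base}.{suffix}"})
    return sorted(c for c in out if LOCAL_PART.fullmatch(c))   # drops spaces and other junk


def check_candidates(local_parts: Iterable[str], lookup: Callable[[str], bool],
                     domains=DOMAINS, delay: float = 1.0, max_retries: int = 3,
                     sleep=time.sleep) -> dict:
    """Query each address once, retrying only on throttling; nothing is silently dropped."""
    results = {"valid": [], "invalid": [], "errors": {}}
    for local in local_parts:
        for domain in domains:
            address = f"{local}@{domain}"
            for attempt in range(max_retries + 1):
                try:
                    exists = lookup(address)
                except RateLimited:
                    if attempt == max_retries:
                        results["errors"][address] = "rate limited after retries"
                        break
                    sleep(delay * 2 ** attempt)                # exponential backoff, then retry
                    continue
                except Exception as exc:                       # network failure, bad response, ...
                    results["errors"][address] = f"{type(exc).__name__}: {exc}"
                    break
                (results["valid"] if exists else results["invalid"]).append(address)
                break
            sleep(delay)                                       # pace requests to stay under limits
    return results


def demo() -> dict:
    """Run the loop against a constructed fake backend; no request leaves the machine."""
    known = {"giusep.mriondicol@proton.me", "giusep322@protonmail.com"}   # constructed 'existing' set
    calls = {}

    def fake_lookup(address: str) -> bool:
        calls[address] = calls.get(address, 0) + 1
        if address == "giusep322@protonmail.com" and calls[address] == 1:
            raise RateLimited()                                # throttled once, succeeds on retry
        if address.startswith("mrion221@"):
            raise ConnectionError("simulated network failure")
        return address in known

    locals_ = candidates("Giusep", "Mriondicol", 1977, ["giusep322", "mrion221"])
    return check_candidates(locals_, fake_lookup, sleep=lambda _seconds: None)


if __name__ == "__main__":
    r = demo()
    print("valid:", r["valid"])
    print("errors:", r["errors"])
```

To use it against the real service, write a lookup callable that issues the tool’s request and raises RateLimited on a 429, then call check_candidates() with the default time.sleep; every address ends up in exactly one of valid, invalid or errors, so an empty run can no longer be mistaken for “no account found”.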

3. Checking if a specific IP is currently linked to ProtonVPN

The output shows the third option of the ProtOSINT tool, which checks whether a specific IP address is currently affiliated with ProtonVPN. When you select this option and input the IP address 111.111.111.111 (a fictitious address), the tool processes the query and confirms that the IP is associated with ProtonVPN. Two points for the investigator: the answer is a point-in-time result, since a VPN provider’s address pool changes and the tool only tells you what is true at query time, and a match identifies the exit point of the traffic, not the person behind it. Note also that in this run the mail API status line reads OFFLINE while the VPN check still completes; option 3 does not depend on the mail lookup endpoint.

 python protosint.py

   ___           _            _       _   
  / _ \_ __ ___ | |_ ___  ___(_)_ __ | |_ 
 / /_)/ '__/ _ \| __/ _ \/ __| | '_ \| __|
/ ___/| | | (_) | || (_) \__ \ | | | | |_ 
\/    |_|  \___/ \__\___/|___/_|_| |_|\__|
                                                  

Protonmail API is OFFLINE
Protonmail VPN is ONLINE

Let's take a look at your target:
1 - Test the validity of one protonmail account
2 - Try to find if your target have a protonmail account
3 - Find if your IP is currently affiliate to ProtonVPN

Choose a program: 3
Enter IP address: 111.111.111.111
This IP is currently affiliate to ProtonVPN

ProtOSINT is one more tool in the OSINT kit for cybersecurity investigations, in an era where secure communication platforms like ProtonMail pose real challenges to digital forensics. Its ability to query ProtonMail accounts and ProtonVPN IP addresses from publicly exposed data, while staying within ethical and legal boundaries, gives investigators a measured way to gather intelligence. As threats evolve, tools like ProtOSINT come in handy for navigating and analysing the secure digital landscape.
