Emails
Email Recon
Collecting Emails – Passive
Discovering and collecting valid emails for a target domain is an important step in penetration testing. Emails are used in activities like testing for valid usernames on the external perimeter. Also, they can be used to perform password attacks like credential stuffing or password guessing. There are several online services such as phonebook.cz. I have listed several other good services here: DNS Tools & Links
An excellent CLI tool for gathering emails is CrossLinked which is a LinkedIn enumeration tool that uses search engine scraping to collect valid employee names from an organization. It can be found here: https://github.com/m8sec/CrossLinked
python3 crosslinked.py -f '{first}.{last}@domain.com' 'company name' #Searches and outputs emails in the format [email protected]
python3 crosslinked.py -f '{f}.{last}@domain.com' 'company name' #Searches and outputs emails in the format [email protected]
python3 crosslinked.py -f '{f}{last}@domain.com' 'company name' #Searches and outputs emails in the format [email protected]
python3 crosslinked.py -f '{first}.{l}@domain.com' 'company name' #Searches and outputs emails in the format [email protected]
python3 crosslinked.py -f '{first}{l}@domain.com' 'company name' #Searches and outputs emails in the format [email protected]
python3 crosslinked.py -f 'domain\{f}{last}' 'company name' #Searches and outputs emails in the format domain\jdoe
theHarvester is a simple-to-use, yet powerful tool designed to be used during the reconnaissance stage of a red team assessment or penetration test. It can be used to gather email addresses and is found here: https://github.com/laramies/theHarvester
theHarvester -d hacker.com -b all -l 50 #Will perfom OSINT on the specified domain for all available sources (Some sources require API keys)
The EmailHarvester is an excellent tool for retrieving domain email addresses from various search engines. You can find it here: https://github.com/maldevel/EmailHarvester
python3 ./EmailHarvester.py -d hacker.com -e all #All out search using all available search engines. python3 ./EmailHarvester.py -d hacker.com -e google #Specify a specific search engine python3 ./EmailHarvester.py -d hacker.com -e all -r twitter,ask #Use all search engines but exclude some python3 ./EmailHarvester.py -d hacker.com -e all -s emails.txt #Save the discovered emails to a text file
For cases where you have a nickname, and want to search for potential email accounts for the associated nickname, mailcat is an excellent tool. It can be downloaded here: https://github.com/sharsil/mailcat
./mailcat nickname #Find existing email addresses by nickname ./mailcat --tor nickname #Find existing email addresses by nickname by running the script through TOR ./mailcat --proxy http://127.0.0.1:8080 #Find existing email addresses by nickname by running the script through a proxy
Collecting Emails – Active
Active email reconnaissance involves directly engaging with the target system or web application to obtain valid emails. The most effective method in my experience is to scrape the target website for emails. Several tools can be used.
The tool I use most is gospider which can be obtained here: https://github.com/jaeles-project/gospider. GoSpider is a fast web spider written in Go and can be used as demonstrated below to scrape a target web application and extract email addresses.
for url in "https://www.tesla.com"; do gospider -s "$url" -d 4 --js --sitemap --robots --other-source -c 10 -t 10 | grep -o -E '\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b'; done #Spiders a target web application and extracts email addresses.
for url in $(cat domains.txt); do gospider -s "$url" -d 4 --js --sitemap --robots --other-source -c 10 -t 10 | grep -o -E '\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b'; done #Spiders a list of target web applications and extracts email addresses.
Another excellent tool is Katana from ProjectDiscovery which can be found here: https://github.com/projectdiscovery/katana. To extract emails from a target domain using Katana use the commands below.
katana -u 'https://www.tesla.com' -silent -js-crawl -known-files all -f email #Spider a web application and extract emails katana -list targets.txt -silent -js-crawl -known-files all -f email #Spider a list of web applications and extract emails
A good method for harvesting target emails is downloading PDF, XLS and DOCX files from the web for the target domain. These files can be examined for emails. A good tool is metagoofil which can be found here: https://github.com/opsdisk/metagoofil. Once you have a folder of documents you can use tools such as exiftool to pdftotext to extract email data.
./metagoofil.py -d 'https://hacker.com' -f -t doc,pdf,txt,csv,docx,xls -w #Searches Google for specific types of files being publicly hosted for a target
for file in *.pdf; do pdftotext "$file" - | grep -o -E '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,6}'; done #Extracts emails from downloaded PDF Files
exiftool -r *.doc | egrep -i "Author|Creator|Email|Producer|Template" | sort -u #Extract metadata from downloaded files