Email Recon

Email Icon
Email reconnaissance in penetration testing involves gathering information about email addresses associated with a target organization to use in user enumeration and password brute force attacks.

Collecting Emails – Passive

Discovering and collecting valid emails for a target domain is an important step in penetration testing. Emails are used in activities like testing for valid usernames on the external perimeter. Also, they can be used to perform password attacks like credential stuffing or password guessing. There are several online services such as phonebook.cz. I have listed several other good services here: DNS Tools & Links

An excellent CLI tool for gathering emails is CrossLinked which is a LinkedIn enumeration tool that uses search engine scraping to collect valid employee names from an organization. It can be found here: https://github.com/m8sec/CrossLinked

python3 crosslinked.py -f '{first}.{last}@domain.com' 'company name'   #Searches and outputs emails in the format [email protected]
python3 crosslinked.py -f '{f}.{last}@domain.com' 'company name'       #Searches and outputs emails in the format [email protected]
python3 crosslinked.py -f '{f}{last}@domain.com' 'company name'        #Searches and outputs emails in the format [email protected]
python3 crosslinked.py -f '{first}.{l}@domain.com' 'company name'      #Searches and outputs emails in the format [email protected]
python3 crosslinked.py -f '{first}{l}@domain.com' 'company name'       #Searches and outputs emails in the format [email protected]
python3 crosslinked.py -f 'domain\{f}{last}' 'company name'            #Searches and outputs emails in the format domain\jdoe

 

theHarvester is a simple-to-use, yet powerful tool designed to be used during the reconnaissance stage of a red team assessment or penetration test. It can be used to gather email addresses and is found here: https://github.com/laramies/theHarvester

theHarvester -d hacker.com -b all -l 50   #Will perfom OSINT on the specified domain for all available sources (Some sources require API keys)

 

The EmailHarvester is an excellent tool for retrieving domain email addresses from various search engines. You can find it here: https://github.com/maldevel/EmailHarvester

python3 ./EmailHarvester.py -d hacker.com -e all                     #All out search using all available search engines.
python3 ./EmailHarvester.py -d hacker.com -e google                  #Specify a specific search engine
python3 ./EmailHarvester.py -d hacker.com -e all -r twitter,ask      #Use all search engines but exclude some
python3 ./EmailHarvester.py -d hacker.com -e all -s emails.txt       #Save the discovered emails to a text file

 

For cases where you have a nickname, and want to search for potential email accounts for the associated nickname, mailcat is an excellent tool. It can be downloaded here: https://github.com/sharsil/mailcat

./mailcat nickname                         #Find existing email addresses by nickname
./mailcat --tor nickname                   #Find existing email addresses by nickname by running the script through TOR
./mailcat --proxy http://127.0.0.1:8080    #Find existing email addresses by nickname by running the script through a proxy

Collecting Emails – Active

Active email reconnaissance involves directly engaging with the target system or web application to obtain valid emails. The most effective method in my experience is to scrape the target website for emails. Several tools can be used.

The tool I use most is gospider which can be obtained here: https://github.com/jaeles-project/gospider. GoSpider is a fast web spider written in Go and can be used as demonstrated below to scrape a target web application and extract email addresses.

for url in "https://www.tesla.com"; do gospider -s "$url" -d 4 --js --sitemap --robots --other-source -c 10 -t 10 | grep -o -E '\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b'; done   #Spiders a target web application and extracts email addresses.
for url in $(cat domains.txt); do gospider -s "$url" -d 4 --js --sitemap --robots --other-source -c 10 -t 10 | grep -o -E '\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b'; done   #Spiders a list of target web applications and extracts email addresses.

 

Another excellent tool is Katana from ProjectDiscovery which can be found here: https://github.com/projectdiscovery/katana. To extract emails from a target domain using Katana use the commands below.

katana -u 'https://www.tesla.com' -silent -js-crawl -known-files all -f email    #Spider a web application and extract emails
katana -list targets.txt -silent -js-crawl -known-files all -f email             #Spider a list of web applications and extract emails

 

A good method for harvesting target emails is downloading PDF, XLS and DOCX files from the web for the target domain. These files can be examined for emails. A good tool is metagoofil which can be found here: https://github.com/opsdisk/metagoofil. Once you have a folder of documents you can use tools such as exiftool to pdftotext to extract email data.

./metagoofil.py -d 'https://hacker.com' -f -t doc,pdf,txt,csv,docx,xls -w                                             #Searches Google for specific types of files being publicly hosted for a target
for file in *.pdf; do  pdftotext "$file" - | grep -o -E '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,6}'; done       #Extracts emails from downloaded PDF Files
exiftool -r *.doc | egrep -i "Author|Creator|Email|Producer|Template" | sort -u                                       #Extract metadata from downloaded files