One of the first parts of recon in a pentest is gathering valid login names and emails. We can use these to profile our target, bruteforce authentication systems, send client-side attacks (through phishing), look through social networks for juicy info on platforms and technologies, etc.
Where do we get this info? Well without doing a full-blown Open Source Recon (OSINT) style assessment, we can use two simple scripts; Metasploit's search_email_collector.rb and Edge-Security's theHarvester.
theHarvester (luckily for us) just updated to v1.5 and has now fixed some of its previous bugs with searching Bing and LinkedIn. It supports searching Google, Bing, PGP servers, and LinkedIn. Metasploit, under modules/auxiliary/gather, has search_email_collector.rb and uses similar techniques for Google, Bing, and Yahoo.
A quick usage below identifies some users
p.s. you can one line search_email_collector like so in msfcli:
ruby /framework3/msfcli auxiliary/gather/search_email_collector DOMAIN=your_target_domain OUTFILE=output_file_you_want_results_in E
Check the last line for an example wrapper for these two tools.
zombie@haktop:/tools/email/theHarvester# ./theHarvester.py -d defcon.com -b google -l 500
*TheHarvester Ver. 1.5 *
*Coded by Christian Martorella *
*Edge-Security Research *
Searching for defcon.com in google :
Total results: 462000
Searching results: 0
Searching results: 100
Searching results: 200
Searching results: 300
Searching results: 400
And search_email_collector.rb usage here:
Running MSF search_email_collector...
[*] Please wait while we load the module tree...
[*] Harvesting emails .....
[*] Searching Google for email addresses from defcon.com
[*] Extracting emails from Google search results...
[*] Searching Bing email addresses from defcon.com
[*] Extracting emails from Bing search results...
[*] Searching Yahoo for email addresses from defcon.com
[*] Extracting emails from Yahoo search results...
[*] Located 7 email addresses for defcon.com
We can wrap both these with a quick (albeit dirty) bash script (this example uses Backtrack paths):
echo "Running MSF search_email_collector..."
ruby /pentest/exploits/framework3/msfcli auxiliary/gather/search_email_collector DOMAIN=$1 OUTFILE=$1_emails.txt E
echo "Running theHarvester on Google, BING, MSN, PGP..."
perl /pentest/enumeration/google/theHarvester/theHarvester.py -d $1 -b google -l 500 >> $1_emails.txt
perl /pentest/enumeration/google/theHarvester/theHarvester.py -d $1 -b msn -l 500 >> $1_emails.txt
perl /pentest/enumeration/google/theHarvester/theHarvester.py -d $1 -b pgp >> $1_emails.txt
cat $1_emails.txt | grep @ |grep -v @edge-security.com |sort > $1_emails.txt
echo "Searching for LinkedIN profiles with theHarverster..."
perl /pentest/enumeration/google/theHarvester/theHarvester.py -d $1 -b linkedin -l 40 >> $1_emails.txt
echo "Finishing... E-mail Results:"