Post Mon Mar 15, 2010 5:37 pm

Gathering logins/emails with theHarvester and Metasploit

Like GI Joe always said: Knowing is half the battle… And so it is the same with Pentesting.

One of the first parts of recon in a pentest is gathering valid login names and emails. We can use these to profile our target, bruteforce authentication systems, send client-side attacks (through phishing), look through social networks for juicy info on platforms and technologies, etc.

Where do we get this info? Well without doing a full-blown Open Source Recon (OSINT) style assessment, we can use two simple scripts; Metasploit's search_email_collector.rb and Edge-Security's theHarvester.

theHarvester (luckily for us) just updated to v1.5 and has now fixed some of its previous bugs with searching Bing and LinkedIn. It supports searching Google, Bing, PGP servers, and LinkedIn. Metasploit, under modules/auxiliary/gather, has search_email_collector.rb and uses similar techniques for Google, Bing, and Yahoo.

A quick usage below identifies some users ;)

p.s. you can one line search_email_collector like so in msfcli:

ruby /framework3/msfcli auxiliary/gather/search_email_collector DOMAIN=your_target_domain OUTFILE=output_file_you_want_results_in E

Check the last line for an example wrapper for these two tools.

zombie@haktop:/tools/email/theHarvester# ./theHarvester.py -d defcon.com -b google -l 500

*************************************

*TheHarvester Ver. 1.5 *

*Coded by Christian Martorella *

*Edge-Security Research *

*cmartorella@edge-security.com *

*************************************

Searching for defcon.com in google :

======================================


Total results: 462000

Limit: 500

Searching results: 0

Searching results: 100

Searching results: 200

Searching results: 300

Searching results: 400

Accounts found:

====================

quietpro@defcon.com

nick.s@defcon.com

robert@defcon.com

lynne@defcon.com

@defcon.com

joe@defcon.com

info@defcon.com

dtangent@defcon.com

====================

And search_email_collector.rb usage here:

Running MSF search_email_collector...

[*] Please wait while we load the module tree...
[*] Harvesting emails .....
[*] Searching Google for email addresses from defcon.com
[*] Extracting emails from Google search results...
[*] Searching Bing email addresses from defcon.com
[*] Extracting emails from Bing search results...
[*] Searching Yahoo for email addresses from defcon.com
[*] Extracting emails from Yahoo search results...
[*] Located 7 email addresses for defcon.com
[*]    headsets@defcon.com
[*]    info@defcon.com
[*]    jobs@defcon.com
[*]    nick.s@defcon.com
[*]    nick@defcon.com
[*]    robert@defcon.com
[*]    spr@defcon.com

We can wrap both these with a quick (albeit dirty) bash script (this example uses Backtrack paths):

#!/bin/bash

echo "Running MSF search_email_collector..."
echo
ruby /pentest/exploits/framework3/msfcli auxiliary/gather/search_email_collector DOMAIN=$1 OUTFILE=$1_emails.txt E
echo
echo "Running theHarvester on Google, BING, MSN, PGP..."
echo
perl /pentest/enumeration/google/theHarvester/theHarvester.py -d $1 -b google -l 500 >> $1_emails.txt
perl /pentest/enumeration/google/theHarvester/theHarvester.py -d $1 -b msn -l 500 >> $1_emails.txt
perl /pentest/enumeration/google/theHarvester/theHarvester.py -d $1 -b pgp >> $1_emails.txt
cat $1_emails.txt | grep @ |grep -v @edge-security.com |sort > $1_emails.txt
echo
echo "Searching for LinkedIN profiles with theHarverster..."
perl /pentest/enumeration/google/theHarvester/theHarvester.py -d $1 -b linkedin -l 40 >> $1_emails.txt
echo
echo "Finishing... E-mail Results:"
echo
cat $1_emails.txt