Email OSINT

Vishal Thakur
Mar 27, 2021

Welcome back guys, today let's talk about emails. We can all agree that almost everyone in this digital age has at least one email address, and that it is tightly integrated into our lives, be it confidential conversations, device backups, history and private details, and what not. So compromising one email account can give away almost everything about a user and their life. Hence, as white hats, it's our duty to assess the email aspect of security when assessing other aspects of an organization.

OSINT is the art of gathering info from free and open sources and making connections between them. It includes a variety of data points, and email is one of them. Email OSINT depends on factors like how much the address is in use, how public it is on the internet, and whether it is on a private domain, such as a company's, or a public one such as Gmail or Outlook.

The following tools are used when gathering info on emails:

TheHarvester: A simple and effective tool used for gathering email addresses, subdomains, banners, etc.

theHarvester -d kali.org

H8mail: Used to find credentials from data breaches, torrents and other reconnaissance services.

h8mail -t h8mail.txt -c /opt/h8mail/h8mail_config.ini

Infoga: Can gather info regarding email accounts (IP, DNS, country, domain) from public sources like Shodan, search engines, crawlers, and public keys. It can also check haveibeenpwned.com to let you know if the address is in any data leak.

python infoga.py --domain evil.com --source all --breach -v 2 --report ../evil.txt

Websites to perform Email OSINT:


HaveIBeenPwned (HIBP): Tells you whether the supplied email address is present in any known breach, and in which one. So by knowing when it was leaked, we can estimate how old that email address is.

Google Dorks: Also called Google hacking. Using some specific queries, we can get good info regarding any particular thing. Dorking for email OSINT is just a small part of Google dorks. Use filters like intitle, inurl, filetype, intext and site to build a good query to find a company's email addresses.

filetype:xlsx inurl:"emails.xlsx"

"@outlook.com" site:evil.com

Thatsthem: A reverse email lookup site that gives details regarding a particular email address, like the associated person's name, address (real and virtual) and phone number.

Hunter.io: Just provide a company or a domain and it will tell you the pattern of email addresses used in the organization, along with all the addresses it can find.

Other sources like Facebook, LinkedIn and job portals can provide some very interesting details about targets just from knowing any one of their details, like full name, the company where they work, their phone number or home address. More in-depth info about a target can also be found on the dark web. This can be very detailed, but it needs some experience with the dark web and with keeping your system secure on the internet's dark side.
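The HIBP reasoning above, as an added example (not from the original post) written for a team auditing its own addresses: it takes breach records in the shape of HIBP's v3 breach model (Name, BreachDate, DataClasses) and reports, per address, the earliest breach date as a lower bound on the address's age, and whether passwords were exposed. The addresses, breach names, example.com and the function names are constructed for illustration, and the records are assumed to have been fetched already with your own HIBP API key.

```python
from datetime import date

# Constructed sample data (not real breach records). The field names
# Name, BreachDate and DataClasses follow the HIBP v3 breach model.
SAMPLE_RESULTS = {
    "j.doe@example.com": [
        {"Name": "ForumA", "BreachDate": "2016-05-01",
         "DataClasses": ["Email addresses", "Passwords"]},
        {"Name": "ShopB", "BreachDate": "2019-11-20",
         "DataClasses": ["Email addresses", "Names"]},
    ],
    "it-helpdesk@example.com": [],
    "jdoe.private@gmail.com": [
        {"Name": "ListC", "BreachDate": "2020-02-14",
         "DataClasses": ["Email addresses"]},
    ],
}
PUBLIC_PROVIDERS = {"gmail.com", "outlook.com"}  # the public examples the article names


def triage(address, breaches, company_domain):
    """Summarise one address: domain type, earliest breach, password exposure."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain == company_domain:
        kind = "company"
    else:
        kind = "public" if domain in PUBLIC_PROVIDERS else "other"
    dates = [date.fromisoformat(b["BreachDate"]) for b in breaches]
    return {
        "address": address,
        "kind": kind,
        "breaches": sorted(b["Name"] for b in breaches),
        # The address must already have existed at the earliest breach,
        # so this is a lower bound on its age, not its creation date.
        "in_use_since_at_least": min(dates) if dates else None,
        "reset_password": any("Passwords" in b["DataClasses"] for b in breaches),
    }


def report(results, company_domain):
    """Triage every address; password exposures first, then company addresses."""
    rows = [triage(a, b, company_domain) for a, b in results.items()]
    rows.sort(key=lambda r: (not r["reset_password"], r["kind"] != "company", r["address"]))
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_RESULTS, "example.com"):
        print(row)
```

An address with no breach records gets no age estimate at all: absence from known breaches says nothing about how old or how exposed the address is.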

So that wraps up this blog. One very useful website is OSINT Framework, which is a treasure for any form of surface web OSINT. If you are new, do consider reading my previous blogs; next time we will cover another interesting topic, so stay tuned…
