
Quickly gathering logins/emails with theHarvester and Metasploit

Like GI Joe always said: Knowing is half the battle… And so it is the same with hacking.

One of the first parts of recon in a pentest is gathering valid login names and email addresses. These can be used to profile the target, attempt authentication against its systems, deliver client-side attacks (through phishing), and search social networks for details on the platforms and technologies in use.

theHarvester (luckily for us) just updated to v1.5 and has now fixed some of its previous bugs with searching Bing and LinkedIn. It supports searching Google, Bing, PGP servers, and LinkedIn. Metasploit, under modules/auxiliary/gather, has search_email_collector.rb and uses similar techniques for Google, Bing, and Yahoo.

A quick usage example below identifies some users.

P.S. You can run search_email_collector as a one-liner with msfcli:

```shell
ruby /framework3/msfcli auxiliary/gather/search_email_collector DOMAIN=your_target_domain OUTFILE=output_file_you_want_results_in E
```

See the end of the post for an example wrapper script for these two tools.

```text
zombie@haktop:/tools/email/theHarvester# ./theHarvester.py -d defcon.com -b google -l 500

*************************************
*TheHarvester Ver. 1.5 *
*Coded by Christian Martorella *
*Edge-Security Research *
*[email protected] *

Searching for defcon.com in google :
======================================

Total results: 462000
Limit: 500
Searching results: 0
Searching results: 100
Searching results: 200
Searching results: 300
Searching results: 400
Accounts found:
====================
[email protected]
[email protected]
[email protected]
[email protected]
@defcon.com
[email protected]
[email protected]
[email protected]
```

And search_email_collector.rb usage here:

```text
Running MSF search_email_collector...
[*] Please wait while we load the module tree...
[*] Harvesting emails .....
[*] Searching Google for email addresses from defcon.com
[*] Extracting emails from Google search results...
[*] Searching Bing email addresses from defcon.com
[*] Extracting emails from Bing search results...
[*] Searching Yahoo for email addresses from defcon.com
[*] Extracting emails from Yahoo search results...
[*] Located 7 email addresses for defcon.com
[*]     [email protected]
[*]     [email protected]
[*]     [email protected]
[*]     [email protected]
[*]     [email protected]
[*]     [email protected]
[*]     [email protected]
```

We can wrap both of these with a quick (albeit dirty) bash script (this example uses Backtrack paths). Note that the original one-liner piped `cat $1_emails.txt` straight back into `$1_emails.txt`, which truncates the file before grep reads it; the version below filters through a temporary file instead.

```bash
#!/bin/bash
# Usage: ./harvest.sh target_domain   (Backtrack paths)
DOMAIN="$1"
OUT="${DOMAIN}_emails.txt"
HARVESTER=/pentest/enumeration/google/theharvester/theHarvester.py

echo "Running MSF search_email_collector..."
echo
ruby /pentest/exploits/framework3/msfcli auxiliary/gather/search_email_collector DOMAIN="$DOMAIN" OUTFILE="$OUT" E
echo
echo "Running theHarvester on Google, BING, MSN, PGP..."
echo
python "$HARVESTER" -d "$DOMAIN" -b google -l 500 >> "$OUT"
python "$HARVESTER" -d "$DOMAIN" -b msn -l 500 >> "$OUT"
python "$HARVESTER" -d "$DOMAIN" -b pgp >> "$OUT"
# Keep only address lines, drop theHarvester's own banner address, and sort.
# Go through a temp file: redirecting straight back into "$OUT" would empty it before grep reads it.
grep @ "$OUT" | grep -v @edge-security.com | sort > "$OUT.tmp" && mv "$OUT.tmp" "$OUT"
echo
echo "Searching for LinkedIN profiles with theHarvester..."
python "$HARVESTER" -d "$DOMAIN" -b linkedin -l 40 >> "$OUT"
echo
echo "Finishing... E-mail Results:"
echo
cat "$OUT"
```
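The wrapper above just greps for `@`, so the combined file still contains tool banner lines, mixed case, duplicates reported by both tools, and the odd bare `@domain` fragment. The following is an added example (not code from the post, theHarvester or Metasploit) that post-processes that combined output: it pulls addresses with a regex, keeps only the target domain, drops the tool vendor's own address, lower-cases and de-duplicates, and records which tool reported each address. The sample output and every address in it are constructed, and `example.com` is an assumed target; a security team can run the same logic over its own domain's results to see which mailboxes are publicly discoverable and how much the two tools overlap.

```python
import re

# Constructed sample: a mix of theHarvester and search_email_collector output
# lines in the shapes shown in the post. All addresses are made up.
SAMPLE_OUTPUT = """\
*TheHarvester Ver. 1.5 *
*support@edge-security.com *
Searching for example.com in google :
Accounts found:
====================
alice@example.com
bob@example.com
@example.com
[*] Located 3 email addresses for example.com
[*]     Alice@Example.com
[*]     carol@example.com
[*]     dave@other-domain.com
"""

# Requires at least one character before the '@', so a bare "@example.com"
# fragment like the one in the post's output is skipped.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Addresses the tools print about themselves; never part of the target's footprint.
VENDOR_DOMAINS = {"edge-security.com"}


def extract_emails(text, domain):
    """Map each distinct address at `domain` to the set of tools that reported it.

    Lines beginning with "[*]" come from the Metasploit module; everything else
    is treated as theHarvester output (an assumption based on the post's samples).
    """
    domain = domain.lower()
    results = {}
    for line in text.splitlines():
        source = "msf" if line.startswith("[*]") else "theharvester"
        for match in EMAIL_RE.finditer(line):
            addr = match.group(0).lower()
            host = addr.rpartition("@")[2]
            if host in VENDOR_DOMAINS or host != domain:
                continue
            results.setdefault(addr, set()).add(source)
    return results


def report(text, domain):
    """Return (address, sorted sources) pairs in alphabetical order."""
    found = extract_emails(text, domain)
    return [(addr, sorted(found[addr])) for addr in sorted(found)]


if __name__ == "__main__":
    for addr, sources in report(SAMPLE_OUTPUT, "example.com"):
        print(f"{addr:<30} {', '.join(sources)}")
```

Feed the script the `${DOMAIN}_emails.txt` file produced by the wrapper instead of `SAMPLE_OUTPUT` to get a clean, attributed list; the overlap column shows how much each tool contributed, which is useful when deciding which sources are worth the query budget.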