Knowing is half the battle…
G.I. Joe used to say, “Knowing is half the battle.” The collection of prior information could make the difference between success and failure of a Penetration Test.
The first phase (reconnaissance phase) of a penetration test, includes information gathering & network mapping procedures. Automated intelligent reconnaissance tools have been developed extensively the last years, offering a reliable and sprinting starting point for the exploitation phase. In this article, I will focus on information gathering tools in order to collect valid login names, emails, DNS records and WHOIS databases. A Penetration Tester can use the gathered information in order to profile the target, launch client side attacks, search into social networks for additional knowledge, bruteforce authentication mechanisms etc.
We can easily gather this information with simple scripts, without following an extensive OSINT (Open Source Intelligence) procedure. Although, I should mention that a detailed and extensive OSINT phase will have better results and will be necessary under certain business needs.
I will analyze Edge-Security’s theHarvester and Metasploit’s Search Email Collector tools.
theHarvester
theHarvester (currently at 2.0 version) is a python script that can gather email accounts, usernames and subdomains from public search engines and PGP key servers.
The tool supports the following sources:
- Google – emails,subdomains/hostnames
- Google profiles – Employee names
- Bing search – emails, subdomains/hostnames,virtual hosts (requires bing API key)
- Pgp servers – emails, subdomains/hostnames
- Linkedin – Employee names
- Exalead – emails,subdomain/hostnames
The latest version of theHarvester can be downloaded from the GitHub repository here.
Give execute permissions to the script file, and run it in order to see the available options.
$ ./theHarvester.py ************************************* *TheHarvester Ver. 2.0 (reborn) * *Coded by Christian Martorella * *Edge-Security Research * *cmartorella@edge-security.com * ************************************* Usage: theharvester options -d: Domain to search or company name -b: Data source (google,bing,bingapi,pgp,linkedin,google-profiles,exalead,all) -s: Start in result number X (default 0) -v: Verify host name via dns resolution and search for vhosts(basic) -l: Limit the number of results to work with(bing goes from 50 to 50 results, google 100 to 100, and pgp does not use this option) -f: Save the results into an XML file Examples:./theharvester.py -d microsoft.com -l 500 -b google ./theharvester.py -d microsoft.com -b pgp ./theharvester.py -d microsoft -l 200 -b linkedin |
You can see some execution example in the following screenshots:
Metasploit Email Collector
Search email collector is a metasploit module written by Carlos Perez. The module runs under the metasploit framework and uses Google, Bing and Yahoo to create a list of valid email addresses for the target domain.
You can view the source code here.
The module options are:
DOMAIN | The domain name to locate email addresses for |
OUTFILE | A filename to store the generated email list |
SEARCH_BING | Enable Bing as a backend search engine (default: true) |
SEARCH_GOOGLE | Enable Google as a backend search engine (default: true) |
SEARCH_YAHOO | Enable Yahoo! as a backend search engine (default: true) |
PROXY | Proxy server to route connection. <host>:<port> |
PROXY_PASS | Proxy Server Password |
PROXY_USER | Proxy Server User |
WORKSPACE | Specify the workspace for this module |
Let’s see a running example:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 | msf >; msf >; use auxiliary/gather/search_email_collector msf auxiliary(search_email_collector) >; set DOMAIN example.com DOMAIN =>; example.com msf auxiliary(search_email_collector) >; run [*] Harvesting emails ..... [*] Searching Google for email addresses from example.com [*] Extracting emails from Google search results... [*] Searching Bing email addresses from example.com [*] Extracting emails from Bing search results... [*] Searching Yahoo for email addresses from example.com [*] Extracting emails from Yahoo search results... [*] Located 49 email addresses for example.com [*] 555-555-0199@example.com [*] a@example.com [*] alle@example.com [*] b@example.com [*] boer_faders@example.com [*] ceo@example.com [*] defaultemail@example.com [*] email@example.com [*] example@example.com [*] foo@example.com [*] fsmythe@example.com [*] info@example.com [*] joe@example.com [*] joesmith@example.com [*] johnnie@example.com [*] johnsmith@example.com [*] myname+spam@example.com [*] myname@example.com [*] name@example.com [*] nobody@example.com .... |
Useful links:
DISCLAIMER: I’m not responsible with what you do with this info. This information is for educational purposes only.
A. Bechtsoudis
Ah yes, I’ve been using metasploit’s gather/search_email_collector since I became part of ROOTCON(http://rootcon.org/) but I haven’t tried that email collector coded in python yet coz so far I’m satisfied with the results of the metasploit email collector.