https://twitter.com/henkvaness/status/1308417260848062464
# Using Google Dorks you can search for e-mails like this
# It can help in identifying one target-specific e-mail address
"john doe " "john * * com"
Online tools
# Domain e-mail syntax finder
https://www.email-format.com
https://hunter.io
# Omail can find the domain syntax as well as related e-mail addresses
https://omail.io/
# E-mail validator
https://tools.verifyemailaddress.io/
http://mailtester.com
https://dnslytics.com/email-test
https://verify-email.org/
https://verifalia.com/validate-email
# IntelX's new tool allows browsing records for a given domain
https://phonebook.cz/
# Simple Email Reputation
https://emailrep.io/
The Harvester
# theHarvester is a famous OSINT and scraping tool for passive recon on targets
# Using API keys will highly increase results
# TheHarvester received a great
# Following modules need API key (api-keys.yaml)
# bing, github, hunter, intelx, securitytrails, shodan, spyse
Usage: theharvester options
-d: Domain to search or company name
-b: data source: baidu, bing, bingapi, dogpile, google, googleCSE,
googleplus, google-profiles, linkedin, pgp, twitter, vhost,
virustotal, threatcrowd, crtsh, netcraft, yahoo, all
-s: start in result number X (default: 0)
-v: verify host name via dns resolution and search for virtual hosts
-f: save the results into an HTML and XML file (both)
-n: perform a DNS reverse query on all ranges discovered
-c: perform a DNS brute force for the domain name
-t: perform a DNS TLD expansion discovery
-e: use this DNS server
-p: port scan the detected hosts and check for Takeovers (80,443,22,21,8080)
-l: limit the number of results to work with(bing goes from 50 to 50 results,
google 100 to 100, and pgp doesn't use this option)
-h: use SHODAN database to query discovered hosts
Examples:
theharvester -d microsoft.com -l 500 -b google -h myresults.html
theharvester -d microsoft.com -b pgp
theharvester -d microsoft -l 200 -b linkedin
theharvester -d apple.com -b googleCSE -l 500 -s 300
SimplyEmail
# Another simple tool to do email enumeration
https://github.com/SimplySecurity/SimplyEmail
./SimplyEmail.py -all -e cybersyndicates.com
or in verbose
./SimplyEmail.py -all -v -e cybersyndicates.com
or in verbose and no "Scope"
./SimplyEmail.py -all -v -e cybersyndicates.com -s
or with email verification
./SimplyEmail.py -all -v -verify -e cybersyndicates.com
or with email verification & Name Creation
./SimplyEmail.py -all -v -verify -n -e cybersyndicates.com
or json automation
./SimplyEmail.py -all -e cybersyndicates.com --json cs-json.txt
# This tool allows you to retrieve the e-mail address of github users
python zen.py username
python zen.py https://github.com/username
# Find all e-mail addresses of contributors for one project
python zen.py https://github.com/username/repository
# Find emails for an organization
python zen.py organization --org
python zen.py https://github.com/orgs/organization
# Search if the e-mail is present in a breach
python zen.py s0md3v --breach
# Quidam allows you to retrieve information thanks to the forgotten password function of some sites.
$ python3 quidam.py --help
usage: quidam.py [-h] -u USERNAME -m MODULE
optional arguments:
-h, --help show this help message and exit
-u USERNAME, --username USERNAME
The uername of the target
-m MODULE, --module MODULE
Modules to use instagram, twitter, github or all
$ python3 quidam.py --username test --module all
You select all
Email extract with instagram of test: z*******1@gmail.com
Email extract with twitter of test: te**@b********.***
Possible email :
te**@barcelona.com
te**@beethoven.com
te**@bellsouth.net
te**@bellsouth.net
te**@bigassweb.com
te**@bikeracer.com
te**@bikerider.com
te**@birdowner.net
te**@blazemail.com
te**@bluehyppo.com
te**@blushmail.com
te**@bmlsports.net
te**@bornnaked.com
te**@broadcast.net
te**@buffymail.com
te**@bullsgame.com
te**@buyersusa.com
Not informations found in github
# holehe allows you to check if the mail is used on different sites like twitter,
# instagram and will retrieve information on sites with the forgotten password function.
# Tons of modules
$ holehe -e test@gmail.com
# WEB VERSION BY EPIEOS
https://tools.epieos.com/holehe.php
Mailcat
https://github.com/sharsil/mailcat
# The only cat who can find existing email addresses by nickname.
./mailcat.py username
# Total 34 providers, > 60 domains and > 100 aliases.
MOSINT
https://github.com/alpkeskin/mosint
# MOSINT is an OSINT Tool for emails. It helps you gather information about the target email.
go run main.go -e example@domain.com -all
# It can use several APIs
# ipapi.co
# hunter.io
# emailrep.io
# scylla.io
# breachdirectory.org
+-------+--------------------------------+------------+
| FLAGS | DESCRIPTION                    | ISREQUIRED |
+-------+--------------------------------+------------+
| -e    | Set target email               | Yes        |
| -v    | Verify the target email        | No         |
| -ss   | Social scan for target email   | No         |
| -re   | Find related emails with       | No         |
|       | target email                   |            |
| -rd   | Find related domains with      | No         |
|       | target email                   |            |
| -l    | Find password leaks for target | No         |
|       | email                          |            |
| -pd   | Search pastebin dumps for      | No         |
|       | target email                   |            |
| -er   | EmailRep.io API                | No         |
| -d    | More information about target  | No         |
|       | email's domain                 |            |
| -all  | All features!                  | No         |
+-------+--------------------------------+------------+
Yopmail & co
https://openfacto.fr/2020/10/19/y-a-plein-de-mails-interessants-sur-yopmail-com/
# Yogo is a CLI tool for searching and scraping yopmail addresses
https://github.com/antham/yogo
# Retrieve 10 messages from mailbox test1@yopmail.com
yogo inbox list test1 10
# Retrieve first message from inbox helloworld@yopmail.com
yogo inbox show helloworld 1