E-mails

Tips & Tricks

https://twitter.com/henkvaness/status/1308417260848062464
# Using Google Dorks, you can search for e-mails like this
# It can help identify the e-mail address of one specific target
# "john doe " "john * * com"

Online tools

# Domain e-mail syntax finder
https://www.email-format.com
https://hunter.io

# Omail can find the domain syntax as well as related e-mail addresses
https://omail.io/

# E-mail validator
https://tools.verifyemailaddress.io/
http://mailtester.com
https://dnslytics.com/email-test
https://verify-email.org/
https://verifalia.com/validate-email

# IntelX's new tool lets you browse records for a given domain
https://phonebook.cz/

# Simple Email Reputation
https://emailrep.io/

The Harvester

# theHarvester is a famous OSINT and scraping tool for passive recon on targets
# Using API keys will greatly increase the number of results

# TheHarvester received a great
# The following modules need an API key (api-keys.yaml)
# bing, github, hunter, intelx, securitytrails, shodan, spyse

Usage: theharvester options

       -d: Domain to search or company name
       -b: data source: baidu, bing, bingapi, dogpile, google, googleCSE,
                        googleplus, google-profiles, linkedin, pgp, twitter, vhost,
                        virustotal, threatcrowd, crtsh, netcraft, yahoo, all

       -s: start in result number X (default: 0)
       -v: verify host name via dns resolution and search for virtual hosts
       -f: save the results into an HTML and XML file (both)
       -n: perform a DNS reverse query on all ranges discovered
       -c: perform a DNS brute force for the domain name
       -t: perform a DNS TLD expansion discovery
       -e: use this DNS server
       -p: port scan the detected hosts and check for Takeovers (80,443,22,21,8080)
       -l: limit the number of results to work with(bing goes from 50 to 50 results,
            google 100 to 100, and pgp doesn't use this option)
       -h: use SHODAN database to query discovered hosts

Examples:
        theharvester -d microsoft.com -l 500 -b google -h myresults.html
        theharvester -d microsoft.com -b pgp
        theharvester -d microsoft -l 200 -b linkedin
        theharvester -d apple.com -b googleCSE -l 500 -s 300

SimplyEmail

# Another simple tool to do email enumeration
https://github.com/SimplySecurity/SimplyEmail

./SimplyEmail.py -all -e cybersyndicates.com

or in verbose
./SimplyEmail.py -all -v -e cybersyndicates.com

or in verbose and no "Scope"
./SimplyEmail.py -all -v -e cybersyndicates.com -s

or with email verification
./SimplyEmail.py -all -v -verify -e cybersyndicates.com 

or with email verification & Name Creation
./SimplyEmail.py -all -v -verify -n -e cybersyndicates.com 

or json automation
./SimplyEmail.py -all -e cybersyndicates.com --json cs-json.txt

Zen (https://github.com/s0md3v/Zen)

# This tool allows you to retrieve the e-mail addresses of GitHub users
python zen.py username
python zen.py https://github.com/username

# Find the e-mail addresses of all contributors to a project
python zen.py https://github.com/username/repository

# Find emails for an organization
python zen.py organization --org
python zen.py https://github.com/orgs/organization

# Check whether the e-mail is present in a breach
python zen.py s0md3v --breach

Quidam (https://github.com/megadose/Quidam)

# Quidam allows you to retrieve information through the forgotten-password function of some sites.
$ python3 quidam.py --help
usage: quidam.py [-h] -u USERNAME -m MODULE

optional arguments:
  -h, --help            show this help message and exit
  -u USERNAME, --username USERNAME
                        The uername of the target
  -m MODULE, --module MODULE
                        Modules to use instagram, twitter, github or all

$ python3 quidam.py --username test --module all   
You select all
Email extract with instagram of test: z*******1@gmail.com
Email extract with twitter of test: te**@b********.***
Possible email : 
te**@barcelona.com
te**@beethoven.com
te**@bellsouth.net
te**@bellsouth.net
te**@bigassweb.com
te**@bikeracer.com
te**@bikerider.com
te**@birdowner.net
te**@blazemail.com
te**@bluehyppo.com
te**@blushmail.com
te**@bmlsports.net
te**@bornnaked.com
te**@broadcast.net
te**@buffymail.com
te**@bullsgame.com
te**@buyersusa.com
Not informations found in github

Holehe (https://github.com/megadose/holehe)

# holehe allows you to check whether an e-mail address is used on different sites such as Twitter
# and Instagram, and retrieves information from sites with a forgotten-password function.

# Tons of modules

$ holehe -e test@gmail.com

# WEB VERSION BY EPIEOS
https://tools.epieos.com/holehe.php

Mailcat

https://github.com/sharsil/mailcat

# The only cat who can find existing email addresses by nickname.
./mailcat.py username

# Total 34 providers, > 60 domains and > 100 aliases.

MOSINT

https://github.com/alpkeskin/mosint

# MOSINT is an OSINT Tool for emails. It helps you gather information about the target email.
go run main.go -e example@domain.com -all

# It can use several APIs
# ipapi.co
# hunter.io
# emailrep.io
# scylla.io
# breachdirectory.org

+-------+--------------------------------+------------+
| FLAGS |          DESCRIPTION           | ISREQUIRED |
+-------+--------------------------------+------------+
| -e    | Set target email               | Yes        |
| -v    | Verify the target email        | No         |
| -ss   | Social scan for target email   | No         |
| -re   | Find related emails with       | No         |
|       | target email                   |            |
| -rd   | Find related domains with      | No         |
|       | target email                   |            |
| -l    | Find password leaks for target | No         |
|       | email                          |            |
| -pd   | Search pastebin dumps for      | No         |
|       | target email                   |            |
| -er   | EmailRep.io API                | No         |
| -d    | More information about target  | No         |
|       | email's domain                 |            |
| -all  | All features!                  | No         |
+-------+--------------------------------+------------+

Yopmail & co

https://openfacto.fr/2020/10/19/y-a-plein-de-mails-interessants-sur-yopmail-com/

# Yogo is a CLI tool for searching and scraping yopmail addresses
https://github.com/antham/yogo

# Retrieve 10 messages from mailbox test1@yopmail.com
yogo inbox list test1 10

# Retrieve first message from inbox helloworld@yopmail.com
yogo inbox show helloworld 1