Email harvesting with metasploit | tutorial

By | April 28, 2013

Among the many useful auxiliary modules in Metasploit is search_email_collector, which searches Google, Bing and Yahoo for email addresses associated with a particular domain. This is useful for automated information gathering during a penetration test. Its location inside msfconsole is auxiliary/gather/search_email_collector.

So let's try it out. Launch msfconsole. I am using BackTrack, where msfconsole can be launched directly from the console or from the menu Backtrack > Exploitation Tools > Network Exploitation Tools > Metasploit Framework > msfconsole.

Let's search first.

msf > search gather auxiliary

Matching Modules

   Name                                            Disclosure Date          Rank    Description
   ----                                            ---------------          ----    -----------
   auxiliary/admin/oracle/tnscmd                   2009-02-01 00:00:00 UTC  normal  Oracle TNS Listener Command Issuer
   auxiliary/gather/android_htmlfileprovider                                normal  Android Content Provider File Disclosure
   auxiliary/gather/checkpoint_hostname            2011-12-14 00:00:00 UTC  normal  CheckPoint Firewall-1 SecuRemote Topology Service Hostname Disclosure
   auxiliary/gather/citrix_published_applications                           normal  Citrix MetaFrame ICA Published Applications Scanner
   auxiliary/gather/citrix_published_bruteforce                             normal  Citrix MetaFrame ICA Published Applications Bruteforcer
   auxiliary/gather/corpwatch_lookup_id                                     normal  CorpWatch Company ID Information Search
   auxiliary/gather/corpwatch_lookup_name                                   normal  CorpWatch Company Name Information Search
   auxiliary/gather/d20pass                        2012-01-19 00:00:00 UTC  normal  General Electric D20 Password Recovery
   auxiliary/gather/enum_dns                                                normal  DNS Record Scanner and Enumerator 
   auxiliary/gather/natpmp_external_address                                 normal  NAT-PMP External Address Scanner
   auxiliary/gather/search_email_collector                                  normal  Search Engine Domain Email Address Collector
   auxiliary/gather/shodan_search                                           normal  Shodan Search
   auxiliary/scanner/http/cisco_device_manager     2000-10-26 00:00:00 UTC  normal  Cisco Device HTTP Device Manager Access
   auxiliary/scanner/http/squiz_matrix_user_enum   2011-11-08 00:00:00 UTC  normal  Squiz Matrix User Enumeration Scanner

Towards the lower part of the list, we see the module called search_email_collector. This is the one we are going to use.
So let's use it and check the options.

msf > use auxiliary/gather/search_email_collector 
msf  auxiliary(search_email_collector) > show options

Module options (auxiliary/gather/search_email_collector):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   DOMAIN                          yes       The domain name to locate email addresses for
   OUTFILE                         no        A filename to store the generated email list
   SEARCH_BING    true             yes       Enable Bing as a backend search engine
   SEARCH_GOOGLE  true             yes       Enable Google as a backend search engine
   SEARCH_YAHOO   true             yes       Enable Yahoo! as a backend search engine

The important option to fill in is the domain name. Apart from that, the search engines to use can be selected; by default all three (Google, Bing and Yahoo) are enabled. Set the domain name and run the scanner.

msf  auxiliary(search_email_collector) > set DOMAIN
msf  auxiliary(search_email_collector) > run

[*] Harvesting emails .....
[*] Searching Google for email addresses from
[*] Extracting emails from Google search results...
[*] Searching Bing email addresses from
[*] Extracting emails from Bing search results...
[*] Searching Yahoo for email addresses from
[*] Extracting emails from Yahoo search results...
[*] Located 170 email addresses for
[*] 	19ee5962-8ff6-416d-83fa-b0ba137c62e7@microsoft com
[*] 	[email protected]


Running it on revealed quite a few email addresses.

Email harvesting can be used by hackers to carry out a phishing campaign against an entire organisation. This is one way harvested email addresses can be misused. Computer users, who are often unaware of phishing attacks, can fall victim and end up losing confidential information to the hackers or having their systems compromised. In the worst case, if a hacker gets control of a single machine inside an organisation's network, it might open a path for him to access and exploit the entire network of the organisation.

Although phishing is among the least dangerous social engineering attacks, given the right opportunity it has the potential to lead to the worst security breaches.

This particular technique of email harvesting is based on data from search engines, and therefore should not be expected to be very accurate. Email addresses that appear on webpages are crawled and become visible to the search engines. They can then be discovered by using suitable search parameters in the respective search engines.
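
Because the results are noisy, they need triage before they say anything about an organisation's real exposure. The following is an added example, not part of the original post or of Metasploit: it parses console output in the format shown above and separates personal mailboxes from role accounts and junk. The sample output, the example.com domain, the role-name list and the GUID heuristic are all assumptions made for illustration.

```ruby
# Added example: triage search_email_collector console output for your own domain.
# SAMPLE_OUTPUT is constructed; example.com and every address are placeholders.
SAMPLE_OUTPUT = <<~LOG
  [*] Harvesting emails .....
  [*] Located 6 email addresses for example.com
  [*] \t19ee5962-8ff6-416d-83fa-b0ba137c62e7@example.com
  [*] \tInfo@Example.com
  [*] \tinfo@example.com
  [*] \tjane.doe@example.com
  [*] \tsupport@example.com
  [*] \tbob@example.org
LOG

# Assumed list of shared/role mailboxes; adjust to your organisation.
ROLE_LOCAL_PARTS = %w[info support sales admin postmaster abuse webmaster contact hr jobs].freeze
# Local parts that are just a GUID are scraped identifiers, not mailboxes.
GUID_LIKE = /\A\h{8}-\h{4}-\h{4}-\h{4}-\h{12}\z/

# Pull addresses out of the "[*] <tab>addr" result lines, lower-cased and de-duplicated.
def parse_addresses(output)
  output.each_line.map do |line|
    m = line.match(/\A\[\*\]\s+(\S+@\S+)\s*\z/)
    m && m[1].downcase
  end.compact.uniq
end

# Sort each address into :personal, :role or :noise for the given domain
# (exact domain match only; subdomains are treated as noise here).
def triage(output, domain)
  report = { personal: [], role: [], noise: [] }
  parse_addresses(output).each do |addr|
    local, host = addr.split("@", 2)
    bucket =
      if host != domain.downcase || local.match?(GUID_LIKE) then :noise
      elsif ROLE_LOCAL_PARTS.include?(local) then :role
      else :personal
      end
    report[bucket] << addr
  end
  report
end

if __FILE__ == $PROGRAM_NAME
  triage(SAMPLE_OUTPUT, "example.com").each { |k, v| puts "#{k}: #{v.join(', ')}" }
end
```

The personal bucket is the list of individually named mailboxes that are publicly discoverable, which is where phishing-awareness effort and removal of addresses from public pages matter most.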

About Silver Moon

A Tech Enthusiast, Blogger, Linux Fan and a Software Developer. Writes about Computer hardware, Linux and Open Source software and coding in Python, Php and Javascript. He can be reached at [email protected].
