Out of the many useful auxiliary modules that metasploit has, one is called search_email_collector which searches google, bing and yahoo for email addresses associated to a particular domain. This is useful in automated information gathering during a penetration test program. The location inside msfconsole is auxiliary/gather/search_email_collector
So lets try it out. Launch msfconsole. I am using backtrack. In backtrack msfconsole can be directly launched from the console or the menu Backtrack > Exploitation Tools > Network Exploitation Tools > Metasploit Framework > msfconsole.
Lets search first
msf > search gather auxiliary Matching Modules ================ Name Disclosure Date Rank Description ---- --------------- ---- ----------- auxiliary/admin/oracle/tnscmd 2009-02-01 00:00:00 UTC normal Oracle TNS Listener Command Issuer auxiliary/gather/android_htmlfileprovider normal Android Content Provider File Disclosure auxiliary/gather/checkpoint_hostname 2011-12-14 00:00:00 UTC normal CheckPoint Firewall-1 SecuRemote Topology Service Hostname Disclosure auxiliary/gather/citrix_published_applications normal Citrix MetaFrame ICA Published Applications Scanner auxiliary/gather/citrix_published_bruteforce normal Citrix MetaFrame ICA Published Applications Bruteforcer auxiliary/gather/corpwatch_lookup_id normal CorpWatch Company ID Information Search auxiliary/gather/corpwatch_lookup_name normal CorpWatch Company Name Information Search auxiliary/gather/d20pass 2012-01-19 00:00:00 UTC normal General Electric D20 Password Recovery auxiliary/gather/enum_dns normal DNS Record Scanner and Enumerator auxiliary/gather/natpmp_external_address normal NAT-PMP External Address Scanner auxiliary/gather/search_email_collector normal Search Engine Domain Email Address Collector auxiliary/gather/shodan_search normal Shodan Search auxiliary/scanner/http/cisco_device_manager 2000-10-26 00:00:00 UTC normal Cisco Device HTTP Device Manager Access auxiliary/scanner/http/squiz_matrix_user_enum 2011-11-08 00:00:00 UTC normal Squiz Matrix User Enumeration Scanner
Towards the lower part, we see the module called search_email_collector. This is the one we are going to use.
So lets use it and check the options.
msf > use auxiliary/gather/search_email_collector msf auxiliary(search_email_collector) > show options Module options (auxiliary/gather/search_email_collector): Name Current Setting Required Description ---- --------------- -------- ----------- DOMAIN yes The domain name to locate email addresses for OUTFILE no A filename to store the generated email list SEARCH_BING true yes Enable Bing as a backend search engine SEARCH_GOOGLE true yes Enable Google as a backend search engine SEARCH_YAHOO true yes Enable Yahoo! as a backend search engine
The important option to fill is the domain name. Apart from that the search engine to use can be selected. By default google, bing, yahoo all 3 are selected. Set the domain name and run the scanner.
msf auxiliary(search_email_collector) > set DOMAIN microsoft.com DOMAIN => microsoft.com msf auxiliary(search_email_collector) > run [*] Harvesting emails ..... [*] Searching Google for email addresses from microsoft.com [*] Extracting emails from Google search results... [*] Searching Bing email addresses from microsoft.com [*] Extracting emails from Bing search results... [*] Searching Yahoo for email addresses from microsoft.com [*] Extracting emails from Yahoo search results... [*] Located 170 email addresses for microsoft.com [*] [email protected] com [*] [email protected] [*] [email protected] [*] [email protected] [*] [email protected] [*] [email protected] [*] [email protected] [*] [email protected] [*] [email protected] [*] [email protected] [*] [email protected] ..........TRUNCATED
Running it on microsoft.com revealed quite a few email addresses.
Email harvesting can be used by hackers to carry out a phishing campaign against an entire organisation. This is one aspect of how emails can be misused. Computer users, who are often unaware of phishing attacks can fall victim and end up loosing confidential information to the hackers or getting their system's compromised. In the worst case, if a hacker gets control of a single machine inside an organisations network, it might open for him the path to access and exploit the entire network of the organisation.
Although phishing is a social engineering attack that is amongst the least dangerous ones, but given the right oppurtunity to the hacker, it has the potential to lead to the worst security breaches.
This particular technique of email harvesting is based on data from search engines, and therefore is not supposed to be very accurate. Email addresses that are found on webpages and become visible to the search engines are crawled. Those can be discovered by using proper search parameters in the respective search engines.