
emails for domain


Here’s a detailed list of 5 tools and 15 techniques (for a total of 35 ways) attackers could potentially gather emails linked to a domain like tesla.com. This breakdown includes both manual and automated approaches, focusing on OSINT techniques.

Session Outline: Tools and Techniques for Gathering Emails

1. Tools (5 Powerful OSINT Tools)

1.1 Hunter.io

Description: A tool to find email addresses associated with a domain.
Steps:
Input domain (e.g., tesla.com).
Analyze results to extract emails and patterns.

1.2 theHarvester

Description: A command-line tool that gathers emails, subdomains, IPs, and URLs from various public sources.
Steps:
Command:
theharvester -d tesla.com -b google

Output: Extracted emails and related data.

1.3 Maltego

Description: A powerful tool for data visualization and gathering OSINT data like emails.
Steps:
Use the "Transform" feature to search for emails tied to the domain.
Map employee connections and email addresses visually.

1.4 Email Permutator

Description: Generates potential email combinations based on a person’s name.
Steps:
Input first name, last name, and domain.
Receive combinations like:

1.5 SpiderFoot

Description: A tool that automates OSINT collection for emails, IPs, domains, etc.
Steps:
Set the target domain (tesla.com).
Enable email harvesting modules.
Review the collected emails.

2. Techniques (15 Methods)

Manual Approaches (5 Methods)

Google Dorking:
Use advanced search operators to discover exposed emails.
Examples:
site:tesla.com "email"
site:linkedin.com "@tesla.com"
filetype:txt "@tesla.com"

Social Media Scraping:
Explore LinkedIn, Twitter, and Facebook to find employees and email formats.
Search queries:
"Tesla employee" site:linkedin.com
"@tesla.com" site:twitter.com
Public PDF Metadata:
Download PDFs from the domain and extract metadata.
Tools:
exiftool document.pdf

Contact Pages or Press Releases:
Visit Tesla's official website to find email addresses listed on:
Press pages.
Investor relations.
Contact forms.
Public Forums and Mailing Lists:
Check forums, GitHub repositories, or public mailing lists where employees might have shared emails.

Automated Approaches (10 Methods)

theHarvester (Advanced Usage):
Use different search engines with:
theharvester -d tesla.com -b bing

Censys.io or Shodan:
Search for domains and subdomains revealing email addresses in server configurations.
Breach Databases:
Platforms like Have I Been Pwned or DeHashed can reveal emails exposed in data breaches.
Email Enumeration via SMTP:
Use tools like Metasploit or SMTPEnum to validate guessed emails.
Recon-ng:
A modular framework to perform reconnaissance and gather emails from various APIs.
Example module:
recon/domains-contacts/gather_contacts

Sublist3r:
Discover subdomains and associated emails.
Command:
sublist3r -d tesla.com

Amass:
A DNS and email enumeration tool.
Command:
amass enum -d tesla.com

Social Mapper:
Uses facial recognition to correlate employee profiles from social media platforms.
Output: Potential email patterns based on public data.
Email Finder APIs:
Use APIs like FindThatEmail or Clearbit to search for email addresses linked to a domain.
Phishing Email Bait:
Send emails to guessed addresses and track responses or email rejections for valid/invalid results.
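The SMTP enumeration and bait-email items above both show up on the receiving mail server as bursts of "user unknown" rejections from one client. The following detection sketch is an added example, not part of the original page; it assumes Postfix-style smtpd reject lines, and the sample log, threshold and window values are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Postfix smtpd reject lines (documentation IPs, example.com recipients).
_FMT = ("{ts} mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[{ip}]: "
        "550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown in local "
        "recipient table; from=<probe@sender.test> to=<{rcpt}> proto=ESMTP helo=<sender.test>")
SAMPLE_LOG = "\n".join(_FMT.format(ts=t, ip=i, rcpt=r) for t, i, r in [
    ("Jan 10 10:00:01", "203.0.113.5", "jdoe@example.com"),
    ("Jan 10 10:00:02", "203.0.113.5", "j.doe@example.com"),
    ("Jan 10 10:00:03", "203.0.113.5", "john.doe@example.com"),
    ("Jan 10 10:00:04", "203.0.113.5", "jdoe@example.com"),    # repeat, counted once
    ("Jan 10 10:02:00", "198.51.100.7", "saels@example.com"),  # a single typo
    ("Jan 10 08:00:00", "192.0.2.9", "old1@example.com"),      # stale list, spread out
    ("Jan 10 10:30:00", "192.0.2.9", "old2@example.com"),
    ("Jan 10 13:00:00", "192.0.2.9", "old3@example.com"),
])

# Syslog timestamp, client IP and rejected recipient of a "user unknown" reply.
REJECT_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*reject: RCPT from \S*\[([0-9a-fA-F.:]+)\]: "
    r"55\d 5\.1\.1 <([^>]+)>"
)

def find_enumerators(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {client_ip: rejected recipients} for clients that hit at least
    `threshold` distinct unknown recipients inside one `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            # Syslog omits the year; a fixed one is assumed, only differences matter.
            ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
            events[m.group(2)].append((ts, m.group(3).lower()))
    flagged = {}
    for ip, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            in_window = {rcpt for ts, rcpt in hits[i:] if ts - start <= window}
            if len(in_window) >= threshold:
                flagged[ip] = sorted(in_window)
                break
    return flagged

if __name__ == "__main__":
    for ip, rcpts in find_enumerators(SAMPLE_LOG).items():
        print(ip, "probed", len(rcpts), "unknown recipients:", ", ".join(rcpts))
```

Flagged clients are candidates for rate limiting or blocking at the MTA, and the rejected local parts show which address formats are being guessed.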

3. 15 Ways (Combination of All)

Based on Information Sources

Google Dorking (manual queries).
Bing Dorking (alternative search engine).
LinkedIn Scraping (manual or automated).
Twitter Public Mentions (e.g., "Contact us @tesla.com").
Official Tesla Website Metadata.
PDFs and Document Metadata.
GitHub Commits (search for "@tesla.com").
Job Portals (e.g., Glassdoor, Indeed postings listing emails).
Conference Listings (look for employees who attended).
Domain Registration Info (check Whois data for associated emails).

Using Tools

Hunter.io.
theHarvester (Google, Bing, Yahoo modules).
Maltego (visual mapping of connections).
SpiderFoot.
Amass.

Bonus: Ethical Hacking Note

Always emphasize the importance of responsible usage.
Gaining unauthorized access or using these methods maliciously is illegal.
This is for awareness and defensive purposes only.
Demonstrating how attackers collect employee emails from organizations like Tesla for educational purposes should focus on legitimate techniques and ethical boundaries. Below is a structured 2-hour demonstration plan using open-source intelligence (OSINT) and ethical practices:

Agenda for the 2-Hour Demonstration

Introduction to Email Harvesting (10 minutes)
Define email harvesting and its role in phishing and social engineering attacks.
Discuss ethical considerations and legal boundaries.
Tools and Methods Overview (10 minutes)
Introduce tools and techniques used for email collection.
Mention the importance of OSINT in cybersecurity.
Practical Demonstration (90 minutes)
Step-by-step demonstration of email harvesting techniques.
Defensive Measures (10 minutes)
Discuss how organizations can protect themselves from such attacks.
Q&A Session (10 minutes)
Engage with the audience to clarify doubts.

Step-by-Step Practical Demonstration

1. Google Dorking

Objective: Use advanced search queries to find publicly available employee emails.
Commands:
site:tesla.com "email" -jobs -careers
site:tesla.com "@tesla.com"
"intitle:index.of" "Tesla" "email"

Explanation: Highlight how attackers use Google to find email addresses from public pages, job postings, and documents.

2. LinkedIn OSINT

Objective: Extract potential employee emails using LinkedIn data.
Tools:
(Free plan available)
for guessing email formats (e.g., ).
Steps:
Use LinkedIn to search for Tesla employees.
Generate permutations based on common email patterns.

3. Email Harvesting with theHarvester

Objective: Gather emails from public sources automatically.
Tool:
Command:
theHarvester -d tesla.com -b google
theHarvester -d tesla.com -b linkedin

Explanation: theHarvester collects emails from search engines and LinkedIn.

4. Using Data Breaches

Objective: Check if Tesla emails appeared in past breaches.
Tool:
Optional Tool: holehe (Python tool to check email presence across websites).
Command:
holehe tesla@example.com

5. Extract Emails from PDF Files

Objective: Analyze public documents for email addresses.
Tool: pdfgrep
Command:
pdfgrep -io '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}' *.pdf

6. Web Scraping for Emails

Objective: Scrape websites for emails.
Tool: emailfinder or scrapy in Python.
Example Script:
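import re
import requests

# Fetch one page and list the distinct address-like strings found in its HTML.
url = "https://www.tesla.com"
response = requests.get(url, timeout=10)  # timeout so a slow server cannot hang the script
response.raise_for_status()  # stop on HTTP errors instead of parsing an error page

# Deduplicate and sort the matches so repeated addresses are reported once.
emails = sorted(set(re.findall(r'[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}', response.text)))

print("Found Emails:", emails)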

7. Social Media OSINT

Objective: Use platforms like Twitter to find emails.
Command (Twitter Search):
"@tesla.com" site:twitter.com

8. Shodan for IoT and Email Identifiers

Objective: Search for Tesla-related email identifiers on exposed systems.
Tool:
Command:
shodan search "tesla.com email"

Preventive Measures

Train employees on phishing awareness.
Implement email obfuscation techniques on websites.
Use tools like DMARC, SPF, and DKIM to prevent email spoofing.
Regularly monitor for exposed employee data on breach sites.
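A defender-side check for the DMARC and SPF item above, as an added example that is not part of the original page: it audits TXT record strings for settings that leave a domain spoofable. The records, finding codes and function names are constructed for illustration; in practice the strings would come from TXT lookups of the domain and of _dmarc.<domain>.

```python
import re

# Constructed records: a weak setting beside the corrected one.
WEAK_SPF = "v=spf1 include:_spf.mail.example +all"
GOOD_SPF = "v=spf1 include:_spf.mail.example -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

# Terms that each cost a DNS lookup; SPF evaluation allows at most 10 (RFC 7208).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def audit_spf(record):
    """Return findings for one SPF TXT record (empty list: nothing flagged)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["spf-missing: no SPF record, receivers cannot check the sending host"]
    body = terms[1:]
    names = [re.split(r"[:/=]", t.lstrip("+-~?"), maxsplit=1)[0].lower() for t in body]
    quals = {n: (t[0] if t[0] in "+-~?" else "+") for n, t in zip(names, body)}
    findings = []
    if "all" not in names and "redirect" not in names:
        findings.append("spf-no-all: unmatched senders get a neutral result")
    elif quals.get("all") in ("+", "?"):
        findings.append("spf-open: 'all' passes or is neutral for any sending host")
    elif quals.get("all") == "~":
        findings.append("spf-softfail: ~all only marks mail, enforcement is left to DMARC")
    if sum(n in LOOKUP_TERMS for n in names) > 10:
        findings.append("spf-lookups: more than 10 DNS lookups, evaluation ends in permerror")
    return findings

def audit_dmarc(record):
    """Return findings for one DMARC TXT record (empty list: nothing flagged)."""
    tags = dict(
        (k.strip().lower(), v.strip())
        for k, _, v in (part.partition("=") for part in record.split(";"))
        if k.strip()
    )
    if tags.get("v", "").upper() != "DMARC1":
        return ["dmarc-missing: no DMARC record, failed checks carry no policy"]
    findings = []
    if tags.get("p", "none").lower() == "none":
        findings.append("dmarc-monitor-only: p=none reports but does not block spoofed mail")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append("dmarc-partial: pct=%s applies the policy to part of the mail" % pct)
    if "rua" not in tags:
        findings.append("dmarc-no-reports: no rua address, spoofing attempts go unseen")
    return findings
```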

Important Notes

Always emphasize the ethical use of these techniques.
Focus on education and awareness rather than exploitation.
Ensure no sensitive or private data is exposed during the demonstration.
If you want to demonstrate methods to collect email addresses and phone numbers of employees from an organization like stmu.edu.pk, here are some effective techniques, tools, and methods commonly used in OSINT:

1. Search Engine Dorking

Search engine dorking with Google or Bing is an easy and effective way to uncover email addresses and phone numbers.

Example Queries:

For emails:
site:stmu.edu.pk "@stmu.edu.pk"

Finds all indexed pages with email addresses containing the domain.
For phone numbers:
site:stmu.edu.pk "contact" OR "phone" OR "call us"

Searches for pages with contact details, often listed on the organization's website.
Advanced:
site:stmu.edu.pk intext:@stmu.edu.pk

2. OSINT Tools

theHarvester

A tool designed to collect email addresses, subdomains, and phone numbers from public sources.
theharvester -d stmu.edu.pk -l 500 -b google

Amass

Amass can enumerate emails and other information:
amass intel -whois -d stmu.edu.pk

3. Data Breach Sites

Look for emails and phone numbers in data breaches. Popular tools include:
Have I Been Pwned (HIBP): Check if employee emails have been leaked in breaches:
https://haveibeenpwned.com/

LeakLooker or Dehashed: Search leaked databases for organization-related data.

4. Social Media Scraping

Search social networks (LinkedIn, Twitter, etc.) for employee profiles.

LinkedIn:

Use tools like LinkedIn Scraper or OSINT LinkedIn tools.
Query employees:
site:linkedin.com "@stmu.edu.pk"

Twitter:

Find employees sharing phone numbers or emails:
site:twitter.com "@stmu.edu.pk"

5. Public Directory Lookups

Some organizations have public directories for employees. Look for a "Staff Directory" or similar pages:
Search for terms like:
site:stmu.edu.pk "staff directory"

6. PGP Key Servers

PGP key servers often list emails and phone numbers.

Example:

Search for employees using their domain:
pgp.mit.edu

7. FOCA

FOCA extracts metadata (including emails and phone numbers) from publicly available files (e.g., PDFs, Word documents).
Download files from the domain:
site:stmu.edu.pk filetype:pdf

Run FOCA on the downloaded files:
FOCA > Upload Files > Extract Metadata

8. WHOIS Lookup

WHOIS data for the domain may contain admin contact details, including phone numbers:
whois stmu.edu.pk

9. Data Broker and Scraping Services

Some third-party data brokers aggregate email addresses and phone numbers. Tools like:
Hunter.io (for emails)
Clearbit API

10. Tools Overview

Table 1

| # | Tool | Purpose | Command |
|---|------|---------|---------|
| 1 | theHarvester | Emails, subdomains | theharvester -d stmu.edu.pk -b google |
| 2 | Amass | Whois and email intel | amass intel -whois -d stmu.edu.pk |
| 3 | FOCA | Metadata extraction | Analyze documents for hidden metadata |
| 4 | SpiderFoot | Emails, phone numbers, more | Use the GUI or spiderfoot-cli |
| 5 | Google Dorks | Emails and phone scraping | Use dorking queries mentioned above. |
| 6 | Maltego | Graph-based OSINT gathering | Install transforms for emails and phones. |