Quickly gathering logins/emails with theHarvester and Metasploit

最新推荐文章于 2024-10-29 11:23:55 发布

最新推荐文章于 2024-10-29 11:23:55 发布 · 142 阅读

文章标签：

本文介绍使用theHarvester及Metasploit中的search_email_collector.rb脚本来收集目标组织的有效登录名和电子邮件地址的方法。这些工具能从Google、Bing等搜索引擎中提取信息，为后续的渗透测试提供支持。

Like GI Joe always said: Knowing is half the battle… And so it is the same with hacking.

One of the first parts of recon in a pentest is gathering valid login names and emails. We can use these to profile our target, bruteforce authentication systems, send client-side attacks (through phishing), look through social networks for juicy info on platforms and technologies, etc.

Where do we get this info? Well without doing a full-blown Open Source Recon (OSINT) style assessment, we can use two simple scripts; Metasploit's search_email_collector.rb and Edge-Security's theHarvester.

theHarvester (luckily for us) just updated to v1.5 and has now fixed some of its previous bugs with searching Bing and LinkedIn. It supports searching Google, Bing, PGP servers, and LinkedIn. Metasploit, under modules/auxiliary/gather, has search_email_collector.rb and uses similar techniques for Google, Bing, and Yahoo.

A quick usage below identifies some users

p.s. you can one line search_email_collector like so in msfcli:

ruby /framework3/msfcli auxiliary/gather/search_email_collector DOMAIN=your_target_domain OUTFILE=output_file_you_want_results_in E

Check the last line for an example wrapper for these two tools.

zombie@haktop:/tools/email/theHarvester# ./theHarvester.py -d defcon.com -b google -l 500

*************************************

*TheHarvester Ver. 1.5 *

*Coded by Christian Martorella *

*Edge-Security Research *

*cmartorella@edge-security.com *

*************************************

Searching for defcon.com in google :

======================================

Total results: 462000

Limit: 500

Searching results: 0

Searching results: 100

Searching results: 200

Searching results: 300

Searching results: 400

Accounts found:

====================

quietpro@defcon.com

nick.s@defcon.com

robert@defcon.com

lynne@defcon.com

@defcon.com

joe@defcon.com

info@defcon.com

dtangent@defcon.com

====================

And search_email_collector.rb usage here:

Running MSF search_email_collector...
[*] Please wait while we load the module tree... [*] Harvesting emails ..... [*] Searching Google for email addresses from defcon.com [*] Extracting emails from Google search results... [*] Searching Bing email addresses from defcon.com [*] Extracting emails from Bing search results... [*] Searching Yahoo for email addresses from defcon.com [*] Extracting emails from Yahoo search results... [*] Located 7 email addresses for defcon.com [*] headsets@defcon.com [*] info@defcon.com [*] jobs@defcon.com [*] nick.s@defcon.com [*] nick@defcon.com [*] robert@defcon.com [*] spr@defcon.com

We can wrap both these with a quick (albeit dirty) bash script (this example uses Backtrack paths):

#!/bin/bash echo "Running MSF search_email_collector..." echo ruby /pentest/exploits/framework3/msfcli auxiliary/gather/search_email_collector DOMAIN=$1 OUTFILE=$1_emails.txt E echo echo "Running theHarvester on Google, BING, MSN, PGP..." echo python /pentest/enumeration/google/theharvester/theHarvester.py -d $1 -b google -l 500 >> $1_emails.txt python /pentest/enumeration/google/theharvester/theHarvester.py -d $1 -b msn -l 500 >> $1_emails.txt python /pentest/enumeration/google/theharvester/theHarvester.py -d $1 -b pgp >> $1_emails.txt cat $1_emails.txt | grep @ |grep -v @edge-security.com |sort > $1_emails.txt echo echo "Searching for LinkedIN profiles with theHarverster..." python /pentest/enumeration/google/theharvester/theHarvester.py -d $1 -b linkedin -l 40 >> $1_emails.txt echo echo "Finishing... E-mail Results:" echo cat $1_emails.txt