Valid e-mail accounts are very handy to penetration testers since they can be used for exploiting trust relationships in phishing attacks, for brute-force password auditing against mail servers, and as usernames in many IT systems.
This recipe illustrates how to get a list of valid public e-mail accounts by using Nmap.
The script http-google-email is not included in Nmap's official repository, so you need to download it from http://seclists.org/nmap-dev/2011/q3/att-401/http-google-email.nse and copy it to your local scripts directory. After copying http-google-email.nse, update the script database with:
# nmap --script-updatedb
Open your favorite terminal and type:
$ nmap -p80 --script http-google-email,http-email-harvest <target>
You should see something similar to the following output:
Nmap scan report for insecure.org (74.207.254.18)
Host is up (0.099s latency).
rDNS record for 74.207.254.18: web.insecure.org
PORT   STATE SERVICE
80/tcp open  http
| http-google-email:
|[email protected]
| http-email-harvest:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=insecure.org
| [email protected]
| [email protected]
| [email protected]
| [email protected]
| [email protected]
| [email protected]
|_ [email protected]
The Nmap Scripting Engine allows penetration testers to gather e-mail addresses in two ways:
http-google-email uses Google Web and Google Groups Search to find public e-mail accounts belonging to a given domain.
http-email-harvest spiders the given web server and extracts all of the e-mail addresses it finds.
The arguments -p80 --script http-google-email,http-email-harvest limit port scanning to port 80 and run both scripts against the target to gather as many valid e-mail accounts as possible.
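As an added example (not part of the recipe or of Nmap), the following Python parses the normal-format Nmap report shown above into a per-script list of addresses, so that what a site publicly exposes can be diffed against the addresses its owner actually intends to publish. The sample report and the example.com addresses in it are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample of Nmap normal output, shaped like the recipe's run;
# the example.com addresses are placeholders, not real harvested data.
SAMPLE_OUTPUT = """\
Nmap scan report for www.example.com (192.0.2.10)
PORT   STATE SERVICE
80/tcp open  http
| http-google-email:
|_ webmaster@example.com
| http-email-harvest:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=example.com
| webmaster@example.com
| security@example.com
|_ jobs@example.com
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Start of an NSE script block: "| script-name:" (NSE names are lowercase)
SCRIPT_HEADER_RE = re.compile(r"^\|_?\s*([a-z0-9-]+):\s*$")

def parse_email_scripts(output, domain=None):
    """Map each NSE script name to the sorted addresses it reported.
    Only lines inside a script block ('| ...' / '|_ ...') are scanned; with
    `domain` set, only addresses at that domain or a subdomain are kept."""
    domain = domain.lower() if domain else None
    results = defaultdict(set)
    current = None
    for line in output.splitlines():
        header = SCRIPT_HEADER_RE.match(line)
        if header:
            current = header.group(1)
            continue
        if current is None or not line.startswith("|"):
            current = None  # any non-script line ends the block
            continue
        for addr in EMAIL_RE.findall(line.lstrip("|_ ")):
            local, _, host = addr.rpartition("@")
            host = host.lower()
            if domain and host != domain and not host.endswith("." + domain):
                continue
            results[current].add(f"{local}@{host}")
    return {name: sorted(addrs) for name, addrs in results.items()}

def all_addresses(parsed):
    """Deduplicated union across scripts, ready to diff against an allow-list."""
    return sorted(set().union(*parsed.values()))
```

Feed it the saved normal output of a real run (nmap -oN report.txt ...) and compare all_addresses() against the list of addresses meant to be public; anything extra is exposure the site owner did not plan for.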
The script http-email-harvest depends on the httpspider library, which is highly customizable. For example, to allow the spider to crawl additional pages, use the argument httpspider.maxpagecount:
$ nmap -p80 --script http-email-harvest --script-args httpspider.maxpagecount=50 <target>
To start spidering from a different page than the root folder, use the argument httpspider.url:
$ nmap -p80 --script http-email-harvest --script-args httpspider.url=/welcome.php <target>
The official documentation for this library can be found at http://nmap.org/nsedoc/lib/httpspider.html#script-args.
For http-google-email, there are a couple of arguments that are good to know:
domain: sets the domain whose e-mail accounts are searched for, which does not have to be the scanned target:
$ nmap -p80 --script http-google-email --script-args domain=insecure.org scanme.nmap.org
pages: sets the number of search result pages to go through; if you increase it, you might get additional results:
# nmap -p80 --script http-google-email --script-args pages=10 scanme.nmap.org
The flag --script-args is used to set arguments of NSE scripts. For example, to set the HTTP library argument useragent, use the following:
nmap -sV --script http-title --script-args http.useragent="Mozilla 999" <target>
You can also use aliases when setting arguments of NSE scripts. Use:
$ nmap -p80 --script http-trace --script-args path <target>
Instead of:
$ nmap -p80 --script http-trace --script-args http-trace.path <target>