Collecting valid e-mail accounts

Valid e-mail accounts are very handy to penetration testers, since they can be used to exploit trust relationships in phishing attacks, for brute-force password auditing against mail servers, and as usernames in many IT systems.

This recipe illustrates how to get a list of valid public e-mail accounts by using Nmap.

Getting ready

The script http-google-email is not included in Nmap's official repository. So you need to download it from http://seclists.org/nmap-dev/2011/q3/att-401/http-google-email.nse and copy it to your local scripts directory. After copying http-google-email.nse, you should update the script database with:

#nmap --script-updatedb

How to do it...

Open your favorite terminal and type:

$nmap -p80 --script http-google-email,http-email-harvest <target>

You should see something similar to the following output:

Nmap scan report for insecure.org (74.207.254.18)
Host is up (0.099s latency).
rDNS record for 74.207.254.18: web.insecure.org
PORT   STATE SERVICE
80/tcp open  http
| http-google-email:
|[email protected]
| http-email-harvest:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=insecure.org
|   [email protected]
|   [email protected]
|   [email protected]
|   [email protected]
|   [email protected]
|   [email protected]
|_  [email protected]

How it works...

The Nmap Scripting Engine allows penetration testers to gather e-mails in two ways:

  • Shinnok's http-google-email script uses Google Web and Google Groups Search to find public e-mail accounts belonging to a given domain.
  • Patrik Karlsson's http-email-harvest spiders the given web server and extracts all of the e-mail addresses found.

The argument -p80 --script http-google-email,http-email-harvest limits port scanning to port 80 and initiates the scripts mentioned previously to try to gather as many valid e-mail accounts as possible.

There's more...

The script http-email-harvest depends on the httpspider library, which is highly customizable. For example, to allow the spider to crawl additional pages, use the argument httpspider.maxpagecount:

$nmap -p80 --script http-email-harvest --script-args httpspider.maxpagecount=50 <target>

To start spidering from a different page than the root folder, use the argument httpspider.url:

$nmap -p80 --script http-email-harvest --script-args httpspider.url=/welcome.php <target>

The official documentation for this library can be found at http://nmap.org/nsedoc/lib/httpspider.html#script-args.

For http-google-email, there are a couple of arguments that are good to know:

  • You can specify the domain name to look for by using the script argument domain:
    $ nmap -p80 --script http-google-email --script-args domain=insecure.org scanme.nmap.org

  • By increasing the number of page results with the script argument pages you might get additional results:
    # nmap -p80 --script http-google-email --script-args pages=10 scanme.nmap.org

NSE script arguments

The flag --script-args is used to set arguments of NSE scripts. For example, if you would like to set the HTTP library argument useragent, use the following:

nmap -sV --script http-title --script-args http.useragent="Mozilla 999" <target>

You can also use aliases when setting arguments of NSE scripts. Use:

$nmap -p80 --script http-trace --script-args path <target>

Instead of:

$nmap -p80 --script http-trace --script-args http-trace.path <target>

HTTP User Agent

There are some packet filtering products that block requests made using Nmap's default HTTP User Agent. You can set a different HTTP User Agent by setting the argument http.useragent:

$nmap -p80 --script http-email-harvest --script-args http.useragent="Mozilla 42" <target>
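Seen from the web server's side, the same harvesting run can be spotted in the access log. The following Python script is an added example, not code from this book or from Nmap: it flags clients in a combined-format log that either send the NSE default User-Agent (an assumed value taken from Nmap's http library, matched on its stable substring) or, like http-email-harvest with a raised httpspider.maxpagecount, request more than 20 distinct pages within a minute. The log lines are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime

# User-Agent Nmap's http library sends when http.useragent is not set (assumed
# value from http.lua; the stable substring is what we match on).
NMAP_DEFAULT_UA = "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
NMAP_UA_MARKER = "Nmap Scripting Engine"

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

def make_line(ip, second, path, ua):
    """Build one constructed combined-format log line (sample data, not real traffic)."""
    return (f'{ip} - - [10/Oct/2023:14:02:{second:02d} +0000] "GET {path} HTTP/1.1" '
            f'200 512 "-" "{ua}"')

# Constructed sample: a run with the default UA, a run that set http.useragent
# but still fetched 25 pages in a few seconds, and one ordinary visitor.
SAMPLE_LOG = [make_line("203.0.113.5", 1, p, NMAP_DEFAULT_UA) for p in ("/", "/contact")]
SAMPLE_LOG += [make_line("198.51.100.7", 5 + i // 10, f"/page{i}.html", "Mozilla 42") for i in range(25)]
SAMPLE_LOG += [make_line("192.0.2.9", 30, "/", "Mozilla/5.0 (X11; Linux x86_64)")]

def find_harvesters(lines, max_pages=20, window_seconds=60):
    """Return {ip: reason} for clients that advertise the NSE default User-Agent or
    request more than max_pages distinct paths within window_seconds (the default
    httpspider budget of 20 pages is a reasonable threshold for a small site)."""
    hits, per_ip = {}, defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if NMAP_UA_MARKER in m["ua"]:
            hits[m["ip"]] = "default NSE User-Agent"
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["req"].split(" ")[1] if " " in m["req"] else m["req"]
        per_ip[m["ip"]].append((ts, path))
    for ip, reqs in per_ip.items():
        if ip in hits:
            continue  # already flagged by User-Agent
        reqs.sort()
        for i, (start, _) in enumerate(reqs):  # sliding window per client
            paths = {p for t, p in reqs[i:] if (t - start).total_seconds() <= window_seconds}
            if len(paths) > max_pages:
                hits[ip] = f"{len(paths)} distinct pages within {window_seconds}s"
                break
    return hits

print(find_harvesters(SAMPLE_LOG))
```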

See also

  • The Hiding our traffic with additional random data recipe in Chapter 2, Network Exploration
  • The Geolocating an IP address recipe
  • The Getting information from WHOIS records recipe
  • The Fingerprinting the operating system of a host recipe
  • The Discovering hostnames pointing to the same IP address recipe
  • The Checking if a host is known for malicious activities recipe
  • The Brute forcing DNS records recipe