00:00:00,600 --> 00:01:25,750
Right now, we are going to see how we can gather emails for a certain company or a domain. Remember, people are always the weakest link in security. If we manage to send some malicious program to someone working in a company and they run the program, we've got our way in. We can also use emails in something like a brute force attack; we can use them in the username fields. There are many ways this could be useful, but for now, let's just see how we can get them. Since emails are public information, we can test this on any domain we want to get emails from. We're going to check out two different options: a tool called theHarvester that's installed in Kali Linux, and a website called hunter.io.

Let's start with theHarvester first. So open up your terminal, and to just run the whole menu of theHarvester, we can type the tool name. So just type theHarvester with a capital H and press enter, and this will output a smaller help menu. Just like what we did once we specified its name, we get its banner and some of the options that we can run. It tells us, since we tried to run it with just the name of the program, that there is an error: the following arguments are required. So we need to specify the domain.
00:01:26,120 --> 00:02:48,870
But before we specify the domain, let us just run the bigger help menu so we can see all of our available options. OK, great, here it is. So we get the domain option; we need to specify either a company name or a domain name to search. This is the limit of search results, which by default is equal to five hundred. And all these other options are not really of interest to us besides this last source option, which specifies where we want to search for emails. We need to specify one of these; for example, we can specify that we want to search Twitter, LinkedIn, Bing, Google, or we can simply just specify all, and it will go through all of these in search of usernames, hosts and emails.

So let's try it out. If I clear the screen and type theHarvester, the first thing we need to specify is -d for the domain, and for this test I will go with this domain right here, which is another university domain. You can go either with this one or you can pick any website that you want and use it instead. So you specify theHarvester -d, then the domain name. The next option that I want to specify is -b, and remember that the -b option is the source.
00:02:48,880 --> 00:04:19,230
So that is where we want to search for the emails, host names and user names, and let us, for the first try, specify all. And the last option is -l, which is the limit that is set by default to five hundred, so we can either specify more than that or less than that, or we can simply not specify -l at all, and it will by default scan five hundred results.

So if we leave it just like this and I press enter here, running this command will take some time; it will search for different results. It will search for hostnames, it will search for usernames, and it will also search for emails. As we can see down here, it says "searching three hundred results", and this will go up to five hundred since we are using the default option, which is five hundred results. And it seems that we already got some users found. Here are some of the names, as well as what they do. So this is already some result for us. Let's just wait for all of this to finish and then we will go through all of the results that we managed to get.

OK, so it is finished. Let us check out what we got as an output. So it searched through a bunch of different platforms, as we can see: LinkedIn, VirusTotal, Yahoo!, Twitter, but it didn't manage to find any results on these platforms. The only thing we got is these users right here.
00:04:20,230 --> 00:05:39,940
But this is not what we looked for. We wanted to find some email addresses or perhaps some usernames. There is one thing about theHarvester tool: from my personal experience, this tool doesn't always work. There are days when it gives amazing results, but there are days when it doesn't find any emails or any hosts, just like it did in this case, as it says "failed to detect a valid IP address from this domain name". We also didn't get any emails, and I'm talking about scanning this same domain on just two different days. That's why, in case you don't get any results from this tool right now, it is always good to scan it multiple times. So if we scan it once again, and instead of -b all I select -b google and scan only from Google, we'll see if I get any different results. And if we still don't manage to get any results, just try the same command either later or tomorrow, and I guarantee you it will usually give you a different result.

As we can see, we didn't manage to find anything with this, so that's why we've got a second option. And that second option is the website hunter.io. So let's go and visit that website. Open up your Firefox.
00:05:44,460 --> 00:07:12,070
And in the search bar up here, type hunter.io; it will automatically lead you to this website, and we can see right here we've got this search bar where we specify our company domain and we click on "Find email addresses". But on this website, you must first create an account, and you either have a free account or a paid account. Technically, you can even search without creating an account, but it will only show you the first five results, and they will be half blurred. Let me show you: if I go here and type the same domain name that we used for theHarvester, and let me just enlarge this a little bit so you can see in greater detail, and I click on "Find email addresses", it will show me the first five results and they will all be blurred. Now you can technically try to figure out what these email addresses are, but they will be blurred nonetheless. And down here, it also tells you how many results it managed to gather: it managed to gather three hundred and fifteen more results besides these five emails. And those results will be available if you get a paid account. With a free account, however, let me show you how it looks: if I go to "Sign in" and I sign into my account. For you, just go and create an account right here and sign into your free account.
00:07:12,340 --> 00:08:36,060
Once you create an account, you should be able to have about 50 searches per month with the free account, as it says right here. So we've got zero out of 50, and these monthly requests reset in about one month. And as I mentioned, even with a free account, you also don't get all the results output, but at least the emails that it gives you are not blurred. Let's test it out. If I type the domain name that we used this entire video and click on Search, right now I managed to get some of the results right here. So I get up to 10 results with their email addresses and names; so we've got the name and we've also got the email addresses, and we get right here which pattern it used to find the email addresses. And all of these email addresses are also split into different sections. So if I click on IT engineering, I will even get what type of work this person does: project adviser, IT engineering, production engineering, technical editor, as well as their email addresses. We also get from which sources it managed to get these emails. And if I go to "All" right here and I remove this IT engineering down here, we will also get that there are three hundred and ten more results for this domain name.
00:08:37,190 --> 00:09:58,740
So it is completely up to you whether you think you should get the paid version for this; just keep in mind that with the paid version, you get many more results than with the free version. The bad side of the paid version is that it isn't cheap at all. If I go to my account up here and I click on Subscription, I can see down here which plan choices I have available to purchase, and you can see a thousand requests per month will be around 50 euros per month.

So this is completely up to you, but nonetheless, what we did learn in this video is different ways to gather emails about a certain domain. And I encourage you to also later try out theHarvester once again, because it does give really good results once it works. And one more thing is that at the end of this section, I will give you a tool that is coded in Python 3 that will be able to gather even more emails from a specified domain. So it will be even better than these two options that I showed you right here, and it will be our own tool. I will give you its code and also show you how to run it and how it works. OK, good. In the next video, we're going to see how we can install some additional tools that we might need for information gathering.