1 00:00:00,660 --> 00:00:02,610 -: Right now we are going to see
2 00:00:02,610 --> 00:00:04,380 how we can gather emails
3 00:00:04,380 --> 00:00:07,140 for a certain company or a domain.
4 00:00:07,140 --> 00:00:11,160 Remember, people are always weak at security.
5 00:00:11,160 --> 00:00:12,390 If we managed to send
6 00:00:12,390 --> 00:00:13,680 some malicious program
7 00:00:13,680 --> 00:00:15,810 to someone working in a company,
8 00:00:15,810 --> 00:00:17,730 and they run that program,
9 00:00:17,730 --> 00:00:20,070 we got our way in.
10 00:00:20,070 --> 00:00:22,200 We can also use emails in something
11 00:00:22,200 --> 00:00:23,850 like a brute force attack.
12 00:00:23,850 --> 00:00:27,270 We can use them in the username fields.
13 00:00:27,270 --> 00:00:28,920 There are many ways this could be useful,
14 00:00:28,920 --> 00:00:32,640 but, for now, let us just see how we can get them.
15 00:00:32,640 --> 00:00:34,830 Since emails are public information,
16 00:00:34,830 --> 00:00:37,920 we can test this on any domain we want.
17 00:00:37,920 --> 00:00:40,140 To get emails, we are going to check out
18 00:00:40,140 --> 00:00:42,030 two different options,
19 00:00:42,030 --> 00:00:44,040 a tool called the Harvester,
20 00:00:44,040 --> 00:00:46,110 that's installed in Kali Linux,
21 00:00:46,110 --> 00:00:50,070 and a website called hunter.io.
22 00:00:50,070 --> 00:00:51,690 Let's start with Harvester first.
23 00:00:51,690 --> 00:00:53,061 So open up your terminal,
24 00:00:53,061 --> 00:00:55,350 (computer mouse clicks)
25 00:00:55,350 --> 00:00:58,560 and to just run the help menu from the Harvester,
26 00:00:58,560 --> 00:01:01,380 we can type the tool name.
27 00:01:01,380 --> 00:01:03,000 So just type the Harvester,
28 00:01:03,000 --> 00:01:05,793 with capital H and press enter,
29 00:01:06,750 --> 00:01:08,010 and this will output us
30 00:01:08,010 --> 00:01:09,810 with a smaller help menu,
31 00:01:09,810 --> 00:01:11,490 just like the whatweb tool did.
32 00:01:11,490 --> 00:01:13,110 Once we specified its name,
33 00:01:13,110 --> 00:01:14,520 we get its banner,
34 00:01:14,520 --> 00:01:16,923 and some of the options that we can run.
35 00:01:17,940 --> 00:01:19,710 It tells us, since we tried to run it
36 00:01:19,710 --> 00:01:20,940 with just the name of the program,
37 00:01:20,940 --> 00:01:22,110 that there is an error,
38 00:01:22,110 --> 00:01:24,240 the following arguments are required.
39 00:01:24,240 --> 00:01:26,160 So we need to specify the domain,
40 00:01:26,160 --> 00:01:27,810 but before we specify the domain,
41 00:01:27,810 --> 00:01:30,240 let us just run the bigger help manual,
42 00:01:30,240 --> 00:01:33,840 so we can see all of our available options.
43 00:01:33,840 --> 00:01:34,673 Okay, great.
44 00:01:34,673 --> 00:01:35,970 Here it is.
45 00:01:35,970 --> 00:01:38,580 So, we get the domain option.
46 00:01:38,580 --> 00:01:40,920 So, we need to specify either a company name,
47 00:01:40,920 --> 00:01:42,753 or domain name to search.
48 00:01:43,650 --> 00:01:45,060 This is the limit,
49 00:01:45,060 --> 00:01:46,290 limit of search results,
50 00:01:46,290 --> 00:01:49,320 which is by default equal to 500,
51 00:01:49,320 --> 00:01:51,150 and all these other options are not
52 00:01:51,150 --> 00:01:52,830 really of interest to us,
53 00:01:52,830 --> 00:01:55,530 besides this last source option.
54 00:01:55,530 --> 00:01:56,910 And this last source option,
55 00:01:56,910 --> 00:01:58,680 we specify with dash B,
56 00:01:58,680 --> 00:02:02,580 and we specify where we want to search for emails.
57 00:02:02,580 --> 00:02:04,920 Now, we need to specify one of these.
58 00:02:04,920 --> 00:02:06,750 We can, for example, specify we want to search
59 00:02:06,750 --> 00:02:11,250 for Twitter, LinkedIn, Bing, Google,
60 00:02:11,250 --> 00:02:13,440 or we can simply just specify all
61 00:02:13,440 --> 00:02:14,760 and it will go through
62 00:02:14,760 --> 00:02:15,810 all of these,
63 00:02:15,810 --> 00:02:19,500 in search for usernames, hosts and emails.
64 00:02:19,500 --> 00:02:21,150 So let's try it out.
65 00:02:21,150 --> 00:02:22,470 If I clear the screen,
66 00:02:22,470 --> 00:02:24,450 type the Harvester,
67 00:02:24,450 --> 00:02:26,040 and the first thing we need to specify
68 00:02:26,040 --> 00:02:28,500 is dash D for the domain,
69 00:02:28,500 --> 00:02:29,400 and for this test,
70 00:02:29,400 --> 00:02:31,590 I will go with this domain right here,
71 00:02:31,590 --> 00:02:33,630 which is another university domain.
72 00:02:33,630 --> 00:02:35,460 You can go either with this one,
73 00:02:35,460 --> 00:02:37,890 or you can pick any website that you want,
74 00:02:37,890 --> 00:02:39,870 and use it instead.
75 00:02:39,870 --> 00:02:42,030 So, if I specified the Harvester dash D,
76 00:02:42,030 --> 00:02:43,320 then the domain name,
77 00:02:43,320 --> 00:02:46,290 the next option that I want to specify is dash B,
78 00:02:46,290 --> 00:02:48,840 and remember, the dash B option is the source.
79 00:02:48,840 --> 00:02:51,150 So where we want to search for the emails,
80 00:02:51,150 --> 00:02:53,670 host names, and usernames,
81 00:02:53,670 --> 00:02:56,913 and let us for the first try specify all,
82 00:02:58,050 --> 00:03:00,390 and the last option is dash L,
83 00:03:00,390 --> 00:03:01,410 which is the limit,
84 00:03:01,410 --> 00:03:03,360 that is set by default, to be 500.
85 00:03:03,360 --> 00:03:05,040 So we can either specify
86 00:03:05,040 --> 00:03:06,540 more than that or less than that,
87 00:03:06,540 --> 00:03:09,810 or we can simply just not specify dash L at all,
88 00:03:09,810 --> 00:03:13,620 and it'll just, by default, scan 500 results.
89 00:03:13,620 --> 00:03:15,480 So if we leave it just like this,
90 00:03:15,480 --> 00:03:17,043 and I press, here, enter,
91 00:03:17,880 --> 00:03:20,640 the running of this command will take some time.
92 00:03:20,640 --> 00:03:22,470 It will search for different results,
93 00:03:22,470 --> 00:03:24,120 it will search for host names,
94 00:03:24,120 --> 00:03:25,980 it will search for user names,
95 00:03:25,980 --> 00:03:28,650 and it'll also search for emails.
96 00:03:28,650 --> 00:03:31,740 As we can see down here it says searching 300 results,
97 00:03:31,740 --> 00:03:33,690 and this will go up to 500,
98 00:03:33,690 --> 00:03:36,180 since we are using the default dash L option,
99 00:03:36,180 --> 00:03:38,400 which is 500 results.
100 00:03:38,400 --> 00:03:41,760 And it seems that we already got some users found.
101 00:03:41,760 --> 00:03:43,500 Here are some of the names,
102 00:03:43,500 --> 00:03:45,183 as well as what they do.
103 00:03:46,050 --> 00:03:49,800 So this is already some result for us.
104 00:03:49,800 --> 00:03:51,630 Let's just wait for all of this to finish,
105 00:03:51,630 --> 00:03:53,700 and then we will go through all of the results
106 00:03:53,700 --> 00:03:54,950 that we managed to gather.
107 00:03:58,020 --> 00:03:59,280 Okay, so it is finished.
108 00:03:59,280 --> 00:04:02,550 Let us check out what we got as an output.
109 00:04:02,550 --> 00:04:05,430 So it searched through a bunch of different platforms,
110 00:04:05,430 --> 00:04:10,430 as we can see, LinkedIn, VirusTotal, Yahoo, Twitter,
111 00:04:10,560 --> 00:04:12,930 but it didn't manage to find
112 00:04:12,930 --> 00:04:15,720 any results for these platforms.
113 00:04:15,720 --> 00:04:19,382 The only thing we got is these users right here,
114 00:04:20,279 --> 00:04:22,410 but this is not what we looked for.
115 00:04:22,410 --> 00:04:24,480 We wanted to find some email addresses,
116 00:04:24,480 --> 00:04:27,210 or perhaps some usernames.
117 00:04:27,210 --> 00:04:30,270 There is one thing with this Harvester tool.
118 00:04:30,270 --> 00:04:31,830 From my personal experience,
119 00:04:31,830 --> 00:04:34,500 this tool doesn't always work.
120 00:04:34,500 --> 00:04:36,690 There are days when it gives amazing results,
121 00:04:36,690 --> 00:04:39,600 but there are days when it doesn't find any emails,
122 00:04:39,600 --> 00:04:43,050 or any hosts, just like it did in this case.
123 00:04:43,050 --> 00:04:45,510 As it says, failed to detect a valid IP address
124 00:04:45,510 --> 00:04:47,400 from this domain name.
125 00:04:47,400 --> 00:04:50,070 We also didn't get any emails,
126 00:04:50,070 --> 00:04:53,370 and I'm talking about scanning this same domain,
127 00:04:53,370 --> 00:04:55,560 just on two different days.
128 00:04:55,560 --> 00:04:57,960 That's why it is always good to,
129 00:04:57,960 --> 00:04:59,970 in case you don't get any results,
130 00:04:59,970 --> 00:05:02,070 for this tool, right now,
131 00:05:02,070 --> 00:05:04,410 to scan it multiple times.
132 00:05:04,410 --> 00:05:06,240 So, if I scan it once again,
133 00:05:06,240 --> 00:05:08,010 and instead of dash B all,
134 00:05:08,010 --> 00:05:09,150 I will select dash B,
135 00:05:09,150 --> 00:05:11,370 and scan only from Google,
136 00:05:11,370 --> 00:05:14,400 to see if I get any different results.
137 00:05:14,400 --> 00:05:17,490 And if we still don't manage to get any results,
138 00:05:17,490 --> 00:05:21,360 just try the same command either later or tomorrow,
139 00:05:21,360 --> 00:05:23,760 and I guarantee you it will usually give you
140 00:05:23,760 --> 00:05:25,530 a different result.
141 00:05:25,530 --> 00:05:28,710 As we can see, we didn't manage to find anything
142 00:05:28,710 --> 00:05:32,670 with this tool, that's why we got a second option.
143 00:05:32,670 --> 00:05:37,080 And that second option is a website, hunter.io.
144 00:05:37,080 --> 00:05:38,730 So let's go and visit that website.
145 00:05:38,730 --> 00:05:39,931 Open up your Firefox,
146 00:05:39,931 --> 00:05:43,514 (computer keyboard clicks)
147 00:05:44,520 --> 00:05:46,560 and in the search bar, up here,
148 00:05:46,560 --> 00:05:50,643 type hunter.io,
149 00:05:51,840 --> 00:05:53,970 it'll automatically lead you to this website,
150 00:05:53,970 --> 00:05:55,860 and we can see right here,
151 00:05:55,860 --> 00:05:57,450 we got this search bar,
152 00:05:57,450 --> 00:05:59,940 where we specify our company domain,
153 00:05:59,940 --> 00:06:03,120 and we click on find email addresses.
154 00:06:03,120 --> 00:06:04,590 But on this website,
155 00:06:04,590 --> 00:06:07,140 you must first create an account,
156 00:06:07,140 --> 00:06:08,940 and you either have a free account
157 00:06:08,940 --> 00:06:11,010 or a paid account.
158 00:06:11,010 --> 00:06:12,660 Technically you can even search
159 00:06:12,660 --> 00:06:14,190 without creating an account,
160 00:06:14,190 --> 00:06:16,800 but it will only show you the first five results,
161 00:06:16,800 --> 00:06:18,600 and they will be half blurred.
162 00:06:18,600 --> 00:06:19,680 Let me show you.
163 00:06:19,680 --> 00:06:20,970 If I go here,
164 00:06:20,970 --> 00:06:22,440 and type the same domain name
165 00:06:22,440 --> 00:06:24,183 that we used for Harvester,
166 00:06:25,020 --> 00:06:27,660 and let me just enlarge this a little bit,
167 00:06:27,660 --> 00:06:31,290 so you can see in greater detail.
168 00:06:31,290 --> 00:06:34,083 And I click on find email addresses,
169 00:06:34,950 --> 00:06:37,200 it will show me the first five results,
170 00:06:37,200 --> 00:06:39,300 and they will all be blurred.
171 00:06:39,300 --> 00:06:40,230 Now you can technically,
172 00:06:40,230 --> 00:06:43,290 try to figure out what these email addresses are,
173 00:06:43,290 --> 00:06:46,080 but they will be blurred, nonetheless.
174 00:06:46,080 --> 00:06:47,760 And down here, it also tells you
175 00:06:47,760 --> 00:06:50,370 how many results it managed to gather.
176 00:06:50,370 --> 00:06:53,430 It managed to gather 315 more results,
177 00:06:53,430 --> 00:06:55,410 besides these five emails,
178 00:06:55,410 --> 00:06:57,570 and those results will be available,
179 00:06:57,570 --> 00:06:59,340 if you get a paid account.
180 00:06:59,340 --> 00:07:01,020 With a free account, however,
181 00:07:01,020 --> 00:07:01,853 let me show you,
182 00:07:01,853 --> 00:07:03,270 what a free account looks like.
183 00:07:03,270 --> 00:07:04,533 If I go and sign in,
184 00:07:05,580 --> 00:07:07,860 and I sign into my account, for you,
185 00:07:07,860 --> 00:07:10,110 just go and create an account right here,
186 00:07:10,110 --> 00:07:12,330 and sign in, into your free account.
187 00:07:12,330 --> 00:07:13,980 Once you create an account,
188 00:07:13,980 --> 00:07:15,570 you should be able to have about
189 00:07:15,570 --> 00:07:17,100 50 searches per month,
190 00:07:17,100 --> 00:07:19,833 with the free account, as it says right here.
191 00:07:19,833 --> 00:07:21,690 So we got zero out of 50,
192 00:07:21,690 --> 00:07:25,413 and these monthly requests reset in about one month.
193 00:07:26,310 --> 00:07:28,320 And as I mentioned, even with a free account,
194 00:07:28,320 --> 00:07:30,870 you also don't get all the results outputted,
195 00:07:30,870 --> 00:07:33,000 but at least the emails that it gives you
196 00:07:33,000 --> 00:07:34,350 are not blurred.
197 00:07:34,350 --> 00:07:35,850 Let's test it out.
198 00:07:35,850 --> 00:07:38,520 If I type the domain name that we used
199 00:07:38,520 --> 00:07:39,840 this entire video,
200 00:07:39,840 --> 00:07:40,953 and click on search,
201 00:07:42,240 --> 00:07:45,120 right now, I managed to get some of the results,
202 00:07:45,120 --> 00:07:46,680 right here.
203 00:07:46,680 --> 00:07:49,200 So I get up to 10 results
204 00:07:49,200 --> 00:07:52,200 with their email addresses and with their names.
205 00:07:52,200 --> 00:07:56,130 So we got the name and we also got the email addresses.
206 00:07:56,130 --> 00:07:57,150 We get right here,
207 00:07:57,150 --> 00:08:00,570 which pattern it used to find email addresses,
208 00:08:00,570 --> 00:08:03,450 and all of these email addresses are also split
209 00:08:03,450 --> 00:08:05,160 into different sections.
210 00:08:05,160 --> 00:08:06,933 So if you click on IT/Engineering,
211 00:08:07,950 --> 00:08:09,420 I will even get
212 00:08:09,420 --> 00:08:12,300 what type of work this person does,
213 00:08:12,300 --> 00:08:14,460 Project Advisor, IT Engineering,
214 00:08:14,460 --> 00:08:17,580 Production Engineering, Technical Editor,
215 00:08:17,580 --> 00:08:19,140 as well as their email addresses.
216 00:08:19,140 --> 00:08:21,480 We also get from which sources
217 00:08:21,480 --> 00:08:24,180 we managed to get these emails.
218 00:08:24,180 --> 00:08:27,660 And if I go to all, right here,
219 00:08:27,660 --> 00:08:30,600 and I remove this IT/Engineering,
220 00:08:30,600 --> 00:08:32,010 down here we will also get
221 00:08:32,010 --> 00:08:33,937 that there are 310 more results
222 00:08:33,937 --> 00:08:36,183 for this domain name.
223 00:08:37,200 --> 00:08:38,730 So, it is completely up to you,
224 00:08:38,730 --> 00:08:41,520 whether you think you should get the paid version for this.
225 00:08:41,520 --> 00:08:44,010 Just keep in mind that with the paid version
226 00:08:44,010 --> 00:08:47,700 you get many more results than with the free version.
227 00:08:47,700 --> 00:08:49,830 The bad side about the paid version
228 00:08:49,830 --> 00:08:53,070 is that it isn't cheap at all.
229 00:08:53,070 --> 00:08:55,950 If I go to my account up here,
230 00:08:55,950 --> 00:08:57,663 and I click on subscription,
231 00:08:59,940 --> 00:09:02,310 I can see down here which plan choices
232 00:09:02,310 --> 00:09:04,860 I have available to purchase,
233 00:09:04,860 --> 00:09:07,560 and you can see a thousand requests per month
234 00:09:07,560 --> 00:09:09,963 will be around 50 euros per month.
235 00:09:11,070 --> 00:09:13,350 So this is completely up to you,
236 00:09:13,350 --> 00:09:14,730 but, nonetheless,
237 00:09:14,730 --> 00:09:16,140 what we did learn in this video,
238 00:09:16,140 --> 00:09:18,090 is different ways to gather emails
239 00:09:18,090 --> 00:09:19,680 about a certain domain,
240 00:09:19,680 --> 00:09:22,230 and I encourage you to also, later, try out
241 00:09:22,230 --> 00:09:24,300 this Harvester tool once again,
242 00:09:24,300 --> 00:09:27,510 because it does know to give really good results,
243 00:09:27,510 --> 00:09:29,130 once it works.
244 00:09:29,130 --> 00:09:30,630 And one more thing,
245 00:09:30,630 --> 00:09:32,430 is that at the end of this section
246 00:09:32,430 --> 00:09:33,630 I will give you a tool
247 00:09:33,630 --> 00:09:35,400 that is coded in Python 3
248 00:09:35,400 --> 00:09:37,890 that will be able to gather even more emails
249 00:09:37,890 --> 00:09:39,690 from a specified domain.
250 00:09:39,690 --> 00:09:40,770 So, it will be even better
251 00:09:40,770 --> 00:09:42,810 than these two options that I showed you right here,
252 00:09:42,810 --> 00:09:45,360 and it will be our own tool.
253 00:09:45,360 --> 00:09:46,410 I will give you its code,
254 00:09:46,410 --> 00:09:48,030 and also show you how to run it,
255 00:09:48,030 --> 00:09:49,323 and how it works.
256 00:09:50,220 --> 00:09:51,480 Okay, good.
257 00:09:51,480 --> 00:09:52,590 In the next video,
258 00:09:52,590 --> 00:09:54,292 we're going to see
259 00:09:54,292 --> 00:09:55,710 how we can install some additional tools
260 00:09:55,710 --> 00:09:58,170 that we might need for information gathering.
261 00:09:58,170 --> 00:09:59,003 See you there.