Open Source Intelligence: How to find anyone's email address
Google Dorks
· “@example.com” site:example.com
— search for all emails on a given domain.
· HR “email” site:example.com
filetype:csv | filetype:xls | filetype:xlsx — find HR contact lists on a
given domain.
· site:example.com intext:@gmail.com filetype:xls —
extract email IDs from Google on a given domain.
Email
tools
· Hunter — performs fast
scan of the domain name for email addresses and reveals its common pattern.
·
Email permutator —
generates permutations of up to three domains at which target is likely to have an
email address. Supports multiple variables input to generate custom results.
· Proofy — allows bulk email validation
which is useful when you generated a list of emails using a permutation tool and
want to check all of them at once.
·
Verifalia — validates single
email addresses for free without registration. To use bulk validation you have to
sign up.
Browser plugins
·
Prophet —
reveals more about people. It uses an advanced engine to predict the most likely
email mix for a given person based on name, company, and other social data. Prophet
then validates the generated emails to ensure they are correct and deliverable.
·
OSINT browser extension — includes many
useful links, including links for email search and verification. Compatible with
Firefox and Chrome.
·
LinkedIn
Sales Navigator — chrome plugin that displays associated Twitter accounts
and rich LinkedIn profile data directly in Gmail.
Compromised
Databases
Data breaches have become a big problem, and recently
we've been seeing more and more data dumps. Security researcher Troy Hunt collected
the published data, stripped the passwords, assigned the emails to the breaches they
were involved in, and uploaded them to haveibeenpwned.com.
While the fact of the breach itself may not be as important, what is important is
that via email you may be able to get a list of services that the person used or at
least used.
Another option is to use dehashed.com.
For free accounts, it works similar to Troy Hunt's site, but for valid subscriptions
it will display the password in clear text or as a password hash. From an open
source intelligence perspective, we need it to search if it has been used on some
other site - another way to find out which services the person uses or at least has
used. A search by password or its hash value will not only show which site it was
used on, but also the email address associated with it. Thus, we can obtain the
email of the target, which we would otherwise not have access to. It is important to
note that if the password is not unique, we may get false positives because others
may also use it.