Hey guys, it’s me @dheerajydv19, and in today’s blog, I will share my own methodology for email OSINT. I will try to explain everything from scratch, but if you still face any difficulty, feel free to ask on Twitter.
What is Email OSINT?
Email OSINT refers to the use of open-source intelligence tools and techniques to find publicly available information starting from nothing but an email address. This is how I describe email OSINT; other researchers may define it in some other way.
Prerequisite -
To perform email OSINT, you need the email of your victim. There are a lot of ways to find it. Some of them are as follows -
Using phone number OSINT
Read my blog on phone number OSINT to learn how you can find someone’s email by just knowing their phone number.
https://hacklido.com/blog/272-phone-number-osint-my-methodology-for-investigations
From their website’s contact or about us page
In many cases, we know our victim’s or target’s website, so we can just explore its about us or contact us page, which in most cases contains their email. You can also use the theHarvester tool for this.
Using some social engineering techniques
Many times, what I do is just create a Google Form and somehow force my victim to enter his own data in it, and this way I easily get their phone number and email.
There are a lot more ways, but these are the most common ways I personally use.
Now, let’s start with the actual part. Whenever I get a new email, the first thing I do is check whether the email exists and what its online reputation is.
How to check if an email exists or not?
I use email-checker.net for this purpose.
How to check email reputation?
I use emailrep.io for this purpose.
How to find socials using email?
Before looking for the socials, I personally prefer finding the websites where the user has an account. The first thought in my mind is always to use epieos, a really awesome website for email OSINT. Try it once at epieos.com. Try the free version, which I am sure you will like; you can also purchase its premium to find more info by using all the other modules.
Now, use some more tools to find which websites the victim has an account on. Try the holehe tool. I have just recently written a blog on it, so check out that blog at hacklido.com/blog/341-holehe-the-email-investigation-tool-you-need-for-osint
Once you have found out which websites your victim uses, you can try abusing those websites’ functionality and, if done correctly, get some really good stuff, like the victim’s country, the starting and last digits of his phone number, his pic (rare case), real name and any other useful data.
What next?
Next, search for that email on leak database websites.
I personally use:
https://haveibeenpwned.com/
https://namescan.io/freeemailcompromisedcheck
https://leak-lookup.com/
- You can also try the website below. I haven’t tried it since it’s paid and I can’t afford it. https://leakcheck.io/
- You can also try searching for that email in a custom database if you have one.
One more tool I sometimes use is https://github.com/drooling/email-osint
Wait, how can I forget Google dorking?
I just directly search for the email on Google, like “test@gmail.com”, and sometimes play with different dorks.
The next thing I always try, if the email seems unique, is to remove the @domain.com from the email and pass the rest to Sherlock as a username. Sometimes it gives awesome results.
Now, let’s learn how we can find specific social profiles with accurate results.
LinkedIn -
It’s pretty simple, but few people know this: you can just go to https://www.reversecontact.com/
I have personally used and tested it, and it has given me 100% accurate results.
GitHub -
I just use GitFive’s email to GitHub account functionality.
https://github.com/mxrch/GitFive
You can also try GitHub dorking. Check out this awesome blog: https://hacklido.com/blog/317-cracking-the-code-how-to-uncover-email-addresses-with-a-github-username
It has also given me 100% accurate results to date.
GHunt -
Never forget about the capabilities of GHunt in case your victim’s email is a Gmail address.
https://github.com/mxrch/GHunt
Some more websites/tools you may want to explore are at -
https://www.aware-online.com/en/osint-tools/email-address-tools/
There is much more to write; I will cover all the other things in the next part.
I will publish part 2 when I reach 500 followers on Twitter, so show your support over there.
Follow me on Twitter: https://twitter.com/Dheerajydv19