Tuesday, August 10, 2010

Backtrack 4: Information Gathering: Searchengine: The Harvester – Email, User Names, Subdomain & Hostnames Finder

The next tool on Backtrack 4 I am going to review is theHarvester, written by Christian Martorella of Edge-Security. theHarvester gathers e-mail addresses, user names and hostnames/subdomains for a target domain from public sources. It's a really simple tool, but very effective.
The supported sources are:
  • Google – emails, subdomains/hostnames
  • Bing search – emails, subdomains/hostnames
  • PGP key servers – emails, subdomains/hostnames
  • LinkedIn – user names
Below I will go through a few examples of mining some common search engines for user names, email addresses and subdomains. The information gained in passive reconnaissance can be an invaluable resource for the penetration tester.


Let's take a look at the options which are available:
Code:
root@666:/pentest/enumeration/google/theharvester# ./theHarvester.py

*************************************
*TheHarvester Ver. 1.6             *
*Coded by Christian Martorella      *
*Edge-Security Research             *
*cmartorella@edge-security.com      *
*************************************

Usage: theharvester options

       -d: domain to search or company name
       -b: data source (google,bing,pgp,linkedin)
       -s: start in result number X (default 0)
       -v: verify host name via dns resolution
       -l: limit the number of results to work with(bing goes from 50 to 50 results,
            google 100 to 100, and pgp does'nt use this option)

Examples:./theharvester.py -d microsoft.com -l 500 -b google
         ./theharvester.py -d microsoft.com -b pgp
         ./theharvester.py -d microsoft -l 200 -b linkedin
Let's use cnn.com as an example:

Code:
root@666:/pentest/enumeration/google/theharvester# ./theHarvester.py -d cnn.com -l 500 -b bing

*************************************
*TheHarvester Ver. 1.6             *
*Coded by Christian Martorella      *
*Edge-Security Research             *
*cmartorella@edge-security.com      *
*************************************

Searching for cnn.com in bing :
======================================

Limit:  500
Searching results: 0
Searching results: 50
Searching results: 100
Searching results: 150
Searching results: 200
Searching results: 250
Searching results: 300
Searching results: 350
Searching results: 400
Searching results: 450

Accounts found:
====================

@cnn.com
cnnfutures@cnn.com
====================

Total results:  2

Hosts found:
====================

www.cnn.com
edition.cnn.com
money.cnn.com
sportsillustrated.cnn.com
amfix.blogs.cnn.com
live.cnn.com
news.blogs.cnn.com
politicalticker.blogs.cnn.com
marquee.blogs.cnn.com
weather.cnn.com
m.cnn.com
transcripts.cnn.com
www.cnnstudentnews.cnn.com
ac360.blogs.cnn.com
campbellbrown.blogs.cnn.com
newsource.cnn.com
cgi.cnn.com
joybehar.blogs.cnn.com
topics.edition.cnn.com
internationaldesk.blogs.cnn.com
us.cnn.com
larrykinglive.blogs.cnn.com
topics.cnn.com
weather.edition.cnn.com
cnnwire.blogs.cnn.com
scitech.blogs.cnn.com
on.cnn.com
ricksanchez.blogs.cnn.com
archives.cnn.com
community.cnn.com
sports.si.cnn.com
arabic.cnn.com
quiz.cnn.com
newsroom.blogs.cnn.com
cgi.money.cnn.com
partners.cnn.com
pagingdrgupta.blogs.cnn.com
features.blogs.fortune.cnn.com
tech.fortune.cnn.com
insession.blogs.cnn.com
business.blogs.cnn.com
behindthescenes.blogs.cnn.com
olympics.blogs.cnn.com
afghanistan.blogs.cnn.com
gdyn.cnn.com
premium.cnn.com
inthefield.blogs.cnn.com
ypwr.blogs.cnn.com
premium.edition.cnn.com
edition1.cnn.com
drgupta.cnn.com
edition2.cnn.com
wallstreet.blogs.fortune.cnn.com
tips.blogs.cnn.com
mxp.blogs.cnn.com
So as you can see, this search turned up a lot of possible subdomains but very few email addresses (and "@cnn.com" on its own is just a regex hit with no local part). Each engine indexes different pages, which is one reason it's important to run the same query against every available source and merge the results.
Let's look at an example that returns a few more email addresses:
Code:
root@666:/pentest/enumeration/google/theharvester# ./theHarvester.py -d 53.com -l 500 -b google

*************************************
*TheHarvester Ver. 1.6             *
*Coded by Christian Martorella      *
*Edge-Security Research             *
*cmartorella@edge-security.com      *
*************************************

Searching for 53.com in google :
======================================

Limit:  500
Searching results: 0
Searching results: 100
Searching results: 200
Searching results: 300
Searching results: 400

Accounts found:
====================

josh.paskewicz@53.com
@53.com
info@tapioles53.com
@.53.com
rachael.smith@53.com
nan.horton@53.com
aler...@53.com
alertingservice@53.com
j.brinkman@53.com
Jerome.Gilbert@53.com
Gilbert@53.com
michelle.weddington@53.com
====================

Total results:  12

Hosts found:
====================

www.53.com
reo.53.com
direct.53.com
premierissue.53.com
retire.53.com
ir.53.com
tdsc.53.com
secure.53.com
ra.53.com
2Fwww.53.com
Www.53.com
252Fwww.53.com
espanol.53.com
employee.53.com
bnjhz.php?...53.com
express.53.com
www.ra.53.com
Ra.53.com
3Dreo.53.com
wwww.53.com
Retire.53.com
@.53.com
www.express.53.com
mxism.php?...53.com
pngyo.php?...53.com
This run returned a lot more, but read it critically before using it. Several entries are noise: info@tapioles53.com is a lookalike domain, not 53.com; aler...@53.com was truncated by the search-engine snippet; "@53.com" and "@.53.com" have no local part at all. On the host side, 2Fwww.53.com, 252Fwww.53.com and 3Dreo.53.com are residue of URL-encoded characters (%2F, %252F, %3D) that the tool's regex pulled out of result links, Www.53.com and Ra.53.com are case duplicates, and bnjhz.php?...53.com, mxism.php?...53.com and pngyo.php?...53.com are not hostnames. Running with -v resolves each host through DNS so the names that don't exist can be dropped. The real value is in the pattern: most of the genuine addresses follow firstname.lastname@53.com (j.brinkman@53.com is the one initial.lastname exception). Once you know the convention, the first and last name of anyone at Fifth Third Bank (53.com) gives you a likely email address for the rest of the engagement.
This is just one of the many tools which can aid a penetration tester in the passive reconnaissance process.
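To make the points about merging sources and about the noise in the raw output concrete, here is an added post-processing script; it is not part of theHarvester or of the original post. It assumes the 1.6 output layout shown above, reads it from a string (the sample is constructed from the 53.com entries on this page), throws out lookalike domains, truncated snippets and URL-encoding residue, and infers the naming convention so a candidate address can be built from a name. The names summarize, clean_hosts, RESIDUE_RE and the rest are this example's own, and the residue strip is a heuristic labelled as such in the code.

```python
"""Post-process theHarvester 1.6 output. Added example, not part of the tool;
assumes the 'Accounts found:' / 'Hosts found:' layout shown on this page."""
import re
from collections import Counter

DOMAIN = "53.com"  # target from the page's second example
# Constructed sample: lines copied from the page's 53.com output, trimmed.
SAMPLE_OUTPUT = """\
Accounts found:
====================

josh.paskewicz@53.com
@53.com
info@tapioles53.com
aler...@53.com
j.brinkman@53.com
Jerome.Gilbert@53.com
Gilbert@53.com
====================

Hosts found:
====================

www.53.com
reo.53.com
2Fwww.53.com
252Fwww.53.com
bnjhz.php?...53.com
express.53.com
"""

EMAIL_RE = re.compile(r"^[a-z0-9][a-z0-9._%+-]*@([a-z0-9.-]+)$")
HOST_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9-]+$")
# %2F / %252F / %3D residue left when a host is scraped out of a result URL.
# Heuristic (assumes no real label starts with 2f/3d); -v (DNS) is the check.
RESIDUE_RE = re.compile(r"^(?:25)*(?:2f|3d)")

def parse_sections(text):
    """Return (accounts, hosts) entry lists; repeated sections are merged, so
    output from several -b sources can be concatenated and parsed in one go."""
    sections = {"Accounts found:": [], "Hosts found:": []}
    current, in_body = None, False
    for line in text.splitlines():
        line = line.strip()
        if line in sections:
            current, in_body = sections[line], False
        elif current is None or not line:
            continue
        elif line.startswith("="):
            if in_body:        # second rule closes the section
                current = None
            in_body = True     # first rule opens it
        elif in_body:
            current.append(line)
    return sections["Accounts found:"], sections["Hosts found:"]

def clean_emails(entries, domain):
    """Lowercased, deduped, well-formed addresses at exactly `domain`; drops
    empty local parts, lookalike domains and snippet-truncated 'aler...'."""
    keep = []
    for entry in (e.lower() for e in entries):
        match = EMAIL_RE.match(entry)
        if match and ".." not in entry and match.group(1) == domain:
            if entry not in keep:
                keep.append(entry)
    return keep

def clean_hosts(entries, domain):
    """Strip encoding residue, drop junk such as 'x.php?...53.com', dedupe."""
    keep = []
    for host in (RESIDUE_RE.sub("", e.lower()) for e in entries):
        if HOST_RE.match(host) and host.endswith("." + domain):
            if host not in keep:
                keep.append(host)
    return keep

def naming_pattern(local_part):
    """Classify a local part as first.last, f.last, single or other."""
    parts = local_part.split(".")
    if len(parts) == 2 and all(p.isalpha() for p in parts):
        return "f.last" if len(parts[0]) == 1 else "first.last"
    return "single" if len(parts) == 1 and local_part.isalpha() else "other"

def dominant_pattern(emails):
    """Most common convention among the cleaned addresses, with the tally."""
    counts = Counter(naming_pattern(e.split("@")[0]) for e in emails)
    return (counts.most_common(1)[0][0] if counts else "other"), dict(counts)

def guess_address(first, last, pattern, domain):
    """Address a named person would have under the observed convention."""
    first, last = first.lower(), last.lower()
    forms = {"first.last": f"{first}.{last}", "f.last": f"{first[0]}.{last}",
             "single": last}
    return f"{forms.get(pattern, first + '.' + last)}@{domain}"

def summarize(raw_output, domain=DOMAIN):
    accounts, hosts = parse_sections(raw_output)
    emails = clean_emails(accounts, domain)
    pattern, counts = dominant_pattern(emails)
    return {"emails": emails, "hosts": clean_hosts(hosts, domain),
            "pattern": pattern, "pattern_counts": counts}

if __name__ == "__main__":
    print(summarize(SAMPLE_OUTPUT))
```

Feed it the concatenated output of one run per source, e.g. `for s in google bing pgp; do ./theHarvester.py -d 53.com -l 500 -b $s; done > all.txt` followed by `summarize(open("all.txt").read())`, then build candidates with `guess_address("Jane", "Doe", result["pattern"], "53.com")`. The residue strip only repairs the obvious %2F/%3D cases, so run the tool with -v (or resolve the survivors yourself) before treating a host as real.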
