WEBVTT

0:00:03.640000 --> 0:00:06.860000
Email harvesting with theHarvester.

0:00:06.860000 --> 0:00:10.580000
In this video, we're gonna be exploring the process of enumerating emails

0:00:10.580000 --> 0:00:15.160000
belonging to a specific domain, which is of course your target,

0:00:15.160000 --> 0:00:18.260000
through this open source tool called theHarvester.

0:00:18.260000 --> 0:00:23.440000
And of course, theHarvester works quite similarly to Sublist3r, where

0:00:23.440000 --> 0:00:29.080000
it utilizes search engines and publicly available databases to identify

0:00:29.080000 --> 0:00:33.700000
emails that might have been leaked or that are available online.

0:00:33.700000 --> 0:00:37.360000
So again, we're not performing active information gathering.

0:00:37.360000 --> 0:00:41.680000
This is all passive and all of this information is publicly accessible.

0:00:41.680000 --> 0:00:45.200000
So again, we're gonna be doing this from Kali Linux.

0:00:45.200000 --> 0:00:48.260000
And in my case, I'll be doing it from my Kali Linux VM.

0:00:48.260000 --> 0:00:50.620000
And of course, you can follow along if you want to.

0:00:50.620000 --> 0:00:55.520000
So I'm just gonna switch over to my Kali Linux VM really quickly.

0:00:55.520000 --> 0:00:58.900000
All right, so I'm back on my Kali Linux VM.

0:00:58.900000 --> 0:01:01.500000
And I'm currently on theHarvester GitHub repository.

0:01:01.500000 --> 0:01:04.720000
As I said, it's open source and it's freely available.

0:01:04.720000 --> 0:01:08.580000
It really, really is a very cool, very powerful tool.

0:01:08.580000 --> 0:01:12.640000
As it says right over here in the about section, theHarvester is a very

0:01:12.640000 --> 0:01:16.760000
simple to use yet powerful and effective tool designed to be used in the

0:01:16.760000 --> 0:01:20.860000
early stages of a penetration test or red team engagement, i.e.

0:01:20.860000 --> 0:01:22.620000
information gathering or reconnaissance.

0:01:22.620000 --> 0:01:28.080000
You can use it for open source intelligence, also known as OSINT, gathering

0:01:28.080000 --> 0:01:32.780000
to help determine a company's external threat landscape on the internet.

0:01:32.780000 --> 0:01:37.420000
The tool gathers emails, names, subdomains, IPs and URLs using multiple

0:01:37.420000 --> 0:01:40.720000
public data sources that include the following.

0:01:40.720000 --> 0:01:43.460000
So it uses the Anubis database.

0:01:43.460000 --> 0:01:46.860000
Baidu. Baidu is a Chinese search engine.

0:01:46.860000 --> 0:01:51.860000
Bing, Bing API, Censys. You do require an API key to use Censys, although

0:01:51.860000 --> 0:01:53.920000
that's really not required.

0:01:53.920000 --> 0:01:59.220000
It also utilizes crt.sh, which is the Comodo certificate search, DNSdumpster.

0:01:59.220000 --> 0:02:04.960000
And in the case of email addresses, it'll essentially search

0:02:04.960000 --> 0:02:09.360000
for exposed email addresses on sites like LinkedIn.

0:02:09.360000 --> 0:02:13.400000
So your typical social media or social networking sites.

0:02:13.400000 --> 0:02:15.760000
So LinkedIn is one that is very important.

0:02:15.760000 --> 0:02:16.340000
Why is that important?

0:02:16.340000 --> 0:02:23.000000
Well, if we are searching for employee email addresses that belong to

0:02:23.000000 --> 0:02:28.920000
a particular domain, that information is really only linked in one area,

0:02:28.920000 --> 0:02:34.400000
typically, and that is LinkedIn, because individuals usually post or

0:02:34.400000 --> 0:02:38.860000
specify what company they're working for on LinkedIn.

0:02:38.860000 --> 0:02:42.680000
And of course, there's a couple of other search engines and databases

0:02:42.680000 --> 0:02:47.220000
that it uses. It also utilizes Sublist3r for subdomain enumeration, which

0:02:47.220000 --> 0:02:48.760000
I've already explored.

0:02:48.760000 --> 0:02:52.400000
Twitter, VirusTotal, Yahoo, and of course Google.

0:02:52.400000 --> 0:02:58.720000
And a plethora of other search engines and public databases that contain

0:02:58.720000 --> 0:03:03.520000
data that could be potentially useful in this case.

0:03:03.520000 --> 0:03:08.040000
So theHarvester comes pre-packaged with Kali Linux, although you can

0:03:08.040000 --> 0:03:12.300000
install it if you want to, or install the latest version.

0:03:12.300000 --> 0:03:17.680000
As I said, one thing that I wanted to point out is the functionality that

0:03:17.680000 --> 0:03:24.260000
theHarvester offers is broken down into passive info gathering, and of

0:03:24.260000 --> 0:03:27.960000
course, active. We are primarily focused on passive.

0:03:27.960000 --> 0:03:30.200000
So to use the tool, it's fairly simple.

0:03:30.200000 --> 0:03:33.800000
I'm just going to open up a terminal, and we can type in theHarvester.

0:03:33.800000 --> 0:03:37.960000
There we are. And using it is fairly simple.

0:03:37.960000 --> 0:03:41.820000
We can specify the domain name, and then the source.

0:03:41.820000 --> 0:03:44.800000
The source allows us to specify the search engine.

0:03:44.800000 --> 0:03:47.420000
So let's perform a few checks.

0:03:47.420000 --> 0:03:53.740000
So I'm going to say theHarvester, and the domain hackersploit.org.

0:03:53.740000 --> 0:03:56.420000
And let's say I'm looking for email addresses, so I can say limit this

0:03:56.420000 --> 0:04:00.080000
to Google, and we can say LinkedIn.

0:04:00.080000 --> 0:04:05.860000
So hit enter. It is going to search on Google and on LinkedIn, and it's

0:04:05.860000 --> 0:04:11.480000
going to bring back names, email addresses, and subdomains, if it does

0:04:11.480000 --> 0:04:15.560000
find them. As you can see, it's utilizing the Sublist3r functionality

0:04:15.560000 --> 0:04:19.640000
here because it's incorporated into this particular script.

0:04:19.640000 --> 0:04:22.300000
So we'll give this a couple of seconds.

0:04:22.300000 --> 0:04:27.580000
I have switched, or I am using a VPN server, or a VPN, if you will, primarily

0:04:27.580000 --> 0:04:31.900000
because I've been running a lot of Google searches today, and Google is

0:04:31.900000 --> 0:04:37.000000
going to get really suspicious if I continue performing quite a few Google

0:04:37.000000 --> 0:04:39.660000
searches as we did in the previous video.

0:04:39.660000 --> 0:04:42.580000
So now I'm going to search LinkedIn, and let's see whether it brings anything

0:04:42.580000 --> 0:04:46.340000
interesting up. Now remember, I'm searching, my target is a domain name.

0:04:46.340000 --> 0:04:49.980000
I can also specify a company name, which I'll show you in a second.

0:04:49.980000 --> 0:04:52.160000
So I'm just going to wait for this to complete.

0:04:52.160000 --> 0:04:58.140000
All right, so you can see theHarvester is done, and it tells us that

0:04:58.140000 --> 0:05:02.140000
no users were found on LinkedIn, no IPs found, no emails found, no hosts

0:05:02.140000 --> 0:05:05.620000
found. Now that could be down to the fact that we're specifying our target

0:05:05.620000 --> 0:05:09.920000
as a domain, and also because we limited it to two search engines, or

0:05:09.920000 --> 0:05:12.760000
really a search engine and a social network.

0:05:12.760000 --> 0:05:18.000000
So what I can do is I can just get rid of the domain option, and we can

0:05:18.000000 --> 0:05:21.380000
specify the company name as the target.

0:05:21.380000 --> 0:05:24.760000
And in this case, I believe we actually can specify it.

0:05:24.760000 --> 0:05:28.640000
Can we specify that?

0:05:28.640000 --> 0:05:31.540000
I believe we still need to specify this as the domain.

0:05:31.540000 --> 0:05:32.940000
Let's see if that works out.

0:05:32.940000 --> 0:05:34.960000
There we are, so the target is HackerSploit.

0:05:34.960000 --> 0:05:39.040000
So I'm going to search on Google, and then of course on LinkedIn.

0:05:39.040000 --> 0:05:43.020000
And I'll also get rid of the search engine option, or the specification,

0:05:43.020000 --> 0:05:45.160000
so that we can run it on all.

0:05:45.160000 --> 0:05:48.160000
And of course, in the case of HackerSploit, it looks like I've done a

0:05:48.160000 --> 0:05:54.680000
good job with sort of obfuscating subdomain names, and of course emails,

0:05:54.680000 --> 0:06:00.440000
but that's something that we will actually see at the end of this.

0:06:00.440000 --> 0:06:04.920000
So LinkedIn should be done, and we should be able to see.

0:06:04.920000 --> 0:06:11.820000
There we are, so nothing with regards to HackerSploit as the company name.

0:06:11.820000 --> 0:06:14.860000
So I can say hackersploit.org.

0:06:14.860000 --> 0:06:18.420000
And when I don't specify a search engine, you can see that that's what

0:06:18.420000 --> 0:06:22.980000
it, if I don't specify a source, that's what it tells me.

0:06:22.980000 --> 0:06:33.140000
So we can say Google, LinkedIn, Yahoo, we can also specify DNSdumpster.

0:06:33.140000 --> 0:06:36.740000
Another good site that we can, another good source rather that we can

0:06:36.740000 --> 0:06:42.960000
use is probably one that I know works really well, is of course, DuckDuckGo

0:06:42.960000 --> 0:06:50.860000
and crt.sh. crt.sh.

0:06:50.860000 --> 0:06:54.780000
Let's try HackerTarget.

0:06:54.780000 --> 0:06:58.720000
That's not really required at this point in time.

0:06:58.720000 --> 0:07:02.040000
We can also try ProjectDiscovery.

0:07:02.040000 --> 0:07:05.880000
I think that also requires an API key.

0:07:05.880000 --> 0:07:08.360000
We can try RapidDNS.

0:07:08.360000 --> 0:07:15.900000
Remember, the objective of this particular video is to enumerate emails,

0:07:15.900000 --> 0:07:20.720000
but let's just run this, and let's see what this brings up.

0:07:20.720000 --> 0:07:23.160000
So I brought up RapidDNS.

0:07:23.160000 --> 0:07:27.460000
There we are. Okay, so let's see whether we get any results here.

0:07:27.460000 --> 0:07:30.260000
Okay, now we're talking.

0:07:30.260000 --> 0:07:35.260000
So it looks like in this case, we were not able to find any IPs, but we

0:07:35.260000 --> 0:07:38.360000
did, but no emails found, but we found hosts.

0:07:38.360000 --> 0:07:40.100000
So we found subdomains.

0:07:40.100000 --> 0:07:43.140000
So this time around, it looked like it worked for hackersploit.org.

0:07:43.140000 --> 0:07:48.020000
So we have apps.community, cloud.hackersploit.org, community.hackersploit.org,

0:07:48.020000 --> 0:07:51.960000
demo, forum, et cetera.

0:07:51.960000 --> 0:07:53.020000
We're interested in.

0:07:53.020000 --> 0:07:57.040000
So we're going to now switch this over to another domain.

0:07:57.040000 --> 0:08:02.740000
And in this case, let's try zonetransfer.me, right?

0:08:02.740000 --> 0:08:07.540000
And let's actually see what this looks like.

0:08:07.540000 --> 0:08:14.420000
So let's see whether we're able to find any emails associated with the

0:08:14.420000 --> 0:08:16.680000
domain zonetransfer.me.

0:08:16.680000 --> 0:08:21.220000
All right, so it looks like we have much better luck with zonetransfer.me.

0:08:21.220000 --> 0:08:24.060000
No IPs found, but we did find an email.

0:08:24.060000 --> 0:08:26.320000
So pippa@zonetransfer.me.

0:08:26.320000 --> 0:08:31.460000
Now, as I said, the zonetransfer.me website was essentially set up to

0:08:31.460000 --> 0:08:35.880000
teach students how to essentially interact with the DNS server and perform

0:08:35.880000 --> 0:08:39.480000
zone transfers, which we will be exploring.

0:08:39.480000 --> 0:08:40.780000
But we do get an email.

0:08:40.780000 --> 0:08:43.580000
Now, why is this information important?

0:08:43.580000 --> 0:08:48.220000
Well, if you remember and go back to the introductory video to this course,

0:08:48.220000 --> 0:08:53.280000
I mentioned in a simple scenario that when we find emails pertinent to

0:08:53.280000 --> 0:08:58.180000
a particular target, the target could be a company, could be a domain,

0:08:58.180000 --> 0:09:02.780000
then an attacker could use that to send a phishing email or they could

0:09:02.780000 --> 0:09:07.120000
use it to send an email with a malicious attachment that when opened and

0:09:07.120000 --> 0:09:12.920000
executed on a system, our target system, could provide us with initial

0:09:12.920000 --> 0:09:16.360000
access. So this is very, very important information.

0:09:16.360000 --> 0:09:20.760000
Under the hosts, you can see we found a couple of, we found a couple of

0:09:20.760000 --> 0:09:26.040000
subdomains. So you can see we have contact, dc-office and of course, intns1.

0:09:26.040000 --> 0:09:29.480000
So, very good success there.

0:09:29.480000 --> 0:09:32.820000
The final site I'm going to try it on is of course, ine.com.

0:09:32.820000 --> 0:09:37.360000
I expect a lot of success with this one, but we can actually see what

0:09:37.360000 --> 0:09:41.460000
comes up. And by the way, all of this information that we're gathering

0:09:41.460000 --> 0:09:43.900000
will tie into the next video.

0:09:43.900000 --> 0:09:48.040000
The next video will be taking a look at leaked password databases and

0:09:48.040000 --> 0:09:53.800000
how we can potentially find passwords for specific emails or passwords

0:09:53.800000 --> 0:09:57.980000
linked to specific emails that can then be used to perform a password

0:09:57.980000 --> 0:10:02.440000
spray attack. A password spray attack, while this is actually performing

0:10:02.440000 --> 0:10:08.200000
the actual search, a password spray attack is when you identify a password,

0:10:08.200000 --> 0:10:11.740000
you know, for a particular email for one site.

0:10:11.740000 --> 0:10:16.780000
So let's say I have found a password for a particular email, let's say

0:10:16.780000 --> 0:10:17.980000
for facebook.com.

0:10:17.980000 --> 0:10:22.160000
Well, many users tend to reuse passwords for different sites.

0:10:22.160000 --> 0:10:25.120000
So I can put, that's essentially what a password spray attack is, it's

0:10:25.120000 --> 0:10:29.740000
where I use the password I got from one site and I try and I can authenticate

0:10:29.740000 --> 0:10:34.680000
with other services like maybe Gmail or maybe QuickBooks, for example,

0:10:34.680000 --> 0:10:38.180000
as I have done before with previous engagements and it has actually worked

0:10:38.180000 --> 0:10:44.400000
quite well. So this, all of the emails we find here or that you typically

0:10:44.400000 --> 0:10:49.540000
find when performing email harvesting will tie into the next video, which

0:10:49.540000 --> 0:10:51.280000
is again, going to be really interesting.

0:10:51.280000 --> 0:10:53.620000
We'll actually see what we're able to find.

0:10:53.620000 --> 0:10:57.580000
Now, you might be thinking to yourself, well, Alexis, you're showing us

0:10:57.580000 --> 0:10:58.340000
all of this stuff.

0:10:58.340000 --> 0:11:00.080000
Is any of this illegal?

0:11:00.080000 --> 0:11:03.160000
Well, as I said, all of this is available on the internet.

0:11:03.160000 --> 0:11:08.160000
Now, it's what we do with this information that might become or, you know,

0:11:08.160000 --> 0:11:12.080000
might get into the territory of being illegal, which is why I have separated

0:11:12.080000 --> 0:11:16.100000
the activity, you know, that you typically perform in passive information

0:11:16.100000 --> 0:11:20.600000
gathering, you know, from the actual active information gathering, which

0:11:20.600000 --> 0:11:23.120000
does require authorization.

0:11:23.120000 --> 0:11:27.200000
So again, as a penetration tester, ensure that you abide by a code of

0:11:27.200000 --> 0:11:32.620000
ethics when it comes down to, you know, public, to sites that are available,

0:11:32.620000 --> 0:11:34.120000
you know, on the internet.

0:11:34.120000 --> 0:11:36.900000
So you can see these are all the subdomains for INE.

0:11:36.900000 --> 0:11:39.640000
No emails were found, which is very, very interesting.

0:11:39.640000 --> 0:11:44.240000
But I guess we can add a couple more sources, but you get the idea,

0:11:44.240000 --> 0:11:47.980000
theHarvester is extremely comprehensive because it not only performs

0:11:47.980000 --> 0:11:51.080000
email harvesting, but also subdomain enumeration.

0:11:51.080000 --> 0:11:55.100000
And you can probably fine-tune your searches and limit them to particular

0:11:55.100000 --> 0:12:00.180000
sources. One really cool one that I would recommend checking out is the

0:12:00.180000 --> 0:12:01.880000
Spyse integration.

0:12:01.880000 --> 0:12:03.680000
This requires an API key.

0:12:03.680000 --> 0:12:08.120000
The Spyse search engine is a search engine built for penetration testers

0:12:08.120000 --> 0:12:13.900000
for, you know, essentially performing passive reconnaissance of a target

0:12:13.900000 --> 0:12:18.160000
like a website or an IP address, but it does require a subscription, which

0:12:18.160000 --> 0:12:19.300000
is why I'm not covering it.

0:12:19.300000 --> 0:12:24.040000
But if you are getting into penetration testing, do check out Spyse as

0:12:24.040000 --> 0:12:27.860000
it really is very, very useful.

0:12:27.860000 --> 0:12:32.020000
Yeah, okay. So I think that's going to conclude the practical demonstration

0:12:32.020000 --> 0:12:35.000000
side of this video.

0:12:35.000000 --> 0:12:38.900000
In the next video, we're going to be taking a look at leaked password

0:12:38.900000 --> 0:12:42.780000
databases that are freely available online that can be used to identify

0:12:42.780000 --> 0:12:47.800000
whether a specific email or a specific user's password has been leaked

0:12:47.800000 --> 0:12:50.300000
previously during a data breach.

0:12:50.300000 --> 0:12:52.720000
So I'll be seeing you in the next video.