Harvesting email addresses online is something every ethical hacker needs
to do. The simplest method involves spammers purchasing or trading lists
of email addresses from other spammers, but as ethical hackers you might
need to build such lists yourself. Another common method is the use of special
software known as “harvesting bots” or “harvesters”, which spider web
pages, postings on Usenet, mailing list archives, internet forums and
other online sources to obtain email addresses from public data.
Email harvesting is the process of
collecting email addresses that are present online and can be located using
search engines. More broadly, it is the process of obtaining lists of email
addresses using various methods, for use in bulk email or other purposes
usually grouped as spam.
Email harvesting is also used by hackers
to spam their RATs and create large botnets. Phishing campaigns are
also run using publicly available email addresses.
This technique is therefore an important
task to perform during a penetration test. We will be using our
favorite Metasploit framework to perform email harvesting.
How to Perform Email Harvesting using Metasploit:
Start by opening a terminal and type msfconsole to start Metasploit.
msfconsole
Now, to look for a module that can help you with email harvesting, type search collector.
search collector
This might take some time depending on the machine you use.
When the search has completed, you should see something similar to the screenshot below.
Now you need to use one of the available modules. I prefer search_email_collector to perform the email harvesting attack.
use gather/search_email_collector
Now I will configure this module to make it useful for our purpose. To see everything that needs to be configured in this module, just type:
show options
This is what you should see:
The two main options to look at here are
DOMAIN and OUTFILE.
DOMAIN specifies the domain for
which the email addresses will be harvested. OUTFILE is the output file
that will be created in your root folder with all the email addresses in
it.
Now I will configure this module to
suit my needs. Since this is not a professional penetration test, I
will use a free web domain to harvest emails. My choice is Yahoo.com.
I want my email list to contain the email addresses on the domain yahoo.com
that can be harvested online.
To do so, type the following:
set DOMAIN yahoo.com
set OUTFILE yahoo-list.txt
To check that everything is set correctly, type:
show options
See the below screenshot for reference:
It seems all is good and we are set to do some email harvesting. To run the module, just type exploit:
exploit
This should create the email list in .txt format. It will contain all the email addresses that have been harvested for Yahoo.com.
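In a real engagement the raw list needs cleaning before it goes into the report. The following is an added example, not part of the original tutorial or of Metasploit: it assumes OUTFILE holds one address per line, and the `triage` function, the `ROLE_LOCALPARTS` list and the sample data are hypothetical and constructed. It de-duplicates the list, drops anything outside the in-scope domain, and separates shared role mailboxes from personal addresses so the client can see which exposed addresses belong to individual staff.

```python
import re

# Conservative shape check for an address; not a full RFC 5322 parser.
ADDR_RE = re.compile(r"^[a-z0-9._%+-]+@([a-z0-9-]+\.)+[a-z]{2,}$")

# Shared mailboxes (hypothetical starter list; extend per engagement).
ROLE_LOCALPARTS = {"admin", "info", "support", "sales", "hr", "jobs",
                   "security", "abuse", "postmaster", "webmaster"}

# Constructed sample of OUTFILE content (assumed: one address per line).
SAMPLE = """\
Alice.Smith@example.com
alice.smith@example.com
info@example.com
bob@mail.example.com
carol@notexample.com
not-an-address
<dave@example.com>,
"""


def triage(outfile_text, domain):
    """Return (personal, role, rejected) lists for the in-scope domain."""
    domain = domain.lower().strip(".")
    seen, personal, role, rejected = set(), [], [], []
    for raw in outfile_text.splitlines():
        addr = raw.strip().strip("<>,;").lower()
        if not addr:
            continue
        if not ADDR_RE.match(addr):
            rejected.append(raw.strip())      # malformed line
            continue
        local, host = addr.rsplit("@", 1)
        # Match the domain on a label boundary: "notexample.com" is out of scope.
        if host != domain and not host.endswith("." + domain):
            rejected.append(raw.strip())
            continue
        if addr in seen:                      # case-insensitive duplicate
            continue
        seen.add(addr)
        (role if local in ROLE_LOCALPARTS else personal).append(addr)
    return personal, role, rejected


if __name__ == "__main__":
    for label, items in zip(("personal", "role", "rejected"),
                            triage(SAMPLE, "example.com")):
        print(label, items)
```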
Enjoy email harvesting!!
I hope you all have enjoyed the email harvesting tutorial using Metasploit.