Pentest List Wiki

Email Address Discovery

How to find email addresses.

Last updated 1 year ago

Generic Email Address Discovery

Email Finder

Find emails via search engines using a domain.

./emailfinder -d domain.com

emailGuesser

Guess email addresses based on multiple inputs and preferences. The tool then tries to verify that each generated email address is valid.

python3 emailGuesser.py

o365 User Discovery

OneDrive Enum

Enumerate valid o365 users.

G-Suite User Discovery

G-Suite email finding

Find valid email accounts using Gmail/G-Suite.

legba http.enum --payloads <employees-names.txt> --http-success-string "COMPASS" --http-success-codes 204 --quiet --target "https://mail.google.com/mail/gxlu?email={PAYLOAD}@broadcom.com"

Email Address Discovery via LinkedIn

linkedin2username

Generate username lists for companies on LinkedIn.

python3 linkedin2username.py -u <GitHub Email> -c linkedin <Company> -p

Email Address Discovery via Third Party Sources

The following websites actively track and record valid email addresses for marketing purposes, but we can make use of them in offensive security too.

  • Hunter.io

  • https://rocketreach.co

OneDrive Enum command (o365 User Discovery):

python3 onedrive_enum.py -t microsoft -d microsoft.com -U firstlastname.txt

Tool repositories:

  • Email Finder: https://github.com/Josue87/EmailFinder

  • emailGuesser: https://github.com/WhiteHatInspector/emailGuesser

  • OneDrive Enum: https://github.com/nyxgeek/onedrive_user_enum

  • legba: https://github.com/evilsocket/legba

  • linkedin2username: https://github.com/initstring/linkedin2username