Pentest List Wiki
  • What is Pentest List Wiki?
  • OFFENSIVE SECURITY
    • External Infrastructure
      • Discovery
        • Email Address Discovery
        • Subdomain Discovery
        • Data Discovery
        • Port & Service Discovery
      • Exploitation
        • Password Spraying
        • Vulnerability Scanning
    • Internal Infrastructure
      • General Discovery
        • AD Attack Path Discovery
        • Port & Service Discovery
      • Credential Discovery
        • Passwords and NetNTLM
        • SAM & LSA secrets
        • NTDS.dit secrets
        • LSASS secrets
        • DCSync
        • DPAPI secrets
      • Movement
        • Credential Spraying
        • SMB Relaying
        • Pass The Hash
      • Infiltration/Exfiltration
        • Pivoting (Proxying)
    • Web Application
      • Discovery
        • Testing API Keys
        • Vulnerability Scan
        • Web Content Discovery
        • Parameter Discovery
        • VHOST Discovery
        • CMS Scanners
      • Exploitation
        • Authentication
          • Email Address Forms
          • AWS Cognito
        • JSON Web Tokens
        • Injection Attacks
          • SQL Injection
          • Cross-Site Scripting
          • HTTP Headers
      • Bypasses
        • Cloudflare Bypass
        • HTTP 403 Bypass
    • Mobile (iOS/Android)
      • iOS
        • IPA Decryption
        • Filesystem Analysis
        • Static Analysis
    • Cloud
      • AWS
        • Vulnerability Scanners
        • S3 Buckets
      • Azure
        • Vulnerability Scanners
        • m365 & Entra ID
  • DEFENSIVE SECURITY
    • Forged Kerberos Tickets
    • Logon Event Visualisation
Powered by GitBook
On this page
  • Generic Email Address Discovery
  • Email Finder
  • emailGuesser
  • o365 User Discovery
  • OneDrive Enum
  • G-Suite User Discovery
  • G-Suite email finding
  • Email Address Discovery via LinkedIn
  • linkedin2username
  • Email Address Discovery via Third Party Sources
  1. OFFENSIVE SECURITY
  2. External Infrastructure
  3. Discovery

Email Address Discovery

How to find email addresses.

Generic Email Address Discovery

Email Finder

Find emails via search engines using a domain.

  • https://github.com/Josue87/EmailFinder

./emailfinder -d domain.com

emailGuesser

Guess email addresses based on multiple inputs and preferences. The tool will then try and check that the generated email address is valid.

  • https://github.com/WhiteHatInspector/emailGuesser

python3 emailGuesser.py

o365 User Discovery

OneDrive Enum

Enumerate valid o365 users

  • https://github.com/nyxgeek/onedrive_user_enum

python3 onedrive_enum.py -t microsoft -d microsoft.com -U firstlastname.txt

G-Suite User Discovery

G-Suite email finding

Find valid email accounts using Gmail/G-Suite

  • https://github.com/evilsocket/legba

legba http.enum --payloads <employees-names.txt> --http-success-string "COMPASS" --http-success-codes 204 --quiet --target "https://mail.google.com/mail/gxlu?email={PAYLOAD}@broadcom.com"

Email Address Discovery via LinkedIn

linkedin2username

Generate username lists for companies on LinkedIn

  • https://github.com/initstring/linkedin2username

python3 linkedin2username.py -u <GitHub Email> -c linkedin <Company> -p

Email Address Discovery via Third Party Sources

The following websites actively track and record valid email addresses for marketing purposes. But, we can make use of them in offensive security too.

  • Hunter.io

  • https://rocketreach.co

PreviousDiscoveryNextSubdomain Discovery

Last updated 10 months ago