Email Harvesting in Kali Linux (Find out Login IDs to Bruteforce) | Kali Linux

For the purpose of mass spamming or spear phishing, hackers use a module available in Metasploit that pulls email accounts of a particular organization from ‘Google’, ‘Bing’ and ‘Yahoo’.

Hackers find the harvested list useful for online password attacks later on during targeted attacks, because the IDs or usernames must be known before the cracking process can begin. As I mentioned, the list of email addresses can also be used for the purpose of mass mailing, phishing, or spear phishing.

So I conduct such a test to pull email addresses from an organization of interest to me. First, I list all the options available to me relating to this module, using a standard Metasploit command, ‘show options’.

Then, I set the ‘domain’ of the organization and the ‘output’ file where I want the results (email addresses) saved, and ‘execute’ the module.

After a while, these are the results given back to me:

Bots crawl over the Internet looking for email addresses. In order to avoid being spammed, a mitigation strategy is to insert the email address in a graphic file, or to mention it in a custom format that the bot will not be able to comprehend as an email address. For instance, name [at] gmail [dot] com.
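The mitigation above can be checked on your own pages before they are published. The following is an added example, not code from the original post: the function name `audit_page`, the regular expressions, and the sample page are assumptions made for illustration. It lists the addresses a crawler could read in plain form and rewrites them into the `name [at] domain [dot] com` format.

```python
import re

# Plain-text address, as a simple crawler pattern would match it.
EMAIL_RE = re.compile(r"\b([A-Za-z0-9._%+-]+)@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\b")
# A mailto: link exposes the address in the href even if the visible text is obfuscated.
MAILTO_RE = re.compile(r'<a\s[^>]*href=["\']mailto:[^"\']*["\'][^>]*>(.*?)</a>', re.I | re.S)


def obfuscate(match):
    """Turn user@example.com into 'user [at] example [dot] com'."""
    user, domain = match.group(1), match.group(2)
    return f"{user} [at] {domain.replace('.', ' [dot] ')}"


def audit_page(html):
    """Return (exposed_addresses, rewritten_html) for one page of your own site."""
    exposed = sorted({m.group(0).lower() for m in EMAIL_RE.finditer(html)})
    # Drop mailto anchors but keep their visible text, then rewrite what remains.
    without_links = MAILTO_RE.sub(lambda m: m.group(1), html)
    rewritten = EMAIL_RE.sub(obfuscate, without_links)
    return exposed, rewritten


# Constructed sample page (example.com is a reserved documentation domain).
SAMPLE = """<p>Sales: <a href="mailto:sales@example.com">sales@example.com</a></p>
<p>Support: Help.Desk@support.example.com</p>
<p>Press: press [at] example [dot] com</p>"""

if __name__ == "__main__":
    exposed, rewritten = audit_page(SAMPLE)
    print("Addresses readable in plain form:", exposed)
    print(rewritten)
```

Running the audit a second time on the rewritten page should report no exposed addresses, which makes it usable as a pre-publish check.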

Pranshu Bajpai
Principal Security Architect

Pranshu Bajpai, PhD, is a principal security architect.