---
description: MITRE ATT&CK, Reconnaissance, Technique T1589
---
Once we have identified a list of employee names, we can place them into a list to use throughout the engagement in multiple phases.
Below are my personal recommendations:
- Identify the username schema that the organization uses.
- Collect emails from Hunter.io, data breaches, Phonebook, etc.
- Run tooling against LinkedIn, Google, etc.
- Run BridgeKeeper against any names identified to place them into the correct format.
- Place all of the identified usernames into a file and run `sort -u` to clean up the file.
- Verify these against the domain controller if possible; alternatively, utilize all of these emails in external phishing campaigns.
```bash
# Grep a list of emails from a .JSON (or any other) file:
grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" file.txt

# Quick awk magic to add "@client.com" after every username:
awk '{print $0 "@client.com"}' usernames.txt

# Quick sed magic to remove "@client.com" after every email:
sed 's/@.*//' emails.txt
```
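The one-liners above chained into a single pass, as an added example that is not part of the original page: the same grep pattern, lowercased so that duplicates differing only in case collapse under `sort -u`, then filtered to one domain before the local parts are written out. The sample file and the `client.com` domain are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example (not from the original page). Turns a scraped file into a
# deduplicated username list for one domain and rebuilds addresses from it.

extract_emails() {          # $1 = input file -> unique, lowercased addresses
  grep -E -o '\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b' "$1" \
    | tr 'A-Z' 'a-z' | sort -u
}

usernames_for_domain() {    # $1 = input file, $2 = domain -> unique local parts
  extract_emails "$1" | awk -F@ -v d="$2" '$2 == d {print $1}' | sort -u
}

emails_from_usernames() {   # $1 = username file, $2 = domain -> rebuilt addresses
  awk -v d="$2" 'NF {print $0 "@" d}' "$1"
}

# Constructed sample: mixed case, one duplicate, one address from another domain.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
{"name": "Jane Doe", "email": "Jane.Doe@client.com"}
{"name": "jane doe", "email": "jane.doe@CLIENT.COM"}
{"name": "Bob Roe", "email": "bob.roe@client.com", "alt": "bob@partner.org"}
EOF

USERS="$(mktemp)"
usernames_for_domain "$SAMPLE" client.com > "$USERS"
cat "$USERS"                                   # bob.roe / jane.doe
emails_from_usernames "$USERS" client.com      # bob.roe@client.com / jane.doe@client.com
```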
- Hunter.io
- Phonebook.cz
- ZoomInfo
- Snov
- RocketReach
- Data breaches (self promotion, use my tool breach-rip to parse these fast)
{% embed url="https://dehashed.com" %}
{% embed url="https://github.com/FreeZeroDays/breach-rip" %}
Parsing data breaches to obtain previously compromised credentials can assist an attacker in obtaining initial access to a company by performing credential stuffing attacks.