Computer Based Social Engineering Tools: The Harvester
From Learn to be a true Social Engineer
The Harvester is an open source intelligence (OSINT) tool for obtaining email addresses and user names from public sources such as Google or LinkedIn.
This is very valuable to the social engineering and intelligence world when conducting passive reconnaissance about your target and trying to build a valid target profile, which includes a list of user names and email addresses. Emails and user names are similar to your real name: they can be used to identify you in the virtual world and in your workplace, and they can lead to identifying your friends, your family, and your social groups.
For mining of email accounts, go for the conventional choices first:
Personal (e.g. @gmail, @hotmail, @aol, @yahoo, etc.) - Search the internet for common first and last names for both male and female and use variations of these (first.last, first_last, first initial+last, last+first initial).
Work - Use the same name approach as above, but also add common titles such as admin, abuse, administrator, etc.
User Created - These are user-chosen expressions such as email@example.com.
Some good sites you would want user names from in order to build a profile are: Facebook, Twitter, Blippy, MySpace, LinkedIn, Friendster.
Enter The Harvester
The application can be found in BackTrack 4 (http://www.backtrack-linux.org/downloads) at /pentest/enumeration/google/theharvester/theharvester.py.
To execute it, simply navigate to the /pentest/enumeration/google/theharvester/ directory and enter ./theharvester.py
If you're not using BackTrack 4, you can download it directly from the developers (http://www.edge-security.com/theHarvester.php).
Simply navigate to the /tmp/ directory and execute wget http://www.edge-security.com/soft/theHarvester-1.5.tar, then use tar xvf theHarvester-1.5.tar to unpack the package. This creates the following directory and files: theHarvester/, theHarvester/COPYING, theHarvester/LICENSES, theHarvester/README, theHarvester/theHarvester.py. Now move these files to where you would like them to reside and from which you will be executing them going forward.
- Whichever route you take, once you have it downloaded and unpacked it should look like this.
This was interesting just from limiting to 500 queries: we pulled 6 email addresses and went with a human-like one, Ballard -@ - bestbuy.com
With a little digging we found some good information:
Using some simple searches and reading, we were able to determine that Ballard@bestbuy.com was Shari.Ballard@bestbuy.com, who is the Executive Vice President, Retail Channel. Going from there we were able to determine the email addresses of most of the senior executives at BestBuy, as well as determining that the email naming convention for bestbuy.com is firstname.lastname.
From this you can take many routes: add these email addresses to strengthen your target profile, create a good list for spear phishing attacks going for senior executives in the company, and keep some valuable background information to use should you ever get inside the corporate building for further reconnaissance or social
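The categories above (personal, work, role accounts) and the naming-convention inference described here are easy to automate for an organisation auditing its own exposure. The following is an added example, not code from the page or from theHarvester; it assumes a constructed list of harvested addresses and the placeholder domain example.com, and sorts them into the page's categories before picking the dominant convention among named work accounts.

```python
import re
from collections import Counter

# Constructed sample standing in for harvested output; example.com is the
# organisation whose exposure is being assessed (not a real domain from the page).
SAMPLE_ADDRESSES = [
    "jane.doe@example.com", "john.smith@example.com", "maria.garcia@example.com",
    "jsmith@example.com", "admin@example.com", "abuse@example.com",
    "webmaster@example.com", "jane.doe@gmail.com",
]

# Role accounts from the page (admin, abuse, administrator) plus a few common
# extras assumed here; personal webmail domains as listed on the page.
ROLE_LOCALPARTS = {"admin", "administrator", "abuse", "postmaster", "webmaster", "info"}
PERSONAL_DOMAINS = {"gmail.com", "hotmail.com", "aol.com", "yahoo.com"}

# Naming conventions the page enumerates; a bare token cannot be told apart
# as first-initial+last or last+first-initial without a list of real names.
CONVENTIONS = [
    ("first.last", re.compile(r"^[a-z]+\.[a-z]+$")),
    ("first_last", re.compile(r"^[a-z]+_[a-z]+$")),
    ("single-token (initial+last or last+initial)", re.compile(r"^[a-z]{3,}$")),
]

def classify(address, org_domain):
    """Bucket one address: personal webmail, role account, named user, or other."""
    local, _, domain = address.lower().partition("@")
    if domain in PERSONAL_DOMAINS:
        return "personal"
    if domain != org_domain:
        return "other"
    return "role" if local in ROLE_LOCALPARTS else "work"

def naming_pattern(local):
    """Return the first convention whose pattern matches the local part."""
    for name, rx in CONVENTIONS:
        if rx.match(local.lower()):
            return name
    return "unknown"

def exposure_report(addresses, org_domain):
    """Count addresses per category and infer the dominant convention among
    named work accounts. Returns (category_counts, dominant, pattern_counts)."""
    categories = Counter(classify(a, org_domain) for a in addresses)
    patterns = Counter(naming_pattern(a.split("@")[0])
                       for a in addresses if classify(a, org_domain) == "work")
    dominant = patterns.most_common(1)[0][0] if patterns else None
    return categories, dominant, patterns
```

Feed the report the addresses theHarvester returns for your own domain to see how many role accounts and how much of the naming convention are publicly visible.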
Passive Reconnaissance Flowchart
Using another example of some schools, let's see what else theHarvester can do:
As shown above, we ran the schools' names through theHarvester (Source Information stage), using just the .edu suffix, and as you can see lots of email addresses are listed. This is typical of the results you can expect from a target like a school. From a social engineering, security, and intelligence perspective this is a gold mine of information for you to capitalize on.
The next step is to document all three categories. A very good multitasking note-taking application is Basket Note Pads (http://basket.kde.org/index.php).
Our next step is both manual and time-consuming work, where we plug all these email addresses into our applications (Plug-in stage): Pipl, Facebook, Twitter, and Blippy. As you can see we have a large number of targets to choose from, but for the sake of demonstration and brevity we will just choose two of them.
From the Louisville section we will go with the one at the top of the list, firstname.lastname@example.org. Following the flow chart, we're going to plug this into all four (4) of our applications and see what we get. We did not get anything back from Twitter, Facebook, or Blippy, but with Pipl we got something to work with and even a picture.
By going to the link seen above, we can determine that he is a part of the World Psychiatric Association (WPA) Executive Committee. This is a very important piece of information, and it is valuable for using the Social Engineering Toolkit, also a part of the BackTrack 4 distribution.
By launching the link and entering Facebook, you can see his "Networks" section validates our email and the location of University of Louisville. We also see this guy has some character, having a philosophical quote in Latin that is kind of humorous: "Bibo ergo sum" (I drink, therefore I am).
From just an email address we have built a profile. From here you can go further into passive reconnaissance of what friends he has to gather additional intelligence. This gives us a perspective on what kind of guy he is and what kind of lifestyle he leads, or tries to portray, which would help greatly in building up a fake profile and enable us to move to the next step, direct reconnaissance, which will be covered later.