Email Intelligence

Reconnaissance

Email intelligence reveals employee information, organizational structure, and potential targets for social engineering. Understanding email naming conventions is crucial for credential attacks.

Naming Convention Discovery

Discovering an organization's email naming convention (e.g., first.last@company.com) allows you to generate valid email addresses from employee names found on LinkedIn or other sources.

Tool Installation

theHarvester

Email
Docs

Email, subdomain, and hostname harvester from multiple sources.

Installation

bash 
pip install theHarvester

h8mail

Breach
Docs

Email OSINT and breach hunting tool.

Installation

bash 
pip install h8mail

Infoga

Email
Docs

Email information gathering from different public sources.

Installation

bash 
git clone https://github.com/m4ll0k/Infoga.git && pip install -r requirements.txt

EmailFinder

Email
Docs

Find company emails from various public sources.

Installation

bash 
pip install emailfinder

CrossLinked

LinkedIn
Docs

LinkedIn enumeration to extract valid employee names.

Installation

bash 
pip install crosslinked

linkedin2username

LinkedIn
Docs

Generate usernames from LinkedIn company employees.

Installation

bash 
pip install linkedin2username

Email Harvesting

email-harvesting.sh
bash 
# theHarvester - comprehensive harvesting
theHarvester -d target.com -b all
theHarvester -d target.com -b google,linkedin,twitter,bing
theHarvester -d target.com -b all -l 500  # Limit results

# Search specific sources
theHarvester -d target.com -b linkedin   # LinkedIn profiles
theHarvester -d target.com -b hunter     # Hunter.io (needs API)
theHarvester -d target.com -b anubis     # Anubis DB

# EmailFinder
emailfinder -d target.com

# Infoga
python infoga.py --domain target.com --source all
python infoga.py --info email@target.com  # Single email lookup

# h8mail for breach data
h8mail -t email@target.com
h8mail -t target.com -c h8mail_config.ini  # With API keys

Email Discovery APIs

email-apis.sh
bash 
# Hunter.io API (free tier: 25 searches/month)
# Domain search - find all emails for a domain
curl "https://api.hunter.io/v2/domain-search?domain=target.com&api_key=YOUR_KEY"

# Email finder - find specific person's email
curl "https://api.hunter.io/v2/email-finder?domain=target.com&first_name=John&last_name=Smith&api_key=YOUR_KEY"

# Email verifier - check if email exists
curl "https://api.hunter.io/v2/email-verifier?email=john@target.com&api_key=YOUR_KEY"

# Snov.io API
curl "https://api.snov.io/v1/get-domain-emails-with-info" \
  -d "domain=target.com" \
  -d "type=all" \
  -d "access_token=YOUR_TOKEN"

# Clearbit (enrichment)
curl "https://person.clearbit.com/v2/people/find?email=john@target.com" \
  -H "Authorization: Bearer YOUR_KEY"

# Phonebook.cz - free (use browser or scrape)
# https://phonebook.cz - search domain for emails

Email Format Discovery

Once you discover a few valid emails, you can deduce the naming convention and generate more.

email-format.sh
bash 
# Common email naming conventions:
# first.last@company.com     (john.smith@target.com)
# flast@company.com          (jsmith@target.com)
# firstl@company.com         (johns@target.com)
# first_last@company.com     (john_smith@target.com)
# first@company.com          (john@target.com)
# last.first@company.com     (smith.john@target.com)
# lastf@company.com          (smithj@target.com)

# Generate email list from names using CrossLinked
crosslinked -f '{first}.{last}@target.com' "Target Company"
crosslinked -f '{f}{last}@target.com' "Target Company"

# linkedin2username - scrapes LinkedIn for employee names
python linkedin2username.py -u USERNAME -c "Target Company" -s "target.com"

# Manual format testing (be careful - can alert target)
# Use email verification services or check responses

# Email permutator tools
# https://github.com/jakehaddard/email-permutator
# https://metricsparrow.com/toolkit/email-permutator/

Breach Data Sources

Legal Considerations

Accessing breach databases may have legal implications. Only use legitimate services and always have proper authorization. Never download or store leaked credentials.
breach-search.sh
bash 
# Have I Been Pwned - check if email was in breaches
# Website: https://haveibeenpwned.com
# API (requires subscription for domain search)
curl "https://haveibeenpwned.com/api/v3/breachedaccount/email@target.com" \
  -H "hibp-api-key: YOUR_KEY"

# h8mail with local breach compilation
h8mail -t target.com -lb /path/to/breach_compilation/

# h8mail with APIs configured
h8mail -t email@target.com -c config.ini

# DeHashed (subscription required)
# https://dehashed.com - search by email, domain, username

# IntelX (Intelligence X)
# https://intelx.io - comprehensive breach search

# Snusbase
# https://snusbase.com - breach data search

# LeakCheck
# https://leakcheck.io - check email/username against leaks

# Check specific breaches via HIBP
curl "https://haveibeenpwned.com/api/v3/breach/Adobe" -H "hibp-api-key: KEY"

Email Verification

email-verify.sh
bash 
# SMTP verification (may be logged/blocked)
# Check MX records first
dig target.com MX +short

# Manual SMTP check
nc -v mail.target.com 25
HELO test.com
MAIL FROM:<test@test.com>
RCPT TO:<target@target.com>
# 250 = exists, 550 = doesn't exist, 252 = can't verify

# Python email verifier script
python3 << 'EOF'
import smtplib
import dns.resolver

def verify_email(email):
    domain = email.split('@')[1]
    records = dns.resolver.resolve(domain, 'MX')
    mx_host = str(records[0].exchange)
    
    server = smtplib.SMTP(timeout=10)
    server.connect(mx_host)
    server.helo('verify.com')
    server.mail('verify@verify.com')
    code, msg = server.rcpt(email)
    server.quit()
    return code == 250

# verify_email('john@target.com')
EOF

# Online verification services (safer)
# https://hunter.io/email-verifier
# https://www.emailhippo.com/
# https://www.zerobounce.net/

Google Dorking for Emails

email-dorks.txt
text 
# Search for emails on target site
site:target.com "@target.com"
site:target.com "email" | "contact"

# Search documents for emails
site:target.com filetype:pdf "@target.com"
site:target.com filetype:doc "@target.com"
site:target.com filetype:xls "@target.com"

# LinkedIn email hunting
site:linkedin.com "@target.com"
site:linkedin.com "target company" email

# GitHub leaks
site:github.com "@target.com"
site:github.com "target.com" password | api_key

# Pastebin leaks
site:pastebin.com "@target.com"
site:pastebin.com "target.com" email

# Conference presentations
site:slideshare.net "@target.com"
site:speakerdeck.com "@target.com"

# Support forums
site:stackoverflow.com "@target.com"
site:reddit.com "@target.com"

External Resources

Hunter.io

Professional email finder with verification

Phonebook.cz

Free email and domain intelligence

Have I Been Pwned

Check if email was in data breaches

DeHashed

Breach data search engine

Intelligence X

Comprehensive breach and leak search

Epieos

Email address investigation tool

Related Topics

OSINT Overview

People Intelligence

Credential Attacks