Users & Emails

Manual Querying

Username Investigation Tools

- Sherlock (github.com/sherlock-project)

To install:

cd ~/Downloads/Programs

git clone https://github.com/sherlock-project/sherlock.git

cd sherlock

python3 -m venv SherlockEnvironment

source SherlockEnvironment/bin/activate

sudo pip install -r requirements.txt

deactivate

To query for an user and export output into a csv file:

python3 sherlock.py inteltechniques --csv -o ~/Documents/Report.csv

- SocialScan (github.com/iojw/socialscan)

! This tool alows email investigation as well as username investigation.

To install:

mkdir ~/Downloads/Programs/socialscan

cd ~/Downloads/Programs/socialscan

python3 -m venv socialscanEnvironment

source socialscanEnvironment/bin/activate

sudo pip install -U socialscan

deactivate

To query for an user or email:

socialscan inteltechniques

socialscan inteltechniques@gmail.com

To install:

cd ~/Downloads/Programs

git clone https://github.com/WebBreacher/WhatsMyName.git

cd WhatsMyName/whatsmyname

python3 -m venv WhatsMyNameEnvironment

source WhatsMyNameEnvironment/bin/activate

sudo pip install -r requirements.txt

deactivate

To submit a query:

python3 whats_my_name.py -u inteltechniques

You can also use the web version (whatsmyname.app). There you can export your results to clipboard, XISX, CSV, or PDF.

- Blackbird

To install:

cd ~/Downloads/Programs

git clone https://github.com/p1ngul1n0/blackbird

cd blackbird

python3 -m venv blackbirdEnvironment

source blackbirdEnvironment/bin/activate

sudo pip install -r requirements.txt

deactivate

To submit a query:

python3 blackbird.py -u inteltechniques

- Maigret

To install:

mkdir ~/Downloads/Programs/Maigret

cd ~/Downloads/Programs/Maigret

python3 -m venv maigretEnvironment

source maigretEnvironment/bin/activate

sudo pip install maigret

deactivate

To force all modules to be used, and outputs data to both a text file and PDF

maigret -a -P -T inteltechniques

- KnowEm (knowem.com)

Check for the presence of the supplied username on the most popular social network sites.

https://knowem.com/checkusernames.php?u=inteltechniques

https://knowem.com/checksocialnames.php?u=inteltechniques

- CheckUserNames (checkusernames.com)

This site searches approximately 1/3 of the sites on KnowEm, but it links directly to target profiles.

- Name Check (namecheck.com)

Same type of search as the previous competitors. The only slight advantage here is that the search is conducted faster than other sites.

- User Search (usersearch.org)

While this service is the slowest of all options, this could be an indication of account verification for more accurate results.

https://usersearch.org/results_normal.php?URL_username=inteltechniques

https://usersearch.org/results_advanced.php?URL_username=inteltechniques

https://usersearch.org/results_advanced1.php?URL_username=inteltechniques

https://usersearch.org/results_advanced2.php?URL_username=inteltechniques

https://usersearch.org/results_advanced4.php?URL_username=inteltechniques

https://usersearch.org/results_advanced5.php?URL_username=inteltechniques

https://usersearch.org/results_advanced6.phpPURL_username=inteltechniques

https://usersearch.org/results_advanced7.php?URL_username=inteltechniques

https://usersearch.org/results_dating.php?URL_username=inteltechniques

https://usersearch.org/results_forums.php?URL_username=inteltechniques

https://usersearch.org/results_crypto.php?URL_username=inteltechniques

- NameVine (namevine.com)

Provides a unique feature missing in the rest. It allows you to begin typing any partial username and it will immediately identify registered accounts within the top ten social networks.

URL submission is as follows:

https://namevine.com/#/inteltechniques

- Social Searcher (social-searcher.com)

static URL is as follows.

https://www.social-searcher.com/search-users/Pntw=&q6=inteltechniques

https://linktr.ee/ambermac

- Gravatar (gravatar.com)

Better solution for emails, but can be used for usernames:

https://en.gravatar.com/inteltechniques

- IntelTechniques Usernames Tool

Automatically query an username through the services discussed in the previous and following sections.

Code in Username.html.

Usernames Assumptions and Dictionary Creation

For a list of names we can create possible usernames with:

./username-anarchy --input-file fullnames.txt --select-format first,flast,first.last,firstl > unames.txt

~/namemash.py names.txt > possible.txt

head -n 5 possible.txt

Email Verification Tools

- Emailrep.io (emailrep.io)

Email verification service with many additional features.

Email Investigation Tools

- Holehe (github.com/megadose/holehe)

To install:

mkdir ~/Downloads/Programs/holehe

cd ~/Downloads/Programs/holehe

python3 -m venv holeheEnvironment

source holeheEnvironment/bin/activate

sudo pip install -U holehe

deactivate

To query an email address through all services:

holehe test@gmail.com

- Email2Phone (github.com/martinvigo/email2phonenumber)

This tool queries an email address within various online services in an attempt to display any partial telephone numbers associated with the account.

To install:

cd ~/Downloads/Programs

git clone https://github.com/martinvigo/email2phonenumber.git

cd email2phonenumber

python3 -m venv email2phonenumberEnvironment

source email2phonenumberEnvironment/bin/activate

sudo pip install -r requirements.txt

deactivate

To search for test@gmail.com:

python3 email2phonenumber.py scrape -e test@gmail.com

- Gravatar (gravatar.com)

This service is responsible for many of the small image icons that you see next to a contact in your email client.

While the Gravatar home page does not offer an email address search option, we can conduct a query directly from the following URL, this image can then be searched with a reverse image query:

https://en.gravatar.com/site/check/test@gmail.com

- Hunter (hunter.io/email-verifier)

It provide details such as the validity of the email and internet links which contain the email address.

- OCCRP (data.occrp.org)

A query of any email address immediately displays documents associated with the account.

Search for "target", click on the "Email" option, and you will be notified that a list of the email addresses are included within these documents.

- Spytox (spytox.com)

You will potentially see a name, city, and telephone number associated with the account. The paid options are never worth the money.

- XLEK (xlek.com)

It does not allow you to query by email address, we will need to rely on Google:

site:xlek.com "mike@gmail.com"

- That's Them (thatsthem.com)

Usually does not give good results. However, on occasion I received detailed results such as full name, address, phone number, and vehicle information.

- Search People Free (searchpeoplefree.com/cyberbackgroundchecks.com)

Data set generated from various marketing database leaks. Much more complete results. Most results include full name, age, current home address, previous addresses, telephone numbers, family members, and business associations.

- Proton Mail (proton.mail.com)

Most popular secure and encrypted email service. Because of this, many criminals flock to it.

To know the date of account creation:

  • Log in to a free Proton Mail account.

  • Create a new "Contact", add the target email address, then save it.

  • Access the contact and click the "Email Settings" icon.

  • Click the "Show advanced PGP settings" link.

  • The result should display the creation date of the "Public key". This is usually the creation date of the email account, but not always. If your target generated new security keys for an account, you will see that date instead.

We can replicate this entire process without a requirement to log in to an account, but the results are not as reliable.

https://api.protonmail.ch/pks/lookup?op=get&search=notmyemail@protonmail.com

If your browser prompts you to download a file titled "pubkey asc", this indicates that the address exists. If you receive a message of "No Key Found', then it does not. If the address exists, navigate to the following URL.

https://api.protonmail.ch/pks/lookup?op=index&search=notmyemail@protonmail.com

The last set of digits represents an Epoch Unix timestamp. We can convert that number into a date and time at https://www.unixtimestamp.com/index.php.

- ScamSearch (scamsearch.io)

This free service allows query of an email address to identify any association with reported online scams.

https://scamsearch.io/searchadvanced?_emailwild=email&search=protonmail.com

- IntelTechniques Email Addresses Tool

Automatically query an email through the services discussed in the previous and following sections.

Code in Email.html.

Email Assumptions

It can be productive to make assumptions of possible email addresses and use the verifiers to see if they exist.

Example: We have the email jay112003@yahoo.com, then we should conduct additional searches for jay112003@gmail.com, jay112003@hotmail.com, jay112003@live.com, and others. If we have the name we could create new ones with Username Anarchy or a simmilar tool.

- Email Format (email-format.com)

Searches a provided domain name and attempts to identify the email structure of employee addresses.

Email Compromised Accounts

This helps us in two ways. First, it confirms an email address as valid. Second, you know the services which need to be investigated.

- Have I Been Pwned (haveibeenpwned.com)

Allows entry of either a username or email address, but only the email option is reliable. The result is a list and description of any public breaches which contain the provided email address.

The following URI, queries test@test.com against the HIBP database.

https://haveibeenpwned.com/unifiedsearch/test@test.com

Is an amazing tool, but it does not contain all known breaches.

- Dehashed (dehashed.com)

More aggressive approach and seeks breached databases for their own collection.

When combining results from both of these services, you would now know that this target email address was likely a real account.

Have I Been Pwned and Dehashed complement each other, and one should never be searched without the other.

- Spycloud (spycloud.com)

Extremely aggressive in regard to obtaining fresh database breaches.

They do not display details about accounts which you do not own. Our only option is general details through their free API. The following URL submits a query for test@email.com.

https://portal.spycloud.com/endpoint/enriched-stats/test@email.com

They basically tell you that the email address queried is present within multiple database breaches, but the identity of each is not available. I use this service to simply verify an email address.

- Hudson Rock (hudsonrock.com)

Hudson Rock identifies whether it has been seen within stealer log data.

We can query their API with the following URL:

https://cavalier.hudsonrock.com/api/json/v2/preview/search-by-login/osint-tools?email=test@email.com

- Cybernews (cybernews.com/ personal-data-leak-check)

This service only provides a 'true" or "false" identifying the presence of the email within a breach.

https://check.cybernews.com/chk/Plang=en_US&e=test@test.com

- Leak Peek (leakpeek.com)

Displays a partial view of passwords associated with email addresses within a breach.

Leak Peek allows query by email address, username, password, keyword, and domain.

- Breach Directory (breachdirectory.org)

Similar to Leak Peek, but redundancy is always valuable. However, full passwords are available if you are willing to do some work.

Right column displays SHA-1 hash values of the full passwords.

Then use MD5 Decrypt (md5decrypt.net/en/ Shal1).

- PSBDMP (psbdmp.ws)

It monitors Pastebin for any posts including email addresses and/of passwords.

There is no search field, but their free API presents detailed results with the following URI structure.

https://psbdmp.ws/api/search/test@test.com

The "id" is the Pastebin identifier. We can access the original file with the following URI.

https://pastebin.com/69yKWrZE

By visiting the Pastebin URL, we can see the full data.

We can also sort through their archives with the following Google query.

site:psbdmp.ws "test@gmail.com"

- IntelligenceX intelx.io

You can search IntelligenceX for free and receive partial results, or create a free trial to see everything.

You are only limited to the number of burner "trial" email addresses with which you have access.

- Avast Hack Check (avast.com/hackcheck)

Identifies email addresses which appear within known data breaches. However, it should be avoided. Avast enrolls the email address into their invasive email newsletter database. Instead consider the "Friends Check" option at the following URL.

https://www.avast.com/hackcheck/friends-check

This website queries the same database maintained by Avast, but does not add the email address to their marketing campaigns or notify the account ownet.

- LeakIX leakix.net

This service indexes various areas of the internet looking for data leaks

We can query through the site or directly via the following URL structure:

https://leakix.net/search?scope=leak&q=%22test@test.com%22

- OSINT Industries

https://osint.industries/

- Epieos

https://epieos.com/

Email Reputation

When I am investigating an email address, I want to know its reputation or spam score. If the address has been blacklisted or reported as spam, I won't waste too much time attempting to identify the true owner. There are two reliable services which we can query with the following URLs.

https://cleantalk.org/email-checker/michael@inteltechniques.com

https://spamdb.org/blacklists?q=michael@inteltechniques.com

Domain Connections with an email

Every domain name registration includes an email address associated with the site.

Many free services have been collecting domain registration details and offer queries of current and archived domain registration data.

This is beneficial when you have a tech-savvy target that may have registered websites of which you are not aware.

- Whoxy (whoxy.com/reverse-whois)

- Whoisology (whoisology.com)

- AnalyzelD (analyzeid.com)

Email Provider Identification

If your target's email address ends in gmail.com or yahoo.com, the identity of the email provider is quite obvious.

However, business addresses and those with custom domain names do not notify you of the service that hosts the email. The email provider may be the same as the domain's hosting company, but could also be a separate company.

The following will obtain the email provider from almost any address:

Navigate to MX Toolbox (mstoolbox.com) and enter the domain of the email address, such as phonelosers.org.

The result should include a hostname and IP address. These identify the email provider for the target domain.

Imitation Technique

Imitation of any target email addresses can reveal more details, and confirm association with online activities.

Your target email address is bill@microsoft.com, and you want to know if he is a Mac or Windows user.

First navigate to apple.com/ account and attempt to make an Apple account with that address. If allowed to proceed past the first screen, then that user does not already have an account associated with the target address. If you are informed that the email address is already in use, then you know that your target is a Mac user. You could navigate to signup.live.com and attempt to create an account with the address. If denied, you know that your target is already a Windows user and that address controls the account.

This technique can be used to confirm that target email addresses or usernames are associated with services.

Tools for Google Accounts

To install it:

sudo pip install pipx

pipx ensurepath

pipx install ghunt

pipx ensurepath

Next, you must possess valid login cookies from an active Google account. This is because the Google API.

Use an account which you rarely access. As long as you do not log in to this account from a web browser AFTER you obtain these cookies, they should stay valid for long term usage.

  • Navigate to gmail.com and log in to an active Google account.

  • Right-click within this page and choose "Inspect"

  • Click the "Network Tab" in the lower box and navigate to mail.google.com within this tab.

  • Click the "Cookies" tab in right window.

Find each of the fields which are listed below, and document the data associated with your own account:

SID: EthaBDv-SLCzi5-fGYFsgQEpsniuXp4vFdhSyxbfsgt]hePrKh7HWRhgfX4214MoDa2Da

SSID: AhMQD6hufgMRsthCsVh

APISID: 90zgIYkLxDhgsLusoOl/AfJvEF8ihm_TIHOh86C1s

SAPISID: XsCNhC7DVIEShNY4St/ A]fwurhpUkbFvsfUqBrP

HSID: Afmo3fgHjaUfpPhmfgRxfhZFQ

LSID: o.chat.google.com| o.mail.google.com | s.youtube:EQhaBIp83rHin-E_4hhykliVKWSZqPSfWI

Secure-3PSID: EQjhaBDv-SCzi5-fGWYFsEpp4vFSf65yxbsgt]ePrK7iOvBWuPnsdBiyw

Now that you possess the vatious account details required by GHunt, you can supply this data to the program: ghunt login

To automatically identify this information, put GHunt on listening mode, install the GHunt browser extension, log in to your Google account and press the "Synchronize to hunt" button in the extension.

Once this has been done we can start using the tool.

To query an email address:

ghunt email larry@google.com

To search a Google Drive ID:

ghunt drive BxiMVs0XRA5nFMdKvBdBZjgmUUgpt1bs740gvE2upms

To query a Google Accounts and ID Administration ID (GAIA):

ghunt gaia 105144584335156066992

Custom Script

- Script

#!/usr/bin/env bash
opt1="Sherlock"
opt2="SocialScan"
opt3="Holehe"
opt4="WhatsMyName"
opt5="Blackbird"
opt6="Maigret"
opt7="Email2Phone"
opt8="GHunt Email"
opt9="GHunt Drive"
opt10="GHunt GAIA"
opt11="GHunt Configuration"
timestamp=$(date +%Y-%m-%d:%H:%M)
usermenu=$(zenity  --list  --title "Username/Email Utilities" --radiolist  --column "" --column "" TRUE "$opt1" FALSE "$opt2"  FALSE "$opt3" FALSE "$opt4" FALSE "$opt5" FALSE "$opt6" FALSE "$opt7" FALSE "$opt8" FALSE "$opt9" FALSE "$opt10" FALSE "$opt11" --height=400 --width=300)
case $usermenu in
$opt1 )
handle=$(zenity --entry --title "Sherlock" --text "Enter Username")
cd ~/Downloads/Programs/sherlock/sherlock
echo Working...
python3 sherlock.py $handle > ~/Documents/$handle-$timestamp-Sherlock.txt
open ~/Documents/$handle-$timestamp-Sherlock.txt
exit;;
$opt2 )
handle=$(zenity --entry --title "SocialScan" --text "Enter Username or Email")
socialscan $handle
read -rsp $'Press enter to continue...\n'
exit;;
$opt3 )
handle=$(zenity --entry --title "Holehe" --text "Enter Email")
holehe $handle
read -rsp $'Press enter to continue...\n'
exit;;
$opt4 )
handle=$(zenity --entry --title "WhatsMyName" --text "Enter Username")
cd ~/Downloads/Programs/WhatsMyName
python3 whats_my_name.py -u $handle > ~/Documents/$handle-$timestamp-WhatsMyName.txt
open ~/Documents/$handle-$timestamp-WhatsMyName.txt
exit;;
$opt5 )
handle=$(zenity --entry --title "Blackbird" --text "Enter Username")
cd ~/Downloads/Programs/blackbird
python3 blackbird.py -u $handle
firefox ~/Downloads/Programs/blackbird/results/$handle.json
exit;;
$opt6 )
handle=$(zenity --entry --title "Maigret" --text "Enter Username")
cd ~/Downloads/Programs/Maigret
maigret -a -P -T $handle
open ~/Downloads/Programs/Maigret/reports/
exit;;
$opt7 )
handle=$(zenity --entry --title "Email2Phone" --text "Enter Email")
cd ~/Downloads/Programs/email2phonenumber
python3 email2phonenumber.py scrape -e $handle
read -rsp $'Press enter to continue...\n'
exit;;
$opt8 )
handle=$(zenity --entry --title "GHunt Email" --text "Enter Gmail Address")
ghunt email $handle > ~/Documents/$handle-$timestamp.txt
open ~/Documents/$handle-$timestamp.txt
exit;;
$opt9 )
handle=$(zenity --entry --title "GHunt Drive" --text "Enter Google Drive ID")
ghunt drive $handle > ~/Documents/$handle-$timestamp.txt
open ~/Documents/$handle-$timestamp.txt
exit;;
$opt10 )
handle=$(zenity --entry --title "GHunt GAIA" --text "Enter GAIA")
ghunt gaia $handle > ~/Documents/$handle-$timestamp.txt
open ~/Documents/$handle-$timestamp.txt
exit;;
$opt11 )
ghunt login
exit;;
esac

- Desktop Shortcut

[Desktop Entry]
Type=Application
Name=Users-Emails Tool
Categories=Network;OSINT
Exec=/home/osint/Documents/scripts/users-emails.sh
Icon=/home/osint/Documents/icons/users-emails.png
Terminal=true

Last updated