It has been a while now since my last blog post, so I thought it was time I got the keyboard out. I hadn’t realised how long it had actually been until I started migrating my Medium content to my own website.
I want to write a small blog on how we can use an email address to pivot onto a username and how we can expand our search capabilities.
The three tools I am going to use are haveibeenpwned.com, epieos.com and whatsmyname.app. I accept that other tools are available and that this is not an exhaustive list; I would always verify and aggregate any results. The reason for choosing these particular three is that they return clear, easy-to-digest results without the need to create and log into an account.
I find some of the other username sites a bit cluttered and not easy to assess at first glance with the different traffic lights they use; whatsmyname.app simply tells you what it finds and shows you the URL it checked, plus it's supported by @webBreacher and @osintcombine, so, nuff said. Dehashed is another tool I like for checking emails and usernames. Which sites you use is personal preference; it is as much about the methodology and mindset as it is about the tools.
Sometimes our starting point for OSINT is simply a name, a mobile telephone number, a username perhaps, or even an email address.
My starting point is an email address, a Gmail one in fact. I have deliberately redacted a lot of detail for privacy reasons, but I can guarantee you the end result reflects my starting point.
As you can see below, my first port of call is haveibeenpwned.com. You can see that the email address has been in 2 data breaches. Are any of them of use to us though?
Clearly we have the possibility to go looking through breached data sites to see what else we can find about this email address; that is outside the scope of this blog, however. What it does confirm is that we have an email address that has genuinely been used to register with services, not a guess.
Now I wasn't over-excited about what I found on this email address. There weren't many pivot points, to be honest.
I decided I would play about with the email address, so I removed the full stop. Let's see if this makes any difference. Gmail ignores dots (.) in the local part of a consumer @gmail.com address. If johndoe@gmail.com is your email address you own all the dotted versions of it, for example:
john.doe@gmail.com
j.o.h.n.d.o.e@gmail.com
This potentially allows an individual to create multiple user accounts on a single platform, each under a different dotted spelling, while only ever logging into the one email account. The same applies to a +tag suffix such as johndoe+shop@gmail.com, which also lands in that inbox. Note the caveat: for Google Workspace accounts on a custom domain the dots are significant, so this trick applies to consumer Gmail only. A breach-lookup site that matches on the exact string you type will treat each spelling as a different address, which is exactly why the dotless version is worth checking on its own.
This was in far more breaches and revealed some potentially interesting pivot points, one being the LinkedIn breach.
What we can also do is alter the email address or its domain further to see if the altered version is in any breaches too; we can continue doing this for as long as we want. We could also use an email permutator site to give us ideas of the different versions we could try. What I tend to look for are accounts where further OSINT is possible: LinkedIn as discussed, or MyFitnessPal, which may indicate someone is also using Strava.
At this point I have found three email addresses that have been breached; these were the only three permutations I tried, and you will see later when I use whatsmyname.app that there was potentially a fourth permutation I could have used.
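To make the dot trick mechanical, here is an added example (my own code, not from the original post or from any of the tools it mentions) that collapses any spelling of a consumer Gmail address to the single mailbox it reaches, enumerates the dotted spellings you could feed to a breach-lookup site, and groups addresses seen in breach data by mailbox. The sample address list at the bottom is constructed for the example; the "+tag" handling and the Workspace caveat are stated in the comments.

```python
import itertools
from typing import Optional

# Consumer Gmail domains where dots in the local part are ignored and a "+tag"
# suffix is dropped on delivery. Google Workspace accounts on a custom domain
# are deliberately NOT listed: there, dots are significant.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_gmail(address: str) -> str:
    """Collapse a consumer Gmail address to the one spelling that names the mailbox."""
    local, at, domain = address.strip().lower().rpartition("@")
    if not at or domain not in GMAIL_DOMAINS:
        raise ValueError(f"{address!r} is not a consumer Gmail address")
    local = local.split("+", 1)[0].replace(".", "")   # drop +tag, then every dot
    if not local:
        raise ValueError(f"{address!r} has an empty local part")
    return f"{local}@gmail.com"


def same_mailbox(a: str, b: str) -> bool:
    """True when two spellings deliver to the same Gmail inbox."""
    try:
        return canonical_gmail(a) == canonical_gmail(b)
    except ValueError:
        return False


def dot_permutations(address: str, max_dots: Optional[int] = None):
    """Yield every dotted spelling of a Gmail address, fewest dots first.

    A local part of n characters has n-1 gaps, so 2**(n-1) spellings exist;
    max_dots bounds the explosion for long names.
    """
    canon = canonical_gmail(address)
    local, _, domain = canon.partition("@")
    gaps = range(1, len(local))                     # a dot may sit between any two chars
    top = len(gaps) if max_dots is None else min(max_dots, len(gaps))
    for r in range(top + 1):
        for cut in itertools.combinations(gaps, r):
            pieces, prev = [], 0
            for c in cut:
                pieces.append(local[prev:c])
                prev = c
            pieces.append(local[prev:])
            yield ".".join(pieces) + "@" + domain


def group_by_mailbox(addresses):
    """Group address spellings seen in breach data by the mailbox they reach.

    Non-Gmail addresses are kept under their own (lower-cased) key.
    """
    groups = {}
    for addr in addresses:
        addr = addr.strip().lower()
        try:
            key = canonical_gmail(addr)
        except ValueError:
            key = addr
        groups.setdefault(key, set()).add(addr)
    return {key: sorted(seen) for key, seen in groups.items()}


# Constructed sample: spellings that might turn up across several breach dumps.
SEEN_IN_BREACHES = [
    "john.doe@gmail.com",
    "johndoe@gmail.com",
    "J.Doe+linkedin@gmail.com",
    "john.doe@example.com",
]

if __name__ == "__main__":
    for mailbox, spellings in group_by_mailbox(SEEN_IN_BREACHES).items():
        print(mailbox, "<-", spellings)
    for variant in dot_permutations("johndoe@gmail.com", max_dots=1):
        print(variant)
```

The grouping step is the part that matters for analysis: when three dumps show john.doe@, johndoe@ and j.o.h.n.doe@ as three "different" victims, this tells you they are one mailbox, while j.doe@gmail.com correctly stays separate because the characters differ.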
I will now move on to a really useful site, https://tools.epieos.com/. Recently, when the site went down, it forced me to install the command-line versions of the tools used on the site from GitHub. This I would recommend, just in case the site goes down again or disappears forever, so that you have resilience. Google account research has certainly come on since @Sector035 first posted about what he had discovered.
https://github.com/mxrch/GHunt
https://github.com/megadose/holehe
As I am using a Gmail account we get the extra functionality of GHunt; however, even without GHunt we can still use holehe and the same methodology to research addresses on other email domains.
For the original email that I started with, which included the dot, I got the following result: a name and a profile photo. Not a bad start.
The second email also gives me the same profile photo, and the Google IDs match too. I now feel confident that the two email addresses are linked to the same person.
The original email that was my starting point was only linked to two accounts, one being MySpace, so not exactly overwhelming.
The list of accounts that the second email is potentially linked to is quite good though. The list mirrors what we discovered on haveibeenpwned.com, as well as discovering new accounts.
But I suppose the real bonus is that I potentially have some data from LinkedIn,
Now for the last part: can I find more accounts linked to this individual? On to whatsmyname.app, and I am not going to use the original email I started with; I will use the second one I found.
My search term will be the first part of the email address (the local part, everything before the @), dropping the domain. It is quite common for people to use the first part of their email address as a username.
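As an added example (again my own code, not the post's and not the WhatsMyName project's), the block below turns a local part into the handful of username spellings worth searching and then shows the decision rule a username checker applies to each site: a hit needs both the expected status code and the expected string, and anything that matches neither signature is reported as unknown rather than as a find. The site descriptions mirror the shape of WhatsMyName's data (a URL template containing {account} plus exists/missing code and string), but the three sites, their .test domains and the canned responses are all constructed for this example; the fetch function is injected so it runs offline.

```python
import re


def username_candidates(address: str) -> list:
    """Derive likely usernames from an email address's local part (before the @)."""
    local = address.strip().lower().split("@", 1)[0].split("+", 1)[0]
    seen, out = set(), []

    def add(candidate):
        if candidate and candidate not in seen:
            seen.add(candidate)
            out.append(candidate)

    add(local)                                          # john.doe82 exactly as written
    add(local.replace(".", ""))                         # johndoe82  the Gmail-canonical form
    add(local.replace(".", "_"))                        # john_doe82 dots are often illegal in handles
    add(local.replace(".", "-"))                        # john-doe82
    add(re.sub(r"\d+$", "", local.replace(".", "")))    # johndoe    drop trailing digits
    return out


# Site descriptions in the shape WhatsMyName uses (a URL template with {account}
# plus the status code and string that signal "exists" and "missing"). These
# three sites are CONSTRUCTED for the example, not taken from the project's data.
SITES = [
    {"name": "examplehub", "uri_check": "https://examplehub.test/users/{account}",
     "e_code": 200, "e_string": '"login":', "m_code": 404, "m_string": "Not Found"},
    {"name": "exampleforum", "uri_check": "https://exampleforum.test/u/{account}",
     "e_code": 200, "e_string": "<h1>Profile:", "m_code": 404, "m_string": "User not found"},
    {"name": "examplefit", "uri_check": "https://examplefit.test/athletes/{account}",
     "e_code": 200, "e_string": "member-since", "m_code": 404, "m_string": "Page not found"},
]


def classify(site: dict, status: int, body: str) -> str:
    """Both the expected code AND the expected string must match before claiming a hit."""
    if status == site["e_code"] and site["e_string"] in body:
        return "found"
    if status == site["m_code"] and site["m_string"] in body:
        return "not found"
    # Neither signature matched: soft-404, block page or site redesign. Open the URL by hand.
    return "unknown"


def search(username: str, fetch) -> dict:
    """Check one username across SITES; fetch(url) -> (status, body) is injected."""
    results = {}
    for site in SITES:
        url = site["uri_check"].format(account=username)
        status, body = fetch(url)
        results[site["name"]] = (url, classify(site, status, body))
    return results


# Constructed responses standing in for the live sites.
FAKE_RESPONSES = {
    "https://examplehub.test/users/johndoe": (200, '{"login": "johndoe", "id": 12345}'),
    "https://exampleforum.test/u/johndoe": (404, "<p>User not found</p>"),
    "https://examplefit.test/athletes/johndoe": (200, "<p>No such member</p>"),   # soft 404
}


def fake_fetch(url: str):
    return FAKE_RESPONSES.get(url, (503, ""))


if __name__ == "__main__":
    for candidate in username_candidates("john.doe82@gmail.com"):
        print(candidate)
    for name, (url, verdict) in search("johndoe", fake_fetch).items():
        print(f"{verdict:9} {name:13} {url}")
```

The "unknown" outcome is why the URL view mentioned earlier matters: a site that answers 200 with a "no such member" page looks like a hit to a checker that only tests the status code, so every result still wants a human look at the page before it goes into your notes.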