May 24, 2018

Phishing: Email Enumeration & Construction

So you want to phish someone?! Maybe an entire corporation?! We’ll you’re gonna need valid email addresses. Let’s get to it!

(mumbles something about legal authorization something something don’t get caught something something seven proxies...)

Email Schema

First thing we need are sample emails. This not only gives us known good targets, it helps us establish the email naming schema. Is it first initial, followed by lastname (abbreviated , e.g. or is it the full first name, followed by the last name with a period in the middle (abbreviated e.g.

With the schema, we’ll be able to build out valid email addresses with nothing but an employee’s name.

So. Let’s get some valid sample email addresses!

Finding Email Address Samples

Easiest place to do this is a search engine. Google is solid but they track you. And you don’t need anyone tracking you doing weird things. So, go through seven proxies, some VPNs, a couple Tor’s or some such, and use DuckDuckGo. Once at a search engine, you can use some simple dorks such as:


Be sure to check out the Google Hacking Database for more dorks for finding email addresses in nonstandard places!

Some open sourced tools out there automate this for you. My favorites are theHarvester and SimplyEmail.

This is often all you’ll need, but what if this doesn’t produce results? Take look through breach dumps. My favorites for corporate emails are the LinkedIn dump (obviously) and the Ashley Madison dump (creepy… but really good for government and military email addresses!).

Now that you have sample emails, look for the pattern and establish the schema. It’s often first initial followed by last name (, first name, last name, with a period in the middle ( or other similar schema. For small companies it’s often just the first name ( until they get another “Brad”, then it’s first name followed by a number ( … sorry other Brad).

Once you’ve figured it out, document it. You’ll use it later.

Now we need to build our target list!

Target Lists

Easiest way to find valid targets is LinkedIn. A key element to LinkedIn is connections. So spin up a sockpuppet account with a popular and crucial to society profession… say Machine Learning Blockchain Development God-Emperor, or the like. Take some time on this sockpuppet. Give them an avatar that is subtly attractive but still professional and fill in the work history. We’ll cover sockpuppet creation later, but for now, just make it look reasonable enough.

Once you have a LinkedIn account, connect with your target company’s internal recruiter. We do this for two reasons. One, recruiters are promiscuous on LinkedIn. They connect with anyone. Bonus points if they have LION (LinkedIn Open Networker) in their names! Eesh!

And, two, with recruiters on LinkedIn, they connect with anyone and everyone at their own company. Once you connect with your target’s internal recruiter, EVERYONE at that target company is now a 2nd level connection. This means you get to see their full names and professions. Go to the company’s LinkedIn profile and click on “View Employees” to get a full list.

That was easy!

Another simple way to find key personnel or targets, especially in whaling campaigns, is to just visit the company’s website. Look for an “About Us” or “Corporate Information” page and then over to the “Leadership” section. This lists out all of the C-Level and other high value targets. (Remember, the CIO/CISO always has Domain Admin creds out of pure hubris. He also logs into his laptop with those Domain Admin creds. Phish him and you have instant complete control of their entire network!!! YAY!!!)

Take all of these names and put them into a simple text file, one on each line, with the first and last names separated by a space. It’s also easier to make every letter lower case.

john doe
jane doe
taylor swift

You can do this by hand or script it out. Here's a good run through of how to create a script to do this. With your target name list created, let’s build our email list!

Email Address Construction

You should have two pieces of information at this point: the target’s email address schema and a list of first and last names of your targets.

From here, we can use some awk-fu and build out a list. I like the bash terminal, you find it on Linux and OSX. You can use PowerShell… if you want a headache (you should know PowerShell cause you’ll be hacking a lot of Windows computers, but why would you want to work in it natively?!?!).

What follows are a couple awk examples to build out emails based on different schema. For the sake of these examples, we’ll assume you put your first and last names into a text file named “firstlastnames.txt”. We’ll ouput the resulting emails to a text file called “emailaddy.txt”. We’ll use the domain of “” as the example target domain.

For an email schema of first name followed by last name (e.g.

~/$ awk '{print $1$2""}' < firstlastnames.txt > emailaddy.txt
~/$ cat emailaddy.txt

Now let’s add a period in the middle for a schema that is first name, followed by a dot, followed by the last name (e.g.

~/$ awk '{print $1"."$2""}' < firstlastnames.txt > emailaddy.txt
~/$ cat emailaddy.txt


Lastly, we’ll do a first initial followed by last name (e.g.

~/$ awk '{print substr ($1,1,1)$2""}' < firstlastnames.txt > emailaddy.txt
~/$ cat emailaddy.txt

Now you should have your email address list and can begin phishing to your hearts content!

Creating Generic Lists

One last thing! If you’re doing a mass campaign, you can create generic lists of common names and combinations. Many of these will fail, but you’ll cover many names that you might not find on LinkedIn.

Go ahead and download top 100 surname lists (english, spanish, indian, etc) then throw the letters ‘a’ through ‘z’ in front of each of them for a first initial last name email.

Here's a simple bash oneliner to do that:

~/$ while read surname; do for letter in {a..z}; do echo $letter$surname""; done; done < surnamelist.txt > emailaddy.txt
~/$ cat emailaddy.txt

Hell, if you’ve got an email schema with or similar and want to get real fancy, just do some nested while loops with common first names and common surnames!

~/$ while read surname; do while read firstname; do echo $firstname"."$surname""; done < firstnamelist.txt; done < surnamelist.txt > emailaddy.txt
~/$ cat emailaddy.txt

Go on and Hack the Planet! The world is your burrito!