WEBVTT

00:00.840 --> 00:04.080
In this video, we're going to be taking a look at reverse email searches.

00:04.280 --> 00:09.840
So you may be in a situation where you have an email address, but you're not sure who it belongs to,

00:09.880 --> 00:16.880
where they're from, or what else is email account is associated to.

00:17.880 --> 00:20.760
So there's a few ways we could take a look at this.

00:20.760 --> 00:33.280
So one way is you could use a people search program Pipl Spokeo I have a couple up here I got Beenverified.

00:33.320 --> 00:36.520
Com um, let's start with this one here.

00:36.520 --> 00:40.720
So I already have our email address in here displayed at gmail.com.

00:41.160 --> 00:42.320
I'm going to click search.

00:45.800 --> 00:46.000
Okay.

00:46.000 --> 00:50.400
And this is going to be pretty common with all the all the um people search ones.

00:50.400 --> 00:51.720
You're going to see a progress bar.

00:51.720 --> 00:57.320
You'll see a spinning circle, or it'll flash a bunch of random pictures of people that are supposedly

00:57.320 --> 00:58.160
searching through.

00:58.880 --> 01:00.120
Uh, this is going to take a little bit.

01:00.120 --> 01:01.560
So I'm going to let that run.

01:01.560 --> 01:03.890
And I ran a couple other ones here.

01:03.890 --> 01:06.610
Another one that I pulled up was Info Tracer.

01:06.810 --> 01:10.490
Um, let me go back one screen here.

01:11.090 --> 01:13.610
And it's info tracer.com.

01:14.890 --> 01:23.370
Uh, this one came up with a IP address, country address, ISP.

01:24.290 --> 01:31.450
Now, a lot of times these people search sites will come up with information like this or email search

01:31.450 --> 01:32.250
programs.

01:32.810 --> 01:35.050
So this IP is actually not my IP.

01:35.530 --> 01:37.410
It's not IP that I've used before.

01:37.450 --> 01:39.250
This is actually Google's IP address.

01:39.250 --> 01:40.170
If you look it up.

01:41.130 --> 01:44.450
Um, country is us, which is actually true.

01:44.770 --> 01:48.890
Uh, that's only because Google's located in the US.

01:49.650 --> 01:51.730
Mountain view, California.

01:52.090 --> 01:54.570
That's nowhere really near where I'm at.

01:54.610 --> 01:55.890
This is actually Google.

01:55.930 --> 01:57.170
Again, Google's address.

01:57.170 --> 02:05.850
So, um, trying to track down a Gmail users address, uh, even using email headers, you're not going

02:05.850 --> 02:06.810
to be real successful.

02:07.090 --> 02:14.250
You're going to come up with Google's information just like pretty much any other email address.

02:14.250 --> 02:17.210
So that's going to be the problem with email nowadays.

02:17.210 --> 02:21.290
It's not like how it was, say, 20 years ago.

02:21.570 --> 02:26.530
Um, you used to be able to grab the email headers, parse out where the location was.

02:26.770 --> 02:32.530
Um, nowadays that information is masked by not ISP by the email provider.

02:33.290 --> 02:39.050
Uh, so as you see here, you know, the information that it pulled is all of Google's information.

02:41.530 --> 02:46.690
Now, another thing that you could do is you could do a Google advanced search.

02:47.290 --> 02:52.530
So what I did here was I put uh, games at gmail.com in quotes.

02:52.890 --> 02:58.570
So what that will do is it isolates that search Gmail search down to that email address.

02:59.370 --> 03:04.490
So in here you could see, um, a few Amazon.com hits.

03:06.180 --> 03:07.220
for a couple apps.

03:07.220 --> 03:13.740
And these are apps that actually did develop under the game's name or email address, rather.

03:14.340 --> 03:16.780
So that's actually very accurate.

03:17.740 --> 03:23.420
Um, scrolling down in here, I also see that, uh, some of my apps were actually stolen upload to,

03:23.460 --> 03:24.820
uh, foreign websites.

03:24.820 --> 03:29.220
So, um, that's actually good information for me personally.

03:29.700 --> 03:30.100
Um.

03:32.260 --> 03:37.980
So as you can see here, again, it really just isolated down the search results.

03:37.980 --> 03:46.740
So instead of, um, well, see, we have, uh, two pages of Google results, so pretty, pretty short

03:47.820 --> 03:53.380
now versus if I did if I took this out of quotes, let's see how many hits we would get.

04:01.660 --> 04:02.140
Okay.

04:02.180 --> 04:03.260
So this wasn't too bad.

04:03.260 --> 04:05.300
It came up with the same number of results.

04:06.020 --> 04:07.540
Two pages, 80 hits.

04:07.940 --> 04:09.180
So still pretty good.

04:10.180 --> 04:12.460
All right, so let me show you another.

04:12.820 --> 04:15.300
Another way to find email addresses.

04:16.180 --> 04:22.420
So if you want to see if that email address was used for a certain social media site like say, Facebook,

04:22.700 --> 04:25.620
Twitter, LinkedIn, any of these sites.

04:26.140 --> 04:30.940
One way you could do it is, uh, you could say you forgot your account.

04:31.460 --> 04:36.380
Uh, a lot of times this will either allow you to type in a phone number or email address, or both

04:36.380 --> 04:37.980
to try to recover your account.

04:38.820 --> 04:44.340
So in this case, if we go on facebook.com and click forgot account, it's going to come up with this

04:44.340 --> 04:45.020
page here.

04:45.820 --> 04:48.060
So I already populated the email address.

04:48.060 --> 04:53.580
And again we can at least for this example, we can actually type in a phone number to if we had a phone

04:53.580 --> 04:54.820
number that we're searching.

04:55.540 --> 04:57.380
But right now we're talking about email.

04:57.740 --> 05:01.420
So in here I have Dispo games at gmail.com.

05:02.740 --> 05:04.180
And I'm going to click search.

05:06.180 --> 05:07.310
And it's going to go through.

05:07.310 --> 05:14.630
And lo and behold, it actually found a, a a that Gmail account on Facebook's server.

05:14.630 --> 05:19.070
So going this route I, I verified that yes.

05:19.390 --> 05:23.630
Um, this email account does have in fact have a Facebook account.

05:24.070 --> 05:27.990
And I could see the Facebook username here disposable GM.

05:28.270 --> 05:36.470
So now I could actually start searching Facebook under for disposable GM and actually find more information

05:36.470 --> 05:37.670
about my target.

05:39.590 --> 05:44.990
So another way we could find information out is we could do have I Been Pwned.

05:50.630 --> 05:51.190
Okay.

05:51.350 --> 05:54.150
So if we go to Haveibeenpwned.com.

05:56.630 --> 06:01.670
We could type in an email address, Dispo games at gmail.com.

06:03.430 --> 06:06.870
And we click the phone button and here we go.

06:07.590 --> 06:13.750
So we can see if this was part of any data breaches, and we could potentially find out what other sites

06:13.750 --> 06:16.510
they have emails are linked to.

06:17.270 --> 06:22.510
So in here I see it was actually linked to a Dropbox account, an Adobe account.

06:22.830 --> 06:30.430
So again this is great information, especially especially if that email if they are target's email

06:30.430 --> 06:36.270
address was used for a lot of other sites, say a pastebin account or a Instagram or LinkedIn account.

06:36.310 --> 06:42.750
Again, that'll just save us time from going to each site and doing a search on those email addresses.

06:45.790 --> 06:47.990
Okay, there's one last one I want to show you.

06:47.990 --> 06:53.030
So I got our Buscador VM running here.

06:53.070 --> 06:54.310
Let me log back in here.

06:54.990 --> 07:00.030
And I fired up Maltego, which we could actually just run from this icon right here.

07:01.590 --> 07:09.310
Now once you have maltego loaded up and you start a new, uh, new graph by clicking this button here,

07:09.680 --> 07:14.760
I'm just going to drag this email address right over here okay.

07:15.360 --> 07:17.080
And then I'm going to double click on this.

07:17.800 --> 07:19.200
And I'm going to clear this one out.

07:19.200 --> 07:27.680
I'm going to type in Dispo games at gmail.com okay I'm going to click okay.

07:30.640 --> 07:32.200
And I'm going to right click this.

07:33.400 --> 07:38.160
And I'm going to run this C to C.

07:38.200 --> 07:40.400
And I'm going to just run all the transforms.

07:43.480 --> 07:43.760
Okay.

07:43.800 --> 07:45.600
Give that a second while it's running.

07:45.600 --> 07:47.800
And here we go.

07:48.160 --> 07:52.160
So it verified the email address does exist.

07:53.040 --> 07:54.480
It is a Gmail address.

07:55.000 --> 08:00.400
And it looks like this is one of the accounts that's tied to is a Flickr.

08:02.400 --> 08:07.280
So um, going off or have I Been Pwned?

08:07.400 --> 08:11.400
Uh, that found a Dropbox account, uh, which Maltego didn't.

08:11.720 --> 08:17.600
However, have I Been Pwned didn't find the Flickr account, so it's good to run multiple tools to help

08:17.600 --> 08:19.000
verify your data.

08:20.040 --> 08:24.400
So if I just run this, I can try to do Flickr and friends.

08:24.800 --> 08:27.160
I don't think there's going to be a lot of information that comes up.

08:27.960 --> 08:28.240
Yep.

08:28.280 --> 08:28.960
Nothing.

08:30.120 --> 08:37.320
And if I just run a transform on the Gmail, it's just going to find more Gmail stuff.

08:38.880 --> 08:39.320
So.

08:41.640 --> 08:47.920
Say if this was a corporate email address or a private one, if they have a host in their own website,

08:47.920 --> 08:51.560
this would actually probably be a lot more informative to us.

08:51.560 --> 08:56.280
But in this case, since it's just a generic Gmail address, it's coming.

08:56.400 --> 09:03.520
Um, you know, we could actually just see a lot of the Google stuff in here, which is this.

09:03.520 --> 09:05.120
Want to show you that real quick.

09:07.960 --> 09:12.760
So again, um, these are a lot of tools that you could.