huntsman

huntsman

Email enumerator, username generator, and context validator providing detailed coverage of the hunter.io, snov.io, and skrapp.io APIs with several enhancements to streamline processing for engagements.

Features

• Confirms email and first/last name context within source URIs to create realistic pretexts for phishing or SE
• Identifies social media accounts associated with target email addresses
• Generates usernames based on common first and last name combinations for targetting corporate logins, brute forcing web apps, password reset user enum, etc.
• Automatically validates emails with Entra ID (Azure AD) using python implementation of AADInternal's Invoke-UserEnumerationAsOutsider
• Confirms validity of source URIs and the presence of emails or user related information
• Detailed hunter.io and snov.io API coverage
  • Limited skrapp.io coverage
• Asynchronously resolves source URIs

Demo

huntsman.webm

Installation

Install from PyPI with pip:

pip install huntsman

OR git clone and install:

git clone https://github.com/mlcsec/huntsman.git
cd huntsman
pip install .
huntsman -h

Setup

Run huntsman setup and enter the required API key(s) when prompted or manually update .huntsman.conf

Usage

usage: huntsman.py [-h]  ...

positional arguments:

    setup     API key(s) setup for huntsman
    hunterio  hunter.io commands
    snovio    snov.io commands
    skrappio  skrapp.io commands

options:
  -h, --help  show this help message and exit

To view available commands for each of the services:

huntsman hunterio -h

To view available options for each subcommand:

huntsman hunterio domain-search -h

Options

The optional arguments include all flags and parameters available from the API documentation. The 'company' option has been removed from hunter.io commands as the documentation states that specifying the domain returns better results.

"Note that you'll get better results by supplying the domain name as we won't have to find it. If you send a request with both the domain and the company name, we'll use the domain name. It doesn't need to be in lowercase."

The following options are the main features of huntsman for gathering actionable data for engagements.

--uri-confirm

Confirm positive HTTP responses for hunter.io source URIs and the presence of emails and user information. Does NOT provide any context (see --uri-context):

--uri-context

Confirm positive HTTP responses, presence of email address, first name, last name, and the surrounding context for the user information identified in hunter.io source URIs. This aids in confirming the validity of the account information as I have encountered false positives in the past.

The primary purpose of this functionality is identifying the context the email or user information was used in to create realistic pretexts for phishing or SE. The example below demonstrates this as the lisa@stripe.com email should be used for emailing CVs. This provides us with a 'pre-configured' pretext for the user as opposed to blindly creating one based on a list of emails for the target company.

Another example identified a personal GitHub account associated with the email through source URI context validation:

Personal user accounts and usernames for external services such as betalist, hackernews, and nomadlist were discoverd in this example:

--socials

Identify social media accounts associated with supplied user emails (LinkedIn/Twitter primarily):

--usergen

Generate common usernames from gathered first and last name combinations using the formats specified below. Automates the generation of username lists for targeting corporate logins, brute forcing company web apps, password reset user enumeration, etc.

{first}.{last}
{first}_{last}
{first}{last}
{first}{last_initial}
{first}_{last_initial}
{first}.{last_initial}
{first_initial}.{last}
{first_initial}_{last}
{first_initial}{last}
{first_three}{last_three}
{last}.{first}
{last}_{first}
{last}{first}
{last}{first_initial}
{last}_{first_initial}
{last}.{first_initial}
{last_initial}.{first}
{last_initial}_{first}
{last_initial}{first}
{last_three}{first_three}

--entraid

Automatically confirm gathered emails against Entra ID (Azure AD) using AADInternal's user enumeration as outsider port from Graphpython:

Commands

hunter.io

huntsman hunterio [COMMAND] [OPTIONS] [-h] 

    domain-search       Perform a domain name search
    email-finder        Find email addresses for domain
    email-verifier      Verify email addresses
    email-count         Get email count for a domain
    account-info        Get information about your hunter.io account

snov.io

huntsman snovio [COMMAND] [OPTIONS] [-h] 

    domain-search       Perform a domain name search
    get-profile         Get profile information for email addresses
    email-verifier      Verify email addresses
    email-count         Get email count for a domain
    get-balance         Get your snov.io credit balance

skrapp.io

huntsman skrappio [COMMAND] [OPTIONS] [-h] 

    company-search      Dump and explore the employment details of company members
    account-data        Get information about your skrapp.io account

References

• hunter.io API documentation
• snov.io API documentation
• skrapp.io API documentation