Hopefully a useful day in the life of a pentest post...
So there I was, trying to gather emails for our pentest. The only problem is that we were doing an assessment of city.domain.com but all the emails are listed as @domain.com. Just for clarification, searching domain.com for email addresses wouldn't necessarily give me emails that were in scope, so I had to think of something.
First step was some Google-fu of "site:city.domain.com + @domain.com", which brought in a few email addresses. Next step was metagoofil. Metagoofil is awesome because it will download MS Office, OpenOffice, and PDF documents from the domain you specify. It will parse the metadata and give you a list of the usernames in the documents and the path to where the document was saved.
How it works (images from the Edge-Security site)
It downloads the documents to your local computer so you can view them for extra info gathering. It also gives you a nice little HTML page with the results.
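The metadata metagoofil harvests is the same metadata you can audit in your own documents before they go on a public site. Here is an added example (my code, not metagoofil's) that opens a .docx, which is just a zip archive, and reports the author and last-editor names stored in docProps/core.xml; the sample document and its user names are constructed inline.

```python
"""Audit a .docx for identity-leaking metadata before publishing it.

Added example, not metagoofil's code. A .docx is a zip archive; author
and last-editor names live in docProps/core.xml (Dublin Core / OPC
namespaces). Scanning your own public documents for these fields is the
defender's counterpart to what metagoofil harvests from a target domain.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}


def extract_docx_identities(docx_bytes: bytes) -> dict:
    """Return the identity fields found in docProps/core.xml (empty dict if none)."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return found
        root = ET.fromstring(zf.read("docProps/core.xml"))
    for key, path in (("creator", "dc:creator"), ("lastModifiedBy", "cp:lastModifiedBy")):
        el = root.find(path, NS)
        if el is not None and el.text and el.text.strip():
            found[key] = el.text.strip()
    return found


def build_sample_docx(creator: str, last_modified_by: str) -> bytes:
    """Constructed test fixture: a minimal zip holding only the core.xml part."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
        f'<dc:creator>{creator}</dc:creator>'
        f'<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>'
        '</cp:coreProperties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", core)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed names; a real audit would loop over the files you are about to publish.
    sample = build_sample_docx("jsmith", "CITY\\jdoe")
    print("identity fields to scrub:", extract_docx_identities(sample))
```

Pointing `extract_docx_identities` at the files in your web root, or stripping these fields with your office suite's "inspect document" feature before upload, removes exactly the username list metagoofil builds from them.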
After that I took the possible usernames, put them in the proper naming convention for the domain, rocketed off my SE email and crossed my fingers.
The result? Metagoofil for the win! Overall I had about 160 possible email addresses, 20 actually made it to someone's inbox...sad face but not bad considering how I got the possibles.
5 of the 20 opened it :-)
2 were forwarded (meaning the user that opened it was not initially emailed), 1 was from Google, and 2 of the 5 were from metagoofil :-)
Not bad if you ask me.