
Additional Validation methods - Gmail/Google Apps/Office 365 #937

Open
2 of 8 tasks
emeth- opened this issue Jul 2, 2021 · 5 comments

Comments

@emeth-

emeth- commented Jul 2, 2021

Gmail / Google Apps email addresses can be validated with 100% accuracy using this method, and here's an example implementation.

Alternative Google implementation: https://github.com/megadose/holehe/tree/master/holehe/modules/mails/google.py

Office 365 email addresses are a bit trickier. There are some older enumeration options that no longer work reliably. The method outlined in this blog post still works today - with one caveat. It detects valid Office 365 email addresses with 100% accuracy IF the user has opened OneDrive at least once. However, it cannot tell the difference between an invalid email, or a valid email belonging to a user who has never opened OneDrive. Still it's useful as it generates no false positives. Here's an example implementation.

If any external contributor wants to pick an individual provider to work on, feel free to open a PR.

@amaury1093
Member

This is gold. If someone wants to work on this, hit me up.

@PsypherPunk
Contributor

@AmauryM, would you accept a PR for each individually? Wouldn't mind attempting at least the Gmail one.

@amaury1093
Member

Yes, for sure! Go ahead for gmail. Please make it optional though, e.g. using a gmail_use_api field (defaulted to false) on CheckEmailInput.

PsypherPunk pushed a commit to PsypherPunk/check-if-email-exists that referenced this issue Oct 4, 2022
- check the validity of `gmail.com`/`googlemail.com` email addresses via
  the method outlined
  [here](https://blog.0day.rocks/abusing-gmail-to-get-previously-unlisted-e-mail-addresses-41544b62b2).
- run only via the `--gmail-use-api`/`gmail_use_api` flags (defaulting
  to `false`).

relates reacherhq#937
amaury1093 pushed a commit that referenced this issue Oct 6, 2022
* feat: additional Gmail validation

- check the validity of `gmail.com`/`googlemail.com` email addresses via
  the method outlined
  [here](https://blog.0day.rocks/abusing-gmail-to-get-previously-unlisted-e-mail-addresses-41544b62b2).
- run only via the `--gmail-use-api`/`gmail_use_api` flags (defaulting
  to `false`).

relates #937

* refactor: split out HTTP client

move the `create_client` method to a separate file; have the `yahoo` and
`gmail` modules reference this.

* test: add test for Gmail HTTP API

verify Gmail HTTP API behaviour with `[email protected]`, failure
indicating that the API is no longer reliable.

* fix: correct host checks for Gmail HTTP API

should check as per the MX host:

- for gmail.com or googlemail.com, this will look like
  `*.gmail-smtp-in.l.google.com.`.
- for Google Apps/Workspace domains, this will look like
  `*.aspmx.l.google.com.`.

Co-authored-by: PsypherPunk <[email protected]>
@PsypherPunk
Contributor

I'll take a look at the Office 365 validation now, if that's okay?

@amaury1093
Member

Yes, sure! I would also like to compare the blog's implementation versus a headless version using Outlook's password recovery page. It seems that the latter doesn't work for custom domains in MS 365 (see #1185), so we might need to use this blog's API endpoint for those.

PsypherPunk added a commit to PsypherPunk/check-if-email-exists that referenced this issue Oct 6, 2022
- check the validity of Outlook/Office 365 email addresses via the
  method outlined
  [here](https://www.trustedsec.com/blog/achieving-passive-user-enumeration-with-onedrive/).
- run only via the `--outlook-use-api` flags (defaulting to `false`).

relates reacherhq#937
amaury1093 added a commit that referenced this issue Oct 11, 2022
* feat: add Outlook HTTP API validation

- check the validity of Outlook/Office 365 email addresses via the
  method outlined
  [here](https://www.trustedsec.com/blog/achieving-passive-user-enumeration-with-onedrive/).
- run only via the `--outlook-use-api` flags (defaulting to `false`).

relates #937

* fix: restrict Office 365 domain

use `.mail.protection.outlook.com.` for domains backed by Outlook/Office
365.

* fix: continue for non-definitive responses from Outlook API

if using `--outlook-use-api`, only return immediately in the event of a
positive response: negative responses are ambiguous and the process
should fall back to subsequent checks.

* fix: amend Outlook references

update references to "Microsoft 365" to make it more explicit that this
pertains to the underlying services, not Outlook addresses.

* fix: continue in the event of a ReqwestError

allow both failures in the HTTP request and 404 responses to continue.

Co-authored-by: Amaury <[email protected]>
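The two commit messages above describe two design points: which provider-specific check applies is decided from the domain's MX host (`*.gmail-smtp-in.l.google.com.`, `*.aspmx.l.google.com.`, `.mail.protection.outlook.com.`), and for the Microsoft 365 check only a positive response is definitive, with negatives, 404s and request errors falling through to the later checks. The example below is added here and is not code from the check-if-email-exists project; the MX host suffixes are the ones quoted in the commits, while the `Provider`, `ApiOutcome` and `Verdict` types, the `decide` function and the sample MX records are constructed for illustration. It contains no provider endpoints; it only models the routing and the fallback rule.

```rust
// Added example, not the project's own code. Models (1) routing a domain to a
// provider-specific check based on its MX host and (2) the "only a positive
// API answer short-circuits" rule from the Outlook commit message.

/// Which provider-specific check (if any) applies to a domain.
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum Provider {
    /// gmail.com / googlemail.com: MX under gmail-smtp-in.l.google.com.
    Gmail,
    /// Google Apps / Workspace custom domains: MX under aspmx.l.google.com.
    GoogleWorkspace,
    /// Domains backed by Microsoft 365: MX under mail.protection.outlook.com.
    Microsoft365,
    /// Anything else: no provider API step, go straight to the generic checks.
    Other,
}

/// True when `host` is `suffix` itself or a subdomain of it.
fn host_under(host: &str, suffix: &str) -> bool {
    host == suffix || host.ends_with(&format!(".{suffix}"))
}

/// Classify a single MX host. A trailing dot (FQDN form, as in the commit
/// messages) and mixed case are tolerated. Matching the bare apex host
/// (e.g. `aspmx.l.google.com`) as well as its subdomains is an assumption
/// made here; the commits only quote the wildcard forms.
pub fn classify_mx(mx_host: &str) -> Provider {
    let host = mx_host.trim_end_matches('.').to_ascii_lowercase();
    if host_under(&host, "gmail-smtp-in.l.google.com") {
        Provider::Gmail
    } else if host_under(&host, "aspmx.l.google.com") {
        Provider::GoogleWorkspace
    } else if host_under(&host, "mail.protection.outlook.com") {
        Provider::Microsoft365
    } else {
        Provider::Other
    }
}

/// Result of a provider-specific HTTP check.
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum ApiOutcome {
    /// Provider confirmed the mailbox: definitive.
    Positive,
    /// Provider did not confirm it. For Microsoft 365 this is ambiguous (the
    /// user may never have opened OneDrive), so it must not be treated as "no".
    Negative,
    /// Transport failure or 404: per the commit, handled like a negative.
    RequestError,
}

/// Outcome of the overall verification pipeline (simplified).
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum Verdict {
    Deliverable,
    Undetermined,
}

/// Run the optional API step and fall back to the remaining checks.
/// `use_api` mirrors the `--gmail-use-api` / `--outlook-use-api` flags
/// (default false): the API closure is never invoked unless it is set, and
/// only `ApiOutcome::Positive` returns early.
pub fn decide(
    use_api: bool,
    api_check: impl FnOnce() -> ApiOutcome,
    fallback_checks: impl FnOnce() -> Verdict,
) -> Verdict {
    if use_api && api_check() == ApiOutcome::Positive {
        return Verdict::Deliverable;
    }
    fallback_checks()
}

fn main() {
    // Constructed sample MX hosts, one per provider branch.
    let samples = [
        "alt1.gmail-smtp-in.l.google.com.",
        "aspmx.l.google.com.",
        "example-com.mail.protection.outlook.com.",
        "mx1.example.net.",
    ];
    for mx in samples {
        println!("{mx:<45} -> {:?}", classify_mx(mx));
    }
    // A negative Microsoft 365 answer does not decide the case on its own.
    let v = decide(true, || ApiOutcome::Negative, || Verdict::Undetermined);
    println!("negative API answer + inconclusive fallback -> {v:?}");
}
```

The closure form of `decide` makes the flag's meaning checkable: with `use_api = false` the API closure is never called, so the test below passes a closure that panics if invoked.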
@amaury1093 amaury1093 pinned this issue Mar 29, 2023