Overview

People Hunter identifies people associated with a target organization by discovering publicly exposed email addresses and social media profiles. It combines web crawling with external API queries to build a list of contacts. People Hunter is a discovery tool: it gathers publicly available contact information but does not test for vulnerabilities. It does not add data to your Attack Surface or generate findings.

Parameters

| Parameter | Description |
|---|---|
| Target | IP address or hostname to scan |

How it works

  1. Port discovery: Scans port 443 to check if the target runs an HTTPS web server.
  2. Hostname extraction: If scanning an IP address, extracts the hostname from the SSL certificate’s Common Name (CN).
  3. API queries: Queries the Tomba.io API to retrieve indexed email addresses associated with the domain.
  4. Web crawling: Uses the Katana crawler to discover and crawl pages on the target website (up to 10 minutes).
  5. Information extraction: Searches crawled content for email addresses and social media profile links using regex patterns.
  6. Validation: Validates discovered emails by performing DNS MX lookups and filters out emails from external domains.
  7. Pattern analysis: Groups discovered emails by username patterns and calculates the percentage of each pattern.

Email discovery

The tool discovers emails using two techniques:

| Technique | Description |
|---|---|
| Active | Regex pattern matching in crawled web pages (HTML, JavaScript, JSON, XML) |
| Passive | External API queries via Tomba.io for indexed email addresses |

Discovered emails are:
  • Validated via DNS MX lookup (domain must have valid mail servers)
  • Filtered to only include emails matching the target domain
  • Organized by username pattern

Username patterns

Emails are analyzed and grouped by their local part format:

| Pattern | Example |
|---|---|
| Single name | john@company.com |
| First and last name with dot | john.doe@company.com |
| First and last name with underscore | john_doe@company.com |
| First and last name with hyphen | john-doe@company.com |
| Unidentified pattern | Other formats (e.g., jdoe123@company.com) |

The pattern analysis shows the percentage of emails following each format, helping you predict email addresses for other employees.
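
The domain filter and pattern analysis described above, as an added example that is not People Hunter's own code. The regexes, function names and sample content are assumptions constructed for illustration; the tool's actual patterns are not given on this page, and the DNS MX check is left out so the example runs offline.

```python
import re
from collections import Counter

# Assumed regexes: the tool's real patterns are not published on this page.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PATTERNS = [
    ("Single name", re.compile(r"^[a-z]+$")),
    ("First and last name with dot", re.compile(r"^[a-z]+\.[a-z]+$")),
    ("First and last name with underscore", re.compile(r"^[a-z]+_[a-z]+$")),
    ("First and last name with hyphen", re.compile(r"^[a-z]+-[a-z]+$")),
]

# Constructed sample of crawled content (HTML, JSON and JavaScript fragments).
SAMPLE = '''
<a href="mailto:john.doe@company.com">John</a>
<a href="mailto:Jane.Roe@company.com">Jane</a>
{"contact": "sam_lee@company.com", "vendor": "billing@company.com.example"}
var owner = "info@company.com"; // jdoe123@company.com
'''

def extract_emails(content, target_domain):
    """Return unique, lowercased addresses whose domain equals the target domain."""
    target = target_domain.lower()
    found = set()
    for match in EMAIL_RE.findall(content):
        email = match.lower()
        # Exact comparison: a lookalike such as company.com.example is external.
        if email.rsplit("@", 1)[1] == target:
            found.add(email)
    return sorted(found)

def classify(email):
    """Map the local part of an address to one of the table's pattern names."""
    local = email.split("@", 1)[0]
    for name, rx in PATTERNS:
        if rx.match(local):
            return name
    return "Unidentified pattern"

def pattern_report(emails):
    """Return {pattern name: percentage of addresses}, rounded to one decimal."""
    counts = Counter(classify(e) for e in emails)
    total = sum(counts.values())
    return {name: round(100 * n / total, 1) for name, n in counts.items()}

if __name__ == "__main__":
    emails = extract_emails(SAMPLE, "company.com")
    for name, pct in sorted(pattern_report(emails).items(), key=lambda kv: -kv[1]):
        print(f"{pct:5.1f}%  {name}")
```
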

Social media profiles

The tool identifies links to social media profiles by matching URL patterns in crawled content:

| Platform | Detected URLs |
|---|---|
| LinkedIn | linkedin.com/in/, linkedin.com/company/ |
| Facebook | facebook.com/, fb.com/, m.facebook.com/ |
| Twitter/X | twitter.com/ |
| Instagram | instagram.com/ |

The tool filters out non-profile URLs like share buttons, login pages, and embedded content to reduce false positives.
Use discovered information responsibly and in accordance with applicable laws. Always ensure you have proper authorization before using this data for security testing.

Technical details

  • Port scanned: 443 (HTTPS)
  • Crawl duration: Up to 10 minutes per port
  • Crawler: Katana (high-speed web crawler)
  • Email validation: DNS MX record lookup with 2-second timeout
  • Content types scanned: HTML, JavaScript, JSON, XML

Limitations

  • Only scans port 443 by default
  • Requires an HTTPS web server on the target
  • Email discovery depends on publicly accessible content
  • Tomba API has rate limits that may affect results
  • Social media detection is limited to major platforms

Follow-up actions

After discovering people and contact information:
  1. Expand your search: Use Google Hacking to find additional exposed data on paste sites and code repositories
  2. Fingerprint technologies: Run Website Recon to understand the target’s technology stack
  3. Discover more subdomains: Use Subdomain Finder to find additional subdomains that may expose more contacts
  4. Find related domains: Use Domain Finder to discover other domains owned by the organization
  5. Test credentials: With proper authorization, use Password Auditor for credential testing