Security Dojo


Google OSINT with GHunt

2020-12-15 3 min read fud0

Have you ever wondered what one of the fastest ways is to retrieve as much information as possible about a Google user? That generic person X with the usual email account ending in @gmail.com.

In this article we will talk about a tool that allows you to carry out this operation in a very simple and immediate way. The tool is GHunt and it is, as stated on its GitHub page, an “OSINT tool to extract information from any Google Account using an email”.

Before digging into how it works with a practical example, let’s take a short excursus into the theory behind it.

First, any user in the Google ecosystem (and all related services) has a unique identifier called the GAIA ID, or Google Accounts and ID Administration ID. Quoting the official Google Developers documentation pages:

A user is an individual user identified by a GAIA (Google Accounts and ID Administration) ID. This ID may be an e-mail address associated with a Google domain (for example, user@gmail.com) or an e-mail address in another domain that has been configured by a G Suite domain administrator.

Starting from this identifier, it is possible to trace public information about the services used by the user.

To learn more specifically about the whole mechanism behind it, I recommend this two-part reading on the blog by Sector035:

Let’s now see how to install and configure the GHunt tool.

# Cloning remote repository
git clone https://github.com/mxrch/GHunt.git
# Installing all requirements
cd GHunt
python3 -m pip install -r requirements.txt
# Cookies check and validation
python3 check_and_gen.py

At this point, we will have to insert the cookies of a valid Gmail account, which are used to interact with the Google API. The advice is to use a test account, not linked to your main one.

Where do you find the required values in the browser? Take a look at the Firefox example below.

GHunt - Google cookies needed, shown in the Firefox developer console

GHunt - Configuring Google cookies in GHunt

Once we have confirmed that everything has gone well, we can use the following command to look up the information on the specified contact.

python3 hunt.py <TARGET_USER>@gmail.com

The tool will take care of retrieving all the accessible public information.

GHunt - Running GHunt against a target Gmail account

It is unknown whether the tool will continue to work in the near future. As both Sector035 and mxrch point out, there have been some recent changes to the way the GAIA ID is managed by Google:

Google has removed the gaia_id from the source code of YouTube pages around August 2020, locked down the public accessibility of photo albums early September 2020 and the trick to find connected email address via the Webmaster tools is closed off since September 2020 too. It seems that Google is slowly removing all publicly accessible gaia_id references in the near future.

So for now GHunt is still a good tool, which should of course be used together with the classic “manual” information gathering techniques, starting from the simple email address or the name / surname / nickname of the target user.