黑客百科吧 (Hacker Encyclopedia forum)

[Code / Programming] [Metasploit] Email collection using Baidu



auxiliary/gather/search_email_collector_baidu
Adapted from auxiliary/gather/search_email_collector to suit users in China.


Post #1, 2013-10-09 13:37

    1. Declarations
    require 'msf/core'
    require 'net/http'
    class Metasploit3 < Msf::Auxiliary
      include Msf::Auxiliary::Report
    2. Author information and module description
      def initialize(info = {})
        super(update_info(info,
          'Name' => 'Search Engine Domain Email Address Collector with Baidu.com',
          'Description' => %q{
            This module uses Baidu to create a list of
            valid email addresses for the target domain.
          },
          'Author' => [ '7HE_K1NG (2013)' ],
          'License' => MSF_LICENSE))
    3. Options (the ones listed by show options)
    Domain, number of pages, and output file
        register_options(
          [
            OptString.new('DOMAIN', [ true, "The domain name to locate email addresses for"]),
            OptString.new('PAGENUMBER', [ false, "The page to locate email addresses for",5]),
            OptString.new('OUTFILE', [ false, "A filename to store the generated email list"]),
          ], self.class)
    Proxy settings
        register_advanced_options(
          [
            OptString.new('PROXY', [ false, "Proxy server to route connection. <host>:<port>",nil]),
            OptString.new('PROXY_USER', [ false, "Proxy Server User",nil]),
            OptString.new('PROXY_PASS', [ false, "Proxy Server Password",nil])
          ], self.class)
      end


    Post #3, 2013-10-09 13:53

      5. Writing the results to a file
      Open the file named by OUTFILE in the option settings, then write the results to it
      def write_output(data)
        print_status("Writing email address list to #{datastore['OUTFILE']}...")
        ::File.open(datastore['OUTFILE'], "ab") do |fd|
          fd.write(data)
        end
      end


      Post #6, 2013-10-09 14:01

        Baidu swallowed my post ........................


        Post #8, 2013-10-09 14:07

          4. The search method (the key part)
          def search_baidu(targetdom)
            print_status("Searching Baidu for email addresses from #{targetdom}")
            response = ""
            emails = []
            # Build the request header
            header = { 'User-Agent' => "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13"}
            # Baidu search engine
            clnt = Net::HTTP::Proxy(@proxysrv,@proxyport,@proxyuser,@proxypass).new("Baidu's address, omitted to keep the post from being swallowed; see the source code file for details")
            print_status("Get #{datastore['PAGENUMBER'].to_i} Page")
            # Starting result offset of each page, e.g. 0, 100, 200, 300 ...
            searches=Array.new
            i = 0
            while i < datastore['PAGENUMBER'].to_i do
              searches[i]=i*100
              i=i+1
            end
            searches.each { |num|
              # Run the search
              resp = clnt.get2("/s?wd=%40#{targetdom}&pn=#{num}&tn=baiduhome_pg&rn=100&ie=utf-8&usm=1&rsv_page=1",header)
              print_status("#{num} done...")
              response << resp.body
            }
            print_status("All done...")
            print_status("Extracting emails from Baidu search results...")
            # Strip those HTML tags from the results, then extract the addresses with a regular expression
            response.gsub!(/<.?strong?[>]*>/, "")
            response.scan(/[A-Z0-9._%+-]+@#{targetdom}/i) do |t|
              emails << t.downcase
            end
            return emails.uniq
          end


          Post #9, 2013-10-09 19:33
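Added example, not part of the original posts: the tag-stripping and regex extraction step from the search method above, run over a constructed HTML sample. It shows why the highlight tags must be removed first and how interpolating the domain unescaped over-matches. The sample HTML, the placeholder domain `example.com` and the function names are assumptions made for illustration.

```ruby
# Added example, not from the thread. SAMPLE_HTML is constructed and
# example.com is a placeholder domain.
SAMPLE_HTML = <<~HTML
  <p>Contact alice@<strong>example.com</strong> or Bob.Smith@<strong>example.com</strong></p>
  <p>Unrelated hosts: carol@examplexcom.net, dave@example.com.cn</p>
  <p>Repeated entry: ALICE@example.com</p>
HTML

# Remove the highlight tags a results page wraps around the query term;
# they otherwise sit between "user@" and the domain and hide the address.
def strip_highlight(html)
  html.gsub(%r{</?(?:strong|em)\b[^>]*>}i, "")
end

# Pattern built the way the thread builds it: the domain is interpolated as
# regex source, so "." matches any character and longer host names match too.
def loose_matches(text, domain)
  text.scan(/[A-Z0-9._%+-]+@#{domain}/i).map(&:downcase).uniq.sort
end

# Stricter variant: escape the domain and reject a match that continues
# into a longer host name (for example "example.com.cn").
def strict_matches(text, domain)
  pattern = /[A-Z0-9._%+-]+@#{Regexp.escape(domain)}(?![A-Z0-9-]|\.[A-Z0-9])/i
  text.scan(pattern).map(&:downcase).uniq.sort
end

if __FILE__ == $PROGRAM_NAME
  clean = strip_highlight(SAMPLE_HTML)
  puts "loose:  #{loose_matches(clean, 'example.com').inspect}"
  puts "strict: #{strict_matches(clean, 'example.com').inspect}"
  puts "strict, tags left in: #{strict_matches(SAMPLE_HTML, 'example.com').inspect}"
end
```

The loose pattern reports addresses at two hosts that are not the audited domain, so any exposure count taken from it is inflated.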

            6. The run method
            def run
              if datastore['PROXY']
                @proxysrv,@proxyport = datastore['PROXY'].split(":")
                @proxyuser = datastore['PROXY_USER']
                @proxypass = datastore['PROXY_PASS']
              else
                @proxysrv,@proxyport = nil, nil
              end
              # Start the search, then extract and sort the results
              print_status("Harvesting emails .....")
              target = datastore['DOMAIN']
              emails = []
              emails << search_baidu(target)
              emails.flatten!
              emails.uniq!
              emails.sort!
              # Print the results and write them to the file, if one is set
              print_status("Located #{emails.length} email addresses for #{target}")
              emails.each do |e|
                print_status("\t#{e.to_s}")
              end
              write_output(emails.join("\n")) if datastore['OUTFILE']
            end


            Post #10, 2013-10-09 19:35

              Save the code under apps\pro\msf3\modules\auxiliary\gather in the installation directory.
              The file name is search_email_collector_baidu.rb
              Then just start Metasploit.


              Post #11, 2013-10-09 19:46

                Using the module we just wrote.
                1. Load the module
                use auxiliary/gather/search_email_collector_baidu
                2. List the options
                show options
                Name        Current Setting  Required  Description
                ----        ---------------  --------  -----------
                DOMAIN                       yes       The domain name to locate email addresses for
                OUTFILE                      no        A filename to store the generated email list
                PAGENUMBER  5                no        The page to locate email addresses for
                DOMAIN: the target email domain
                OUTFILE: the file to save to
                PAGENUMBER: how many pages of search results
                3. Set the parameters
                set DOMAIN 163.com
                set OUTFILE 163com.txt
                set PAGENUMBER 10
                4. Start collecting
                run


                Post #12, 2013-10-09 20:28

                  Run output:
                  [*] Harvesting emails .....
                  [*] Searching Baidu for email addresses from 163.com
                  [*] Get 10 Page
                  [*] 0 done...
                  [*] 100 done...
                  [*] 200 done...
                  [*] 300 done...
                  [*] 400 done...
                  [*] 500 done...
                  [*] 600 done...
                  [*] 700 done...
                  [*] 800 done...
                  [*] 900 done...
                  [*] All done...
                  [*] Extracting emails from Baidu search results...
                  [*] Located 406 email addresses for 163.com

                  Found 406 email addresses.


                  Post #13, 2013-10-09 20:43

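                    The generated result file is saved in the installation directory.
                    This is mainly for collecting email addresses at less common mail domains. For domains with a large number of email users, such as 163 or qq, if you want to collect mailboxes you might as well query a social-engineering database directly, since those hold a great many users' mailboxes.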


                    Post #14, 2013-10-09 20:47

                      File download:
                      http://pan.baidu.com/s/1FufSh


                      Post #15, 2013-10-09 22:27