GHunt Review
Queries Google's internal APIs from the command line to extract account metadata from a Gmail address — name, photo, linked services, Maps reviews, and more — for free.
Quick Verdict
Best for investigators comfortable with Python who run frequent email lookups and don't need phone data or a web UI.
Pros
- Free and open source — no per-lookup cost regardless of volume
- Returns Google account name, profile photo, last active timestamp, and linked services when data is exposed
- Can investigate Google Drive document owners and public Calendar URLs, not just email addresses
- Same core methodology as Epieos — what you'd pay €19–149/mo for, minus the UI
Cons
- CLI only — no web interface, requires Python 3.10+ and periodic re-authentication
- Breaks when Google changes API behavior; fix timelines depend entirely on one maintainer
- No phone lookup — a meaningful gap vs Epieos
- Results vary widely by target privacy settings; some accounts return almost nothing
- No Holehe integration for cross-platform account existence checks
What GHunt Is
GHunt queries Google's internal APIs, extracting metadata from Gmail and Google accounts. It was created by French security researcher mxrch.
GHunt retrieves an account holder's name, profile photo, linked services, Maps contributions, and YouTube channel. The information is based on what the target has exposed through Google's sharing settings. There are no subscription or per-lookup charges. It is a CLI tool that runs against the same endpoints as Epieos, but without a commercial wrapper.
The current release is GHunt v2, a significant rewrite with a different authentication approach than v1. If you're looking at old documentation or tutorials, make sure they reference v2.
GHunt isn't a vulnerability exploit. It surfaces information that users made accessible through Google's settings. It automates querying endpoints that Google exposes for account enumeration, calendar sharing, Drive metadata, and related services.
What It's Good For
GHunt Use Cases
GHunt excels in specific scenarios.
GHunt is useful for determining Gmail ownership. The command ghunt email target@gmail.com quickly returns the owner's name, photo, and active services. If no results are found, the address may be a throwaway, and you can avoid wasting time on it.
GHunt can also find connections between a Gmail address and other Google services. It can uncover public Maps reviews and YouTube channels linked to a Gmail address, providing location data, behavioral patterns, and an OSINT lead.
Additionally, GHunt can identify the owner of a Google Drive document. The command ghunt drive extracts metadata from a shared Google Drive document and links it to an account.
GHunt can also pull information from a public Google Calendar. The command ghunt calendar retrieves event history, timezone, and account connections.
GHunt is suitable for bulk lookups. Its free and scriptable nature makes it a good fit for a list of email addresses, with no per-query costs.
Getting Started
Getting Started with GHunt
To start using GHunt, ensure you have Python 3.10 or higher and pip installed. Then run two commands in order: pip install ghunt, followed by ghunt login.
The tricky part is ghunt login. GHunt uses a Google session cookie from your own account. You'll need to grab a __Secure-1PSID cookie from a logged-in Chrome session and give it to GHunt. The tool guides you through this process. Just be aware you'll need to do this again when the session expires.
Core Commands
You can use GHunt with the following commands:
- ghunt email target@gmail.com to investigate an email address
- ghunt gaia to search by Google's internal ID
- ghunt drive to look up the owner of a Drive doc
- ghunt calendar to pull calendar metadata
Output appears in the terminal. For automation, GHunt can run as a local API server. Check the GitHub README for API mode details.
Keeping GHunt Working
Keep GHunt updated. Google API changes can break it without notice. Most empty result issues come from running an outdated version.
GHunt vs Epieos
GHunt and Epieos use similar Google enumeration methods, but they aren't identical. Key differences lie in their approaches.
GHunt seems more geared towards specific investigative workflows. Epieos casts a wider net.
One is more polished, the other prioritizes depth. You pick based on your case needs.
| Factor | GHunt | Epieos |
|---|---|---|
| Price | Free | €19–149/mo |
| Interface | CLI | Web UI |
| Google account enumeration | Yes | Yes |
| Phone lookup | No | Yes |
| Holehe (100+ site check) | No | Yes |
| Drive/Calendar investigation | Yes | No |
| API access | Local server mode | Pro/Elite tiers |
| Setup required | Python, cookie auth | Browser login only |
| Re-authentication | Periodic, manual | Handled automatically |
| Breakage risk | Google API changes; fix depends on mxrch | Same risk; Epieos absorbs it |
| Maintainer | Single (mxrch) | Commercial team |
| Data returned when working | Name, photo, last active, services, Maps, YouTube, Calendar | Name, photo, last active, Holehe hits, phone carrier |
GHunt fits when you handle volume, are scripting in Python, and need no phone data.
Epieos brings value with a user interface, phone data, and zero maintenance on your end; that's what you pay for.
Pricing
GHunt is free and open-source, MIT-licensed. There are no tiers, no limits, and no API fees. You only pay in setup and maintenance time, and you have to shrug off the occasional breakage when Google changes something.
Limitations
- Single maintainer, no SLA: GHunt is a personal open-source project. When Google changes API behavior, GHunt breaks until mxrch releases a fix. This timeline can range from a few days to a few weeks.
- Re-authentication is friction at scale: The Google session cookie authentication works, but it expires. For a practitioner who uses GHunt daily, this is a minor inconvenience. For someone who comes back to it after two weeks away, it's a mandatory setup step before the first query runs.
- Results depend entirely on target privacy settings: A target who has set their Google account to maximum privacy returns almost nothing. The tool isn't broken; it's working as expected. However, the hit rate across a cold list of email addresses will vary widely.
- No phone lookup: GHunt doesn't provide carrier identification or social account linkage from a phone number. Epieos and OSINT Industries cover this; GHunt does not.
- No Holehe integration: GHunt is scoped to Google's ecosystem. For cross-platform site existence checking, Holehe is the tool — either standalone or through Epieos.
Alternatives
- Epieos: A commercial UI wrapping the same Google enumeration methodology, plus phone lookup and Holehe integration. Choose Epieos when you need a web interface, phone data, or reliability guarantees.
- Holehe: A free, open-source, command-line tool that checks 100+ platforms for account existence from an email address. Use Holehe for site-existence checking.
- OSINT Industries: A broader multi-source intelligence platform that includes breach data, social account mapping, international phone data, and historical records. Priced at $275/mo.
- Maigret: A username-based OSINT tool that checks 3,000+ sites. Use Maigret when you have a username rather than an email address.
Bottom Line
GHunt is a solid choice for Google account enumeration. It's free and runs on Python. You'll need to handle some setup and occasional breakdowns.
The main question is whether you're okay with the technical hurdles and some downtime. If you're doing many investigations and don't need to look up phone numbers, GHunt saves you money compared to Epieos.
If you prefer a user interface, need phone data, or want a hassle-free tool, consider Epieos Basic. The cost is €19 a month, which is reasonable for the convenience.
See Also
Breach Lookup Tools for OSINT
When investigating an identity, breach data can provide valuable context. You want to know if an email or username has been compromised.
What Breach Lookup Tools Do
Breach lookup tools search aggregated breach data, which includes email addresses, usernames, and sometimes passwords.
Top Breach Lookup Tools
The top breach lookup tools are Have I Been Pwned, BreachDirectory, and DeHashed. Have I Been Pwned checks email addresses and domains against known breaches, and it's a popular choice for verifying breach data. BreachDirectory offers a searchable database of breached credentials, searchable by email, username, or phone number. DeHashed provides access to breached data, including email addresses, usernames, and passwords.
Using Breach Lookup Tools
You start with an email or username, then check it against a breach lookup tool. The results show if the identity has been compromised.
Best Practices
Don't assume breach data is complete; gaps exist. Combine breach data with other OSINT techniques.
Further Reading
Tool Relationships
Similar Tools
ExifTool
The definitive open source tool for extracting hidden metadata from images, video, and documents.
Sherlock
Hunt usernames across 400+ social networks simultaneously with no API keys or accounts required.
Have I Been Pwned
The fastest way to confirm whether an email address appears in known data breaches — free, accurate, and maintained by a single researcher who vets every dataset.
Awesome OSINT
A massive, investigator-friendly directory for finding the right OSINT tools before you waste time using the wrong ones.
This review reflects testing as of 2026-04-02. OSINT tools change frequently — check the vendor's current documentation for pricing and feature updates.