What is GHunt?

Origin of the project

GHunt is an open-source Python tool focused on Google account OSINT. From an email, it pulls together the linked Gaia ID, the public Google profile, Maps contributions, public Calendar events and Play Games activity into a single report.

The original project is written in Python and requires Python 3.10 or newer. It runs as a command-line tool that you install locally, authenticate once through the GHunt Companion browser extension, and then drive from your terminal.

What GHunt actually does

GHunt does not crack passwords, it does not bypass two-factor authentication, and it does not scrape private content. It queries the same public endpoints that Google itself exposes, then stitches the responses together into a single dossier. The pivot key is the Gaia ID, a numeric identifier Google uses internally for every account, which stays stable even when the user renames the account.

From an email address, GHunt typically recovers:

• The public Google profile: display name, profile photo, cover photo, locale.
• The Gaia ID and other internal identifiers used by Google services.
• Whether the account is a personal Gmail or a Google Workspace account.
• Active Google services attached to the account.
• Public Google Maps contributions: reviews, photos, places added.
• Public Google Calendar events, when the account exposes a public calendar.
• The Play Games profile, when the user has one.

From there, GHunt can pivot. The Gaia ID acts as the key to chain lookups across Google's public services, so a single starting email can unfold into a multi-surface report without ever leaving the public side of Google.

Why people use it

GHunt sits in the toolkit of penetration testers, threat intelligence analysts, journalists and academic researchers. The common thread is that they need to attribute or characterize a Google identity quickly: confirming the owner of an email surfaced in a leak, mapping the public side of a social-engineering target during an authorized engagement, or validating a tip in an investigation.

The reason GHunt became the reference tool for this kind of work is that it is the only project that consistently chains Google's own services through their internal IDs, rather than scraping a profile page and hoping the markup does not change.

What ghunt.sh is

ghunt.sh is an independent reimplementation of GHunt, made usable from a browser. The original GHunt is shipped as a Python CLI; ghunt.sh rewrites the same lookups and exposes them through a web interface. You type an email in the box on the home page, the server runs the reimplemented flow against the public Google endpoints, and you get the consolidated report back in your browser. There is nothing to install, no Python to configure, no Companion extension to set up, no tokens to manage on your side.

The trade-off is that the lookups go through the credentials configured on the ghunt.sh side rather than your own. That is fine for most public-facing research and for getting a quick read on whether a deeper investigation is worth running locally with the original CLI.

What GHunt is not

GHunt is not a hacking tool in the sense the term is sometimes thrown around. It cannot log into an account, it cannot read DMs, it cannot recover passwords, it cannot bypass MFA, it cannot access content the account has kept private, it cannot pull location history. Every piece of data it returns is data the account owner has chosen, at some point, to make public through Google's own privacy settings.

If a target has a locked-down account with no public profile, no public reviews, no public calendar and no Play Games activity, GHunt will return very little. That is by design and that is also the safest property of the tool: it cannot give you what the target has not given the public.

Related reading

• Running GHunt online without installing anything
• ghunt.sh vs the original CLI: which one to use
• GHunt for Windows without Python or WSL
• GHunt Companion: what it is and when you do not need it