OSINT 0x02 - LinkedIn is not just for jobs


(Command-Line Ninja) #1

Sup 0x00’ers, that’s right, I am back with another banger of an article, ready?

If you read my last article on OSINT, you’ll know a little bit on how to find dirt on companies, their assets, and how to do all of that passively. Well now I am going to show you a little bit about researching individuals, and specifically those who work at a specific company.

If you read the title, which I am sure you have, you’ll know that we’re going to utilize LinkedIn for this. LinkedIn really is a very very very useful tool for enumerating users, and their emails.

‘Generating’ email addresses

In my last article, I mentioned a tool called hunter.io. You can use it to search for company email addresses, and it even gives you a breakdown of what it thinks the current email structure is for a company.

Stage 1 - Figure out the naming conventions

Let's make up a fake company, say even google.com.

Now let's assume we found a few emails with the format [email protected], and then we see another email, [email protected]. We can soon start to get a feel for the kind of structure they're using for emails, typically {first initial}{lastname}@{companyname}.com. This could vary from organisation to organisation, but we can quickly come up with the naming convention, and then we can move on to stage 2.

You can do this with hunter.io. Notice the ‘most common pattern’ section?

Stage 2 - Get the employees and Generate the Emails

This is where LinkedIn plays nicely with us. If we can get a list of first and last names of everybody working at a company, we can then take that information and feed it into a Python script, and generate email addresses from the convention.

We can easily obtain these names through Google dorking. Try my new tool GoogLinked; when coupled with ProxyDock (another shameless plug), you can scrape Google all day with impunity.

One thing you'll want to do before you run this is modify the script: at the moment it contains Microsoft and microsoft.com as the arguments, and you'll want to change these to the "company name" (as shown on LinkedIn) and the company email domain name. In the above example, I piped all results into a file; otherwise it will just dump them onto standard output.

[screenshot]

Wow, that's a lot of email addresses. Let's take a look and see what it came back with.

[screenshot]

So as you can see, there are a few generated email addresses. What this has done under the hood is use a Google dork to capture the titles of each person who has Microsoft listed in their profile as a current or previous employer. Then it takes the format defined in the run_search() function.

Notice that names.each section? Modify that depending on the format you discovered for the company (as we learned how to do in the section before). In this case, tarr[0] and tarr[-1] are the first name and last name respectively. *

This script is one I use personally, and so I modify it myself; if you want to make a PR to add custom functionality, feel free.

* Note: things can get a bit whacky when middle names are introduced, so just know this is not a foolproof method.

Now you have these emails, the world is your oyster. Pass them into weleakinfo.com? (See my last article).

Bonus: Password Spraying

If you're doing a pentest, you can use these emails to your advantage. Quite often, bruteforcing a company's email with a single email and 100k passwords is your way to getting blocked by a SIEM, or even getting the account locked, which impacts production (if you're a pentester you'll know the struggle :P), which we don't want.

One very unique way to achieve this, as taught to me by atoscher, is to try each email with a single password, such as Summer2018 or Fall2018. Many companies implement quarterly password rotation policies in the hope of making passwords more unpredictable and secure. What actually ends up happening is people resort to using weaker passwords, as they can't remember a new password every quarter. A very common result of this is people using passwords like Summer2018.

What else is cool about this method is you can usually feed it through a load of VPNs (cough ProxyDock cough) and then try legitimate services like Gmail, Microsoft Link, SharePoint; the list can go on. Your chances of getting blocked, especially if you regularly rotate IP addresses, user agents, and individuals, are very low.

That’s all for this week 0x00’ers! Stay tuned, next week I am going to bring you “Active Recon - Deeper than Nmap”, the name might change, we’ll see.

Make sure you drop a comment if you loved this article, please like it if I helped you, and share this everywhere. The more shares we get on this article, the more people we can educate and bring to 0x00sec. Let's see if we can get 1000 reads on this article!

Stay Snappy :wink:

- pry0cc
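As an added example, not GoogLinked's own code and not part of the original post, here is a small Ruby script that does the "Stage 2" step described above: it takes scraped name strings and a naming convention discovered in "Stage 1" and produces candidate addresses, treating the first and last tokens the way the post's tarr[0] / tarr[-1] does, and dealing with the middle-name caveat from the footnote (middle names, initials, credentials after a comma, and suffixes like "Jr." are dropped). The pattern keys, the SAMPLE_NAMES list and the example.com domain are constructed assumptions for illustration. A defender can run the same thing over their own directory export to see how guessable their staff addresses are from public profile data.

```ruby
# Added example (not GoogLinked's code). Applies a discovered email
# convention to scraped "First [Middle] Last" names. Pattern names,
# SAMPLE_NAMES and the domain below are assumptions for illustration.

# Supported conventions; the key is the hunter.io-style pattern string.
PATTERNS = {
  "{f}{last}"      => ->(f, l) { "#{f[0]}#{l}" },   # jdoe
  "{first}.{last}" => ->(f, l) { "#{f}.#{l}" },     # jane.doe
  "{first}{l}"     => ->(f, l) { "#{f}#{l[0]}" },   # janed
  "{last}{f}"      => ->(f, l) { "#{l}#{f[0]}" },   # doej
  "{first}"        => ->(f, _l) { f },              # jane
}.freeze

# Generational suffixes and credentials that often trail a LinkedIn name.
SUFFIXES = %w[jr sr ii iii iv phd md cissp].freeze

# Lower-case and strip anything that is not a letter (dots, hyphens, apostrophes).
def normalize_token(tok)
  tok.downcase.gsub(/[^a-z]/, "")
end

# Reduce a scraped string to [first, last], or nil if no usable pair exists.
# Scraped titles often look like "Jane Q. Doe - Engineer at Example Corp"
# or "Mary-Anne O'Neil, CISSP"; only the part before " - " / "," is the name.
def split_name(full)
  name = full.split(/\s+[-|\u2013]\s+/).first.to_s
  name = name.split(",").first.to_s
  tokens = name.split(/\s+/).map { |t| normalize_token(t) }.reject(&:empty?)
  tokens.pop while tokens.size > 1 && SUFFIXES.include?(tokens.last)
  return nil if tokens.size < 2   # single-word names cannot fit a first/last convention
  [tokens.first, tokens.last]     # middle names and initials are ignored (tarr[0] / tarr[-1])
end

# Generate de-duplicated candidate addresses for one convention.
def generate_emails(names, domain, pattern)
  fmt = PATTERNS.fetch(pattern) { raise ArgumentError, "unknown pattern #{pattern}" }
  names.map { |n| split_name(n) }
       .compact
       .map { |first, last| "#{fmt.call(first, last)}@#{domain}" }
       .uniq
end

# Constructed sample input (not real people), in the shapes a scrape returns.
SAMPLE_NAMES = [
  "Jane Doe - Software Engineer at Example Corp",
  "John Q. Public",
  "Mary-Anne O'Neil, CISSP",
  "Robert Smith Jr.",
  "Madonna",
].freeze

if __FILE__ == $PROGRAM_NAME
  puts generate_emails(SAMPLE_NAMES, "example.com", "{f}{last}")
end
```

Run it with `ruby emails.rb` and swap the pattern key for whichever convention hunter.io's "most common pattern" section reports. Note that "Madonna" produces nothing rather than a malformed address, which is the behaviour you want when a scrape contains mononyms or page titles that are not names at all.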


(haalim) #2

awesome stuff…


(fxbg) #3

Do you have a suggestion for the phone verification with hunter.io? Apparently they don’t allow VOIP phones to be used, since it’s the only type of phone service I use. Also, this happened, “Delivery failed : You requested too many codes. Contact us if you think the error in on our side.”

Maybe hunter.io shouldn’t be relied on so heavily. I also tested some of the emails, and a lot of them are fake or no longer exist.


(Command-Line Ninja) #4

This is used for phishing campaigns, or for simple password reuse/spraying, as well as leak recon. Not for a fully 100% accurate database of emails. Hunter is a great place to start. And you could always use your real phone.

Hope this helps :slight_smile:


(fxbg) #5

I don’t have a “real phone” and don’t plan on getting a “real phone”, since security is pretty lackadaisical with major (even minor) phone carriers.

I am still confused as to how fake emails are helping in a pentest? Even looking at some of the emails, one of them has a comma in it. It would seem a bit redundant to pay for a service that generates fake emails or uses emails that are no longer a valid address. (not to mention without giving them a cell phone number you can’t even use the service)

Maybe you know another method that works instead of using hunter.io?


(Frey) #6

Hm… interesting stuff, but couldn’t you just create your own email ‘wordlist’ using a script instead of scraping google? I mean that would be time consuming but if you know the pattern then doing that should be easier. Maybe something to look into?

P.S. I could do this using Perl if need be or use already pre-existing tools (looking at you crunch)


(Command-Line Ninja) #7

This seems like people are misunderstanding how this works.

This is pulling names from LinkedIn, and guessing email addresses from those names. Assuming they have an email address for their company.


(Frey) #8

I see now. Sorry for misinterpreting.


(Command-Line Ninja) #9

This topic was automatically closed after 30 days. New replies are no longer allowed.