OSINT 0x02 - LinkedIn is not just for jobs
Sup 0x00’ers, that’s right, I am back with another banger of an article, ready?
If you read my last article on OSINT, you’ll know a little bit about how to find dirt on companies and their assets, and how to do all of that passively. Now I am going to show you a little bit about researching individuals, specifically those who work at a particular company.
If you read the title, which I am sure you have, you’ll know that we’re going to utilize LinkedIn for this. LinkedIn really is a very very very useful tool for enumerating users, and their emails.
‘Generating’ email addresses
In my last article I mentioned a tool called hunter.io; you can use it to search for company email addresses, and it even gives you a breakdown of what it thinks the current email structure is for a company.
Stage 1 - Figure out the naming conventions
Let’s make up a fake company, say even google.com.
Now let’s assume we found a few emails with the format of [email protected], and then we see another email, [email protected]. We can soon start to get a feel for the kind of structure they’re using for emails, typically {first initial}{lastname}@{companyname}.com. This could vary from organisation to organisation, but we can quickly come up with the naming convention, and then we can move on to stage 2.
You can do this with hunter.io. Notice the ‘most common pattern’ section?
Stage 2 - Get the employees and Generate the Emails
This is where LinkedIn plays nicely with us. If we can get a list of first and last names of everybody working at a company, we can then take that information, feed it into a python script, and generate email addresses from the convention.
We can easily obtain these names through Google dorking. Try my new tool GoogLinked; when coupled with ProxyDock (another shameless plug), you can scrape Google all day with impunity.
One thing you’ll want to do before you run this is modify the script: at the moment it contains Microsoft and microsoft.com as the arguments, and you’ll want to change them to the company name (as shown on LinkedIn) and the company email domain name. In the above example, I piped all results into a file; otherwise it will just dump them onto the standard output.
Wow, that’s a lot of email addresses. Let’s take a look and see what it came back with.
So as you can see, there are a few generated email addresses. What this has done, under the hood, is use a Google Dork to capture the titles for each person who has Microsoft listed on their profile as a current or former employer. Then it applies the format defined in the run_search() function.
Notice that names.each section? Modify that depending on the format you discovered for the company (as we learned how to do in the section before). In this case, tarr[0] and tarr[-1] are firstname and lastname respectively. *
This script is one I use personally, and so I modify it myself; if you want to make a PR to add custom functionality, feel free.
* Note: things can get a bit wacky when middle names are introduced, so just know this is not a foolproof method.
Now you have these emails, the world is your oyster. Pass them into weleakinfo.com? (See my last article).
Bonus: Password Spraying
If you’re doing a pentest, you can use these emails to your advantage. Quite often, bruteforcing a company’s email with a single address and 100k passwords is a sure way to get blocked by a SIEM, or even to get the account locked, which impacts production (if you’re a pentester you’ll know the struggle :P), and we don’t want that.
One very unique way to achieve this, as taught to me by atoscher, is to try each email with a single password, such as Summer2018 or Fall2018. Many companies implement quarterly password rotation policies in the hope of making passwords more unpredictable and secure. What actually ends up happening is that people resort to using weaker passwords, as they can’t remember a new password every quarter. A very common result is people using passwords like Summer2018.
What else is cool about this method is that you can usually feed it through a load of VPNs (cough ProxyDock cough), and then try legitimate services like Gmail, microsoft link, SharePoint; the list can go on. Your chances of getting blocked, especially if you regularly rotate IP addresses, user agents, and individuals, are very low.
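From the defender's side, the shape just described (one guess per account, spread across many accounts, from rotating sources and user agents) is exactly what a spray detection should key on, and it is the opposite of the one-account-many-guesses pattern that lockout rules catch. The script below is my own added example, not code from the article or from any tool mentioned here; the log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (made up for this example, not real data).
# 08:00 bucket: six accounts fail once each from rotating sources and user agents.
# 09:30 bucket: one account fails three times from a single source.
SAMPLE_LOG = """\
2018-09-03T08:00:01 FAIL user=asmith src=198.51.100.10 ua=curl/7.61
2018-09-03T08:00:03 FAIL user=bjones src=198.51.100.11 ua=Mozilla/5.0
2018-09-03T08:00:05 FAIL user=cwhite src=203.0.113.5 ua=Mozilla/5.0
2018-09-03T08:00:07 FAIL user=dlee src=203.0.113.6 ua=python-requests
2018-09-03T08:00:09 FAIL user=efox src=198.51.100.12 ua=curl/7.61
2018-09-03T08:00:11 OK user=ffish src=203.0.113.7 ua=Mozilla/5.0
2018-09-03T08:00:13 FAIL user=gray src=198.51.100.13 ua=Mozilla/5.0
2018-09-03T09:30:00 FAIL user=asmith src=192.0.2.9 ua=curl/7.61
2018-09-03T09:30:01 FAIL user=asmith src=192.0.2.9 ua=curl/7.61
2018-09-03T09:30:02 FAIL user=asmith src=192.0.2.9 ua=curl/7.61
"""

def parse_line(line):
    """Split one log line into (timestamp, result, {field: value})."""
    ts, result, *pairs = line.split()
    return datetime.fromisoformat(ts), result, dict(p.split("=", 1) for p in pairs)

def classify_failures(log_text, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Bucket failed logins by time; return {bucket_start: (label, users, sources)}.

    'spray' = many distinct accounts fail, none more than max_per_user times;
    the low per-account count is what keeps a spray under lockout thresholds,
    so detection keys on account breadth, not on source IP or user agent.
    'bruteforce' = one account carries three or more failures in the bucket."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        ts, result, fields = parse_line(line)
        if result != "FAIL":
            continue
        midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
        buckets[ts - (ts - midnight) % window].append((fields["user"], fields["src"]))
    verdicts = {}
    for start, events in sorted(buckets.items()):
        per_user = defaultdict(int)
        for user, _ in events:
            per_user[user] += 1
        worst = max(per_user.values())
        if len(per_user) >= min_users and worst <= max_per_user:
            label = "spray"
        else:
            label = "bruteforce" if worst >= 3 else "normal"
        verdicts[start] = (label, len(per_user), len({src for _, src in events}))
    return verdicts
```

Fixed buckets can miss a spray that straddles a boundary, so a production rule would use a sliding window; the thresholds also need tuning to the organisation's normal failure rate.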
That’s all for this week 0x00’ers! Stay tuned, next week I am going to bring you “Active Recon - Deeper than Nmap”, the name might change, we’ll see.
Make sure you drop a comment if you loved this article, please like it if I helped you, and share this everywhere. The more shares we get on this article, the more people we can educate and bring to 0x00sec. Let’s see if we can get 1000 reads on this article!
Stay Snappy
- pry0cc