LinkedIn2Username – an OSINT Tool for Red Teams

Introduction

LinkedIn2Username is an OSINT tool that generates username lists from the employees a company lists on LinkedIn. What’s great about LinkedIn2Username is that it’s easy to set up and doesn’t require an API key; you need only supply your own LinkedIn username and password to operate it. One disclaimer before we get started: this tool will likely not deliver quality results from a pseudo/alias account unless you’ve built many connections through it. Additionally, LinkedIn caps search results at 1,000 employees, so if you scrape a very large company, results will vary.

Emails

Emails are one of the easiest OSINT data points to pivot from. If you can discover an email address, you can likely find a social media account, a username, or a phone number. They’re also incredibly useful for phishing campaigns and other red team operations, and they’re a data point that is unlikely to change: users may change their username, profile photo, or description frequently, but they rarely change their email address or phone number. LinkedIn2Username lets you build candidate email addresses at scale by combining harvested names with the target’s mail domain, simplifying your workflow.

LinkedIn2Username Setup

Prerequisites for using LinkedIn2Username are Python 3.x and Git. LinkedIn2Username is a bit tricky to set up as it doesn’t provide a requirements.txt file; however, by viewing the script, you can see which modules it imports. In this case, you’ll likely only need pip to install requests (urllib ships with Python’s standard library). If you’re an OSINT power user, you’ll likely have it installed already. Once you have the requirements installed, running the script is easy. You pass your LinkedIn username and the company name on the command line (the company is written as it appears in the company’s LinkedIn URL, so uber-com for linkedin.com/company/uber-com) and are prompted for your password. Here are a few sample queries:

$ python linkedin2username.py myname@email.com uber-com
$ python linkedin2username.py myname@email.com uber-com -d 5 -n 'uber.com'

You can also explore the entire list of options by entering: python3 linkedin2username.py -h.  It should look something like this:

usage: linkedin2username.py [-h] [-p PASSWORD] [-n DOMAIN] [-d DEPTH]
                            [-s SLEEP]
                            username company

positional arguments:
  username              A valid LinkedIn username.
  company               Company name.

optional arguments:
  -h, --help            show this help message and exit
  -p PASSWORD, --password PASSWORD
                        Specify your password in clear-text on the command
                        line. If not specified, will prompt and not display on
                        screen.
  -n DOMAIN, --domain DOMAIN
                        Append a domain name to username output. [example: '-n
                        uber.com' would output jschmoe@uber.com]
  -d DEPTH, --depth DEPTH
                        Search depth. If unset, will try to grab them all.
  -s SLEEP, --sleep SLEEP
                        Seconds to sleep between pages. defaults to 3.
  -x PROXY, --proxy PROXY
                        HTTPS proxy server to use. Example: "-x
                        https://localhost:8080" WARNING: WILL DISABLE SSL
                        VERIFICATION.
  -k KEYWORDS, --keywords KEYWORDS
                        Filter results by a list of comma-separated
                        keywords. Will do a separate loop for each keyword,
                        potentially bypassing the 1,000 record limit.
                        [example: "-k 'sales,human resources,information
                        technology'"]
  -g, --geoblast        Attempts to bypass the 1,000 record search limit by
                        running multiple searches split across geographic
                        regions.

Run a few sample queries to see if everything is set up properly and whether you’re getting the results you expect.

Verification

Here’s the big question. LinkedIn2Username will give you multiple username variations at the domain you supplied, but how do you know which email address is valid? You can use a service called Hunter to test each variation for validity. Using the “Verifier” tool in their toolkit, you’ll be able to see whether an address is able to receive mail. A deliverable result is a strong indication that the address you gathered is usable. Keep in mind that a domain configured as catch-all accepts mail for any address, so a verifier cannot confirm individual usernames there.

There may be a situation where every address generated is invalid. This may be a defensive choice by the corporation you’re collecting on: some companies derive usernames from the account holder’s first and last name in a non-obvious way. For example, instead of jakecreps@email.com, a company may use crepsjak@email.com or jacrep@email.com. If you manage to verify even one address in such a scheme, note which name comes first, how many characters of each are used and any separator, and regenerate the list yourself. Otherwise this will throw off your results, as LinkedIn2Username currently only provides general combinations like:

  • first.last: Usernames like Joe.Schmoe
  • flast: Usernames like JSchmoe
  • firstl: Usernames like JoeS
  • first: Usernames like Joe
  • lastf: Usernames like SchmoeJ
  • rawnames: Full name like Joe Schmoe
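To see what these formats produce from real-looking names, and what to do when a company’s scheme is not among them, here is an added Python example (not code from LinkedIn2Username or its author). It cleans LinkedIn-style names of titles, credentials, accents and punctuation, rebuilds the derived formats with an optional domain the way the -n option does, and then adds a step the tool does not have: given one address you have already verified (for example through Hunter), it infers the scheme as a prefix of one name, a separator and a prefix of the other, and regenerates every candidate in that scheme. The sample names, the separator set and the prefix model are assumptions of this example.

```python
import re
import unicodedata

# Constructed sample input, shaped like names scraped from LinkedIn.
SAMPLE_NAMES = [
    "Joe Schmoe",
    "Jake Creps",
    "María-José O'Neil",  # accent, hyphen and apostrophe
    "Dr. Ann Lee, PhD",   # title and credential
    "Cher",               # single word: no first/last pair
]
TITLES = {"dr", "mr", "mrs", "ms", "prof"}
SUFFIXES = {"phd", "md", "jr", "sr", "ii", "iii", "cpa", "mba"}
SEPARATORS = ("", ".", "_", "-")  # assumed separators for scheme inference

# The five derived formats the tool writes; rawnames is handled separately.
PATTERNS = {
    "first.last": lambda f, s: f"{f}.{s}",
    "flast": lambda f, s: f[0] + s,
    "firstl": lambda f, s: f + s[0],
    "first": lambda f, s: f,
    "lastf": lambda f, s: s + f[0],
}


def clean_name(raw):
    """(first, last) as lowercase ASCII with titles, credentials and punctuation
    removed ("María-José O'Neil" -> ("mariajose", "oneil")); None if no pair."""
    ascii_name = unicodedata.normalize("NFKD", raw).encode("ascii", "ignore").decode()
    tokens = [re.sub(r"[^a-z]", "", t.lower()) for t in re.split(r"[\s,]+", ascii_name)]
    tokens = [t for t in tokens if t and t not in TITLES and t not in SUFFIXES]
    return (tokens[0], tokens[-1]) if len(tokens) >= 2 else None


def generate(names, domain=None):
    """{format: [candidates]} in the tool's formats; domain mimics its -n option."""
    out = {p: [] for p in PATTERNS}
    out["rawnames"] = []
    for raw in names:
        pair = clean_name(raw)
        if pair is None:
            continue  # nothing to permute
        out["rawnames"].append(raw.strip())
        for fmt, fn in PATTERNS.items():
            user = fn(*pair)
            out[fmt].append(user if domain is None else f"{user}@{domain}")
    return {fmt: list(dict.fromkeys(v)) for fmt, v in out.items()}  # dedupe, keep order


def infer_scheme(first, last, known_local):
    """Explain a verified local part as <prefix of one name><sep><prefix of the other>.
    Returns ((a, b), (len_a, len_b), sep) with None meaning "whole name" (so "crepsjak"
    reads as last + first[:3], not last[:5] + first[:3]), or None if inexplicable."""
    local = known_local.lower()
    parts = {"first": first, "last": last}
    for a, b in (("first", "last"), ("last", "first")):
        for la in range(1, len(parts[a]) + 1):
            head = parts[a][:la]
            if not local.startswith(head):
                continue
            for sep in SEPARATORS:
                if not local.startswith(sep, len(head)):
                    continue
                rest = local[len(head) + len(sep):]
                for lb in range(len(parts[b]) + 1):
                    if parts[b][:lb] != rest or (lb == 0 and sep):
                        continue  # no match, or a dangling separator
                    lens = (None if la == len(parts[a]) else la,
                            None if lb == len(parts[b]) else lb)
                    return (a, b), lens, sep
    return None


def apply_scheme(first, last, scheme):
    """Render one name in an inferred scheme."""
    (a, b), (la, lb), sep = scheme
    parts = {"first": first, "last": last}
    head = parts[a] if la is None else parts[a][:la]
    tail = parts[b] if lb is None else parts[b][:lb]
    return head + sep + tail


def regenerate(names, known_name, known_local, domain=None):
    """Infer the scheme from one verified employee and apply it to every name."""
    pair = clean_name(known_name)
    scheme = infer_scheme(*pair, known_local) if pair else None
    if scheme is None:
        return None
    users = [apply_scheme(*p, scheme) for p in map(clean_name, names) if p]
    return [u if domain is None else f"{u}@{domain}" for u in users]


if __name__ == "__main__":
    for fmt, users in generate(SAMPLE_NAMES, "uber.com").items():
        print(fmt, users)
    # One address confirmed by a verifier reveals the real scheme for everyone else.
    print(regenerate(SAMPLE_NAMES, "Jake Creps", "crepsjak", "email.com"))
```

Running the file prints the six lists for the sample names and then the list regenerated from the known-good crepsjak address, where Joe Schmoe becomes schmoejoe. The prefix model treats a match of the full name as "the whole name" rather than a fixed length, so a scheme learned from a short surname still fits longer ones; if the verified address cannot be explained that way, regenerate returns None and you are back to verifying the standard formats one by one.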

OSINT Insight

So now that you can extract potential usernames from a target company at scale, what do you do with that information? There are many applications, but I’ll cover what I understand to be the most valuable one. If you are conducting a company-wide phishing campaign as part of a red team operation, combining LinkedIn2Username, Hunter, and a phishing campaign tool like GoPhish will produce impressive results. If you want to take your phishing to the next level, you can conduct OSINT investigations on each discovered and verified user across social media to build spearphishing campaigns that will likely have a higher conversion rate. GoPhish will capture all the data you need to produce a report that delivers value.

 
