LinkedIn2Username is an OSINT tool that generates username lists from companies on LinkedIn. What’s great about LinkedIn2Username is it’s easy to setup and doesn’t require an API key. You need only supply your LinkedIn username and password to operate it. One disclaimer before we get started is this tool will likely not deliver quality results from a pseudo/alias account unless you’ve built many connections through it. Additionally, LinkedIn will cap search results to 1000 employees so if you’re scrape a very large company, results will vary.
Emails are one of the easiest OSINT data points to pivot from. If you can discover a email, you can likely find a social media account, a username, or a phone number. They’re also incredibly useful for phishing campaigns and other red team operations. They’re also a data point that is unlikely to change. Users may change their username, profile photo, or description frequently, but they will unlikely change their email or phone number as often. Linked2Username will let you harvest emails at scale, simplifying your workflow.
Prerequisites to using LinkedIn2Username are Python 3.x and Git. LinkedIn2Username is a bit tricky to setup as it doesn’t provide a requirements.txt file; however, by viewing the script, you can see which modules it imports. In this case, you’ll likely only need to use pip to install requests and urllib. If you’re an OSINT power user, you’ll likely have these installed already. Once you have all the requirements installed, running the script is easy. After you’ve provided your login information, here are a few sample queries:
$ python linkedin2username.py email@example.com uber-com
$ python linkedin2username.py firstname.lastname@example.org uber-com -d 5 -n 'uber.com'
You can also explore the entire list of options by entering: python3 linkedin2username.py -h. It should look something like this:
usage: linkedin2username.py [-h] [-p PASSWORD] [-n DOMAIN] [-d DEPTH] [-s SLEEP] username company positional arguments: username A valid LinkedIn username. company Company name. optional arguments: -h, --help show this help message and exit -p PASSWORD, --password PASSWORD Specify your password on in clear-text on the command line. If not specified, will prompt and not display on screen. -n DOMAIN, --domain DOMAIN Append a domain name to username output. [example: '-n uber.com' would ouput email@example.com] -d DEPTH, --depth DEPTH Search depth. If unset, will try to grab them all. -s SLEEP, --sleep SLEEP Seconds to sleep between pages. defaults to 3. -x PROXY, --proxy PROXY HTTPS proxy server to use. Example: "-p https://localhost:8080" WARNING: WILL DISABLE SSL VERIFICATION. -k KEYWORDS, --keywords KEYWORDS Filter results by a a list of command separated keywords. Will do a separate loop for each keyword, potentially bypassing the 1,000 record limit. [example: "-k 'sales,human resources,information technology'] -g, --geoblast Attempts to bypass the 1,000 record search limit by running multiple searches split across geographic regions.
Run a few sample queries to see if everything it setup properly and if you’re getting the results you expect.
Here’s the big question. LinkedIn2Username will provide you with multiple name variations matching the email extension identified, but how do you know which email is valid? You can use a service called Hunter to test each name variation for validity. Using the “Verifier” tool in their toolkit, you’ll be able to see if an email address is able to receive emails or not. This will likely conclude that the email you gathered is usable.
There may be a situation where all emails provided are invalid. This may be a defensive mechanism by the corporation you’re collecting on. Some corporations randomly generate a username based on the accounts first and last name. For example, instead of using firstname.lastname@example.org, a company may use email@example.com or firstname.lastname@example.org. This will throw off your results as LinkedIn2Username currently only provides general combinations like:
- first.last: Usernames like Joe.Schmoe
- flast: Usernames like JSchmoe
- firstl: Usernames like JoeS
- first: Usernames like Joe
- lastf: Usernames like SchmoeJ
- rawnames: Full name like Joe Schmoe
So now that you can extract potential usernames from a target company at scale, what do you do with that information? There are many applications for this, but I’ll cover what I understand to be the most valuable application of this tool. If you are conducting a company wide phishing campaign as part of a red team operation, combining LinkedIn2Username, Hunter, and a phishing campaign tool like GoPhish will create impressive results. If you want to take your Phishing to the next level, you can conduct OSINT investigations on each discovered and verified user across social media to generate spearphishing campaigns that will likely have a higher conversion rate. GoPhish will capture all the data you need to produce a report that creates value.