Reconnaissance using LinkedInt

Note: posted on June 2017

This post was originally published on https://www.mdsec.co.uk/blog/ while I was employed by MDSec Consulting Limited in the United Kingdom. It is mirrored on my own blog for archiving purposes.

A key step in an adversary simulation is the reconnaissance phase which almost always requires obtaining e-mail addresses for employees within the organisation. LinkedIn is probably one of the most widely used sources for reliable profiling of employees.

Although LinkedIn is a great source of information, few publicly available tools scrape it to produce a list of e-mail addresses. Existing tools either relied on the LinkedIn API or had stopped working because of the numerous user interface (UI) updates over the past year.

Improvements

The original scraper by Danny Chrastil was modified in the following ways to improve and suit ActiveBreach’s operational requirements for performance scraping of LinkedIn.

  • Fixed to work with the latest UI

  • Changed the query to use LinkedIn's company filter after automatically discovering the company ID.

  • Automated e-mail prefix detection for a given company domain name. This is used in scenarios where we are attacking a client and do not know their e-mail format.

  • Streamlined the process
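As an added illustration (not LinkedInt's own code), the e-mail prefix detection step can be modelled as matching one known address for the company against a set of candidate local-part formats, then applying the winning format to other names. The names, addresses and domain below are constructed sample values.

```python
import re

# Candidate local-part formats, keyed by a short label. Each builds the
# local part from a normalised (first, last) name pair.
FORMATS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast": lambda f, l: f"{f}{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "lastfirst": lambda f, l: f"{l}{f}",
    "f.last": lambda f, l: f"{f[0]}.{l}",
    "firstl": lambda f, l: f"{f}{l[0]}",
    "first": lambda f, l: f,
}


def normalise(name_part):
    """Lowercase and strip everything but a-z, so "O'Brien" -> "obrien"."""
    return re.sub(r"[^a-z]", "", name_part.lower())


def split_name(full_name):
    """Return (first, last) from a display name, or None if only one token."""
    parts = full_name.split()
    if len(parts) < 2:
        return None
    return normalise(parts[0]), normalise(parts[-1])


def detect_format(sample_email, full_name):
    """Return the format label that reproduces sample_email's local part
    for full_name, or None if no candidate format matches."""
    local = sample_email.split("@", 1)[0].lower()
    names = split_name(full_name)
    if names is None:
        return None
    first, last = names
    for label, build in FORMATS.items():
        if build(first, last) == local:
            return label
    return None


def build_email(label, full_name, domain):
    """Apply a detected format to another name; None if the name is unusable."""
    names = split_name(full_name)
    if names is None or label not in FORMATS:
        return None
    return f"{FORMATS[label](*names)}@{domain}"
```

A format that matches one sample is only a hypothesis; a second known address for the same domain should be checked against it before it is trusted.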

Preparation

For preparation purposes, a LinkedIn account needs to be created. All you have to do is take that new account and connect it with an active account that you use. That will then allow the account to see all your connections up to the 3rd degree. If the account cannot see many people in a target company it is suggested that you go ahead and connect to a few key members of their company that may have a lot of contacts — such as HR.

Streamlining Collection

The ideal scenario would be that the operator only has to enter a company name, all the intelligence gathering and scraping is performed automatically, and a list of e-mails comes out on the other end. LinkedInt is not at this level yet.

Currently the operator must navigate a number of choices and options within the tool. The following video shows an example usage:

Future Developments

In the future, we hope to develop this to the level where only the Company name is required and all other aspects are performed automatically with no intervention required. Furthermore, support for horizontal scraping and the ability to mass predict company names to company domains then convert these to email prefixes is a desired feature. We would also like to add Natural Language Processing (NLP) to discover the types of roles and departments that could allow us to separate departments and groups of employees for brief visualisation of relationships.

The ActiveBreach team found a reliable scraping method produced by Danny Chrastil (@DisK0nn3cT), which was available here. This tool was modified and improved upon for our requirements to streamline the process of collection.

Additionally, you will require a Hunter.io API key. You can register for one at https://hunter.io.

You can download LinkedInt from my GitHub page.

This blog post was written by @vysecurity.
