Open Source Intelligence Through Messaging Apps

During red team engagements, we try to gather information about our targets as quietly as possible. One piece of information that can be difficult to find is employee cell phone numbers. While researching a different subject, I stumbled across a way to correlate cell phone numbers with real people using Facebook Messenger.

Background

Recently, I had to reset my phone. When I reinstalled Signal, I went through all of the “*phone number* is on Signal!” messages and found that a friend I hadn’t spoken to in a while was on the list. I didn’t realize I still had his number in my contacts. This got me to thinking: if I had every phone number in a block in my contacts, could I start mapping every Signal user? Also, would this work for other messaging services?

Virtual Machine Setup

To avoid filling up the contacts on my phone, I set up an Android x86 ISO in VirtualBox. ISOs for the operating system can be found at https://www.android-x86.org/download. During Signal account creation, I knew that a text message confirmation would be required before I would be given a valid account. I had tried to use a free throw-away SMS site in the past but the confirmation text never came through. My remaining options were to buy a cheap sim card, set up a Google Voice number, or set up a Twilio phone number. I chose to go with a Twilio number since it would be easier to generate extra phone numbers as necessary. To receive confirmation messages, I set up text message and phone call forwarding on Twilio to my cell phone.

Contacts Setup

Next, I needed a block of phone numbers that would largely contain cell phones. A lot of the reverse phone number lookup sites were a waste of time and would not verify the carrier associated with the number. I found that the site http://www.peoplebyname.com would show the carrier without having to pay for the results. This site also provided a list of phone number prefixes for each area code.

Once I had chosen an area code and prefix, the final part of setup was to create a VCard file with all possible phone numbers in the suffix block. I exported a contact from my phone and opened the VCard file (.vcf) in a text editor to see what kind of format I would need. I then created a Bash one-liner to iterate through all possible numbers in a block and output them to a VCard file.

for i in {0000..9999}; do echo -e "BEGIN:VCARD\r\nVERSION:2.1\r\nN:$i;200;;704;\r\nFN:704 200$i\r\nTEL;CELL:704200i\r\nEND:VCARD\r\n" >> 704200.vcf; done

Android imported the contacts after opening the VCard file and I was ready to start going through the messaging apps.

Results

I started with Signal Messenger. Within a few minutes, messages started showing up telling me different contacts were on Signal. I did not receive messages for every valid Signal account in my Android contacts list. However, when I went to start a new message in Signal, the valid numbers showed up at the top of the Signal Messenger contacts list. Overall, I found 31 Signal accounts in this cell phone block.

Next, I signed up for Telegram. I had trouble receiving the confirmation text message but the automated call came through without a problem. Almost immediately after giving access to my contacts, I started getting messages about which phone numbers were on Telegram. In total, 35 Telegram accounts were shown in the app. Some of these had profile pictures with the person’s real face. While this doesn’t directly give us their true identity, it can help when continuing searches with tools such as Maltego or Intel Techniques’ resources.

WhatsApp had similar results to Telegram but with a much larger portion of my contacts. After importing my contacts, the app showed that 1492 of my contacts were valid.  Again, some of the phone numbers had real pictures and profiles associated with their accounts. This doesn’t give us a direct correlation with their identity but it confirms a large number of valid cell phone numbers and profile pictures that can be cross-referenced against other open source intelligence resources.  

The final messenger app I tried was Facebook Messenger. As expected, a large number of my contacts were confirmed to be on the service. The Messenger app also started matching up phone numbers to actual names! While not all of the profile names were accurate, a large number of them seemed to be real names with profile pictures. 751 of my contacts were found to be on the service and, of those, 149 different numbers showed the “In your phone contacts as *phone number*” message. After the initial import, the app stopped showing these messages in the “Add Contacts” area. I’ll have to figure out a way to capture the requests and pull out the name – phone number pairs or see if there’s an API to pull this information from directly.

Conclusion

I found it very interesting to see just how easily I could start gathering information about people through the messaging apps they use. Now that I know these apps can be used in this manner, I want to continue researching for a way to pull this information into a more digestible form. I feel like I’ve only scratched the surface of what is possible to pull and look forward to future research.