Open Source Intelligence Through Messaging Apps

By Red Siege | August 19, 2019

During red team engagements, we try to gather information about our targets as quietly as possible. One piece of information that can be difficult to find is employee cell phone numbers. While researching a different subject, I stumbled across a way to correlate cell phone numbers with real people using Facebook Messenger.


Recently, I had to reset my phone. When I reinstalled Signal, I went through all of the “*phone number* is on Signal!” messages and found that a friend I hadn’t spoken to in a while was on the list. I didn’t realize I still had his number in my contacts. This got me to thinking: if I had every phone number in a block in my contacts, could I start mapping every Signal user? Also, would this work for other messaging services?

Virtual Machine Setup

To avoid filling up the contacts on my phone, I set up an Android x86 ISO in VirtualBox. ISOs for the operating system can be found at During Signal account creation, I knew that a text message confirmation would be required before I would be given a valid account. I had tried to use a free throw-away SMS site in the past but the confirmation text never came through. My remaining options were to buy a cheap sim card, set up a Google Voice number, or set up a Twilio phone number. I chose to go with a Twilio number since it would be easier to generate extra phone numbers as necessary. To receive confirmation messages, I set up text message and phone call forwarding on Twilio to my cell phone.

Contacts Setup

Next, I needed a block of phone numbers that would largely contain cell phones. A lot of the reverse phone number lookup sites were a waste of time and would not verify the carrier associated with the number. I found that the site would show the carrier without having to pay for the results. This site also provided a list of phone number prefixes for each area code.

People By Name Number Search

Once I had chosen an area code and prefix, the final part of setup was to create a VCard file with all possible phone numbers in the suffix block. I exported a contact from my phone and opened the VCard file (.vcf) in a text editor to see what kind of format I would need. I then created a Bash one-liner to iterate through all possible numbers in a block and output them to a VCard file.

for i in {0000..9999}; do echo -e "BEGIN:VCARD\r\nVERSION:2.1\r\nN:$i;200;;704;\r\nFN:704 200$i\r\nTEL;CELL:704200i\r\nEND:VCARD\r\n" >> 704200.vcf; done

Android imported the contacts after opening the VCard file and I was ready to start going through the messaging apps.

Android VCard Import


I started with Signal Messenger. Within a few minutes, messages started showing up telling me different contacts were on Signal. I did not receive messages for every valid Signal account in my Android contacts list. However, when I went to start a new message in Signal, the valid numbers showed up at the top of the Signal Messenger contacts list. Overall, I found 31 Signal accounts in this cell phone block.

New Contacts in Signal

Next, I signed up for Telegram. I had trouble receiving the confirmation text message but the automated call came through without a problem. Almost immediately after giving access to my contacts, I started getting messages about which phone numbers were on Telegram. In total, 35 Telegram accounts were shown in the app. Some of these had profile pictures with the person’s real face. While this doesn’t directly give us their true identity, it can help when continuing searches with tools such as Maltego or Intel Techniques’ resources.

New Contacts in Telegram

WhatsApp had similar results to Telegram but with a much larger portion of my contacts. After importing my contacts, the app showed that 1492 of my contacts were valid.  Again, some of the phone numbers had real pictures and profiles associated with their accounts. This doesn’t give us a direct correlation with their identity but it confirms a large number of valid cell phone numbers and profile pictures that can be cross-referenced against other open source intelligence resources.  

New Contacts in WhatsApp

The final messenger app I tried was Facebook Messenger. As expected, a large number of my contacts were confirmed to be on the service. The Messenger app also started matching up phone numbers to actual names! While not all of the profile names were accurate, a large number of them seemed to be real names with profile pictures. 751 of my contacts were found to be on the service and, of those, 149 different numbers showed the “In your phone contacts as *phone number*” message. After the initial import, the app stopped showing these messages in the “Add Contacts” area. I’ll have to figure out a way to capture the requests and pull out the name – phone number pairs or see if there’s an API to pull this information from directly.

Numbers to Names


Messaging App Information Gathered
Signal Messenger • 31 cell phone numbers
Telegram • 35 cell phone numbers
• 9 profile pictures of real people
WhatsApp • 1492 cell phone numbers
• Hundreds of profiles with pictures of real people
Facebook Messenger • 751 cell phone numbers
• 149 cell phone numbers matched to real names
• Most profiles contained information such as current occupation, college/school they went to, and their current home city

I found it very interesting to see just how easily I could start gathering information about people through the messaging apps they use. Now that I know these apps can be used in this manner, I want to continue researching for a way to pull this information into a more digestible form. I feel like I’ve only scratched the surface of what is possible to pull and look forward to future research.

Adventures in Shellcode Obfuscation! Part 1: Overview

By Red Siege | June 17, 2024

by Mike Saunders, Principal Security Consultant This blog is the first in a series of articles on methods for obfuscating shellcode. I’ll be focusing on how to obfuscate shellcode to […]

Learn More
Adventures in Shellcode Obfuscation! Part 1: Overview

Fun With JWT X5u

By Red Siege | May 30, 2024

by Senior Security Consultant Douglas Berdeaux On a recent web application penetration test engagement, I came across a JSON Web Token (JWT) that contained an x5u header parameter. I almost […]

Learn More
Fun With JWT X5u

Extend Your Browser

By Red Siege | May 9, 2024

by Ian Briley, Security Consultant In my last blog, I discussed using only a browser for web application testing, emphasizing how useful built-in browser tools like the Inspector and Console […]

Learn More
Extend Your Browser

Find Out What’s Next

Stay in the loop with our upcoming events.