Open Source Intelligence Through Messaging Apps

By Red Siege | August 19, 2019

During red team engagements, we try to gather information about our targets as quietly as possible. One piece of information that can be difficult to find is employee cell phone numbers. While researching a different subject, I stumbled across a way to correlate cell phone numbers with real people using Facebook Messenger.

Background

Recently, I had to reset my phone. When I reinstalled Signal, I went through all of the “*phone number* is on Signal!” messages and found that a friend I hadn’t spoken to in a while was on the list. I didn’t realize I still had his number in my contacts. This got me to thinking: if I had every phone number in a block in my contacts, could I start mapping every Signal user? Also, would this work for other messaging services?

Virtual Machine Setup

To avoid filling up the contacts on my phone, I set up an Android x86 ISO in VirtualBox. ISOs for the operating system can be found at https://www.android-x86.org/download. During Signal account creation, I knew that a text message confirmation would be required before I would be given a valid account. I had tried to use a free throw-away SMS site in the past but the confirmation text never came through. My remaining options were to buy a cheap SIM card, set up a Google Voice number, or set up a Twilio phone number. I chose to go with a Twilio number since it would be easier to generate extra phone numbers as necessary. To receive confirmation messages, I set up text message and phone call forwarding on Twilio to my cell phone.

Contacts Setup

Next, I needed a block of phone numbers that would largely contain cell phones. A lot of the reverse phone number lookup sites were a waste of time and would not verify the carrier associated with the number. I found that the site http://www.peoplebyname.com would show the carrier without having to pay for the results. This site also provided a list of phone number prefixes for each area code.

People By Name Number Search

Once I had chosen an area code and prefix, the final part of setup was to create a VCard file with all possible phone numbers in the suffix block. I exported a contact from my phone and opened the VCard file (.vcf) in a text editor to see what kind of format I would need. I then created a Bash one-liner to iterate through all possible numbers in a block and output them to a VCard file.

for i in {0000..9999}; do echo -e "BEGIN:VCARD\r\nVERSION:2.1\r\nN:$i;200;;704;\r\nFN:704 200$i\r\nTEL;CELL:704200$i\r\nEND:VCARD\r\n" >> 704200.vcf; done

Android imported the contacts after opening the VCard file and I was ready to start going through the messaging apps.

Android VCard Import

Results

I started with Signal Messenger. Within a few minutes, messages started showing up telling me different contacts were on Signal. I did not receive messages for every valid Signal account in my Android contacts list. However, when I went to start a new message in Signal, the valid numbers showed up at the top of the Signal Messenger contacts list. Overall, I found 31 Signal accounts in this cell phone block.

New Contacts in Signal

Next, I signed up for Telegram. I had trouble receiving the confirmation text message but the automated call came through without a problem. Almost immediately after giving access to my contacts, I started getting messages about which phone numbers were on Telegram. In total, 35 Telegram accounts were shown in the app. Some of these had profile pictures with the person’s real face. While this doesn’t directly give us their true identity, it can help when continuing searches with tools such as Maltego or Intel Techniques’ resources.

New Contacts in Telegram

WhatsApp had similar results to Telegram but with a much larger portion of my contacts. After importing my contacts, the app showed that 1492 of my contacts were valid. Again, some of the phone numbers had real pictures and profiles associated with their accounts. This doesn’t give us a direct correlation with their identity but it confirms a large number of valid cell phone numbers and profile pictures that can be cross-referenced against other open source intelligence resources.

New Contacts in WhatsApp

The final messenger app I tried was Facebook Messenger. As expected, a large number of my contacts were confirmed to be on the service. The Messenger app also started matching up phone numbers to actual names! While not all of the profile names were accurate, a large number of them seemed to be real names with profile pictures. 751 of my contacts were found to be on the service and, of those, 149 different numbers showed the “In your phone contacts as *phone number*” message. After the initial import, the app stopped showing these messages in the “Add Contacts” area. I’ll have to figure out a way to capture the requests and pull out the name – phone number pairs or see if there’s an API to pull this information from directly.

Numbers to Names

Conclusion

| Messaging App | Information Gathered |
| --- | --- |
| Signal Messenger | • 31 cell phone numbers |
| Telegram | • 35 cell phone numbers • 9 profile pictures of real people |
| WhatsApp | • 1492 cell phone numbers • Hundreds of profiles with pictures of real people |
| Facebook Messenger | • 751 cell phone numbers • 149 cell phone numbers matched to real names • Most profiles contained information such as current occupation, college/school they went to, and their current home city |

I found it very interesting to see just how easily I could start gathering information about people through the messaging apps they use. Now that I know these apps can be used in this manner, I want to continue researching for a way to pull this information into a more digestible form. I feel like I’ve only scratched the surface of what is possible to pull and look forward to future research.
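From the service operator's side, the import described in this post has a recognisable shape: a single account's address book covering most of one area-code/prefix block. The Python below is an added example, not code from the original post, that scores a vCard upload for that pattern; the thresholds, function names and 555-prefixed sample numbers are constructed assumptions, and only 10-digit NANP numbers are handled.

```python
import re
from collections import defaultdict

# Assumed thresholds (not from the post); tune them against real upload data.
MAX_BLOCK_COVERAGE = 0.05  # share of one area-code/prefix block (10,000 suffixes)
MAX_CONSECUTIVE_RUN = 25   # longest run of back-to-back numbers in one block

TEL_LINE = re.compile(r"^TEL[^:\r\n]*:(.+)$", re.IGNORECASE | re.MULTILINE)

def extract_numbers(vcf_text):
    """Return the set of 10-digit NANP numbers found in vCard TEL properties."""
    numbers = set()
    for raw in TEL_LINE.findall(vcf_text):
        digits = re.sub(r"\D", "", raw)
        if len(digits) == 11 and digits.startswith("1"):
            digits = digits[1:]  # drop the leading country code
        if len(digits) == 10:
            numbers.add(digits)
    return numbers

def longest_run(suffixes):
    """Length of the longest run of consecutive integers."""
    best = run = 0
    prev = None
    for s in sorted(suffixes):
        run = run + 1 if prev is not None and s == prev + 1 else 1
        best, prev = max(best, run), s
    return best

def score_upload(vcf_text):
    """Report coverage and run length per 6-digit block, with a verdict."""
    blocks = defaultdict(set)
    for number in extract_numbers(vcf_text):
        blocks[number[:6]].add(int(number[6:]))
    report = {}
    for prefix, suffixes in blocks.items():
        coverage, run = len(suffixes) / 10_000, longest_run(suffixes)
        report[prefix] = {"count": len(suffixes), "coverage": coverage, "longest_run": run,
                          "suspicious": coverage > MAX_BLOCK_COVERAGE or run > MAX_CONSECUTIVE_RUN}
    return report

def make_vcf(numbers):
    """Build constructed sample input in the vCard 2.1 layout used above."""
    return "".join(f"BEGIN:VCARD\r\nVERSION:2.1\r\nFN:Sample\r\nTEL;CELL:{n}\r\nEND:VCARD\r\n"
                   for n in numbers)

# Constructed samples using the fictional 555 area code.
ORGANIC = make_vcf(["+1 (555) 010-0142", "555-010-7731", "5550123456", "15550199999"])
FULL_BLOCK = make_vcf(f"555010{i:04d}" for i in range(10_000))

if __name__ == "__main__":
    for name, sample in (("organic", ORGANIC), ("full block", FULL_BLOCK)):
        print(name, score_upload(sample))
```

Checking both coverage and run length matters because an upload split into smaller sequential chunks stays under a coverage limit while still producing long consecutive runs.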
