Recon Methods Part 3 – OSINT Employee Discovery

In the first part of this series, we explored options we typically use to discover domain names, subdomains, available services on those hosts, historical data on the target, and indicators of security and software suites in use. We will turn our focus now to employee discovery through OSINT methods using Wikipedia, Hunter.io, various methods using LinkedIn, and public breach data.

Links to posts in this series:

Recon Methods Part 1 – OSINT Host Discovery

Recon Methods Part 2 – OSINT Host Discovery Continued

Recon Methods Part 4 – Automated OSINT

Recon Methods Part 5 – Traffic on the Target

Wikipedia

We’ll begin our employee recon with Wikipedia once again.  While we typically won’t find email addresses on a company’s Wikipedia page, we can find other helpful information such as number of employees and names of high-ranking employees (C-Level employees, board members, etc). Another bit of information we look for on Wikipedia are recent awards or recognition. Examples include ‘Voted Best Place to Work’, celebrated a landmark anniversary, moved into a new Fortune 50/100/500 category, etc. These awards can be turned into pretexts when phishing the target’s employees.

Hunter.io

Hunter.io compiles email addresses from open-source intelligence gathering and makes them searchable by domain. The search results will also show a most common email format pattern in the results. We use that pattern to rule out false positives found in other sources as well as when we brute force user enumeration at a later stage of the engagement.

LinkedInt

The best source for employee names and email addresses nowadays is usually LinkedIn (rest in peace connect.data.com). To begin employee enumeration through LinkedIn, we start with the tool LinkedInt. LinkedInt uses a combination of LinkedIn API calls and Hunter.io searches to find the correct company. The tool then finds LinkedIn profiles registered with the domain you originally searched for and generates an HTML page with profile picture, name, email address, and job title. LinkedInt will not be able to completely map out an organization due to restrictions put in place by LinkedIn. As we will see soon, though, this can be bypassed.

Peasant

Another tool we use is Peasant. Peasant has a lot of
the same functionality of LinkedInt but also provides functionality to blanket
a company with connection requests and spoof your profile to look like another.
For purely OSINT purposes, we can use Peasant like LinkedInt to gather employee
profiles quietly.

On a recent red team, we used Peasant to spoof our throwaway profile into looking like a recruiter at a reputable recruiting firm. We then blanketed multiple non-target organizations with connection requests to build up our profile and make it appear more reputable. Once we had a large number of connections, we started sending the target organization’s employees connection requests. In less than an hour, we had connections with over 100 of the target’s employees. LinkedIn allowed us to see the entire company’s employee list once we had established enough connections. Peasant was then able to harvest employee information for a larger portion of the target’s organization than LinkedInt. Generating all of these connections from a recruiter profile also created opportunities for social engineering. When the target’s employees started requesting information about the job opportunity that we originally messaged about, we were able to send malicious documents.

Public
Breach Data

Another rich source of email addresses are public breach data dumps. Attackers will often sell or distribute email and password combinations once a website or company has been breached. Eventually, the data ends up on torrent sites, forums, and sites like HaveIBeenPwned, Dehashed, and Pastebin. While Red Siege is not advising anyone to download or own the dumps, the information is out there for anyone to find and use.  

Conclusion

Using the methods described above, we would be able to gather a large set of email addresses and employee names from LinkedIn and Hunter.io, possible passwords and email addresses to try from public breach data, and general information about the size of the workforce from Wikipedia. Now that we understand how to find information about our target’s external hosts and employees manually, we will show some automated ways of gathering this information through theHarvester, Amass, and Recon-ng.