Recon Methods Part 3 – OSINT Employee Discovery

By Red Siege | February 27, 2020

In the first part of this series, we explored options we typically use to discover domain names, subdomains, available services on those hosts, historical data on the target, and indicators of security and software suites in use. We will turn our focus now to employee discovery through OSINT methods using Wikipedia, Hunter.io, various methods using LinkedIn, and public breach data.

Links to posts in this series:

Recon Methods Part 1 – OSINT Host Discovery

Recon Methods Part 2 – OSINT Host Discovery Continued

Recon Methods Part 4 – Automated OSINT

Recon Methods Part 5 – Traffic on the Target

 

Wikipedia

We’ll begin our employee recon with Wikipedia once again.  While we typically won’t find email addresses on a company’s Wikipedia page, we can find other helpful information such as number of employees and names of high-ranking employees (C-Level employees, board members, etc). Another bit of information we look for on Wikipedia are recent awards or recognition. Examples include ‘Voted Best Place to Work’, celebrated a landmark anniversary, moved into a new Fortune 50/100/500 category, etc. These awards can be turned into pretexts when phishing the target’s employees.

Hunter.io

Hunter.io compiles email addresses from open-source intelligence gathering and makes them searchable by domain. The search results will also show a most common email format pattern in the results. We use that pattern to rule out false positives found in other sources as well as when we brute force user enumeration at a later stage of the engagement.

LinkedInt

The best source for employee names and email addresses nowadays is usually LinkedIn (rest in peace connect.data.com). To begin employee enumeration through LinkedIn, we start with the tool LinkedInt. LinkedInt uses a combination of LinkedIn API calls and Hunter.io searches to find the correct company. The tool then finds LinkedIn profiles registered with the domain you originally searched for and generates an HTML page with profile picture, name, email address, and job title. LinkedInt will not be able to completely map out an organization due to restrictions put in place by LinkedIn. As we will see soon, though, this can be bypassed.

Peasant

Another tool we use is Peasant. Peasant has a lot of
the same functionality of LinkedInt but also provides functionality to blanket
a company with connection requests and spoof your profile to look like another.
For purely OSINT purposes, we can use Peasant like LinkedInt to gather employee
profiles quietly.

On a recent red team, we used Peasant to spoof our throwaway profile into looking like a recruiter at a reputable recruiting firm. We then blanketed multiple non-target organizations with connection requests to build up our profile and make it appear more reputable. Once we had a large number of connections, we started sending the target organization’s employees connection requests. In less than an hour, we had connections with over 100 of the target’s employees. LinkedIn allowed us to see the entire company’s employee list once we had established enough connections. Peasant was then able to harvest employee information for a larger portion of the target’s organization than LinkedInt. Generating all of these connections from a recruiter profile also created opportunities for social engineering. When the target’s employees started requesting information about the job opportunity that we originally messaged about, we were able to send malicious documents.

Public
Breach Data

Another rich source of email addresses are public breach data dumps. Attackers will often sell or distribute email and password combinations once a website or company has been breached. Eventually, the data ends up on torrent sites, forums, and sites like HaveIBeenPwned, Dehashed, and Pastebin. While Red Siege is not advising anyone to download or own the dumps, the information is out there for anyone to find and use.  

Conclusion

Using the methods described above, we would be able to gather a large set of email addresses and employee names from LinkedIn and Hunter.io, possible passwords and email addresses to try from public breach data, and general information about the size of the workforce from Wikipedia. Now that we understand how to find information about our target’s external hosts and employees manually, we will show some automated ways of gathering this information through theHarvester, Amass, and Recon-ng.

Using Microsoft Dev Tunnels for C2 Redirection

By Red Siege | April 9, 2024

by Justin Palk, Senior Security Consultant   As penetration testers, we’re always on the lookout for new ways to get our command-and-control (C2) traffic out of a client’s network, evading […]

Learn More
Using Microsoft Dev Tunnels for C2 Redirection

SSHishing – Abusing Shortcut Files and the Windows SSH Client for Initial Access

By Red Siege | April 1, 2024

By: Alex Reid, Current Red Siege Intern   In the April 2018 release of Windows 10 version 1803, Microsoft announced that the Windows OpenSSH client would ship and be enabled […]

Learn More
SSHishing – Abusing Shortcut Files and the Windows SSH Client for Initial Access

Navigating Active Directory Security with EDD

By Red Siege | March 21, 2024

Tool developed by: Chris Truncer   Leverage EDD for Advanced Offensive Strategies EDD serves as a critical tool for offensive security professionals, enhancing domain reconnaissance with .NET efficiency. It facilitates a […]

Learn More
Navigating Active Directory Security with EDD

Find Out What’s Next

Stay in the loop with our upcoming events.