In the first part of this series, we explored options we typically use to discover domain names, subdomains, available services on those hosts, historical data on the target, and indicators of security and software suites in use. We will turn our focus now to employee discovery through OSINT methods using Wikipedia, Hunter.io, various methods using LinkedIn, and public breach data.
Links to posts in this series:
We’ll begin our employee recon with Wikipedia once again. While we typically won’t find email addresses on a company’s Wikipedia page, we can find other helpful information such as number of employees and names of high-ranking employees (C-Level employees, board members, etc). Another bit of information we look for on Wikipedia are recent awards or recognition. Examples include ‘Voted Best Place to Work’, celebrated a landmark anniversary, moved into a new Fortune 50/100/500 category, etc. These awards can be turned into pretexts when phishing the target’s employees.
Hunter.io compiles email addresses from open-source intelligence gathering and makes them searchable by domain. The search results will also show a most common email format pattern in the results. We use that pattern to rule out false positives found in other sources as well as when we brute force user enumeration at a later stage of the engagement.
The best source for employee names and email addresses nowadays is usually LinkedIn (rest in peace connect.data.com). To begin employee enumeration through LinkedIn, we start with the tool LinkedInt. LinkedInt uses a combination of LinkedIn API calls and Hunter.io searches to find the correct company. The tool then finds LinkedIn profiles registered with the domain you originally searched for and generates an HTML page with profile picture, name, email address, and job title. LinkedInt will not be able to completely map out an organization due to restrictions put in place by LinkedIn. As we will see soon, though, this can be bypassed.
Another tool we use is Peasant. Peasant has a lot of
the same functionality of LinkedInt but also provides functionality to blanket
a company with connection requests and spoof your profile to look like another.
For purely OSINT purposes, we can use Peasant like LinkedInt to gather employee
On a recent red team, we used Peasant to spoof our throwaway profile into looking like a recruiter at a reputable recruiting firm. We then blanketed multiple non-target organizations with connection requests to build up our profile and make it appear more reputable. Once we had a large number of connections, we started sending the target organization’s employees connection requests. In less than an hour, we had connections with over 100 of the target’s employees. LinkedIn allowed us to see the entire company’s employee list once we had established enough connections. Peasant was then able to harvest employee information for a larger portion of the target’s organization than LinkedInt. Generating all of these connections from a recruiter profile also created opportunities for social engineering. When the target’s employees started requesting information about the job opportunity that we originally messaged about, we were able to send malicious documents.
Another rich source of email addresses are public breach data dumps. Attackers will often sell or distribute email and password combinations once a website or company has been breached. Eventually, the data ends up on torrent sites, forums, and sites like HaveIBeenPwned, Dehashed, and Pastebin. While Red Siege is not advising anyone to download or own the dumps, the information is out there for anyone to find and use.
Using the methods described above, we would be able to gather a large set of email addresses and employee names from LinkedIn and Hunter.io, possible passwords and email addresses to try from public breach data, and general information about the size of the workforce from Wikipedia. Now that we understand how to find information about our target’s external hosts and employees manually, we will show some automated ways of gathering this information through theHarvester, Amass, and Recon-ng.
Related StoriesView More
Introduction to Sliver
By Red Siege | November 7, 2022
By: Justin Palk, Security Consultant Around the time Tim decided he was going to give a Siegecast on selecting a C2, I finished building out a test Windows AD domain […]Learn More
Moving beyond T4 – Deconstructing Nmap Tuning
By Red Siege | July 6, 2022
by Alex Norman, Senior Security Consultant Nmap -T4 -iL targets.txt This is a very common scan string that many people use to get initial recon done on assessments and, to […]Learn More
Creating a Simple Windows Domain for Offensive Testing: Part 4
By Red Siege | June 23, 2022
By: Justin Palk, Security Consultant This is part four of my series of blog posts on creating a windows domain for offensive security testing. In part 1, I stood up […]Learn More