In the first part of this series, we explored options we typically use to discover domain names, subdomains, available services on those hosts, historical data on the target, and indicators of security and software suites in use. We will turn our focus now to employee discovery through OSINT methods using Wikipedia, Hunter.io, various methods using LinkedIn, and public breach data.
Links to posts in this series:
We’ll begin our employee recon with Wikipedia once again. While we typically won’t find email addresses on a company’s Wikipedia page, we can find other helpful information such as number of employees and names of high-ranking employees (C-Level employees, board members, etc). Another bit of information we look for on Wikipedia are recent awards or recognition. Examples include ‘Voted Best Place to Work’, celebrated a landmark anniversary, moved into a new Fortune 50/100/500 category, etc. These awards can be turned into pretexts when phishing the target’s employees.
Hunter.io compiles email addresses from open-source intelligence gathering and makes them searchable by domain. The search results will also show a most common email format pattern in the results. We use that pattern to rule out false positives found in other sources as well as when we brute force user enumeration at a later stage of the engagement.
The best source for employee names and email addresses nowadays is usually LinkedIn (rest in peace connect.data.com). To begin employee enumeration through LinkedIn, we start with the tool LinkedInt. LinkedInt uses a combination of LinkedIn API calls and Hunter.io searches to find the correct company. The tool then finds LinkedIn profiles registered with the domain you originally searched for and generates an HTML page with profile picture, name, email address, and job title. LinkedInt will not be able to completely map out an organization due to restrictions put in place by LinkedIn. As we will see soon, though, this can be bypassed.
Another tool we use is Peasant. Peasant has a lot of
the same functionality of LinkedInt but also provides functionality to blanket
a company with connection requests and spoof your profile to look like another.
For purely OSINT purposes, we can use Peasant like LinkedInt to gather employee
On a recent red team, we used Peasant to spoof our throwaway profile into looking like a recruiter at a reputable recruiting firm. We then blanketed multiple non-target organizations with connection requests to build up our profile and make it appear more reputable. Once we had a large number of connections, we started sending the target organization’s employees connection requests. In less than an hour, we had connections with over 100 of the target’s employees. LinkedIn allowed us to see the entire company’s employee list once we had established enough connections. Peasant was then able to harvest employee information for a larger portion of the target’s organization than LinkedInt. Generating all of these connections from a recruiter profile also created opportunities for social engineering. When the target’s employees started requesting information about the job opportunity that we originally messaged about, we were able to send malicious documents.
Another rich source of email addresses are public breach data dumps. Attackers will often sell or distribute email and password combinations once a website or company has been breached. Eventually, the data ends up on torrent sites, forums, and sites like HaveIBeenPwned, Dehashed, and Pastebin. While Red Siege is not advising anyone to download or own the dumps, the information is out there for anyone to find and use.
Using the methods described above, we would be able to gather a large set of email addresses and employee names from LinkedIn and Hunter.io, possible passwords and email addresses to try from public breach data, and general information about the size of the workforce from Wikipedia. Now that we understand how to find information about our target’s external hosts and employees manually, we will show some automated ways of gathering this information through theHarvester, Amass, and Recon-ng.
Related StoriesView More
Attacking SAML implementations
By Red Siege | November 2, 2021
SAML and SAML Attacks Recently a client mentioned that they wanted me to pay particular attention to the SAML authentication on an app I was going to be testing. It’s […]Learn More
Bypassing Signature-Based AV
By Red Siege | August 25, 2021
If you want to execute arbitrary code on an endpoint during a penetration test, red team, or assumed breach, chances are you’ll have to evade some kind of antivirus solution. […]Learn More
Sans Core Netwars Tournament of Champions Europe
By Red Siege | August 9, 2021
From Justin Palk, Security Consultant: I’ll be honest, it feels good to win. Popping a shell sends a shiver down my spine. But getting into a duel with another team […]Learn More