Gathering Usernames from LinkedIn using Burp Suite Pro

sil3ntcor3
Dec 20, 2018


During a recent red team operation, my team needed to gather potential usernames for phishing and password spraying attacks. I was specifically interested in pulling data from LinkedIn. Searching for the company name provided me a list of users that listed the company as their current employer. But how to get that list of users in a workable format?

I dug through GitHub looking for existing projects, but none accomplished what I needed. I found a couple of articles that used Burp Suite to scrape data from Google searches:

(1) https://tw.saowen.com/a/9f39df44bb391b274d5a0115ac4b9bf66c472f5e07acdbf4a55bcb1692e1cc68

(2) https://www.blackhillsinfosec.com/gathering-usernames-from-google-linkedin-results-using-burp-suite-pro/

However, the Google search results were incomplete compared with the data found on LinkedIn itself. Then I found a blog post — https://blog.leetsys.com/2012/08/05/social-engineering-scraping-data-from-linkedin/ — that discussed using the Intruder module of Burp Suite to automate crawling through the LinkedIn results. This provided the foundation of what I was looking for.

The LinkedIn page structure has changed since the post was written so I needed to find the correct request/response that provided the results I needed.

GET Request used with the Intruder module

Once I found the correct request entry, I right-clicked it and selected ‘Send to Intruder’.

On the Positions tab for Intruder, remove all the payload positions by clicking the ‘Clear §’ button. Then select the value 0 that follows the start parameter in the query string and click the ‘Add §’ button, so that only this parameter is marked as a payload position.

Intruder module Positions tab

On the Payloads tab for Intruder we need to define the Payload type and the Payload Options. The Payload type needs to be set to Numbers. To determine the Payload Options, I examined the request/response from several pages while browsing the results and found that the start parameter increased by 10 for each page of results. The initial search page had a value of 0, so the From field needs to be set to 0. I navigated to the last page of results, where the start parameter had a value of 990, so the To field was set to 990. Each page of results increased the start parameter by 10, so the Step field was set to 10.

Intruder module Payloads tab

To avoid potential account issues or connection timeouts, I modified the Request Engine settings on the Options tab to lower the number of threads and throttle the requests. I then clicked the ‘Start attack’ button.

Request engine settings

Once the attack is finished, highlight all the requests, right-click and select ‘Save selected items’. Make sure the option to save the output base64-encoded is unchecked, otherwise the responses cannot be searched as plain text. Enter a file name and select a location to save the data. All the requests and responses will be saved in one file, which allows us to filter out the data we’re looking for.

There are several locations in the file that contain a user's first and last name, but I noticed a couple of them were in areas that also contained names of people not employed by the company I was interested in. The location I found best for getting the most accurate data was the sections that start with "title":{"textDirection":"FIRST_STRONG","text":. The problem with the output was that all the important information was contained in one long string, so I had to figure out a way of extracting just the first and last names from it. It’s a bit long, but this is the command I came up with:

cat burp_output.txt | tr , '\n' | sed 's/\"//g' | pcregrep -M 'title:{textDirection:FIRST_STRONG.*\n.*text' | grep 'text:' | cut -d':' -f2 | sed 's/.\. //g' | cut -d' ' -f1,2 | sort | uniq

In order: split the single-line output on commas, strip the double quotes, pull the two-line "title"/"text" pairs with a multi-line match, keep only the "text" lines, take the value after the colon, drop middle initials such as "T. ", keep the first two words, and de-duplicate.

The output is a list of first and last names. I then imported that data into an Excel spreadsheet, with the first and last names in separate columns. I removed the rows that didn’t have a last name (blank) or that contained only an initial. I then used a formula to build the email address in another column.

I can now use this data to perform targeted spear-phishing or password-spraying attacks against a list of users with a high likelihood of being employed by the target company.


Christian, husband, father | hacker, pentester, & red teamer at a large financial institution. My opinions, not my employer. #pentester #hacker #redteam