Conducting OSINT on LinkedIn the Right Way

By Argonyte
Published in RIXED_LABS
4 min read · Dec 11, 2020

LinkedIn is no doubt an invaluable source of information, not only for job seekers but also for OSINT researchers and investigators. It's basically an online resume that contains information such as your current and former jobs, education, the country/city where you are working, and more. It was developed as a social network for business-oriented job seekers back in May 2003 and was sold to Microsoft in December 2016. The information on LinkedIn can come in very handy when targeting a specific employee of a company or researching a particular individual. The biggest issue we face while conducting research is that LinkedIn will show the target who visited their profile, in the form of Search Appearances. Even if your own account is fully locked down and private, your visit shows up if you click on their profile.

Sinwindie’s LinkedIn Attack Surface

Conducting Research on a Specific Individual

If we are researching an individual, we will have some basic details about them, such as name, email, and location, to cross-verify. We can automate this process using a tool called InSpy. You'll just need an API key from Hunter.io, which you add to the Python script. The tool prints its results to the screen and also writes them to an HTML file. The output contains names, titles, and email addresses. From there, using manual enumeration techniques, we can further expand on the profile by adding jobs and locations.

Another way to do it is with theHarvester. It's a simple yet powerful tool designed to be used in the early stages of a penetration test. We can use it for OSINT gathering, as it collects emails and names as well as subdomains, IPs, and URLs from multiple public data sources.

Conducting Research on a Group/Organization

If we have no specific targets in mind but the objective is to conduct recon of an organization and its employees, we can start by validating employees.

For that, Hunter.io is an amazing email verification and validation tool. It gives us 50 free searches/month and allows searching for all publicly identifiable emails belonging to a company's domain name, along with a specific email finder and a bulk search option. You will need to make an account to use Hunter.io.

Using Hunter.io to find emails of Microsoft employees. Note that if you are not signed up you will not see the entire email.

If we want to find the target manually through Google, we can do it with specific search operators. Do note that indexing of a LinkedIn profile by search engines can be turned off by individual users.

  • site:linkedin.com/in "<person name>"
  • site:linkedin.com/in "<company name>"
  • site:linkedin.com/in "<job title>"
  • site:linkedin.com/in "<keyword of interest>"

Using Google Advanced Search as an example to search on LinkedIn for Google employees

The profile picture and background image of a LinkedIn profile can be downloaded and reverse image searched using any image search engine. To name a few: Google Images, Yandex Images, TinEye, Shutterstock, etc.

Clicking on the profile picture gives us the expanded image. The same can be achieved by adding /detail/photo to the profile URL.

We can investigate a user's profile through its URL, because the profile name shows up in it. Though the name is generated by LinkedIn from the user's name and surname fields, it can be customized. The URL profile name should be treated as a unique identifier for the target account. Sometimes users have a profile on another platform that closely resembles the LinkedIn profile. In that case, you can search for the profile manually or use the Google Advanced Search operators to find it.
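To use the URL profile name as a unique identifier in case notes, the URL variants collected for one account have to be reduced to a single key. The following is an added example, not code from the original post: it extracts the profile name from a /in/ URL, ignores sub-views such as /detail/photo, and rejects lookalike hosts. It assumes profile names are case-insensitive, and the sample URLs are constructed.

```python
from urllib.parse import urlsplit, unquote


def linkedin_slug(url):
    """Return the lowercase profile name from a LinkedIn /in/ URL, or None."""
    url = url.strip()
    if "://" not in url:
        url = "https://" + url  # tolerate scheme-less pastes
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    host = (parts.hostname or "").lower()
    # Accept linkedin.com and its subdomains (www., regional ones such as in.),
    # but not lookalikes such as linkedin.com.example.net.
    if host != "linkedin.com" and not host.endswith(".linkedin.com"):
        return None
    segments = [s for s in parts.path.split("/") if s]
    # Personal profiles live under /in/<name>; anything after it
    # (for example detail/photo) is a sub-view of the same account.
    if len(segments) < 2 or segments[0].lower() != "in":
        return None
    # Assumption: profile names are case-insensitive, so lowercase the key.
    slug = unquote(segments[1]).strip().lower()
    return slug or None


def group_by_profile(urls):
    """Group collected URLs by profile name; unrecognized URLs go under None."""
    groups = {}
    for u in urls:
        groups.setdefault(linkedin_slug(u), []).append(u)
    return groups


# Constructed sample input: variants of one hypothetical profile plus noise.
SAMPLE = [
    "https://www.linkedin.com/in/jane-doe-1a2b3c/",
    "http://in.linkedin.com/in/Jane-Doe-1a2b3c?trk=public_profile",
    "linkedin.com/in/jane-doe-1a2b3c/detail/photo",
    "https://www.linkedin.com/company/example-corp/",
    "https://linkedin.com.example.net/in/jane-doe-1a2b3c",
]

if __name__ == "__main__":
    for slug, found in group_by_profile(SAMPLE).items():
        print(slug, len(found))
```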

We can also conduct a detailed manual search on LinkedIn by manipulating the URL, which gives us more varied results than the built-in search function. A few examples of URL modifications are:

Using manual detailed search by manipulating the URL gives us specific results

A useful feature every LinkedIn profile has is the option to download the content of the account as a resume-type document through the "Save to PDF" option. You will not download any personal information or activity, just a profile overview. You can add screenshots for the details that are missing from the document.

Downloading the resume will not only bolster your investigation but will also help you cross-verify certain aspects of it.

Further Reading

This blog was just some quick info regarding OSINT on LinkedIn; in the upcoming blogs I will be presenting more insights into this 😄! Till then, happy investigating.

Blog by Nerd of Axial. Join us at our Discord server.

Argonyte
RIXED_LABS

OSINT | Red Team | Threat Hunter | Malware Analyst. Member of AX1AL. Website- https://argonyte.github.io