Conducting OSINT on LinkedIn the Right Way
LinkedIn is no doubt an invaluable source of information, not only for job seekers but also for OSINT researchers and investigators. It's basically an online resume that contains information such as your current and former jobs, education, the country/city where you are working, and more. It was developed as a social network for business-oriented job seekers back in May 2003 and was sold to Microsoft in December 2016. The information on LinkedIn can come in very handy when targeting a specific employee of a company or researching a particular individual. The biggest issue we face while conducting research is that LinkedIn shows the target who visited their profile, in the form of Search Appearances. Even if you have a fully locked-down and private account, the visit shows up if you click on their profile.
Conducting Research on a Specific Individual
If we are researching an individual, we will already have some basic details, such as their name, email and location, to cross-verify against. We can automate this process using a tool called InSpy. You just need an API key from Hunter.io, which you add to the Python script. The tool prints its results to the screen and also writes them to an HTML file containing names, titles, and email addresses. From there, manual enumeration techniques let us expand on the profile further by adding jobs and locations.
Another way to do it is through theHarvester tool. It’s a simple, yet powerful tool designed to be used in the early stages of a penetration test. We can use it for OSINT gathering as it gathers emails, names, as well as subdomains, IPs, and URLs using multiple public data sources.
Conducting Research on a Group/Organization
If we have no specific targets in mind and the objective is to conduct recon on an organization and its employees, we can start by validating employees.
For that, Hunter.io is an amazing email verification and validation tool. It gives us 50 free searches/month and allows searching for all publicly identifiable emails belonging to a company's domain name, along with a specific email finder and a bulk search option. You will need to make an account to use Hunter.io.
If we want to find the target manually with Google, we can do it through specific search operators. Do note that indexing of a LinkedIn profile by search engines can be turned off by individual users.
- site:linkedin.com/in "<person name>"
- site:linkedin.com/in "<company name>"
- site:linkedin.com/in "<job title>"
- site:linkedin.com/in "<keyword of interest>"
The profile picture and background image of a LinkedIn profile can be downloaded and reverse image searched using any image search engine. To name a few: Google Images, Yandex Images, TinEye, Shutterstock, etc.
We can investigate a user's profile through its URL, as the profile name shows up in it. Though the name is generated by LinkedIn based on the user's name and surname fields, it can be customized. The URL profile name should be treated as a unique identifier for the target account. Sometimes, users may have a profile on another platform that closely resembles the LinkedIn profile. In that case, you can search for the profile manually or use the Google Advanced Search Operators to find it.
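To make the "URL profile name as unique identifier" point concrete, here is an added example (not from the original post) that reduces collected profile links to that identifier so duplicates merge and lookalike hosts are set aside. The function names and sample URLs are constructed for illustration, and comparing profile names case-insensitively is an assumption.

```python
from urllib.parse import urlsplit, unquote

def profile_id(url):
    """Return the lower-cased /in/ profile name of a LinkedIn URL, or None."""
    url = url.strip()
    if "://" not in url:
        url = "https://" + url  # tolerate URLs pasted without a scheme
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Only linkedin.com and its subdomains (www, country prefixes) count;
    # a lookalike such as linkedin.com.example.net must not be merged in.
    if host != "linkedin.com" and not host.endswith(".linkedin.com"):
        return None
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) < 2 or segments[0].lower() != "in":
        return None  # company pages, search results, posts, ...
    # The query string and fragment are not part of parts.path.
    return unquote(segments[1]).strip().lower() or None

def dedupe_profiles(urls):
    """Group URLs by profile identifier; return (profiles, rejected)."""
    profiles, rejected = {}, []
    for url in urls:
        pid = profile_id(url)
        if pid is None:
            rejected.append(url)
        else:
            profiles.setdefault(pid, []).append(url)
    return profiles, rejected

# Constructed sample input: three spellings of one profile, one profile with
# a percent-encoded name, one company page, and one lookalike host.
SAMPLE = [
    "https://www.linkedin.com/in/jane-doe-1a2b3c/",
    "https://uk.linkedin.com/in/Jane-Doe-1a2b3c?ref=search",
    "linkedin.com/in/jane-doe-1a2b3c/details/experience/",
    "https://www.linkedin.com/in/jos%C3%A9-example",
    "https://www.linkedin.com/company/example-corp/",
    "https://linkedin.com.example.net/in/jane-doe-1a2b3c",
]

if __name__ == "__main__":
    profiles, rejected = dedupe_profiles(SAMPLE)
    for pid, sources in profiles.items():
        print(f"{pid}: {len(sources)} source URL(s)")
    print("rejected:", rejected)
```

Keeping the original URLs alongside each identifier preserves where every sighting came from when the notes are reviewed later.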
We can also conduct a detailed manual search on LinkedIn by manipulating the URL, which gives us more varied results than the built-in search function. A few examples of URL modifications are:
- https://www.linkedin.com/search/results/people/?firstName=[name]&keywords=[name]%20[surname]&lastName=[surname]
- https://www.linkedin.com/search/results/people/?firstName=[name]&lastName=[surname]&company=[company name]&title=[job title]
A useful feature every LinkedIn profile has is the option to download the content of the account as a resume-type document through the "Save to PDF" option. You will not download any personal information or activity, just a profile overview. You can add screenshots of the details that are missing from the document.
Further Reading
- https://www.secjuice.com/linkedin-osint-part-1/
- https://www.secjuice.com/linkedin-osint-techniques-part-ii/
This blog was just a quick overview of OSINT on LinkedIn; in the upcoming blogs I will be presenting more insights on this 😄! Till then, happy investigating.