Mike Larch

Mike has a BS in Information Technology Security from St. Cloud State University. He has worked with companies in many industries, including information technology, healthcare, and financial services. At NetSPI, Mike's primary duties include web application and network penetration testing. He also contributes to the research and development of tools used by the NetSPI penetration testing team.
More by Mike Larch
Collecting Contacts from LinkedIn Using linkedin_crawl (2015-06-01)

Linkedin_crawl is a module for the recon-ng framework that collects employee names and titles for a specified company from LinkedIn. It works by spidering through the “People also Viewed” pane that is available on most public LinkedIn user pages and scraping user data. That information can be used to generate a list of emails for phishing campaigns, or usernames for online dictionary attacks executed during internal/external penetration tests.

Install

Since Linkedin_crawl is part of the Recon-ng framework, a simple

git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git

should do the trick. For more information follow the usage guide here.

Usage

*examples are edited for anonymity*
1. A seed employee for the targeted company must be identified. This is pretty easy with Google: search for “company name LinkedIn”, or use this Google dork by Tim Tomes:

site:linkedin.com inurl:pub -inurl:dir "at " "Current"

2. This seed employee should have the name of the targeted company spelled correctly, and the “Viewers of this profile also viewed…” section should exist. Copy this employee's URL. In the example below, we will be using a seed page for John Doe from the “Example Company”.

3. Load up the Recon-ng framework and navigate to the linkedin_crawl module, set the options and run.

root@kali:~/recon-ng# ./recon-ng
                                                                                        
[recon-ng][default] > use recon/companies-contacts/linkedin_crawl
[recon-ng][default][linkedin_crawl] > show options

  Name     Current Value  Req  Description
  -------  -------------  ---  -----------
  COMPANY                 no   override the company name harvested...
  URL                     yes  public LinkedIn profile URL (seed)

[recon-ng][default][linkedin_crawl] > set URL https://www.linkedin.com/pub...
URL => https://www.linkedin.com/pub/john-doe/82/2bb/7a3?trk=pub-pbmap
[recon-ng][default][linkedin_crawl] > show options

  Name     Current Value                   Req  Description
  -------  -------------                   ---  -----------
  COMPANY                                  no   override the company...;
  URL      https://www.linkedin.com/pub...  yes  public linkedin profile...

[recon-ng][default][linkedin_crawl] > run

---------------
EXAMPLE COMPANY
---------------
[*] Parsing ‘https://www.linkedin.com/pub/john-doe...
[*] Added: John Doe, Software Developer at Example Company(Washington...
[*] Parsing ‘https://www.linkedin.com/pub/ali-price...
[*] Added: Ali Price, Director at Example Company
[*] Parsing ‘https://www.linkedin.com/pub/mary-kibble...
[*] Parsing ‘https://www.linkedin.com/pub/matt-james...
[*] Added: Matt James, Director of Software Services at Example Company...

Expected Results

The module will begin crawling contacts from the “Viewers of this profile also viewed…” section and scrape their information if they are part of the company found on the seed page. If the company is small, it will not find many contacts and the module will only take about 30 seconds to run. If it is a large company, it could find thousands of contacts and the module could take hours to run. Regardless, it should be working and collecting contacts from the targeted company. When the module finally finishes, view the contacts in the database.

[recon-ng][default] > show contacts

  +---------------------..--------------------------------------------------------------+
  | rowid | first_name |  | last_name | email |                    title                |
  +---------------------..--------------------------------------------------------------+
  | 1     | Ali        |  | Price     |       | Director at Example Company             |
  | 2     | John       |  | Doe       |       | Software Developer at Example Company   |
  | 3     | Marc       |  | Smith     |       | Computer Tech at Example Company        |
  | 4     | Matt       |  | James     |       | Director at Example Company             |
  | 6     | Robert     |  | Fiker     |       | Floor Manager at Example Company        |
  | 5     | Tina       |  | Beard     |       | Marketing Consultant at Example Company |
  +---------------------..--------------------------------------------------------------+

[*] 6 rows returned

This shows a nice list of names, titles, and regions which could be helpful for a social engineering type campaign or for generating different possible username dictionaries. The recon-ng framework also has plenty of other modules to mangle the contacts or export them to another format, which I find useful.
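
The crawl described under Expected Results, as an added sketch that is not the module's own code: it walks a constructed in-memory “also viewed” graph (no network access) to show why some profiles are parsed but not added and why run time grows with the number of matching profiles. The profile data, the function name crawl, and the rule that non-matching profiles are not expanded are assumptions.

```python
from collections import deque

# Constructed sample data: profile id -> (name, title, "also viewed" ids).
# It stands in for public profile pages; nothing is fetched from the network.
PROFILES = {
    "john-doe": ("John Doe", "Software Developer at Example Company",
                 ["ali-price", "mary-kibble"]),
    "ali-price": ("Ali Price", "Director at Example Company",
                  ["john-doe", "matt-james"]),
    "mary-kibble": ("Mary Kibble", "Recruiter at Other Corp", ["sam-roe"]),
    "matt-james": ("Matt James",
                   "Director of Software Services at Example Company",
                   ["pat-lee"]),
    # Company name misspelled on the profile, so the filter rejects it.
    "pat-lee": ("Pat Lee", "Analyst at Exampel Company", []),
    # Only linked from a non-matching profile, so it is never visited.
    "sam-roe": ("Sam Roe", "Engineer at Example Company", []),
}


def crawl(seed, profiles, company=None):
    """Breadth-first walk of the "also viewed" links, starting at seed.

    Returns (parsed, added, never_reached): ids visited in order, the
    (name, title) pairs kept, and ids that the walk never reached.
    """
    # Like the COMPANY option: default to the company named on the seed page.
    company = company or profiles[seed][1].split(" at ", 1)[1]
    parsed, added = [], []
    seen, queue = {seed}, deque([seed])
    while queue:
        pid = queue.popleft()
        name, title, also_viewed = profiles[pid]
        parsed.append(pid)
        if not title.endswith(" at " + company):
            # Assumption: a non-matching profile is neither kept nor expanded.
            continue
        added.append((name, title))
        for nxt in also_viewed:
            if nxt in profiles and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    never_reached = sorted(set(profiles) - set(parsed))
    return parsed, added, never_reached


if __name__ == "__main__":
    parsed, added, never_reached = crawl("john-doe", PROFILES)
    print("parsed:", parsed)
    print("added:", [name for name, _ in added])
    print("never reached:", never_reached)
```

For an organization reviewing its own exposure, the three result lists separate what such a crawl would collect, what it would see and discard, and what it would never reach from that seed.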

Conclusion

Hopefully this short intro was helpful in getting you started using this tool for all of your contact gathering needs. This being part of a community framework, please feel free to contribute fixes or features, and thanks to those who already have!
