Linkedin_crawl is a module for the recon-ng framework that can be used for collecting employee names and titles from a specified company on LinkedIn. It operates by spidering through the “People also Viewed” pane that’s available on most LinkedIn user public pages, and scraping user data. That information can be used to generate a list of emails for phishing campaigns, or usernames for online dictionary attacks executed during internal/external penetration tests.
Install
Since Linkedin_crawl is part of the Recon-ng framework a simple
should do the trick. For more information follow the usage guide here.
Usage
*examples are edited for anonymity* 1. A seed employee for the targeted company must be identified. This is pretty easy with Google, search “company name Linkedin.” Or use this Google dork by Tim Tomes:
2. This seed employee should have the name of the targeted company spelled correctly and the “Viewers of this profile also viewed…” section should exist. Copy this employee’s URL. In the example below, we will be using a seed page for John Doe from the “Example Company”.
3. Load up the Recon-ng framework and navigate to the linkedin_crawl module, set the options and run.
root@kali:~/recon-ng# ./recon-ng
[recon-ng][default] > use recon/companies-contacts/linkedin_crawl
[recon-ng][default][linkedin_crawl] > show options
Name Current Value Req Description
------- ------------- --- -----------
COMPANY no override the company name harvested...
URL yes public LinkedIn profile URL (seed)
[recon-ng][default][linkedin_crawl] > set URL https://www.linkedin.com/pub...
URL => https://www.linkedin.com/pub/john-doe/82/2bb/7a3?trk=pub-pbmap
[recon-ng][default][linkedin_crawl] > show options
Name Current Value Req Description
------- ------------- --- -----------
COMPANY no override the company...;
URL https://www.linkedin.com/pub... yes public linkedin profile...
[recon-ng][default][linkedin_crawl] > run
---------------
EXAMPLE COMPANY
---------------
[*] Parsing ‘https://www.linkedin.com/pub/john-doe...
[*] Added: John Doe, Software Developer at Example Company(Washington...
[*] Parsing ‘https://www.linkedin.com/pub/ali-price...
[*] Added: Ali Price, Director at Example Company
[*] Parsing ‘https://www.linkedin.com/pub/mary-kibble...
[*] Parsing ‘https://www.linkedin.com/pub/matt-james...
[*] Added: Matt James, Director of Software Services at Example Company...
Expected Results
The module will begin crawling contacts from the “Viewers of this profile also viewed…” section and scrape their information if they are part of the company found on the seed page. If the company is small, it will not find many contacts and the module will only take about 30 seconds to run. If it is a large company, it could find thousands of contacts and the module could take hours to run. Regardless, it should be working and collecting contacts from the targeted company. When the module finally finishes view the contacts in the database.
[recon-ng][default] > show contacts
+---------------------..--------------------------------------------------------------+
| rowid | first_name | | last_name | email | title |
+---------------------..--------------------------------------------------------------+
| 1 | Ali | | Price | | Director at Example Company |
| 2 | John | | Doe | | Software Developer at Example Company |
| 3 | Marc | | Smith | | Computer Tech at Example Company |
| 4 | Matt | | James | | Director at Example Company |
| 6 | Robert | | Fiker | | Floor Manager at Example Company |
| 5 | Tina | | Beard | | Marketing Consultant at Example Company |
+---------------------..--------------------------------------------------------------+
[*] 6 rows returned
This shows a nice list of names, titles, and regions which could be helpful for a social engineering type campaign or for generating different possible username dictionaries. The recon-ng framework also has plenty of other modules to mangle the contacts or export them to another format, which I find useful.
Conclusion
Hopefully this short intro was helpful getting you started using this tool for all of your contact gathering needs. This being part of a community framework please feel free to contribute fixes or features, and thanks to those who already have!
Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.
Name
Domain
Purpose
Expiry
Type
YSC
youtube.com
YouTube session cookie.
52 years
HTTP
Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.
Name
Domain
Purpose
Expiry
Type
VISITOR_INFO1_LIVE
youtube.com
YouTube cookie.
6 months
HTTP
Test
test.com
Testing
7 days
HTTP
Analytics cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.
We do not use cookies of this type.
Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.
We do not use cookies of this type.
Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
We do not use cookies of this type.
Cookies are small text files that can be used by websites to make a user's experience more efficient. The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies we need your permission. This site uses different types of cookies. Some cookies are placed by third party services that appear on our pages.
Cookie Settings
Discover how the NetSPI BAS solution helps organizations validate the efficacy of existing security controls and understand their Security Posture and Readiness.