Social networks are wonderful sources of information when you need to collect data about a potential target. That’s the way humans work, just like you and me: we like to share, we like to show what we do, where we travel. In short… we exist!
During some projects, it’s very useful to build a tree or chart of the people inside the organization (some kind of who’s who). There are tools that extract a huge amount of information automatically (Maltego, for example). Such tools are helpful for processing lots of data, but sometimes you really need to build a more detailed organization chart with job functions, who reports to whom, etc. In those cases, your best friend is LinkedIn! Working mainly with customers in Belgium, I’m lucky: Belgian citizens like LinkedIn! Our country is in the top 15 countries using this business social network. This makes LinkedIn a perfect reconnaissance tool. Search for somebody (a name found on the target’s website or from an email), click on “Similar profiles”, filter by region, company name, etc. Easy!
LinkedIn is free for everybody, but it needs to make a profit and offers different plans (Business, Business Plus, Executive). For most of us, the Basic plan is enough. The people interested in the paid plans are mainly HR staff and recruiters, because those plans are quite expensive. The Basic plan has some restrictions that are usually not very annoying, but that changes when you are doing reconnaissance. One of them is truncated names and restricted profiles for connections at the 3rd degree or beyond. When you click on a similar profile, you get this result:
LinkedIn kindly invites you to upgrade your account. Sorry, but I’m not ready to pay 15€ / month for this feature. How to find and access Jurgen’s full profile? Google to the rescue!
Google crawls everything… LinkedIn content too! Just copy & paste “Jurgen xxxx Manager at xxx” into Google and, with a 99% chance, it will return a direct link to the page with the full name. Sometimes LinkedIn will still hide the full profile, but search again for the full name from the top search box and you’ll get the complete profile. It seems to be a question of the HTTP referer (depending on where you are coming from), but I didn’t experiment further.
From a social engineering point of view, having the full name + profile is enough to build a dictionary of email addresses (once you know how they are formatted), and the full profiles help you learn the relations between people. Sending a rogue email to an employee pretending to be his boss is easy.