
EmploLeaks: An OSINT tool for collecting employee information for enterprise security

author:FreeBuf

About EmploLeaks:

EmploLeaks is an OSINT tool for collecting employee information in support of enterprise security. With it, internal security staff and administrators can gather a range of information about the organization's employees and use it to assess the organization's security posture.


How it works

First, the tool searches LinkedIn and obtains a list of employees of the target organization or business. Next, it looks up their social network profiles to find their personal email addresses. Finally, it uses those email addresses to search a custom COMB database and retrieve any leaked passwords.

It's worth mentioning that researchers can easily integrate the tool into their own workflows or customize it.

Supported features

1. LinkedIn plugin, used to search for all employees of a company and obtain their personal emails;

2. GitLab extension, able to find employees' personal code repositories;

3. If a COMB database is defined and connected, the tool searches it while collecting employee profiles and retrieves any leaked passwords;

Tool Requirements:

Python 3.10

Tool download

Since the tool is written for Python 3.10, first install and configure a Python 3.10 environment on the local machine.

Next, researchers can directly run the following command to clone the source code of the project to the local computer:

git clone https://github.com/infobyte/emploleaks.git           

Then switch to the project's cli directory and use pip to install the dependencies listed in the project's requirements.txt:

cd emploleaks
cd cli
pip install -r requirements.txt           

macOS installation

You may encounter problems installing psycopg2; if so, run the following command to resolve it:

cd cli
python3 -m pip install psycopg2-binary

Tool use

Execute the following command to run EmploLeaks:

python3 cli/emploleaks.py           

If all goes well, you'll see the following:

___________              .__         .__                 __
\_   _____/ _____ ______ |  |   ____ |  |   ____ _____  |  | __  ______
 |    __)_ /     \____  \|  |  /  _ \|  | _/ __ \__   \ |  |/ / /  ___/
 |        \  Y Y  \  |_> >  |_(  <_> )  |_\  ___/ / __ \|    <  \___ \
/_______  /__|_|  /   __/|____/\____/|____/\___  >____  /__|_ \/____  >
        \/      \/|__|                         \/     \/     \/     \/
 
OSINT tool to chain multiple apis
emploleaks>           

Retrieve Linkedin profiles

First, select the plugin extension we want to use, in this case LinkedIn. Next, set the authentication tokens (the LinkedIn session cookies) and run the impersonation process:

emploleaks> use --plugin linkedin
emploleaks(linkedin)> setopt JSESSIONID
JSESSIONID: 
[+] Updating value successfull
emploleaks(linkedin)> setopt li-at
li-at: 
[+] Updating value successfull
emploleaks(linkedin)> show options
Module options:
 
Name        Current Setting                      Required    Description
----------  -----------------------------------  ----------  -----------------------------------
hide        yes                                  no          hide the JSESSIONID field
JSESSIONID  **************************           no          active cookie session in browser #1
li-at       AQEDAQ74B0YEUS-_AAABilIFFBsAAAGKdhG  no          active cookie session in browser #1
            YG00AxGP34jz1bRrgAcxkXm9RPNeYIAXz3M
            cycrQm5FB6lJ-Tezn8GGAsnl_GRpEANRdPI
            lWTRJJGF9vbv5yZHKOeze_WCHoOpe4ylvET
            kyCyfN58SNNH
emploleaks(linkedin)> run impersonate
[+] Using cookies from the browser
Setting for first time JSESSIONID
Setting for first time li_at           

The li_at and JSESSIONID values are the authentication cookies of our LinkedIn browser session, which we can obtain from the browser's web developer tools.

Once the module is configured, we can run it and start the data collection task:

emploleaks(linkedin)> run find EvilCorp
⠙ Gathering Information[+] Added 1 new names.
Listing profiles:
 0: 
full name: Joaquin Rodriguez Viruliento
profile name: joaquinrodriguezviruliento
occupation: Security Researcher at EvilCorp
public identifier: joaquinrodriguezviruliento
urn: urn:li:member:15736913
Getting and processing contact info of "Joaquin Rodriguez Viruliento"
Contact info:
website 0. http://www.evilcorp.com
twitter 0. limpiamicerca
 
 Done           

Get a LinkedIn account + leaked password

We built a custom workflow on top of the information retrieved from LinkedIn that tries to match each employee's personal email against potentially compromised passwords. To use it, connect to the leak database with the connect command (in our case, a COMB database with a custom index) as follows:

emploleaks(linkedin)> connect --user myuser --passwd mypass123 --dbname mydbname --host 1.2.3.4
[+] Connecting to the Leak Database...
[*] version: PostgreSQL 12.15           

Once the connection succeeds, run the workflow. After all users have been collected, the tool searches the database to see whether any compromised credentials belong to one of them:

emploleaks(linkedin)> run_pyscript workflows/check_leaked_passwords.py EvilCorp
[-] Failing login... trying again!
[-] Failing login... trying again!
[+] Connected to the LinkedIn api successfull
The following command could take a couple of minutes, be patient
 Listing profiles:
 Getting and processing contact info of "señor girafales"
 Getting and processing contact info of "kiko"
 Getting and processing contact info of "el chavo del 8"
[...]
[+] Password for "señor girafales" exists
[*] Email: [email protected]
+------------------+
| passwords leaked |
+------------------+
| laFQqAOSL69      |
+------------------+           
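To make the matching step of that workflow concrete, here is an added example (not code from the EmploLeaks project) that joins a list of collected employee records against leak data in the email:password line format COMB dumps use, and produces a remediation report with passwords masked rather than printed. All names, addresses and credentials below are constructed samples.

```python
# Constructed sample: the kind of records EmploLeaks builds from LinkedIn
# (full name + personal email). Made-up people and addresses.
EMPLOYEES = [
    {"full_name": "Joaquin Rodriguez Viruliento", "email": "joaquin.rv@example.net"},
    {"full_name": "Kiko", "email": "kiko@example.org"},
    {"full_name": "El Chavo del 8", "email": "chavo8@example.com"},
]

# Constructed sample leak data in the email:password line format that COMB
# dumps use. These are not real leaked credentials.
LEAK_LINES = """\
joaquin.rv@example.net:laFQqAOSL69
someone.else@example.com:hunter2
KIKO@example.org:Winter2023!
kiko@example.org:Winter2024!
malformed line without separator
"""


def parse_leak_lines(text):
    """Build a dict email -> set of passwords from email:password lines.
    Lines without ':' or without an '@' in the email part are skipped;
    emails are normalised to lower case so lookups are case-insensitive."""
    index = {}
    for line in text.splitlines():
        email, sep, password = line.partition(":")
        if not sep or "@" not in email:
            continue
        index.setdefault(email.strip().lower(), set()).add(password)
    return index


def mask(password):
    """Keep only a two-character prefix so an analyst can recognise a hit
    in a report without the full secret being written to disk or logs."""
    return password[:2] + "*" * (len(password) - 2) if len(password) > 2 else "**"


def check_leaked_passwords(employees, leak_index):
    """Return one report row per employee with at least one leaked password."""
    report = []
    for emp in employees:
        hits = leak_index.get(emp["email"].lower(), set())
        if hits:
            report.append({
                "full_name": emp["full_name"],
                "email": emp["email"],
                "leaked_count": len(hits),
                "samples": sorted(mask(p) for p in hits),
                "action": "force password reset and verify MFA enrolment",
            })
    return report


if __name__ == "__main__":
    for row in check_leaked_passwords(EMPLOYEES, parse_leak_lines(LEAK_LINES)):
        print(row)
```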

Build an indexed COMB database

An important part of the project is the indexed COMB database, which we can download by clicking [here]; note that the complete dataset is at least 400GB.

Once downloaded and unpacked, you'll see a directory with the following structure:

├── count_total.sh
├── data
│   ├── 0
│   ├── 1
│   │   ├── 0
│   │   ├── 1
│   │   ├── 2
│   │   ├── 3
│   │   ├── 4
│   │   ├── 5
│   │   ├── 6
│   │   ├── 7
│   │   ├── 8
│   │   ├── 9
│   │   ├── a
│   │   ├── b
│   │   ├── c
│   │   ├── d
│   │   ├── e
│   │   ├── f
│   │   ├── g
│   │   ├── h
│   │   ├── i
│   │   ├── j
│   │   ├── k
│   │   ├── l
│   │   ├── m
│   │   ├── n
│   │   ├── o
│   │   ├── p
│   │   ├── q
│   │   ├── r
│   │   ├── s
│   │   ├── symbols
│   │   ├── t           

We can import all the files using the create_db command:

emploleaks> create_db --dbname leakdb --user leakdb_user --passwd leakdb_pass --comb /home/pasta/Downloads/comb
[*] The full database occups more than 200 GB, take this in account
[*] Creating the database
ERROR:  database "leakdb" already exists
ERROR:  role "leakdb_user" already exists 
ALTER ROLE
ALTER DATABASE
GRANT
ALTER SYSTEM
ALTER SYSTEM
ALTER SYSTEM
ALTER SYSTEM
ALTER SYSTEM
ALTER SYSTEM
ALTER SYSTEM
ALTER SYSTEM
ALTER SYSTEM
ALTER SYSTEM
[+] Connecting to the Leak Database...
[+] Importing from /home/pasta/Downloads/comb/data/1/m
[+] Importing from /home/pasta/Downloads/comb/data/1/d
[+] Importing from /home/pasta/Downloads/comb/data/1/v
[+] Importing from /home/pasta/Downloads/comb/data/1/0
[+] Importing from /home/pasta/Downloads/comb/data/1/8
[+] Importing from /home/pasta/Downloads/comb/data/1/u
[+] Importing from /home/pasta/Downloads/comb/data/1/k
[+] Importing from /home/pasta/Downloads/comb/data/1/r
[+] Importing from /home/pasta/Downloads/comb/data/1/7
[+] Importing from /home/pasta/Downloads/comb/data/1/h
[+] Importing from /home/pasta/Downloads/comb/data/1/o
[+] Importing from /home/pasta/Downloads/comb/data/1/t
[+] Importing from /home/pasta/Downloads/comb/data/1/f
[+] Importing from /home/pasta/Downloads/comb/data/1/n
[+] Importing from /home/pasta/Downloads/comb/data/1/symbols
[+] Importing from /home/pasta/Downloads/comb/data/1/g
[+] Importing from /home/pasta/Downloads/comb/data/1/q
[+] Importing from /home/pasta/Downloads/comb/data/1/a
[+] Importing from /home/pasta/Downloads/comb/data/1/e
[+] Importing from /home/pasta/Downloads/comb/data/1/l                            
[+] Importing from /home/pasta/Downloads/comb/data/1/y                            
[+] Importing from /home/pasta/Downloads/comb/data/1/s                            
[+] Importing from /home/pasta/Downloads/comb/data/1/3                            
[+] Importing from /home/pasta/Downloads/comb/data/1/6                            
[*] Creating index...            

License Agreement

This project is developed and released under the MIT Open Source License.

Project address

EmploLeaks: https://github.com/infobyte/emploleaks

Resources

https://fardadaysec.com/
