1 / 25

OSINT: Social Media

OSINT: Social Media. Part Two: Google Searches and LinkedIn. Module Type: Basic Method Module Number: 0x08 Last Updated: 2017-05-05 Author: Hermit. Topics. What is OSINT? What is Social Media? What Can We Learn From Social Media? Google Searches OSINT LinkedIn OSINT More To Explore.

chassan
Download Presentation

OSINT: Social Media

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. OSINT: Social Media Part Two: Google Searches and LinkedIn Module Type: Basic Method Module Number: 0x08 Last Updated: 2017-05-05 Author: Hermit

  2. Topics • What is OSINT? • What is Social Media? • What Can We Learn From Social Media? • Google Searches OSINT • LinkedIn OSINT • More To Explore

  3. What is OSINT? • Open Source Intelligence = OSINT • Information from public sources • Often involves directly connecting to a target • Analysis of publicly available data

  4. What is Social Media? • Easiest definition I can think of:Services which exist to share content between individuals and/or organizations that share some common interest or argument with one another. • The biggest data aggregators of our time, who know more about the average person than their friends or family may know. • A one-stop shop for someone’s schedule, beliefs, interests, and personal information.

  5. Quick Review: What is Dorking? • It’s STILL not whales having sex. :-/ • It’s not something a bunch of dorks do while hanging out together (trust me, I’m an expert there). • It IS, however, using search options and techniques in unusual ways to get information that isn’t easily found otherwise. • The most common form of this is Google dorking. We’ll do that in a later class. • Today we’re going to do some other dorking of our own though. 

  6. What Can We Learn From Social Media? • Legal name • Birth date • Marital/relationship status • Relatives • Home/work address • Frequented establishments • Core interests • Social network • Political leaning • Race • Religion • Gender/Gender Identity • Employer • Professional associations • Device types • Communication styles/norms

  7. Disclaimer • None of the techniques advocated here constitute breaches of terms of service… they’re all things that the service providers created to enable this type of searching. • While we could continue to build OSINT profiles for any number of services, I’ve made the choice to stop after these first four services in the interest of diversity. I have an extensive list of other social media services at the end of this presentation if you’re looking for other sources. • If you do build OSINT profiles and techniques, do the community a solid and share them, or contact me and I’ll share them if you crave anonymity.

  8. Google Searches • Remember… Do not use spaces between an operator (e.g. “-”) and the thing it operates on. For example:bob -dylan # No Bob Dylan resultsbob - dylan # Bob Dylan shows up in results • You may end up triggering Google’s “be you a robot or be you a man” warning page. Take it as a mark of pride and move on. 

  9. Google Searches OSINT • Standard Google search:https://www.google.com/search?q={KEYWORD} • Search with wildcards (e.g. ”the rise of man” and “the fall of man”):”the * of man” • Search for exact phrases:”COMPLETE PHRASE OR WORDS” • Exclude results including a word:-{TERM} • Search using Boolean “OR” (if text, “OR” must be capitalized){TERM_1} OR {TERM_2} OR {TERM_N}{TERM_1} | {TERM_2} | {TERM_N} • Search for file types:filetype:{EXTENSION}ext:{EXTENSION}

  10. Google Searches (Continued) • Require that a word or phrase be present in search results:{TERM} “{REQUIRED_TERM}”{TERM} +{REQUIRED_TERM} • Perform loose matches (synonyms and related terms will be used more aggressively):~{TERM} • Filter results by country (use ISO-3166 2 character codes):location:{COUNTRY_CODE} • Filter results by US state:location:{POSTAL_STATE_CODE} • Filter results by reporting source:source:{NAME}

  11. Google Searches (continued) • Search for a currency:${VALUE}€{VALUE} (etc) • Search for a numeric range:{LOW}…{HIGH} • Search for a currency range:${LOW}…${HIGH} €{LOW}... €{HIGH} • Search on social media:@{TERM} • Search Google Groups:group:{QUALIFIED_GROUP_NAME} • Search for hashtags:#{TERM}

  12. Google Searches (Continued) • Search for results only on a particular site or TLD:site:{qualified_domain}site:{TLD} • Search for results that are like a known site:related:{URL}related:{qualified_domain} • Search for information about a site:info:{URL}info:{qualified_domain}id:{URL}id:{qualified_domain} • Show cached versions:cache:{URL}

  13. Google Searches (Continued) • Search results in the page title:{TERM_A} {TERM_B} intitle: {TERM} • Search results in the page title, restricted to Google Groups:{TERM_A} {TERM_B} insubject:{TERM} • Search for results that have multiple terms in the page title:allintitle: {TERM_1} {TERM_2} {TERM_N} • Search results in the body text:{TERM_A} {TERM_B} intext: {TERM} • Search for results that have multiple terms in the body text:allintext: {TERM_1} {TERM_2} {TERM_N} • Search for results in page anchors:{TERM_A} {TERM_B} inachor:{TERM} • Search for results that have multiple terms in anchors:allinanchor:{TERM_1} {TERM_2} {TERM_N}

  14. Google Searches (Continued) • Search results in the URL path:{TERM_A} {TERM_B} inurl: {TERM} • Search for results that have multiple terms in the URL path:allinurl: {TERM_1} {TERM_2} {TERM_N} • Get a quick definition of a term:define:{TERM} • Get pages that link to a particular page:link:{URL}link:{DOMAIN} • Find only external links to a particular page or domain:link:{URL} -site:{URL_DOMAIN}link:{DOMAIN} -site:{DOMAIN}

  15. Google Searches (Continued) • Constrain searches to content posted in date range:daterange:{START_JULIAN_DATE}-{END_JULIAN_DATE} • Search for phone numbers:phonebook:{NAME} • Force results in map view:map:{SEARCH TERMS} • Find movie information (because why not?):movie:{TERM} • Find weather (again, why not…):weather {LOCATION_DESCRIPTION) • Find stock data (okay, I’m officially just bored):stock:{STOCK_SYMBOL}

  16. LinkedIn OSINT NOTE: You will need a LinkedIn account for all of these techniques. If you don’t have one, register a Gmail account and then register a LinkedIn account. Seeding random data from publicly available resumes is a quick way to generate a fake persona.

  17. Basic LinkedIn Searches • Generic keyword search:https://www.linkedin.com/search/results/index/?keywords={KEYWORD} • Search for people results:https://www.linkedin.com/search/results/people/?keywords={KEYWORD} • Search for job results:https://www.linkedin.com/jobs/search/?keywords={KEYWORD} • Search for user content postings:https://www.linkedin.com/search/results/content/?keywords={KEYWORD} • Search for companies:https://www.linkedin.com/search/results/companies/?keywords={KEYWORD} • Search for groups:https://www.linkedin.com/search/results/groups/?keywords={KEYWORD} • Search for schools:https://www.linkedin.com/search/results/schools/?keywords={KEYWORD}

  18. Enumerate Details • List group members:https://www.linkedin.com/groups/{GROUP_ID}/members • List other users followed by a user:https://www.linkedin.com/in/{USER_ID}/interests/influencers/ • List companies followed by a user:https://www.linkedin.com/in/{USER_ID}/interests/companies/ • List groups a user is part of:https://www.linkedin.com/in/{USER_ID}/interests/groups/ • List schools followed by a user:https://www.linkedin.com/in/{USER_ID}/interests/schools/

  19. LinkedIn Search Modifiers Mix and match for more interesting results (e.g. city within country) • Sort by date:&sortBy=DD • Sort by relevance:&sortBy=R • Search within generic location (by text name of location):&location={LOCATION_NAME} • Search within country (use ISO-3166 2 character codes):&locationID={COUNTRY_CODE}%3A0

  20. LinkedIn Search Modifiers (Continued) • Additional “worldwide” search modifiers: • locationID=OTHERS.worldwide • location=worldwide • Additional relationship searches (for people searches): • &facetNetwork=%5B”F"%5D # First degree contacts • &facetNetwork=%5B”S"%5D # Second degree contacts • &facetNetwork=%5B"O"%5D # All relationships • &facetNetwork=%5B”F”%2C”S”%5D # Both first/second degree contacts (etc)

  21. Advanced Location Searching • First identify the location codes for each location. You can do this by looking at the URL after searching for a location, such as the below (for Dallas, TX):https://www.linkedin.com/jobs/search/?keywords=A&location=Dallas%2C%20Texas&locationId=PLACES.us.10-4-0-57-5 • Do the same for a second location (or more). • Join the locations by using the “f_GC” parameter and separating locationIDs with URL encoded commas (%2C), then place the last location in the locationID parameter:https://www.linkedin.com/jobs/search/?f_GC=us.10-4-0-57-11%2Cus.10-4-0-57-5%2Cus.10-4-0-43-13&keywords=A&locationId=PLACES.us.10-4-0-57-8 • Above example is a search across four locations…

  22. Advanced Job Searching • You can use the same trick as the location combinations for companies. For instance:https://www.linkedin.com/search/results/companies/?keywords=IBM • Now look at the URL for the target and read the number at the end of the URL, in this case:https://www.linkedin.com/company-beta/1009/ • Then get more companies, and use the “f_C” paramenter to join them:https://www.linkedin.com/jobs/search/?f_C=6504%2C10887310%2C2620735%2C1009&keywords={KEYWORD} • Of course, you can always add in the location search elements as well • List employees of a company:https://www.linkedin.com/search/results/people/?facetCurrentCompany=%5B%22{COMPANY_ID}%22%5D

  23. Advanced People Searching • Look for previous employers:&facetPastCompany=%5B”{COMPANY_ID}"%5D • Look for particular industries:&facetIndustry=%5B”{INDUSTRY_ID}"%5D • Look for profile languages (use ISO 639-1 codes):&facetProfileLanguage=%5B”{LANGUAGE_CODE}"%5D • Look for non-profit interests:&facetNonprofitInterest=%5B”{INTEREST_NAME}"%5D • Look for schools attended:&facetSchool=%5B”{SCHOOL_ID}"%5D

  24. More to Explore • Instagram • QQ • WeChat • Qzone • Tumblr • SnapChat • Pinterest • Reddit • Taringa • RenRen • Tagged • Badoo • MySpace • StumbleUpon • SkyRock • Snapfish • CafeMom • NextDoor • Wayn • Vine • Classmates • TogetherWeServed • Viadeo • Xing • Xanga • LiveJournal • ZheZhe • Buzznet • Flickr • Meetup • Mixi • Twoo • MyMFB • VK • Medium

  25. Additional Resources • Google: • http://www.googleguide.com/advanced_operators_reference.html • https://support.google.com/websearch/answer/35890?hl=en • https://support.google.com/websearch/answer/2466433?hl=en • LinkedIn: • Manual reverse-engineering for the win! • Hermit • https://twitter.com/hermit_hacker • https://www.cryptolingus.net/ • https://www.stackattack.net/blog/

More Related