EmploLeaks - An OSINT Tool That Helps Detect Members Of A Company With Leaked Credentials

 

This is a tool designed for Open Source Intelligence (OSINT) purposes, which helps to gather information about employees of a company.

How it Works

The tool starts by searching through LinkedIn to obtain a list of employees of the company. Then, it looks for their social network profiles to find their personal email addresses. Finally, it uses those email addresses to search through a custom COMB database to retrieve leaked passwords. You an easily add yours and connect to through the tool.


Installation

To use this tool, you'll need to have Python 3.10 installed on your machine. Clone this repository to your local machine and install the required dependencies using pip in the cli folder:

cd clipip install -r requirements.txt

OSX

We know that there is a problem when installing the tool due to the psycopg2 binary. If you run into this problem, you can solve it running:

cd clipython3 -m pip install psycopg2-binary`

Basic Usage

To use the tool, simply run the following command:

python3 cli/emploleaks.py

If everything went well during the installation, you will be able to start using EmploLeaks:

___________              .__         .__                 __\_   _____/ _____ ______ |  |   ____ |  |   ____ _____  |  | __  ______ |    __)_ /     \____  \|  |  /  _ \|  | _/ __ \__   \ |  |/ / /  ___/ |        \  Y Y  \  |_> >  |_(  <_> )  |_\  ___/ / __ \|    <  \___ \/_______  /__|_|  /   __/|____/\____/|____/\___  >____  /__|_ \/____  >        \/      \/|__|                         \/     \/     \/     \/OSINT tool 🕵  to chain multiple apisemploleaks>

Right now, the tool supports two functionalities:

  • Linkedin, for searching all employees from a company and get their personal emails.
    • A GitLab extension, which is capable of finding personal code repositories from the employees.
  • If defined and connected, when the tool is gathering employees profiles, a search to a COMB database will be made in order to retrieve leaked passwords.

Retrieving Linkedin Profiles

First, you must set the plugin to use, which in this case is linkedin. After, you should set your authentication tokens and the run the impersonate process:

emploleaks> use --plugin linkedinemploleaks(linkedin)> setopt JSESSIONIDJSESSIONID: [+] Updating value successfullemploleaks(linkedin)> setopt li-atli-at: [+] Updating value successfullemploleaks(linkedin)> show optionsModule options:Name        Current Setting                      Required    Description----------  -----------------------------------  ----------  -----------------------------------hide        yes                                  no          hide the JSESSIONID fieldJSESSIONID  **************************           no          active cookie session in browser #1li-at       AQEDAQ74B0YEUS-_AAABilIFFBsAAAGKdhG  no          active cookie session in browser #1            YG00AxGP34jz1bRrgAcxkXm9RPNeYIAXz3M            cycrQm5FB6lJ-Tezn8GGAsnl_GRpEANRdPI            lWTRJJGF9vbv5yZHKOeze_WCHoOpe4ylvET            kyCyfN58SNNHemploleaks(linkedin)> run i   mpersonate[+] Using cookies from the browserSetting for first time JSESSIONIDSetting for first time li_at

li_at and JSESSIONID are the authentication cookies of your LinkedIn session on the browser. You can use the Web Developer Tools to get it, just sign-in normally at LinkedIn and press right click and Inspect, those cookies will be in the Storage tab.

Now that the module is configured, you can run it and start gathering information from the company:

Get Linkedin accounts + Leaked Passwords

We created a custom workflow, where with the information retrieved by Linkedin, we try to match employees' personal emails to potential leaked passwords. In this case, you can connect to a database (in our case we have a custom indexed COMB database) using the connect command, as it is shown below:

emploleaks(linkedin)> connect --user myuser --passwd mypass123 --dbname mydbname --host 1.2.3.4[+] Connecting to the Leak Database...[*] version: PostgreSQL 12.15

Once it's connected, you can run the workflow. With all the users gathered, the tool will try to search in the database if a leaked credential is affecting someone:

As a conclusion, the tool will generate a console output with the following information:
  • A list of employees of the company (obtained from LinkedIn)
  • The social network profiles associated with each employee (obtained from email address)
  • A list of leaked passwords associated with each email address.

How to build the indexed COMB database

An imortant aspect of this project is the use of the indexed COMB database, to build your version you need to download the torrent first. Be careful, because the files and the indexed version downloaded requires, at least, 400 GB of disk space available.

Once the torrent has been completelly downloaded you will get a file folder as following:

├── count_total.sh├── data│   ├── 0│   ├── 1│   │   ├── 0│   │   ├── 1│   │   ├── 2│   │   ├── 3│   │   ├── 4│   │   ├─â&€ 5│   │   ├── 6│   │   ├── 7│   │   ├── 8│   │   ├── 9│   │   ├── a│   │   ├── b│   │   ├── c│   │   ├── d│   │   ├── e│   │   ├── f│   │   ├── g│   │   ├── h│   │   ├── i│   │   ├── j│   │   ├── k│   │   ├── l│   │   ├── m│   │   ├⠀─ n│   │   ├── o│   │   ├── p│   │   ├── q│   │   ├── r│   │   ├── s│   │   ├── symbols│   │   ├── t

At this point, you could import all those files with the command create_db:

The importer takes a lot of time for that reason we recommend to run it with patience.

Next Steps

We are integrating other public sites and applications that may offer about a leaked credential. We may not be able to see the plaintext password, but it will give an insight if the user has any compromised credential:

  • Integration with Have I Been Pwned?
  • Integration with Firefox Monitor
  • Integration with Leak Check
  • Integration with BreachAlarm

Also, we will be focusing on gathering even more information from public sources of every employee. Do you have any idea in mind? Don't hesitate to reach us:

Or you con DM at @pastacls or @gaaabifranco on Twitter.




Source: www.kitploit.com
EmploLeaks - An OSINT Tool That Helps Detect Members Of A Company With Leaked Credentials EmploLeaks - An OSINT Tool That Helps Detect Members Of A Company With Leaked Credentials Reviewed by Zion3R on 4:46 AM Rating: 5