Top Related Projects
A Tool for Domain Flyovers
E-mails, subdomains and names Harvester - OSINT
Open Source Intelligence gathering tool aimed at reducing the time spent harvesting information from open sources.
SpiderFoot automates OSINT for threat intelligence and mapping your attack surface.
Scripts to make password spraying attacks against Lync/S4B, OWA & O365 a lot quicker, less painful and more efficient
Quick Overview
linkedin2username is a Python tool designed to generate potential usernames from LinkedIn data. It scrapes public LinkedIn profiles and creates lists of possible usernames based on common username formats, which can be useful for security professionals during penetration testing or red team engagements.
Pros
- Automates the process of generating potential usernames from LinkedIn data
- Supports various username formats and customization options
- Can be integrated into existing security workflows and tools
- Helps identify potential user accounts in target organizations
Cons
- May violate LinkedIn's terms of service if used improperly
- Requires valid LinkedIn credentials to function
- Limited by the availability and accuracy of public LinkedIn data
- Could be detected and blocked by LinkedIn's anti-scraping measures
Code Examples
- Basic usage:
from linkedin2username import run
company = "example"
domain = "example.com"
run(company, domain)
- Custom username format:
from linkedin2username import run
company = "example"
domain = "example.com"
format_type = "flast"
run(company, domain, format_type=format_type)
- Saving results to a file:
from linkedin2username import run
company = "example"
domain = "example.com"
outfile = "usernames.txt"
run(company, domain, outfile=outfile)
Getting Started
- Install the tool:
pip install linkedin2username
- Set up LinkedIn credentials:
export LINKEDIN_USERNAME=your_username
export LINKEDIN_PASSWORD=your_password
- Run the tool:
from linkedin2username import run
run("target_company", "target_domain.com")
Note: Use this tool responsibly and ensure you have proper authorization before conducting any security assessments.
Competitor Comparisons
A Tool for Domain Flyovers
Pros of Aquatone
- Broader functionality: Performs domain flyovers, screenshots, and technology fingerprinting
- More comprehensive tool for web-based reconnaissance
- Actively maintained with regular updates
Cons of Aquatone
- Requires more setup and dependencies
- Not specifically focused on LinkedIn username generation
- May be overkill for simple username enumeration tasks
Code Comparison
Aquatone (Go):
func takeScreenshot(url string, timeout time.Duration) (*[]byte, error) {
ctx, cancel := chromedp.NewContext(context.Background())
defer cancel()
ctx, cancel = context.WithTimeout(ctx, timeout)
defer cancel()
LinkedIn2Username (Python):
def get_login_page():
session = requests.session()
login_page = session.get(login_url)
return login_page, session
Summary
Aquatone is a more comprehensive web reconnaissance tool, offering domain flyovers, screenshots, and technology fingerprinting. It's actively maintained but requires more setup and may be excessive for simple tasks. LinkedIn2Username is specifically designed for generating usernames from LinkedIn profiles, making it more focused and easier to use for that particular task. The choice between the two depends on the specific requirements of the project and the depth of reconnaissance needed.
E-mails, subdomains and names Harvester - OSINT
Pros of theHarvester
- Broader scope: Gathers information from multiple sources beyond LinkedIn
- More versatile: Supports various search engines and APIs
- Active development: Regularly updated with new features and improvements
Cons of theHarvester
- Less focused: May provide less specific LinkedIn-related data
- More complex setup: Requires additional dependencies and API keys
- Potentially slower: Gathering data from multiple sources can take longer
Code Comparison
theHarvester:
from theHarvester.discovery import *
from theHarvester.discovery.constants import *
search = googlesearch.search_google(word, limit, start)
search.process()
emails = search.get_emails()
linkedin2username:
from linkedin2username import scrape
company_id = scrape.get_company_info(company)
employees = scrape.get_employees(company_id, cookie)
usernames = scrape.process_employees(employees, domain, verbose)
Summary
theHarvester is a more comprehensive tool for gathering information from various sources, while linkedin2username focuses specifically on extracting usernames from LinkedIn profiles. theHarvester offers broader functionality but may require more setup and potentially longer execution times. linkedin2username provides a more targeted approach for LinkedIn-specific data extraction, with a simpler setup and potentially faster results for this specific use case.
Open Source Intelligence gathering tool aimed at reducing the time spent harvesting information from open sources.
Pros of recon-ng
- Comprehensive reconnaissance framework with multiple modules
- Extensible architecture allowing for custom module development
- Integrated reporting and data management capabilities
Cons of recon-ng
- Steeper learning curve due to its complex structure
- Requires more setup and configuration compared to simpler tools
- May be overkill for focused LinkedIn username harvesting
Code Comparison
linkedin2username:
def get_company_employees(self, company_id):
employees = []
for page in range(100):
results = self.search_people(company=company_id, page=page)
if not results:
break
employees.extend(results)
return employees
recon-ng:
def module_run(self):
self.output('Harvesting profiles...')
for domain in self.options['domain']:
self.heading(domain, level=0)
base_url = 'http://www.google.com/search'
for page in range(0, 101):
query = 'site:linkedin.com inurl:pub -inurl:dir "at %s"' % (domain)
results = self.search_google_web(base_url, query, start=page)
if not results:
break
linkedin2username is focused specifically on LinkedIn username harvesting, making it simpler and more targeted. recon-ng, on the other hand, offers a broader range of reconnaissance capabilities but requires more setup and understanding to use effectively for specific tasks like LinkedIn harvesting.
SpiderFoot automates OSINT for threat intelligence and mapping your attack surface.
Pros of SpiderFoot
- Comprehensive OSINT tool with a wide range of modules and data sources
- User-friendly web interface for easy operation and result visualization
- Supports automation and integration with other tools via API
Cons of SpiderFoot
- More complex setup and configuration compared to linkedin2username
- Requires more system resources due to its extensive functionality
- Steeper learning curve for users new to OSINT tools
Code Comparison
SpiderFoot (Python):
class sfp_example(SpiderFootPlugin):
def handleEvent(self, event):
eventName = event.eventType
srcModuleName = event.module
eventData = event.data
# Plugin logic here
linkedin2username (Python):
def get_company_employees(company):
employees = []
# Scraping logic here
return employees
def generate_usernames(employees):
usernames = []
# Username generation logic here
return usernames
Summary
SpiderFoot is a more comprehensive OSINT tool with a broader scope, while linkedin2username is focused specifically on generating usernames from LinkedIn data. SpiderFoot offers a wider range of features and data sources but requires more setup and resources. linkedin2username is simpler and more targeted, making it easier to use for its specific purpose but lacking the versatility of SpiderFoot.
Scripts to make password spraying attacks against Lync/S4B, OWA & O365 a lot quicker, less painful and more efficient
Pros of SprayingToolkit
- Supports multiple protocols and services (OWA, Lync, O365, etc.)
- Includes password spraying and user enumeration capabilities
- Offers more advanced features like custom wordlists and CAPTCHA bypassing
Cons of SprayingToolkit
- More complex setup and usage
- Requires additional dependencies
- May trigger more security alerts due to its broader functionality
Code Comparison
linkedin2username:
def parse_employees(self):
for employee in self.employees:
self.parse_name(employee)
SprayingToolkit:
def spray(self, username, password):
for target in self.targets:
self.attempt_login(target, username, password)
linkedin2username focuses on parsing LinkedIn data to generate usernames, while SprayingToolkit is designed for actual password spraying attacks across various services. The code snippets reflect their different purposes, with linkedin2username processing employee data and SprayingToolkit attempting logins on multiple targets.
Convert 
designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual CopilotREADME
linkedin2username
OSINT Tool: Generate username lists from companies on LinkedIn.
This is a pure web-scraper, no API key required. You use your valid LinkedIn username and password to login, it will create several lists of possible username formats for all employees of a company you point it at.
Here's what you get:
- first.last.txt: Usernames like Joe.Schmoe
- f.last.txt: Usernames like J.Schmoe
- flast.txt: Usernames like JSchmoe
- firstl.txt: Usernames like JoeS
- first.txt Usernames like Joe
- lastf.txt Usernames like SchmoeJ
- rawnames.txt: Full name like Joe Schmoe
- metadata.txt CSV file which is full_name,occupation
Optionally, the tool will append @domain.xxx to the usernames.
Warnings
Do not blame me if your LinkedIn account gets rate limited, or even banned. This is a security research tool - use it only after reading the code and fully understanding what it is doing.
I have not heard of any account bans since the tool was written, but rate limiting does occasionally kick in when the "commercial search limit" is hit. That has been temporary so far (measured monthly).
Using the tool
Pre-requisites
Install the Python dependencies with pip3 install -r ./requirements.txt.
You'll also need Chrome, Chromium, or Firefox installed in typical paths that can be discovered by Selenium. A web browser will be spawned temporarily to handle the login.
Full usage
usage: linkedin2username.py [-h] -c COMPANY [-n DOMAIN] [-d DEPTH]
[-s SLEEP] [-x PROXY] [-k KEYWORDS] [-g] [-o OUTPUT]
OSINT tool to generate lists of probable usernames from a given company's LinkedIn page.
This tool may break when LinkedIn changes their site.
Please open issues on GitHub to report any inconsistencies.
optional arguments:
-h, --help show this help message and exit
-c COMPANY, --company COMPANY
Company name exactly as typed in the company linkedin profile page URL.
-n DOMAIN, --domain DOMAIN
Append a domain name to username output.
[example: "-n targetco.com" would output jschmoe@targetco.com]
-d DEPTH, --depth DEPTH
Search depth (how many loops of 25). If unset, will try to grab them
all.
-s SLEEP, --sleep SLEEP
Seconds to sleep between search loops. Defaults to 0.
-x PROXY, --proxy PROXY
Proxy server to use. WARNING: WILL DISABLE SSL VERIFICATION.
[example: "-p https://localhost:8080"]
-k KEYWORDS, --keywords KEYWORDS
Filter results by a a list of command separated keywords.
Will do a separate loop for each keyword,
potentially bypassing the 1,000 record limit.
[example: "-k 'sales,human resources,information technology']
-g, --geoblast Attempts to bypass the 1,000 record search limit by running
multiple searches split across geographic regions.
-o OUTPUT, --output OUTPUT
Output Directory, defaults to li2u-output
Examples
You'll need to provide the tool with LinkedIn's company name. You can find that by looking at the URL for the company's page. It should look something like https://linkedin.com/company/targetco. It may or may not be as simple as the exact name of the company.
Here's an example to pull all employees of targetco:
$ python linkedin2username.py -c targetco
Here's an example to pull a shorter list and append the domain name @targetco.com to them:
$ python linkedin2username.py -c targetco -d 5 -n 'targetco.com'
Tips
Use an account with a lot of connections, otherwise you'll get crappy results. Adding a couple connections at the target company should help - this tool will work up to third degree connections. Note that LinkedIn will cap search results to 1000 employees max. You can use the features '--geoblast' or '--keywords' to bypass this limit. Look at help below for more details.
Toubleshooting
When LinkedIn changes things, the tool may break. The API used here is not documented, and it may take some fiddling around to get it working again. Please open issues if you notice something weird.
You can verify Selenium works on your machine like this:
$ python3
from selenium import webdriver
driver = webdriver.Firefox() # or webdriver.Chrome()
driver.get("https://linkedin.com/login")
You can try the --proxy flag to inspect traffic with Burp. Right now, it is not inspecting the logins from the Selenium browser as you can see pretty clearly what is happening there.
This is a security research tool. Use only where granted explicit permission from the network owner.
Top Related Projects
A Tool for Domain Flyovers
E-mails, subdomains and names Harvester - OSINT
Open Source Intelligence gathering tool aimed at reducing the time spent harvesting information from open sources.
SpiderFoot automates OSINT for threat intelligence and mapping your attack surface.
Scripts to make password spraying attacks against Lync/S4B, OWA & O365 a lot quicker, less painful and more efficient
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual Copilot