Need usernames? Ask Google what LinkedIn has!

I wanted to do some testing on access controls to a SQL server recently, but I needed a decent password list and username list. Password lists are fairly straightforward to find and I used an excellent how-to from the Pauldotcom Podcast to create my password list. Next I needed a list of usernames. To be effective, it would be better to have a list targeted to the environment I was working in. I wanted to do this with fairly public information so that no one could accuse me of using insider knowledge. So I decided to see what LinkedIn had.

Now LinkedIn generally lets people decide how much information they want displayed to people they don’t know. If you aren’t connected to them, all you may see is their description if you find them by company. No names. In my case, I’m connected with a lot of people, so this pollutes the process. So, I logged out of LinkedIn to see how an outsider might do this.

For this scenario, I’m an attacker who wants to find out about Company XYZ. I’m not employed by them, but they have something I want. I’m not connected to anyone on LinkedIn at the target. In fact, I may not even have a LinkedIn account. How do I get this information? Kevin Johnson at InGuardians has already done some awesome work on how people are willing to accept invitations on social networking sites from almost anyone. But let’s say that I don’t want to get connected to my target. Who would have this information?

Google of course! Everyone wants Google to be able to find things on their website. LinkedIn is no different. So I do a query on the company name like this “site:linkedin.com Company XYZ”. Sure enough, I get pages of people who work at or did work at Company XYZ. With a bit of Python scripting I download the results, mix the names into common username variations and I have my username list.

Here’s the script I hacked up to make this work: usernameGen.txt. PDP at gnucitizen.org wrote the original script. I just polished up the regular expression and pointed the starting URL to Google’s mobile search to simplify the HTML. Then I added the username generation. Was a fun little puzzle for the evening.
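For the defending side of the same observation, the added example below (not the usernameGen script and not code from the original post) audits a directory export against names the organization already knows are publicly listed, reporting which accounts are reproduced by a common naming convention. The convention set, function names and sample data are assumptions constructed for illustration.

```python
import re
import unicodedata

# Assumed, non-exhaustive set of common username conventions.
CONVENTIONS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast": lambda f, l: f"{f}{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "firstl": lambda f, l: f"{f}{l[0]}",
    "last.first": lambda f, l: f"{l}.{f}",
    "lastf": lambda f, l: f"{l}{f[0]}",
}

def normalize(name):
    """Strip accents and punctuation; return (first, last) or None if one word."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    joined = ascii_name.lower().replace("'", "").replace("-", "")
    parts = re.findall(r"[a-z]+", joined)
    return (parts[0], parts[-1]) if len(parts) >= 2 else None

def audit(public_names, accounts):
    """Map each directory account to the (public name, convention) that yields it."""
    wanted = {a.lower(): a for a in accounts}
    findings = {}
    for name in public_names:
        parsed = normalize(name)
        if parsed is None:
            continue  # a single-word name cannot be mapped to a convention
        for label, rule in CONVENTIONS.items():
            candidate = rule(*parsed)
            if candidate in wanted:
                findings[wanted[candidate]] = (name, label)
    return findings

def dominant_convention(findings):
    """Return the convention that explains the most accounts, or None."""
    counts = {}
    for _, label in findings.values():
        counts[label] = counts.get(label, 0) + 1
    return max(counts, key=counts.get) if counts else None

# Constructed sample data: publicly listed names and a directory export.
PUBLIC_NAMES = ["Alice Nguyen", "Bob O'Hara", "Chloé Martin", "Dana"]
ACCOUNTS = ["anguyen", "bohara", "cmartin", "sa", "svc_backup", "dkim"]

if __name__ == "__main__":
    result = audit(PUBLIC_NAMES, ACCOUNTS)
    for account, (name, label) in sorted(result.items()):
        print(f"{account}: derivable from '{name}' via {label}")
    print("dominant convention:", dominant_convention(result))
```

Accounts the audit reports should be treated as having public usernames, so their protection has to come from lockout policy, password strength and monitoring of failed logins rather than from the name being unknown.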

Jason Wood