Indeed.com Recon-ng Module

February 04, 2016

A while back I was working on some open source intelligence gathering (OSINT) and had a pretty interesting idea. I started to contemplate how people tend to boast on their resumes, myself included. The whole nature of a resume is to hype up the work you’ve done so that you appear valuable to a future employer. Because of this natural tendency, people tend to divulge quite a bit of information about their current and past employers in their resumes. Everything from technology stacks to specific software versions. That’s when I realized that scraping resumes would not only be able to generate loads of contacts given a company, but it could also divulge lots of information about that company as well.

I started poking around the various resume hosting sites floating around the web. I ultimately found Indeed.com. I clicked “Find Resumes” in the top left and then choose “Advanced Search”. I was greeted with this lovely screen:

indeed02

I noticed the “Company of latest job” field, and determined it as perfect field to use to generate contacts for a specific company. I quickly did a search for Oracle and found 4,670 resumes of people who claim to currently work for Oracle.

indeed00

I decided to narrow my search by specifying a keyword, “Linux Admin”. I now found 3 resumes for people whose resume’s contain “Linux Admin” and claim to currently work for Oracle. I noted that this technique maybe useful in identifying admins for spear phishing attacks.

indeed01

This is when I noticed the most interesting thing of all, the URL.

indeed04

All of these search parameters were being set in GET parameters defined in the URL. Sweet, that makes automation easy. Now the only thing I have to worry about is automating around their pagination. I went ahead and started poking around the pagination and once again noticed that the pagination is handled by a variable set in the URL. Double sweet.

I originally wrote a standalone script to automate this search and parse out the resume owner’s name and a link to the resume, then saved the output to a CSV file. I then realized how awesome it would be to integrate it with the de facto OSINT framework, recon-ng. So that’s what I did!

Screenshot from 2016-02-02 18&%54&%42

The script has three options: keyword, past_emps, and source. The source defines the company name for which to search for resumes. In the standard recon-ng fashion, this can be set to a single company, path to a file of company names, or a query result of the recon-ng data model. Past_emps is used to tell the script to only search for current employees, or to include past employees. If set to “true”, it will include past employees. If the module is being used to identify phishing candidates, past employees would not want to be included. However, if the module is being used to identify technologies or the alike, past employee’s resumes would be helpful. Lastly, the keyword option is used to specific a keyword for the module to filter resumes with.

My original module can be found on my BitBucket / GitHub and the maintained version on the Recon-ng BitBucket. The framework and module are also included on Kali Linux.

Here it is in action:

Special shoutout to @LaNMaSteR53 for his support!

Thanks for reading!