Introducing Crosslinked: An Offensive-Minded LinkedIn Enumeration Tool

March 30, 2021
gps_not_fixed gps_not_fixed gps_not_fixed

LinkedIn is the world’s largest professional networking platform and used every day for recruiting, marketing, and connecting. However, it’s because of this that LinkedIn is also a great source for information gathering during penetration testing.

Through a company’s profile, it’s possible to collect a list of current employees and their position. This information can lead to spear phishing, password spraying, or other attacks against the organization. While there are various opensource tools to help collect and weaponize this information, I have always found one reason or anther to perform this process manually.

Until now…

Introducing CrossLinked

CrossLinked was created to simplify the process of finding current users of an organization through LinkedIn. It does this without API keys, credentials, or ever actually interacting with the site directly.

Instead, CrossLinked uses specially crafted search engine queries to scrape valid employees names from the resulting LinkedIn data. Once extracted, it will format these names according to the command-line arguments specified. Usernames can then be used in further attacks targeting the organization.


CrossLinked assumes the organization’s user account naming convention has already been identified through open source intelligence gathering, or other means. If you’re having trouble with this step, I recently release an article discussing techniques to find this information through metadata that may be useful.

Once the account naming convention is found, it can be applied through the following notation. This allows names to be turned into email addresses, domain accounts, or written plainly to file:

> python3 -f '{first}.{last}' 'Company'
> python3 -f 'domain\{f}{last}' 'Test Company'
> python3 -f '{first}{l}' 'Org XYZ'


The screenshot below demonstrates CrossLinked executed against an example organization. By default, search queries will be displayed on screen with the number of results discovered in each request. Once execution is complete, names will be checked for duplicates and written to a names.txt file in the current directory.

Pro Tip: For best results, put the company name in quotes and use the name as it appears on LinkedIn. Do not use the organization’s domain name.

Defensive Measures

CrossLinked takes advantage of the information collected by search engines about employees mapped to an organization on LinkedIn. As shown, it’s possible to derive this information without scraping the site directly.

LinkedIn enumeration in general, whether by search engine scraping or other means, is a difficult problem to solve. Stopping exposure of this information requires users to subscribe to the threat model and manually modify the privacy settings in their own account. This means their profiles are less discoverable to future opportunities on the platform and, therefore, remediation is less likely to occur.

Taking a different approach, there will always be another vector for gathering this type of information. If not LinkedIn, potential usernames could be attained through breach data, alternate social media sources, or any number of techniques. It is recommended organizations be aware of this and employ the proper security solutions to detect and respond to threat activity on their networks.

gps_not_fixed gps_not_fixed gps_not_fixed
CrossLinked -

Thanks for reading! Feel free to reach out on Twitter @m8r0wn with any comments, questions, or feedback.