When profiling an organisation you should at least check for their email domain within that data set. If any staff have used their work email address when they signed up to LinkedIn pre-2012, then you may have a quick win.
On several tests this year we have used this to authenticate to external corporate services such as VPNs or Outlook Web Access, showing a) that password reuse is alive and well in 2017, and b) that our target users have not updated their work credentials in years!
You must obtain the raw data from the dump to do this. Google it, torrent it, beg or borrow it. It is widely obtainable, but I am not about to host the file myself.
Getting prepared
I downloaded the most recent Kali VM, which had a version of John the Ripper installed that supported the correct hashing format.
Finding Targets
Your first challenge is to find targets at your client's domain. A simple grep will do:
grep domain.org linkedin.txt >> targets.txt
Converting to Crackable File Format
The version of “linkedin.txt” that I have access to is formatted using colons to separate columns. The format seems to be:
<id>:<emailaddress>:<hash>
For JTR to work for us here we need to match this format:
<username>:<hash>
We can use the email address as the username, so we just need to get rid of the “id” portion, which we can do with “cut”:
cut -d ":" -f 2-3 targets.txt >> hashes.txt
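The grep-then-cut steps above are the whole exposure check: which of the organisation's addresses appear in the dump, and what the `<username>:<hash>` file for John should look like. Below is an added example in Python that does the same job in one pass; it is not code from the original post. It assumes the `<id>:<emailaddress>:<hash>` layout described above, matches the domain exactly (a plain `grep domain.org` is a substring match and will also pull in `mydomain.org` and `domain.org.uk`), drops records whose hash field is not a 40-character hex SHA-1, and collapses duplicate addresses. The sample dump, addresses and hash values are constructed for the example.

```python
import re

# Constructed sample in the "<id>:<emailaddress>:<hash>" layout the post
# describes. Addresses and hashes are made-up illustrative values.
SAMPLE_DUMP = """\
1001:alice@domain.org:9d4e1e23bd5b727046a9e3b4b7db57bd8d6ee684
1002:bob@mydomain.org:b1f2b9a3c4d5e6f708192a3b4c5d6e7f80918273
1003:Carol@DOMAIN.ORG:c0ffee0123456789abcdef0123456789abcdef01
1004:dave@domain.org.uk:deadbeef00112233445566778899aabbccddeeff
1005:erin@domain.org:not-a-real-hash
1006:alice@domain.org:9d4e1e23bd5b727046a9e3b4b7db57bd8d6ee684
"""

# Raw SHA-1 is 20 bytes, i.e. 40 hex characters.
SHA1_HEX = re.compile(r"^[0-9a-f]{40}$")


def parse_record(line):
    """Split one dump line into (id, email, hash).

    Returns None when the line does not have exactly three colon-separated
    fields, so malformed lines are skipped rather than crashing the run.
    """
    parts = line.rstrip("\n").split(":")
    if len(parts) != 3:
        return None
    return parts[0], parts[1].strip(), parts[2].strip().lower()


def email_domain(email):
    """Return the domain part of an address, lower-cased ('' if no '@')."""
    _, sep, domain = email.rpartition("@")
    return domain.lower() if sep else ""


def select_domain_records(lines, domain):
    """Yield (email, hash) for records whose address is exactly at `domain`.

    Exact matching avoids the false positives of a substring grep, and the
    hex check drops records John could not use as Raw-SHA1 anyway.
    """
    wanted = domain.lower()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        _, email, digest = rec
        if email_domain(email) != wanted:
            continue
        if not SHA1_HEX.match(digest):
            continue
        yield email, digest


def to_jtr_lines(lines, domain):
    """Build the "<username>:<hash>" lines John expects, one per address.

    Duplicate addresses in the dump are collapsed so each account is
    reported (and attempted) once.
    """
    seen = set()
    out = []
    for email, digest in select_domain_records(lines, domain):
        key = email.lower()
        if key in seen:
            continue
        seen.add(key)
        out.append(f"{email}:{digest}")
    return out


if __name__ == "__main__":
    # Usage: python exposure_check.py domain.org linkedin.txt > hashes.txt
    # With no arguments it runs over the constructed sample above.
    import sys

    domain = sys.argv[1] if len(sys.argv) > 1 else "domain.org"
    if len(sys.argv) > 2:
        with open(sys.argv[2], encoding="utf-8", errors="replace") as fh:
            result = to_jtr_lines(fh, domain)
    else:
        result = to_jtr_lines(SAMPLE_DUMP.splitlines(), domain)
    print("\n".join(result))
```

On the constructed sample only the two `domain.org` accounts survive: `bob@mydomain.org` and `dave@domain.org.uk` are rejected by the exact-domain match, the line with a junk hash field is skipped, and the repeated `alice@domain.org` record is emitted once. The number of lines this produces is also the figure to hand to the client: how many staff accounts are sitting in the dump regardless of whether any hash is ever cracked.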
Syntax for Wordlist based attack
For a wordlist attack I used the command shown below:
john --wordlist=/path/to/wordfile --format=Raw-SHA1 hashes.txt
The key reason I am writing this down is that I keep forgetting the “--format” part, and it seems a little harder to Google for than I hope each time!
Much Success!
Here is a picture of how effective even the rockyou.txt file can be. For one of the domains in the LinkedIn leak we cracked a whole load of passwords in seconds:
For people with slightly better passwords we have had success profiling that individual and making custom wordlists.
Hope that is of use to someone. It certainly will help me remember.