Mapping Social Media with Facial Recognition: A New Tool for Penetration Testers and Red Teamers
Performing intelligence gathering is a time-consuming process, it typically starts by attempting to find a person's online presence on a variety of social media sites. While this is a easy task for a few, it can become incredibly tedious when done at scale. What if it could be automated and done on a mass scale with hundreds or thousands of individuals?
Introducing Social Mapper an open source intelligence tool that uses facial recognition to correlate social media profiles across a number of different sites on a large scale. Trustwave, which provides ethical hacking services, has successfully used the tool in a number of penetration tests and red teaming engagements on behalf of clients. It takes an automated approach to searching popular social media sites for names and pictures of individuals to accurately detect and group a person's presence, outputting the results into a report that a human operator can quickly review.
Social Mapper supports the following social media platforms:
- Google+
- VKontakte
- Douban
It's primarily aimed at penetration testers and red teamers, who will use it to expand their target lists, aiding them in social media phishing scenarios. Its primary benefit comes from the automation of matching profiles and the report generation capabilities. As the security industry continues to struggle with talent shortages and rapidly evolving adversaries, it is imperative that a penetration tester's time is utilized in the most efficient means possible.
Once social mapper has finished running and you've collected the reports, what you do then is only limited by your imagination, but here are a few ideas:
- Create fake social media profiles to 'friend' the targets and send them links to credential capturing landing pages or downloadable malware. Recent statistics show social media users are more than twice as likely to click on links and open documents compared to those delivered via email.
- Trick users into disclosing their emails and phone numbers with vouchers and offers to make the pivot into phishing, vishing or smishing.
- Create custom phishing campaigns for each social media site, knowing that the target has an account. Make these more realistic by including their profile picture in the email. Capture the passwords for password reuse.
- View target photos looking for employee access card badges and familiarise yourself with building interiors.
So, without further ado, let's get into how it works:
At a low level, Social Mapper works by running through 3 main stages. The first is target parsing, it creates a list of targets based on the input you give it. A social mapper target consists of a name and a picture of that person. These can be provided via links in a csv file, images in a folder or via people registered to a company on LinkedIn.
Example of the CSV input type with Names and Links
Example of the image folder input type with named images
Example of the company name input type gathering targets from a LinkedIn company
Once the targets are processed, stage 2 of social mapper kicks in and it starts searching for these people online. It does this by instrumenting the Firefox browser, logging into the afore mentioned supported social media sites and begins searching for targets by name. It pulls out the top results from this search (usually between 10 and 20) and starts downloading the profile pictures and performing facial recognition checks to try and find a match. It's possible to tweak the way it performs via various parameters when the tool starts with options such as: if the program should keep searching after an initial match is found for a better one, and to change the thresholds of the facial recognition to remove more false positives at the risk of missing legitimate profiles.
Social Mapper running on a single target, matching a Facebook & Instagram account
Social Mapper running on a large batch of users, finishing searching LinkedIn and moving to search Google Plus
This stage of the program can take a long time to run. For target lists of 1000 people it can take more than 15 hours and use a large amount of bandwidth, depending on which options are selected. I would recommend running the tool overnight on a machine with a good internet connection for these reasons.
Once all the social media sites have been checked, stage 3 of the tool kicks in and it starts generating your reports and data. Social Mapper has a variety of output; it generates a csv file with links to the profile pages of the target list and a more visual HTML report that can be handy for quickly checking and verifying the results.
Example of Social Mappers HTML report
Example of a Social Mapper CSV report
It also has the option to generate lists for each site checked with a person's name, potential work email based on a provided format and the link to their profile. This aim of this is to be useful for taking forwards into phishing campaigns, knowing that this person has a social media profile on a specific site and can then be targeted with pretexts that include their profile picture for added realism.
Example of Facebook CSV Output
Unfortunately, due to company privacy concerns I was unable to show you Social Mapper running on a large set of targets in this post. I encourage you to give it a try on a LinkedIn Company and see it run on 100s of targets. For an albeit fuzzy look at what that looks like here is a heavily blurred image, just to give you a sense of the scale that Social Mapper runs at.
Example of a Social Mapper CSV report when run on a large company, this is 50 results of the found 759.
I hope you will find tool useful and use it in new and innovative ways. You can find more information on running the tool on the Trustwave SpiderLabs GitHub page. Please report any bugs you find and feel free to drop in some feature requests if you have any ideas for improvement. And of course, tweet me @Jacob_Wilkin with any success stories you have using Social Mapper!