Last week I’ve stumble upon an exceptional device named ‘Inspy’ that became written through gojhonny in early 2016. Unfortunately I haven’t heard approximately this device in advance despite it being almost 2 years old, fortuitously it become referenced with the aid of Offensive Security within the Kali 2017.Three release put up as being part of the repo. Inspy is a LinkedIn enumeration device written in Python that may be used for passive records amassing the usage of facts that is publicly to be had on LinkedIn. Inspy makes use of process titles and branch names on LinkedIn profiles to discover who’s hired by means of a particular employer and in what position. Additionally this device also can find out technology which might be being utilized by this company via crawling process list for specific key phrases. Let’s have a examine the two one of a kind operation modes for this device: EmSpy and TechSpy.

In EmSpy mode this tool searches for LinkedIn customers which might be hired with the aid of the agency the usage of a wordlist. The wordlist this is covered with this device includes little over three hundred job titles and branch names which can be getting used to in shape the job name and/or department together with the corporation call on the LinkedIn profile. The 2nd mode is called TechSpy. In TechSpy mode it crawls LinkedIn for technologies that are stated in a businesses job listings, in particular in the process description. This will give us an illustration of what technology are in use with the aid of the business enterprise which includes Windows technology, packages, firewall manufacturers and network gadget. At the time of scripting this academic the TechSpy characteristic sadly doesn’t paintings (anymore). This is probably resulting from LinkedIn changing their schemes or, maybe even more likely, LinkedIn is blocking the queries which can be generated from our network after a pair take a look at runs. For this cause we will just consciousness on the EmSpy functionality for now and update this hacking tutorial while the TechSpy function is running properly once more.

LinkedIn Enumeration with InSpy

We need to install InSpy, you can install it by simply running the following command:

apt update && apt -y install inspy

To successfully run this tool there’s a few required parameters that we need to populate which are: –techspy[file]or –emspy[file]mode and the company name that we want to locate employees for. Since techspy is currently not working we will only look at emspy. The EmSpy mode takes only one argument which is the wordlist that contains the titles. The default wordlists are located in the following directory:


The wordlist directory contains 4 different wordlists from which 2 contain the titles and are meant to be used in EmSpy mode. The other 2 lists are meant to be used in the TechSpy mode.

Now that we know where the wordlists are located we can use them in the following command to search for Google employees with a LinkedIn profile:

inspy –empspy /usr/share/inspy/wordlists/title-list-large.txt google

InSpy found a total of 737 LinkedIn profiles that have Google mentioned in the job title. This is roughly 1% of the total staff (70k+ in 2017) employed by Google if all results were valid results. Personally I am amazed by the time it took to find these employees, only 63.7 seconds, which is incredibly fast. Expanding the number of entries might yield even better results though I must say that the included list is pretty effective already. Finally Inspy also has options to export the results in different formats; HTML, CSV & JSON. While these formats may come in handy in some cases I haven’t tested them.

Email format

Another possibly interesting feature is the ’emailformat’ option. This options allows you to specify a format for an e-mail address and export the search results as e-mail addresses. Let’s say you know that Google uses the firstname.lastname format we can specify this format and Inspy will generate a list of e-mail addresses according to this format. The following command searches for Google employees and generates a list of e-mail address in the firstname.lastname format:

inspy –empspy /usr/share/inspy/wordlists/title-list-large.txt –emailformat google

Note: Even though the information found by InSpy is publicly available we’ve decided to blur the names in the search results.

Note: Use Virtual Machine and scan on VirusTotal before downloading any program on Host Machine for your privacy.