Having mapped the digital infrastructure through DNS and search engines, we now pivot to the most vulnerable attack surface: people. Social Media Intelligence (SOCMINT) is the passive collection of employee data from professional and personal social networks. This data fuels pretexting for social engineering, enriches password lists, and identifies key personnel with high-value access rights.
People often maintain strict privacy settings on Facebook but overshare on LinkedIn. LinkedIn provides the organizational chart, X (Twitter) provides the real-time sentiment, and Instagram provides the geolocation context. The correlation of these data points reveals behavioral patterns invisible on a single platform.
LinkedIn is the primary source for mapping an org chart. Using boolean search filters, you can extract not just names, but specific technologies employees list in their profiles. A System Administrator who lists 'Fortinet Firewall Configuration' reveals the edge device stack. A developer listing 'Docker/Kubernetes' confirms the container orchestration tool.
// Boolean Search on LinkedIn for Target Corp:
// "Target Corp" AND ("System Administrator" OR "DevOps" OR "Security")
// This yields employees to profile further.

Beyond the title, analyze the 'Skills & Endorsements' and 'Projects' sections. Employees often write detailed descriptions of internal infrastructure projects: 'Migrated 500 VMs from on-prem to AWS using Terraform.' This single sentence passively confirms the cloud provider, the IaC tool, and the scale of the migration.
Manual searching is slow. Tools like theHarvester automate the collection of emails, names, and subdomains from search engines and social networks. It queries multiple public sources including Google, Bing, LinkedIn, and Shodan to build a unified profile of the domain. Another powerful tool, Twint (discontinued but concepts apply via alternatives), allowed scraping Twitter without the API, bypassing rate limits.
⚠️ Privacy Boundaries: Scraping social media at scale via automated tools often violates the platform's Terms of Service, which can lead to legal action or API bans even if the data is public. For professional engagements, prefer manual review or official API keys. SOCMINT under GDPR requires a legitimate interest assessment.
A seemingly harmless photo posted by an employee can leak secrets. EXIF data embedded in images can contain GPS coordinates, timestamps, and the device model. Note that most major social platforms strip EXIF metadata on upload, so the richest metadata is usually found in originals published elsewhere, such as on personal websites or inside downloadable documents. An employee posting a screenshot of a new code release might expose an internal path in the IDE's title bar. Passively downloading these public images and examining them with ExifTool is a standard OSINT technique.
Cross-referencing these coordinates with Google Maps often pinpoints the exact office building or home address. This is critical for physical penetration tests or understanding the geo-distribution of a remote workforce. A remote employee working from a coffee shop chain suggests a lack of enterprise VPN enforcement.
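To make the EXIF check concrete from the defender's side, here is an added example (not from this course and not ExifTool's code) that parses the GPS sub-IFD of a TIFF-format Exif body, i.e. the payload that follows the 6-byte 'Exif\0\0' prefix in a JPEG APP1 segment, and returns decimal coordinates so an image can be flagged before it is published. The Exif body it inspects is constructed inline by a small fixture builder; both byte orders are handled, but the fixture is little-endian.

```python
import struct
GPS_IFD_POINTER = 0x8825  # IFD0 tag that points at the GPS sub-IFD

def _entries(tiff, offset, endian):
    """Yield (tag, type, count, raw 4-byte value/offset field) for each entry of an IFD."""
    n = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(endian + "HHI", tiff[e:e + 8])
        yield tag, typ, count, tiff[e + 8:e + 12]

def _rationals(tiff, endian, count, raw):
    """Read `count` RATIONAL (numerator/denominator) values stored at the offset in `raw`."""
    off = struct.unpack(endian + "I", raw)[0]
    v = struct.unpack(endian + "%dI" % (2 * count), tiff[off:off + 8 * count])
    return [v[i] / v[i + 1] for i in range(0, len(v), 2)]

def exif_gps(tiff):
    """Return (lat, lon) in decimal degrees from a TIFF-format Exif body, or None if absent."""
    endian = "<" if tiff[:2] == b"II" else ">"      # 'II' = little-endian, 'MM' = big-endian
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    gps_off = next((struct.unpack(endian + "I", raw)[0]
                    for tag, _, _, raw in _entries(tiff, ifd0, endian)
                    if tag == GPS_IFD_POINTER), None)
    if gps_off is None:
        return None
    f = {}
    for tag, typ, count, raw in _entries(tiff, gps_off, endian):
        if tag in (1, 3):      # GPSLatitudeRef / GPSLongitudeRef: 'N','S','E','W', stored inline
            f[tag] = raw[:1].decode()
        elif tag in (2, 4):    # GPSLatitude / GPSLongitude: three RATIONALs (deg, min, sec)
            f[tag] = _rationals(tiff, endian, count, raw)
    if len(f) < 4:
        return None
    lat = f[2][0] + f[2][1] / 60 + f[2][2] / 3600
    lon = f[4][0] + f[4][1] / 60 + f[4][2] / 3600
    return (-lat if f[1] == "S" else lat), (-lon if f[3] == "W" else lon)

def build_sample_exif(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed fixture: little-endian Exif body; header 8 | IFD0 at 8 | GPS IFD at 26 | rationals at 80."""
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_POINTER, 4, 1, 26) + b"\0" * 4
    gps = struct.pack("<H", 4)
    gps += struct.pack("<HHI", 1, 2, 2) + lat_ref.encode() + b"\0\0\0"  # inline ASCII value
    gps += struct.pack("<HHII", 2, 5, 3, 80)                             # 3 RATIONALs at 80
    gps += struct.pack("<HHI", 3, 2, 2) + lon_ref.encode() + b"\0\0\0"
    gps += struct.pack("<HHII", 4, 5, 3, 104)                            # 3 RATIONALs at 104
    gps += b"\0" * 4                                                     # no next IFD
    rat = b"".join(struct.pack("<II", round(v * 100), 100) for v in lat_dms + lon_dms)
    return b"II*\0" + struct.pack("<I", 8) + ifd0 + gps + rat
```

A pre-publication check is simply `exif_gps(body) is not None`; a non-None result means the file still carries a location and should be stripped before it leaves the organization.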
💡 Profile Badges: Look for 'Certified' badges on LinkedIn. An 'AWS Certified Solutions Architect' badge tells you the target likely uses AWS deeply. 'CEH' or 'OSCP' badges reveal the security team's mindset.