How To Cyberstalk Potential Employers

        This article is less diabolical than its title might imply. Essentially, I want to give the reader some tips for finding more information about a potential employer than the job listing may reveal. Sometimes the job description gives all of the information you could want, but often it may not say much about the organization's network or development environment. Sometimes job descriptions are written by people who don't even know what the terms they are using mean (10+ years of C# experience anyone?). You could scan their whole network with Nmap, but triggering a few thousand IDS alerts is probably not a good way to ingratiate yourself with an employer. So this article will cover more passive ways you can obtain information about their company infrastructure.  This is going to be a mile high overview just to get your mind working in the creative ways it takes to investigate companies passively. Now, on with how to cyberstalk.

Other job postings

        This is a big "duh!" so I won't spend much time on it.  Sometimes the best way to find out more information about a company's environment is to look at job posting other than the one you are applying for. Just because your job posting lacks detail does not mean all of them do.

Mail Headers

         Assuming you have had some correspondence with them,  one of the first and most overlooked ways to find out more information about an employer is their e-mail's Internet headers. This will be the most technical part of the article so bear with me. What information you can gather from these headers is varied, and sometimes you won't find any useful information at all. Reading mail headers is sort of a black art, but I'll show you two header examples that will give you an idea of what to look for (I've tried to sanitize these headers as much as I can; when an IP is a valid one it may not be the IP shown in the original header). Not all mail systems will return all of the information shown, so your results may vary greatly. To view these headers in Gmail click on an individual message's dropdown menu and choose "Show original", in Outlook, go to View->Options and look at the Internet headers; in all other e-mail reader, figure it out.

E-mail 1

E-mail 2

Delivered-To: ig@gmail.com Received: by 10.2.2.2 with SMTP id 2cs208916wxz; Fri, 15 Jun 2007 09:31:08 -0700 (PDT) Received: by 10.115.94.1 with SMTP id w1mr3175428wal.1181925067563; Fri, 15 Jun 2007 09:31:07 -0700 (PDT) Return-Path: <jsmith@company.com> Received: from spunkymail-mx4.g.dreamhost.com (balanced.mail.policyd.dreamhost.com [208.97.132.119]) by mx.google.com with ESMTP id n20si5908494pof.2007.06.15.09.31.07; Fri, 15 Jun 2007 09:31:07 -0700 (PDT) Received-SPF: neutral (google.com: 208.97.132.119 is neither permitted nor denied by best guess record for domain of jsmith@company.com) Received: from smtpout10.prod.mesa1.secureserver.net (smtpout10-04.prod.mesa1.secureserver.net [64.202.65.23]) by spunkymail-mx4.g.dreamhost.com (Postfix) with SMTP id 5A2B719AA6F for <ig@ig.com>; Fri, 15 Jun 2007 09:31:04 -0700 (PDT) Received: (qmail 14131 invoked from network); 15 Jun 2007 16:31:05 -0000 Received: from unknown (71.154.217.231) by smtpout10-04.prod.mesa1.secureserver.net (64.202.65.23) with ESMTP; 15 Jun 2007 16:31:05 -0000 Message-ID: <4672BF51.90608@company.com> Date: Fri, 15 Jun 2007 12:33:21 -0400 From: John Smith <jsmith@company.com> User-Agent: Thunderbird 2.0.0.0 (Windows/20070326) MIME-Version: 1.0 To: ig@ig.com Subject: Job Opportunity Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit

Mon, 30 Apr 2007 10:42:09 -0700 (PDT) Received: by 10.35.32.9 with SMTP id k9mr11599396pyj.1177954929370; Mon, 30 Apr 2007 10:42:09 -0700 (PDT) Return-Path: <jjones@papermill.edu> Received: from vern.ig.com (vern.ig.com [71.154.1.7]) by mx.google.com with ESMTP id f24si6685580pyh.2007.04.30.10.42.09; Mon, 30 Apr 2007 10:42:09 -0700 (PDT) Received-SPF: neutral (google.com: 71.15.1.7 is neither permitted nor denied by best guess record for domain of jjones@papermill.edu) Received: from mssg-smtp.ig.com (mssg.ig.com [10.1.1.1]) by vern.ig.com (8.13.6/8.12.10/PMPO) with ESMTP id l3UHfuOs017638 for <ig@gmail.com>; Mon, 30 Apr 2007 13:42:04 -0400 (EDT) Received: from mssg.ig.com ([10.1.1.13]) by mssg-smtp.ig.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 30 Apr 2007 13:42:00 -0400 Received: from mssg-smtp102.ig.com ([10.79.1.5]) by mssg.ig.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 30 Apr 2007 13:42:00 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Received: from pewee.ig.com ([71.15.1.13]) by mssg-smtp102.ig.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 30 Apr 2007 13:41:59 -0400 Received: from postal.papermill.edu (postal.papermill.edu [168.1.1.2]) by pewee.ig.com (8.13.8/8.13.8/IG Messaging) with ESMTP id l3UHfuot019772 for <adrian@ig.com>; Mon, 30 Apr 2007 13:41:58 -0400 Received: from localhost (localhost.localdomain [127.0.0.1]) by postal.papermill.edu (Postfix) with ESMTP id 7A4F786593 for <adrian@ig.com>; Mon, 30 Apr 2007 13:41:56 -0400 (EDT) Received: from postal.papermill.edu ([127.0.0.1]) by localhost (postal.papermill.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 30898-05 for <adrian@ig.com>; Mon, 30 Apr 2007 13:41:55 -0400 (EDT) Received: from b2jjones (b2-jjones.ddns.papermill.edu [172.16.168.115]) by postal.papermill.edu (Postfix) with ESMTP id 773CD86279 for <adrian@ig.com>; Mon, 30 Apr 2007 13:41:55 -0400 (EDT) X-Mailer: Microsoft Office Outlook, Build 11.0.5510 X-MimeOLE: Produced By Microsoft Exchange V6.5 X-OriginalArrivalTime: 30 Apr 2007 17:41:59.0579 (UTC) FILETIME=[DAAC66B0:01C78B4E] X-Virus-Scanned: amavisd-new at postal.papermill.edu Content-class: urn:content-classes:message Subject: RE: Open positions Date: Mon, 30 Apr 2007 13:42:00 -0400 Message-ID: <DFBF3049C4AE534AA73D793FE318E55001B3856C@mssg.ig.com> In-Reply-To: <DFBF3049C4AE534AA73D793FE318E55001CC389F@mssg.ig.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Open positions status Thread-Index: AceGjvbv5vTw6CZrSCagiFVAzs6I1wEwmbLQ From: "Jill Jones" <jjones@papermill.edu> To: <ig@gmail.com>

        So, what information can I gather from these e-mail headers? Well, assuming this is the first e-mail contact you have had with the company, you now at least have the name of someone working there (I've highlighted the name in orange). This will come in handy as a starting point for the Google searches I'll talk about later. Next, notice the text I highlighted in red. These are the IP addresses/hostnames of the people who sent the message originally. The one in E-mail 1 is a routable IP which I can put into a WhoIs query to pull up more information about the company that owns it (I like to use the site DNSStuff for this, but the *nix command line whois or Nirsoft's Windows tools IPNetInfo and WhoIsThisDomain are also very good). The IP may not belong directly to the company, but at least you will find out more about what ISP they are using. If the IP is owned by the company, you will hopefully find useful names and phone numbers in the contact information that will allow for further Google scrounging. Check out my article "What can you find out from an IP?" for more information on what you can do once you know an IP.  Once you have their IP, you can use it to search your own website's logs to see if they have visited your site, and depending on your logging software you can find out what web browsers, operating systems and maybe even the screen resolution they are using. The IP in E-mail 2 starts with "172.16" which is a non-routable reserved IP.  This tells me that E-mail 2's LAN is most likely behind a NAT box of some kind. From the host name in E-mail 2 I can tell what sort of naming conventions they use for their workstations. Another useful thing to try is a basic Google search for the IP or hostname listed. If you are lucky this may return public logs of sites that the workstation has visited. The text highlighted in blue tells me about what mail client they are using, including the OS and exact version. The green text gives me what type of mail server they have. Even if there's not much information in the headers, it should still give you a starting point for some Google scrounging.

Google scrounging web sites/forums/Usenet posts

        Many companies leave information about themselves all over the public Internet. Johnny Long wrote a great primer on using Google to recover obscure information called "The Google Hacker's Guide" which is available at the following URL:

http://johnny.ihackstuff.com/downloads/task,doc_download/gid,19/

Johnny's book "Google Hacking for Penetration Testers" is also very good, but the primer above should be enough to get you started. One of the most useful Google operands is "site:" which lets you specify the domain you want to search. For example, if I wanted to find mentions of a company on a certain site I could use the search:

CompanyXYZ site:example.com

and it would return all of the pages Google knows about ending with the domain name "example.com" and containing "ComanyXYZ" in the content/title/meta tags. I've also had great luck doing a Google search with my soon-to-be-interviewer's name and their city of residence. Using this method I've found the interviewer's blog or social network profile before, and using the information from those resources I've found more pages with useful information about the company. For example, searching for a person's name may take you to a site where they have used a certain screen name or email address, and searching for that screen name or email address may lead you to a forum, blog or usenet post that the person has made that reveals more information about them or their company. Another useful search to perform is:

"companyxyz.com" -site:companyxyz.com

Notice the minus symbol before the "site:" parameter. This query will return pages that contain the text companyxyz.com, but do not reside on a server with the companyxyz.com domain, thus filtering out a lot of noise. I've used this technique before to look for company e-mail addresses, found a post on a car forum by a former employee, did a search for the former employee's screen name and then found his current email address so I could ask him about his old company. It's all about taking one piece of info and building on it till you have gobs of information.

        I wish I could give better examples of Google hacking without dropping someone's docs (geek slang for revealing personal information). I've thought of doing a video on it, but I can't think of a good way of doing it without opening myself up to liability. Suffice it to say, reading Johnny Long's  "The Google Hacker's Guide" should get you thinking in the right direction.

Surfing the company's site

        Just surfing a company's website will give you tons of information. By looking at the URLs of their pages you can quickly tell if they use PHP, Active Server Pages, J2EE, ColdFusion or some other dynamic web sites language. If you want more passive information about a company's web environment, looking at the headers their site returns will give you a wealth of information. Most of you should know how to do a banner grab with telnet, but a better and more passive way is to use the LiveHTTPHeaders Firefox plug-in from:

http://livehttpheaders.mozdev.org/

With LiveHTTPHeaders you can quickly looks at the headers HTTP requests return, like the following example I pulled from Irongeek.com:

HTTP/1.x 200 OK Date: Mon, 02 Jul 2007 13:18:13 GMT Server: Apache/1.3.37 (Unix) mod_throttle/3.1.2 DAV/1.0.3 mod_fastcgi/2.4.2 mod_gzip/1.3.26.1a PHP/4.4.7 mod_ssl/2.8.22 OpenSSL/0.9.7e X-Powered-By: PHP/4.4.7 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html Content-Encoding: gzip Content-Length: 10696

From this example you can see my hosting server is running Apache 1.3.37, what version of PHP I use and what versions of various Apache mods are being used. It should be noted that many folks use NetCraft to find out this sort of information.

Social Networking Sites

        I have to admit to being a MySpace hater (I much prefer FaceBook) but both social network sites can be useful to job searchers because their search functions will let you find other folks that already work at your target company. Reading someone's profile or blog entry may tell you about some of the tech in the company, but more than anything it's useful for finding more useful terms to use for Google scrounging. If nothing else it gives you a chance to ask a company insider about the work environment so you can decide if you want to work there are not. Just be careful how you talk to people so you don't come off as a creepy stalker (as oppose to a sweet and lovable stalker). If you have found your interviewer's personal site or profile it might have helpful information that lets you setup a good rapport with them during the interview, but try not to come off as creepy. Another social network site that's especially made for career advancement and networking is LinkedIn:

http://www.linkedin.com

Feel free to add me if you can find me :). Since people often post their resume and job experience on LinkedIn it's a great source of information about a company's IT environment. If you want to know about a company's "corporate culture" it's best to ask a former employee that no longer has a vested interest in the company.

    While I'm on the topic of Social Networking Sites, there are other "Web 2.0" sites that may yield useful information. Going to each one individually takes a lot of time, but there is a way to get many them in one swipe: Rapleaf.com. Rapleaf bills itself as an "email-based reputation lookup" service. After submitting a person's email address Rapleaf will return what information it has about the person. If the email address has never been queried before Rapleaf will ask you to login (registration is free) and will then scour the Internet looking for accounts linked to that email address. You will get an email when the report is ready. I did a search for one of my old email addresses and Rapleaf returned links to my Facebook, Friendster and MySpace profiles, along with links to my Flickr and Amazon Wishlist. Creepy. Also, by signing up with Rapleaf you can filter what people see when they search for your email address, but keep in mind this only protects you from people using Rapleaf, not folks Google stalking you by hand.  (Note: Since I first published this Rapleaf has become far less useful, check out some of the other links I recommend at the end of this article.)

Conclusion

        I hope this article has helped you think in new ways about researching prospective employers. As Tehbizz points out in the BinRev thread, you may want to be careful how much knowledge you reveal you have about a company's internal workings to an interviewer; it may make them paranoid about your intentions. Also, while I've focused on how to cyberstalk potential employers,  potential employers can cyberstalk you in much the same way using these techniques. Those drunken pics of you on MySpace no longer seem like such a good idea, do they? I plan to expand this article over time, so if you have any good ideas email me or post them in the BinRev thread:

http://www.binrev.com/forums/index.php?showtopic=31087

I'm especially interested in stories about how you have researched employers. Good luck with your job search.

Useful links

Since Rapleaf is no longer as useful as it once was, check out these alternatives:
http://www.pipl.com
http://www.peekyou.com 
http://yoname.com 

Also, TinEye might be useful to you. You can feed it an image and it will try to find others like it on the Internet: This can be useful for finding duplicate images of a person. For example, you may find a picture from the company picnic and searching TinEye for it may lead you to the person's profile on some social network site.
http://tineye.com 

Tools

Maltego: Great GUI for connecting the dots or how people and organizations are related.
http://www.paterva.com/maltego/community-edition/

Metagoofil: Useful for searching a company's website and extracting metadata from the files there that can lead you to more information about who works there and how they set up their internal LAN.
http://www.edge-security.com/metagoofil.php 

Further Research

These links should be useful to you for further research on the subject of how to cyberstalk employers.

First there's a video of Mubix's presentation from Dojo Sec on finding a job in information security:
http://vimeo.com/4108726

Second there's a video of a class Brian and I did on Footprinting, Scoping and Recon where we go into depth on how to find out more information about people and organizations:
http://www.irongeek.com/i.php?page=videos/footprinting-scoping-and-recon-with-dns-google-hacking-and-metadata

Change Log:
10/12/2009: I added some sections at the end with useful links, tools and further research. I also fixed some minor typos.
05/26/2008: I updated the "Social Networking Sites" section with information about RapLeaf. I also updated the "Mail Headers" section with information on the *nix command line whois and Nirsoft's Windows tools IPNetInfo and WhoIsThisDomain.
07/04/2007: First version posted.