RocketReach - The Best OSINT Tool Ever?
When conducting red team engagements (or OSINT assessments for that matter), having access to accurate information about company employees, organisational structures and contact information is incredibly valuable. Many security-oriented tools do a great job, but sometimes even the tools not designed for security can be goldmines.
Enter RocketReach (not sponsored lol) - a platform ostensibly built for sales professionals to generate sales leads, but which has become one of the first tools I reach for in my box. It provides contact information for potential clients, integrates pretty well with LinkedIn and has a free tier that is more than enough for most OSINT purposes. It's obviously a data mining tool, but it's a good one. Some of the data you can find:
- Full names and job titles
- Direct email addresses (both work and personal)
- Phone numbers (including direct lines)
- Social media profiles (LinkedIn, Twitter, Facebook, etc.)
- Employment history and education background
- Organizational charts and reporting structures
Methodology
OSINT is an iterative process. You shouldn't just rely on one tool or source to get the job done - you should have a running commentary of every bit of information you find and with every new artifact you should be feeding it back into your process. Rinse and repeat.
For example, say I'm targeting the CEO of a company. Every piece of information I find about them is another piece of the puzzle - I might search for "John Doe" in a breached database search engine, and happen across an email address. The very first thing I do is add that email to my notes, and search again for that email. Then I might get another hit, and more information, etc.
Typically, when targeting individuals, I try to aim for the below:
- Name
- Work Email
- Personal Email
- Work Phone Number
- Personal Phone Number
- Personal Address
- Social Media Profiles
- TikTok
- YouTube
- GitHub
Rocketreach is really useful, and most of the time can populate 50% of the above list - the other 50% comes from the iterative process I mentioned before.
Most crucially, it's a great way to find personal email addresses and phone numbers. In my professional experience, employees tend to be less security conscious with their personal email addresses, and will obviously sign up to services with them. For this reason, you are much more likely to get hits on personal email addresses than with work email addresses. This is why it is so important to have good information hygiene and not cross-contaminate personal and work data.
Real-World Usage Example
Let's take it for a spin. I searched for a relatively small company's domain (that will remain nameless), and the second result yielded a dev employee.
So here's what we have from just knowing the company's domain name:
- A technical employee that potentially has high privileges
- A work email address
- A personal email address
- A work phone number
- Education and employment history (pulled from LinkedIn)
- A list of skills - we can cross-reference this with other technical employees to determine the company's technology stack.
Ethical Considerations
As with any powerful intelligence tool, RocketReach comes with significant ethical considerations (insert spiderman quote here).
- Only use this tool in the context of authorized security assessments
- Securely store and handle any personal information gathered. Yes, this information is in the public domain, but not everybody has the skillset or knowledge to obtain this information. Doxxing ruins lives - don't be that person.
- Respect privacy laws such as GDPR, CCPA and others relevant to your jurisdiction
Defensive Countermeasures
For security professionals concerned about their organization's exposure on platforms like RocketReach, consider these defensive measures:
- Request removal of sensitive personnel from data brokers like RocketReach
- Implement regular company-wide security awareness training about OSINT risks and targeted phishing attacks
- Practice good information hygiene - don't cross contaminate by using work email addresses for personal services and vice versa
- Regularly search for your organization on these platforms to understand your exposure