InSpy
Overview
InSpy is a Python-based reconnaissance tool designed for OSINT (Open Source Intelligence) gathering through LinkedIn. It helps security testers and researchers identify organizational structure, employee information, and email patterns without requiring direct API access. It is useful for authorized security assessments and threat intelligence gathering.
Installation
Linux (Debian/Ubuntu)
git clone https://github.com/leapsecurity/InSpy.git
cd InSpy
sudo apt-get install python3 python3-pip
pip3 install -r requirements.txt
macOS
brew install python3
git clone https://github.com/leapsecurity/InSpy.git
cd InSpy
pip3 install -r requirements.txt
# Using Python 3.8+
git clone https://github.com/leapsecurity/InSpy.git
cd InSpy
python -m pip install -r requirements.txt
Docker Installation
docker build -t inspy .
docker run -it inspy python3 inspy.py --help
Requirements
- Python 3.6+
- requests
- beautifulsoup4
- selenium (optional, for browser automation)
- googlesearch-python (optional)
Basic Usage
| Command | Description |
|---|---|
| python3 inspy.py -c "Company Name" | Enumerate by company name |
| python3 inspy.py -d example.com | Enumerate by domain |
| python3 inspy.py -c "Company" -e | Extract email addresses |
| python3 inspy.py -c "Company" -j | Export results as JSON |
| python3 inspy.py --help | Display all options |
Command-Line Options
Basic Options
-c, --company TEXT    Target company name
-d, --domain TEXT     Target domain/website
-e, --emails          Extract email addresses
-j, --json            Output results as JSON
-h, --help            Show help message
Advanced Options
-p, --people          Extract people list
-t, --titles TEXT     Filter by job title
-l, --limit INTEGER   Maximum results (default: 100)
-o, --output FILE     Save results to file
-v, --verbose         Verbose output
-s, --silent          Silent mode (no progress)
LinkedIn-Specific Options
--linkedin-url TEXT   Direct LinkedIn company URL
--cookie-file PATH    LinkedIn session cookies
--proxy PROXY         Use HTTP proxy
--timeout INT         Request timeout (seconds)
LinkedIn Enumeration
Company-Based Enumeration
Find Company Information
# Basic company search
python3 inspy.py -c "Google"
# With email extraction
python3 inspy.py -c "Google" -e
# Save to file
python3 inspy.py -c "Microsoft" -o results.txt
Domain-Based Enumeration
# Enumerate using domain
python3 inspy.py -d "example.com"
# Multiple domains
for domain in company1.com company2.com company3.com; do
    python3 inspy.py -d "$domain"
done
Employee Discovery
Filter by Job Title
# Find all engineers
python3 inspy.py -c "Company" -t "engineer"
# Find security professionals
python3 inspy.py -c "Company" -t "security"
# Find IT staff
python3 inspy.py -c "Company" -t "IT"
Extract Employee Names
# Get full employee list
python3 inspy.py -c "Company" -p
# Filter and display
python3 inspy.py -c "Company" -p | grep -i "john"
# Count employees
python3 inspy.py -c "Company" -p | wc -l
Email Format Detection
Discover Email Patterns
# Extract email addresses
python3 inspy.py -c "Company" -e
# Output format: firstname.lastname@company.com
# Or: f.lastname@company.com
# Or: firstname_lastname@company.com
Email Pattern Analysis
# Save emails to file
python3 inspy.py -c "Company" -e -o emails.txt
# Analyze patterns
cat emails.txt | awk -F'@' '{print $1}' | sort | uniq | head -20
# Find common patterns
grep -oE "^[^@]+" emails.txt | sed 's/[0-9]*$//' | sort | uniq -c | sort -rn
Advanced Reconnaissance Workflows
Complete Company Profile
Gather Full Organization Intelligence
#!/bin/bash
# Configuration
COMPANY="Target Company"
OUTPUT_DIR="reconnaissance_output"
# Create output directory
mkdir -p "$OUTPUT_DIR"
# 1. Get general company info
echo "[*] Gathering company information..."
python3 inspy.py -c "$COMPANY" -o "$OUTPUT_DIR/company_info.txt"
# 2. Extract employees
echo "[*] Extracting employee list..."
python3 inspy.py -c "$COMPANY" -p -o "$OUTPUT_DIR/employees.txt"
# 3. Get email addresses
echo "[*] Finding email addresses..."
python3 inspy.py -c "$COMPANY" -e -o "$OUTPUT_DIR/emails.txt"
# 4. Filter by departments
echo "[*] Finding IT staff..."
python3 inspy.py -c "$COMPANY" -t "IT" -o "$OUTPUT_DIR/it_staff.txt"
echo "[*] Finding security professionals..."
python3 inspy.py -c "$COMPANY" -t "security" -o "$OUTPUT_DIR/security_staff.txt"
echo "[*] Reconnaissance complete. Results in $OUTPUT_DIR/"
Email Enumeration for Phishing Assessment
Prepare Email List
#!/bin/bash
# Extract emails from InSpy results
python3 inspy.py -c "Target" -e -o target_emails.txt
# Format for testing
cat target_emails.txt | sort | uniq > verified_emails.txt
# Count unique emails
wc -l verified_emails.txt
# Export for other tools
cat verified_emails.txt | awk '{print $1}' > email_list.csv
Email Verification
# Verify emails exist (ethical testing only)
# Using tools like hunter.io API or internal verification
# Create target list
grep "@company.com" target_emails.txt > valid_targets.txt
# Test email format validity
python3 << 'EOF'
import re

with open('valid_targets.txt', 'r') as f:
    for email in f:
        email = email.strip()
        # Simple regex validation
        if re.match(r'^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$', email):
            print(email)
EOF
Data Processing and Analysis
Parse InSpy Output
JSON Processing
# Export as JSON
python3 inspy.py -c "Company" -j -o company.json
# Parse JSON with jq
jq '.employees[] | {name, title, location}' company.json
# Extract specific field
jq -r '.employees[] | .email' company.json
# Count results
jq '.employees | length' company.json
Text Processing
# Remove duplicates
sort -u results.txt > unique_results.txt
# Filter by domain
grep "@company.com" results.txt
# Count occurrences
sort results.txt | uniq -c | sort -rn
# Extract unique titles
cat results.txt | awk '{print $NF}' | sort | uniq
Create Targeting Lists
Department-Based Lists
#!/bin/bash
# Extract by department keyword
echo "[*] Creating department targeting lists..."
# Engineering
python3 inspy.py -c "Company" -p -o all_employees.txt
grep -i "engineer\|developer\|architect" all_employees.txt > engineering.txt
# Finance
grep -i "finance\|accountant\|treasurer" all_employees.txt > finance.txt
# HR
grep -i "human resource\|recruiter\|hr" all_employees.txt > hr.txt
# Sales
grep -i "sales\|business development" all_employees.txt > sales.txt
echo "[*] Department lists created"
Seniority-Based Lists
#!/bin/bash
# Extract by seniority indicators
python3 inspy.py -c "Company" -p -o employees.txt
# Senior management
grep -iE "(director|vp|vice president|cfo|cto|ceo)" employees.txt > senior_management.txt
# Middle management
grep -iE "(manager|lead|supervisor)" employees.txt > management.txt
# Individual contributors
grep -v -iE "(director|vp|manager|lead)" employees.txt > individual_contributors.txt
echo "[*] Seniority analysis complete"
Integration with Other Tools
Combine with Hunter.io
#!/bin/bash
# Get emails from InSpy
python3 inspy.py -c "Company" -e -o inspy_emails.txt
# Cross-reference with Hunter.io (if API access available)
HUNTER_API_KEY="your_api_key"
while read -r email; do
    domain=$(echo "$email" | awk -F'@' '{print $2}')
    curl -s "https://api.hunter.io/v2/domain-search?domain=$domain&api_key=$HUNTER_API_KEY" \
        | jq '.data.emails[]'
done < inspy_emails.txt
Export for LinkedIn Analysis
# Prepare data for manual LinkedIn verification
python3 inspy.py -c "Company" -e -o emails.txt
python3 inspy.py -c "Company" -p -o people.txt
# Create CSV for spreadsheet import
paste people.txt emails.txt > linkedin_analysis.csv
Feed into Network Mapping Tools
#!/bin/bash
# Export for Shodan/Censys verification
python3 inspy.py -c "Company" -d "company.com" -o company_info.txt
# Extract and validate domains
grep -oE "[a-z0-9.-]+\.com" company_info.txt | sort -u > domains.txt
# Use with Shodan CLI
while read -r domain; do
    shodan host "$domain"
done < domains.txt
Configuration and Customization
Configuration File Setup
Create config.ini
[linkedin]
email_format = firstname.lastname@domain.com
search_limit = 100
timeout = 30
[output]
format = json
directory = ./results
[filters]
job_titles = engineer,architect,developer
locations = United States
[proxy]
enabled = false
# proxy_url = http://proxy:port
Use Configuration
python3 inspy.py -c "Company" --config config.ini
Custom Email Pattern Detection
Script to Analyze Email Formats
#!/usr/bin/env python3
import re
from collections import defaultdict


def analyze_email_patterns(email_list):
    """Count which local-part format each address in the file follows."""
    patterns = defaultdict(int)
    with open(email_list, 'r') as f:
        for line in f:
            email = line.strip().lower()
            if email.count('@') != 1:
                continue  # skip blank lines and malformed entries
            local, domain = email.split('@')
            # Detect pattern; test the single-initial form first, because
            # the firstname.lastname regex would also match it
            if re.match(r'^[a-z]\.[a-z]+$', local):
                patterns['f.lastname'] += 1
            elif re.match(r'^[a-z]+\.[a-z]+$', local):
                patterns['firstname.lastname'] += 1
            elif re.match(r'^[a-z]+_[a-z]+$', local):
                patterns['firstname_lastname'] += 1
            elif re.match(r'^[a-z]{2,}$', local):
                patterns['firstname'] += 1
            else:
                patterns['custom'] += 1
    # Print results
    for pattern, count in sorted(patterns.items(), key=lambda x: x[1], reverse=True):
        print(f"{pattern}: {count}")


if __name__ == '__main__':
    analyze_email_patterns('emails.txt')
Limitations and Considerations
LinkedIn Detection Avoidance
- Avoid rapid repeated requests
- Use reasonable delays between queries
- Rotate user agents
- Consider proxy rotation for large operations
- Respect LinkedIn's Terms of Service
LinkedIn may:
- Rate limit excessive requests
- Block IP addresses
- Require additional verification
- Terminate account for violations
Data Accuracy
- Not all employees maintain LinkedIn profiles
- Job titles may be outdated
- Email formats may have changed
- Some information may be incomplete
- Verify findings independently
Ethical Usage Guidelines
Authorized Security Testing
- Ensure you have written authorization
- Scope engagement clearly
- Document all findings
- Handle sensitive data securely
- Maintain confidentiality
OSINT is legal, but always:
- Respect privacy regulations (GDPR, CCPA)
- Follow organization's policies
- Use findings for authorized purposes only
- Never attempt unauthorized access
Responsible Disclosure
If discovering vulnerabilities:
- Document findings thoroughly
- Report through proper channels
- Allow reasonable remediation time
- Follow responsible disclosure timeline
- Maintain confidentiality of findings
Troubleshooting
Connection Issues
LinkedIn Access Blocked
# Check network connectivity
ping linkedin.com
# Verify no proxy interference
python3 inspy.py -c "Company" --test-connection
# Try with explicit timeout
python3 inspy.py -c "Company" --timeout 60
Rate Limiting
# Add delay between requests
python3 << 'EOF'
import subprocess
import time

companies = ["Company1", "Company2", "Company3"]
for company in companies:
    print(f"[*] Searching {company}...")
    subprocess.run(["python3", "inspy.py", "-c", company])
    time.sleep(10)  # 10 second delay
EOF
Output Issues
No Results Found
# Verify company name spelling
python3 inspy.py -c "Goggle" # Incorrect
python3 inspy.py -c "Google" # Correct
# Try alternative names
python3 inspy.py -c "Google Inc"
python3 inspy.py -c "Alphabet"
# Use domain-based search
python3 inspy.py -d "google.com"
Incomplete Email Results
# Some profiles may not have public emails
# Try increasing result limit
python3 inspy.py -c "Company" -l 500 -e
# Filter by job title to target specific roles
python3 inspy.py -c "Company" -t "Engineer" -e
Best Practices
Reconnaissance Workflow
- Gather general company information
- Identify key departments/teams
- Locate specific individuals by role
- Extract email addresses
- Verify and validate findings
- Document all sources
- Create targeting lists as needed
Data Management
- Organize results by company
- Maintain separate files for different data types
- Use consistent naming conventions
- Store securely with appropriate access controls
- Archive old assessments
- Document collection date and methodology
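An added example, not part of InSpy or of the original page: one way to apply the storage and documentation points above to a JSON export before it goes into a report. The `employees` record shape is assumed from the jq queries earlier on this page, and `pseudonym`, `minimise`, `write_private` and the sample data are hypothetical names and constructed values.

```python
import hashlib
import hmac
import json
import os
from collections import Counter
from datetime import datetime, timezone

# Constructed sample in the shape the jq queries on this page assume
# (.employees[] with name, title, location, email); not real InSpy output.
SAMPLE_EXPORT = {
    "employees": [
        {"name": "Alex Example", "title": "Security Engineer",
         "location": "Remote", "email": "alex.example@example.com"},
        {"name": "Sam Sample", "title": "Finance Director",
         "location": "Remote", "email": "s.sample@example.com"},
        {"name": "Kim Placeholder", "title": "Recruiter",
         "location": "Remote", "email": None},
    ]
}


def pseudonym(value, key):
    """Keyed, non-reversible identifier so records stay linkable without names."""
    return hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()[:16]


def minimise(export, key, methodology):
    """Build a report-safe summary: no names or addresses, only counts and pseudonyms."""
    people = export.get("employees", [])
    domains = Counter()
    records = []
    for p in people:
        email = p.get("email") or ""
        has_email = email.count("@") == 1
        if has_email:
            domains[email.rsplit("@", 1)[1].lower()] += 1
        records.append({"id": pseudonym(p.get("name", ""), key),
                        "title": p.get("title", ""), "email_public": has_email})
    return {"collected_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "methodology": methodology, "profiles": len(people),
            "public_emails_by_domain": dict(domains), "records": records}


def write_private(path, summary):
    """Create the file readable by the owner only (0600), even under a loose umask."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(summary, fh, indent=2)
    os.chmod(path, 0o600)  # also tightens a file that already existed
    return path
```

Keep the HMAC key with the engagement records rather than beside the summary, so the pseudonyms cannot be recomputed from the report alone.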
Verification
- Cross-reference multiple sources
- Validate email formats independently
- Confirm current employment status
- Check for role changes
- Document verification sources
Resources
- GitHub Repository: https://github.com/leapsecurity/InSpy
- LinkedIn: https://www.linkedin.com/
- OSINT Guide: https://github.com/jivoi/awesome-osint
- Email Finder Tools: hunter.io, clearbit.com
- Community: OSINT Twitter/Security Forums
Version Information
Current stable: InSpy 1.0+
Language: Python 3
Cross-platform: Linux, macOS, Windows
Dependencies: Python 3.6+, requests, beautifulsoup4
License: MIT
Maintenance: Community-maintained