InSpy
Overview
Sezione intitolata “Overview”InSpy is a Python-based reconnaissance tool designed for OSINT (Open Source Intelligence) gathering through LinkedIn. It helps security testers and researchers identify organizational structure, employee information, and email patterns without requiring direct API access. Useful for authorized security assessments and threat intelligence gathering.
Installation
Sezione intitolata “Installation”Linux (Debian/Ubuntu)
Sezione intitolata “Linux (Debian/Ubuntu)”git clone https://github.com/leapsecurity/InSpy.git
cd InSpy
sudo apt-get install python3 python3-pip
pip3 install -r requirements.txtbrew install python3
git clone https://github.com/leapsecurity/InSpy.git
cd InSpy
pip3 install -r requirements.txtWindows
Sezione intitolata “Windows”# Using Python 3.8+
git clone https://github.com/leapsecurity/InSpy.git
cd InSpy
python -m pip install -r requirements.txtDocker Installation
Sezione intitolata “Docker Installation”docker build -t inspy .
docker run -it inspy python3 inspy.py --helpRequirements
Sezione intitolata “Requirements”Python 3.6+
requests
beautifulsoup4
selenium (optional, for browser automation)
googlesearch-python (optional)Basic Usage
Sezione intitolata “Basic Usage”| Command | Description |
|---|---|
python3 inspy.py -c "Company Name" | Enumerate by company name |
python3 inspy.py -d example.com | Enumerate by domain |
python3 inspy.py -c "Company" -e | Extract email addresses |
python3 inspy.py -c "Company" -j | Export results as JSON |
python3 inspy.py --help | Display all options |
Command-Line Options
Sezione intitolata “Command-Line Options”Basic Options
Sezione intitolata “Basic Options”-c, --company TEXT Target company name
-d, --domain TEXT Target domain/website
-e, --emails Extract email addresses
-j, --json Output results as JSON
-h, --help Show help messageAdvanced Options
Sezione intitolata “Advanced Options”-p, --people Extract people list
-t, --titles TEXT Filter by job title
-l, --limit INTEGER Maximum results (default: 100)
-o, --output FILE Save results to file
-v, --verbose Verbose output
-s, --silent Silent mode (no progress)LinkedIn-Specific Options
Sezione intitolata “LinkedIn-Specific Options”--linkedin-url TEXT Direct LinkedIn company URL
--cookie-file PATH LinkedIn session cookies
--proxy PROXY Use HTTP proxy
--timeout INT Request timeout (seconds)LinkedIn Enumeration
Sezione intitolata “LinkedIn Enumeration”Company-Based Enumeration
Sezione intitolata “Company-Based Enumeration”Find Company Information
Sezione intitolata “Find Company Information”# Basic company search
python3 inspy.py -c "Google"
# With email extraction
python3 inspy.py -c "Google" -e
# Save to file
python3 inspy.py -c "Microsoft" -o results.txtDomain-Based Enumeration
Sezione intitolata “Domain-Based Enumeration”# Enumerate using domain
python3 inspy.py -d "example.com"
# Multiple domains
for domain in company1.com company2.com company3.com; do
python3 inspy.py -d "$domain"
doneEmployee Discovery
Sezione intitolata “Employee Discovery”Filter by Job Title
Sezione intitolata “Filter by Job Title”# Find all engineers
python3 inspy.py -c "Company" -t "engineer"
# Find security professionals
python3 inspy.py -c "Company" -t "security"
# Find IT staff
python3 inspy.py -c "Company" -t "IT"Extract Employee Names
Sezione intitolata “Extract Employee Names”# Get full employee list
python3 inspy.py -c "Company" -p
# Filter and display
python3 inspy.py -c "Company" -p | grep -i "john"
# Count employees
python3 inspy.py -c "Company" -p | wc -lEmail Format Detection
Sezione intitolata “Email Format Detection”Discover Email Patterns
Sezione intitolata “Discover Email Patterns”# Extract email addresses
python3 inspy.py -c "Company" -e
# Output format: firstname.lastname@company.com
# Or: f.lastname@company.com
# Or: firstname_lastname@company.comEmail Pattern Analysis
Sezione intitolata “Email Pattern Analysis”# Save emails to file
python3 inspy.py -c "Company" -e -o emails.txt
# Analyze patterns
cat emails.txt | awk -F'@' '{print $1}' | sort | uniq | head -20
# Find common patterns
grep -oE "^[^@]+" emails.txt | sed 's/[0-9]*$//' | sort | uniq -c | sort -rnAdvanced Reconnaissance Workflows
Sezione intitolata “Advanced Reconnaissance Workflows”Complete Company Profile
Sezione intitolata “Complete Company Profile”Gather Full Organization Intelligence
Sezione intitolata “Gather Full Organization Intelligence”#!/bin/bash
# Configuration
COMPANY="Target Company"
OUTPUT_DIR="reconnaissance_output"
# Create output directory
mkdir -p "$OUTPUT_DIR"
# 1. Get general company info
echo "[*] Gathering company information..."
python3 inspy.py -c "$COMPANY" -o "$OUTPUT_DIR/company_info.txt"
# 2. Extract employees
echo "[*] Extracting employee list..."
python3 inspy.py -c "$COMPANY" -p -o "$OUTPUT_DIR/employees.txt"
# 3. Get email addresses
echo "[*] Finding email addresses..."
python3 inspy.py -c "$COMPANY" -e -o "$OUTPUT_DIR/emails.txt"
# 4. Filter by departments
echo "[*] Finding IT staff..."
python3 inspy.py -c "$COMPANY" -t "IT" -o "$OUTPUT_DIR/it_staff.txt"
echo "[*] Finding security professionals..."
python3 inspy.py -c "$COMPANY" -t "security" -o "$OUTPUT_DIR/security_staff.txt"
echo "[*] Reconnaissance complete. Results in $OUTPUT_DIR/"Email Enumeration for Phishing Assessment
Sezione intitolata “Email Enumeration for Phishing Assessment”Prepare Email List
Sezione intitolata “Prepare Email List”#!/bin/bash
# Extract emails from InSpy results
python3 inspy.py -c "Target" -e -o target_emails.txt
# Format for testing
cat target_emails.txt | sort | uniq > verified_emails.txt
# Count unique emails
wc -l verified_emails.txt
# Export for other tools
cat verified_emails.txt | awk '{print $1}' > email_list.csvEmail Verification
Sezione intitolata “Email Verification”# Verify emails exist (ethical testing only)
# Using tools like hunter.io API or internal verification
# Create target list
grep "@company.com" target_emails.txt > valid_targets.txt
# Test email format validity
python3 << 'EOF'
import re
with open('valid_targets.txt', 'r') as f:
for email in f:
email = email.strip()
# Simple regex validation
if re.match(r'^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$', email):
print(email)
EOFData Processing and Analysis
Sezione intitolata “Data Processing and Analysis”Parse InSpy Output
Sezione intitolata “Parse InSpy Output”JSON Processing
Sezione intitolata “JSON Processing”# Export as JSON
python3 inspy.py -c "Company" -j -o company.json
# Parse JSON with jq
jq '.employees[] | {name, title, location}' company.json
# Extract specific field
jq -r '.employees[] | .email' company.json
# Count results
jq '.employees | length' company.jsonText Processing
Sezione intitolata “Text Processing”# Remove duplicates
sort -u results.txt > unique_results.txt
# Filter by domain
grep "@company.com" results.txt
# Count occurrences
sort | uniq -c | sort -rn
# Extract unique titles
cat results.txt | awk '{print $NF}' | sort | uniqCreate Targeting Lists
Sezione intitolata “Create Targeting Lists”Department-Based Lists
Sezione intitolata “Department-Based Lists”#!/bin/bash
# Extract by department keyword
echo "[*] Creating department targeting lists..."
# Engineering
python3 inspy.py -c "Company" -p -o all_employees.txt
grep -i "engineer\|developer\|architect" all_employees.txt > engineering.txt
# Finance
grep -i "finance\|accountant\|treasurer" all_employees.txt > finance.txt
# HR
grep -i "human resource\|recruiter\|hr" all_employees.txt > hr.txt
# Sales
grep -i "sales\|business development" all_employees.txt > sales.txt
echo "[*] Department lists created"Seniority-Based Lists
Sezione intitolata “Seniority-Based Lists”#!/bin/bash
# Extract by seniority indicators
python3 inspy.py -c "Company" -p -o employees.txt
# Senior management
grep -iE "(director|vp|vice president|cfo|cto|ceo)" employees.txt > senior_management.txt
# Middle management
grep -iE "(manager|lead|supervisor)" employees.txt > management.txt
# Individual contributors
grep -v -iE "(director|vp|manager|lead)" employees.txt > individual_contributors.txt
echo "[*] Seniority analysis complete"Integration with Other Tools
Sezione intitolata “Integration with Other Tools”Combine with Hunter.io
Sezione intitolata “Combine with Hunter.io”#!/bin/bash
# Get emails from InSpy
python3 inspy.py -c "Company" -e -o inspy_emails.txt
# Cross-reference with Hunter.io (if API access available)
HUNTER_API_KEY="your_api_key"
while read email; do
domain=$(echo "$email" | awk -F'@' '{print $2}')
curl -s "https://api.hunter.io/v2/domain-search?domain=$domain&domain=api_key=$HUNTER_API_KEY" \
| jq '.employees[]'
done < inspy_emails.txtExport for LinkedIn Analysis
Sezione intitolata “Export for LinkedIn Analysis”# Prepare data for manual LinkedIn verification
python3 inspy.py -c "Company" -e -o emails.txt
python3 inspy.py -c "Company" -p -o people.txt
# Create CSV for spreadsheet import
paste people.txt emails.txt > linkedin_analysis.csvFeed into Network Mapping Tools
Sezione intitolata “Feed into Network Mapping Tools”#!/bin/bash
# Export for Shodan/Censys verification
python3 inspy.py -c "Company" -d "company.com" -o company_info.txt
# Extract and validate domains
grep -oE "[a-z0-9.-]+\.com" company_info.txt | sort -u > domains.txt
# Use with Shodan CLI
while read domain; do
shodan host "$domain"
done < domains.txtConfiguration and Customization
Sezione intitolata “Configuration and Customization”Configuration File Setup
Sezione intitolata “Configuration File Setup”Create config.ini
Sezione intitolata “Create config.ini”[linkedin]
email_format = firstname.lastname@domain.com
search_limit = 100
timeout = 30
[output]
format = json
directory = ./results
[filters]
job_titles = engineer,architect,developer
locations = United States
[proxy]
enabled = false
# proxy_url = http://proxy:portUse Configuration
Sezione intitolata “Use Configuration”python3 inspy.py -c "Company" --config config.iniCustom Email Pattern Detection
Sezione intitolata “Custom Email Pattern Detection”Script to Analyze Email Formats
Sezione intitolata “Script to Analyze Email Formats”#!/usr/bin/env python3
import re
from collections import defaultdict
def analyze_email_patterns(email_list):
"""Analyze email patterns in list"""
patterns = defaultdict(int)
with open(email_list, 'r') as f:
for line in f:
email = line.strip()
if '@' not in email:
continue
local, domain = email.split('@')
# Detect pattern
if re.match(r'^[a-z]+\.[a-z]+$', local):
patterns['firstname.lastname'] += 1
elif re.match(r'^[a-z]+_[a-z]+$', local):
patterns['firstname_lastname'] += 1
elif re.match(r'^[a-z]\.[a-z]+$', local):
patterns['f.lastname'] += 1
elif re.match(r'^[a-z]{2,}$', local):
patterns['firstname'] += 1
else:
patterns['custom'] += 1
# Print results
for pattern, count in sorted(patterns.items(), key=lambda x: x[1], reverse=True):
print(f"{pattern}: {count}")
if __name__ == '__main__':
analyze_email_patterns('emails.txt')Limitations and Considerations
Sezione intitolata “Limitations and Considerations”LinkedIn Detection Avoidance
Sezione intitolata “LinkedIn Detection Avoidance”- Avoid rapid repeated requests
- Use reasonable delays between queries
- Rotate user agents
- Consider proxy rotation for large operations
- Respect LinkedIn's Terms of Service
LinkedIn may:
- Rate limit excessive requests
- Block IP addresses
- Require additional verification
- Terminate account for violationsData Accuracy
Sezione intitolata “Data Accuracy”Not all employees maintain LinkedIn profiles
Job titles may be outdated
Email formats may have changed
Some information may be incomplete
Verify findings independentlyEthical Usage Guidelines
Sezione intitolata “Ethical Usage Guidelines”Authorized Security Testing
Sezione intitolata “Authorized Security Testing”Ensure you have written authorization
Scope engagement clearly
Document all findings
Handle sensitive data securely
Maintain confidentiality
OSINT is legal, but always:
- Respect privacy regulations (GDPR, CCPA)
- Follow organization's policies
- Use findings for authorized purposes only
- Never attempt unauthorized accessResponsible Disclosure
Sezione intitolata “Responsible Disclosure”If discovering vulnerabilities:
- Document findings thoroughly
- Report through proper channels
- Allow reasonable remediation time
- Follow responsible disclosure timeline
- Maintain confidentiality of findingsTroubleshooting
Sezione intitolata “Troubleshooting”Connection Issues
Sezione intitolata “Connection Issues”LinkedIn Access Blocked
Sezione intitolata “LinkedIn Access Blocked”# Check network connectivity
ping linkedin.com
# Verify no proxy interference
python3 inspy.py -c "Company" --test-connection
# Try with explicit timeout
python3 inspy.py -c "Company" --timeout 60Rate Limiting
Sezione intitolata “Rate Limiting”# Add delay between requests
python3 << 'EOF'
import subprocess
import time
companies = ["Company1", "Company2", "Company3"]
for company in companies:
print(f"[*] Searching {company}...")
subprocess.run(["python3", "inspy.py", "-c", company])
time.sleep(10) # 10 second delay
EOFOutput Issues
Sezione intitolata “Output Issues”No Results Found
Sezione intitolata “No Results Found”# Verify company name spelling
python3 inspy.py -c "Goggle" # Incorrect
python3 inspy.py -c "Google" # Correct
# Try alternative names
python3 inspy.py -c "Google Inc"
python3 inspy.py -c "Alphabet"
# Use domain-based search
python3 inspy.py -d "google.com"Incomplete Email Results
Sezione intitolata “Incomplete Email Results”# Some profiles may not have public emails
# Try increasing result limit
python3 inspy.py -c "Company" -l 500 -e
# Filter by job title to target specific roles
python3 inspy.py -c "Company" -t "Engineer" -eBest Practices
Sezione intitolata “Best Practices”Reconnaissance Workflow
Sezione intitolata “Reconnaissance Workflow”- Gather general company information
- Identify key departments/teams
- Locate specific individuals by role
- Extract email addresses
- Verify and validate findings
- Document all sources
- Create targeting lists as needed
Data Management
Sezione intitolata “Data Management”- Organize results by company
- Maintain separate files for different data types
- Use consistent naming conventions
- Store securely with appropriate access controls
- Archive old assessments
- Document collection date and methodology
Verification
Sezione intitolata “Verification”- Cross-reference multiple sources
- Validate email formats independently
- Confirm current employment status
- Check for role changes
- Document verification sources
Resources
Sezione intitolata “Resources”- GitHub Repository: https://github.com/leapsecurity/InSpy
- LinkedIn: https://www.linkedin.com/
- OSINT Guide: https://github.com/jivoi/awesome-osint
- Email Finder Tools: hunter.io, clearbit.com
- Community: OSINT Twitter/Security Forums
Version Information
Sezione intitolata “Version Information”Current stable: InSpy 1.0+ Language: Python 3 Cross-platform: Linux, macOS, Windows Dependencies: Python 3.6+, requests, beautifulsoup4 License: MIT Maintenance: Community-maintained