Facebook OSINT Module for Recon-ng


Posted on April 25th in Uncategorized.

If you haven’t yet heard of Recon-ng I suggest you check it out. It walks you through the process of collecting recon in various forms and provides a nice framework to store, sort, and report on everything you collect. You should definitely get this set up if you plan to follow along.

I have been working on a Recon-ng module to do some Facebook OSINT by using the Facebook Graph API to search for phone numbers. It allows you to search for a specific phone number, or brute force through a range of numbers and grab all of the publicly available information on each associated Facebook account that matches.

This is not currently a built-in module so you will need to grab the code at the end of the post.

Unfortunately Facebook does not have the concept of an API access key that I am aware of. The only way to use the Graph API to my knowledge is with a user access token. If you know of a better way to manage this please send me a message on Twitter!

Getting the access token

In order to get an access token you will need to sign up for a Facebook developer account and get a token from the Graph API.

When you click the get access token button, Facebook will pop up a box asking what permissions you would like. You do not need to click on anything here; the default permissions will work. Just click on get access token again and your access token will show up in the text box.

Warning: Access tokens are short-lived and usually last about an hour. Keep this in mind while using the module! It’s not a perfect solution, but it gets the job done for now.

[Image: Graph API Explorer]

Running a phone search

Now that we have our token, we are ready to go! Let’s take a look at the options required by this module.

[Image: Module Info]

As you can see, all that is required is the token and a phone number. This module supports searching for single numbers and brute force searches.

Let’s try a quick search for a single phone number. Fire up the script and issue the set token command, inserting the token we got from Facebook. Now all that’s left to do is set our phone number and issue the run command.

Of course this search will not return anything, so you will need to swap out the number for one of your own. I have run a search of my own against a random number and you can see the results below. I have tried to scrub out some information to protect privacy here.

[Image: single phone search]

Running a brute force search

You can enter in a single phone number or you can enter in a range to be brute forced. The range works by replacing the digits you want to brute force with asterisks.

For example, to brute force the last 4 digits of a phone number you would use the following search.

Why in the world would anyone ever want this functionality?

Because Facebook gives away free information on their password reset pages!

If you have an email address for someone and their cell phone is associated with their account, you may be able to get the last 4 digits from the reset page.

[Image: reset page]

If you have an idea of what the area code might be, all you need to do is a brute force search for something like the following.

The search above would then return all profiles that have a matching phone number and are publicly searchable. Let’s see this in action and try a search for some random numbers in the Malibu, CA area code of 424.

[Image: brute force search]

So there you have it! A list of all the publicly searchable numbers in the 424-235-**** space and the corresponding Facebook IDs. The module is not perfect, but it gets the job done. If your searches fail due to your access token expiring before the search is complete, try breaking up the search. Please use responsibly!
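Seen from the side of whoever runs a phone-lookup endpoint, the asterisk-mask search described above leaves a recognizable footprint: one client asking for many numbers that differ only in a few digit positions. The following is an added example, not part of the module or the original post, that recovers that mask from lookup logs. The log layout (timestamp, client id, queried number), the client ids and the thresholds are assumptions, and it keys on a client or app id rather than the token because tokens rotate roughly hourly.

```python
import re
from collections import defaultdict

def infer_mask(numbers):
    """Collapse equal-length digit strings into a mask: '*' where they differ."""
    return "".join(col[0] if len(set(col)) == 1 else "*" for col in zip(*numbers))

def find_enumeration(events, window=3600, min_distinct=20, min_fixed=4):
    """events: iterable of (epoch_seconds, client_id, queried_phone).

    Flags clients that, inside any `window` seconds, look up at least
    `min_distinct` different numbers that agree on `min_fixed` or more digit
    positions. Returns {client_id: (inferred_mask, distinct_numbers)}.
    """
    by_client = defaultdict(list)
    for ts, client, phone in events:
        by_client[client].append((ts, re.sub(r"\D", "", phone)))
    findings = {}
    for client, rows in by_client.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            # Masks only make sense across numbers of one length; take the
            # largest same-length group seen in the current window.
            by_len = defaultdict(set)
            for _, digits in rows[start:end + 1]:
                by_len[len(digits)].add(digits)
            nums = max(by_len.values(), key=len)
            mask = infer_mask(nums)
            fixed = len(mask) - mask.count("*")
            if len(nums) >= min_distinct and fixed >= min_fixed:
                findings[client] = (mask, len(nums))
    return findings

# Constructed sample log (not real data): client ids and numbers are made up.
SAMPLE = (
    [(1000 + 15 * i, "app-A", f"424235{137 * i:04d}") for i in range(40)]
    + [(5000 + 30 * i, "app-B", f"(424) {25 * i:03d}-1234") for i in range(40)]
    + [(9000, "app-C", "3105550101"), (9500, "app-C", "2125550102")]
)

if __name__ == "__main__":
    for client, (mask, count) in find_enumeration(SAMPLE).items():
        print(f"{client}: {count} lookups matching {mask}")
```

The second constructed client models the reset-page scenario, where the area code and last four digits stay fixed and only the middle digits vary.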

The module code

Below is the code for the module. You will need to drop it into your recon folder under recon/contacts/gather/http/facebook_phone.py

Update: The source code is now also available on my Bitbucket.




