loading
loading
Recon
LinkedIn enumeration that extracts employee names through search engine scraping.
overview
CrossLinked builds a list of an organization's employees without ever logging into LinkedIn. It queries search engines for the company's LinkedIn profiles and parses the results for names, so it gathers people-intelligence passively and avoids the rate limits and authentication that scraping LinkedIn directly would hit.
The names are only half the value. CrossLinked applies a format string to each one, so it can emit usernames or email addresses in the exact pattern an organization uses. That output drops straight into password spraying, phishing simulations, and account-takeover testing where a valid username list is the starting point.
On Trickest, CrossLinked is a Recon node that takes a company name and writes a folder of results. Run it early in an OSINT or social-engineering workflow, then feed the formatted identities into the tools that consume them.
use cases
Give CrossLinked a company name and it scrapes search engines for LinkedIn profiles, returning the people associated with that organization.
Apply a format string so each name becomes a username or email in the organization's exact convention, ready for spraying or phishing tests.
Collect identities through public search results instead of authenticated LinkedIn scraping, so the recon leaves no trace on the target's account systems.
Load a proxy file so a wide enumeration spreads across addresses and avoids tripping search-engine rate limits.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| company-name | STRING | · | Target company name to enumerate employees for (positional argument). |
| format | STRING | -f | Name format, for example {first}.{last}@domain.com or domain\{f}{last}. |
| search-engine | STRING | --search | Search engines to scrape (default google,bing). |
| timeout | STRING | -t | Max timeout per search in seconds (default 20, 0 for none). |
| proxy-file | FILE | --proxy-file | Load proxies from a file for rotation across a large run. |
| proxy | STRING | --proxy | Route requests through a single proxy as IP:Port. |
Showing key inputs. crosslinked exposes 6 inputs in total.
example
# scrape Google and Bing for names, format as corporate emailscrosslinked -f '{first}.{last}@example.com' --search google,bing -t 20 example[*] Starting CrossLinked search engine enumeration[*] Scraping google, bing for example LinkedIn profiles[+] 28 employee names collected, formatting as {first}.{last}@example.com[+] Writing results to names.txtlaura.nguyen@example.comamara.okafor@example.comsofia.delgado@example.comrami.haddad@example.commarco.bianchi@example.comguidance
Use CrossLinked to turn a company name into a formatted list of likely usernames or emails for password spraying and phishing simulations. For broader OSINT across many sources, theHarvester casts a wider net. CrossLinked is the focused LinkedIn-name play.
Broad OSINT that gathers emails, names, and hosts from many sources. Wider than CrossLinked's LinkedIn focus.
Email-focused OSINT collection. Complements CrossLinked's name-to-username output.
Harvests usernames from document metadata. A different source for the same identity goal.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
A company name feeds CrossLinked, which scrapes search engines for LinkedIn profiles and writes formatted usernames as a queryable output.
Facts on this page come from the live Trickest tool library.