How to dig through an entire country’s numbering plan searching for a mobile contact [on Facebook]

Lorenzo Romani
6 min read · Jan 6, 2020

Let’s say that the scope of your investigation is finding the mobile number of a key subject. Take the example of a UK company director.
You have a lot of data about him (including his Facebook profile), but you soon get frustrated because the mobile contact hasn’t been archived in any of the most used databases, such as Pipl, which is the first place I go to in order to find and correlate personal contact information.
In such a situation, you need to figure out a different approach.
I assume that you have the subject’s email address (which can sometimes be easily and successfully guessed from Facebook’s password recovery page). The portion of the email address shown by Facebook is, hypothetically, k********@provider.com

Trying it to find the related account on Facebook gives you the last two digits of the subject’s mobile phone number: 15.
Since you’re lucky, trying the email address on the PayPal recovery page gives you the last 4 digits of his mobile (4715), which is probably the same number used on Facebook, since it ends with the same two digits (15).
PayPal, however, also gives you the first two digits (07), and tells you that between 07 and 4715 there are 5 unknown digits:

Consequently, you have to sift through everything between 07-00000-4715 and 07-99999-4715 to find the phone number and solve your investigation.
This is not something you can do manually, since you have 99.999 potential numbers to investigate, but there is an approach that can really be successful.
Our case is based on a UK persona, so the mobile number is almost certainly a UK number, and there are plenty of websites providing information about the country’s mobile numbering plan, such as this page, where each operator is listed with all of the prefixes it manages:

By filtering the table in Excel, you quickly discover that the first three operators in the UK are “O2” (managing 206 prefixes), “EE” (managing 157 prefixes) and Vodafone (managing 120 prefixes).
Since these operators are the most likely to be used by a commercial user, this leaves you with 483 prefixes to work through in your research.
This is a first important step because, given that each prefix is made up of 4 digits (example: 7494), it further reduces the amount of numbers to investigate.
For example, given the “7494” prefix, you know that the subject’s mobile number has to be composed as: “(0)7” (thank you Facebook) + 494 + XXX (unknown digits) + 4715 (thank you PayPal): 07–494-XXX-4715
For each prefix derived from the UK’s phone numbering plan you therefore have 999 numbers to search, ending up with a potential total of 48.300 target numbers (50% of the initial amount, 99.999 numbers). Still a disheartening figure for a manual search, though!

However, it is possible to use the Facebook password recovery module to find, among the 48.300 enumerated numbers, only those which the recovery module matches with a Facebook account whose associated email starts with “k**” (remember? You correctly guessed the subject’s email address from the partial information provided by Facebook at the beginning of the investigation).

This can be done with a Python script that I found online and customized for this specific purpose:

1. Import the necessary modules:

import requests
import re
import time
from playsound import playsound
from contacts import *  # contacts.py: the enumerated phone numbers, one per row

(create a file named contacts.py containing the enumerated phone numbers, one per row, and store it in the same folder as your script)

contacts = []  # this list will be needed later on
done = []  # this list will be needed later on

2. The core of the script is shown below:

[Image 1: the core of the script]

I have set up a 15-second sleep between each request. Note that we are doing this without being logged in. If Facebook finds out that you are executing too many requests (ex: 1 per second), it will block your IP very soon. On the contrary, if you set up a 10/15 second pause you can very probably keep going almost endlessly. The longer the pause, the better.

You can also set up a set of proxies (recommended) or pause every 400/500 requests to change IP manually with a VPN (easier). While the above script is just the core, you can improve it by automating a “check” function aimed at verifying, let’s say every 50 requests, that you have not been blocked.
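The flip side of the approach described above (one unauthenticated recovery lookup per enumerated number, paced at 10/15 seconds and spread over proxies or VPN exits so that a per-IP rate limit never triggers) is what the operator of a recovery endpoint needs to spot. The following detector is an added example, not code from the original post: it runs over constructed log lines for a hypothetical recovery-lookup endpoint and flags a client that looks up many distinct identifiers, most of which share the same trailing digits (the give-away of a partial hint from another site), at a machine-like cadence that sits below any per-second limiter. The log format, the field names and the thresholds are assumptions chosen for illustration.

```python
"""Low-and-slow identifier enumeration detector for a password-recovery lookup endpoint.
Added example, not from the original post; log format and thresholds are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

SUFFIX_LEN = 4          # assumption: attacker already knows this many trailing digits
MIN_DISTINCT = 20       # assumption: distinct identifiers per source before we look closer
MIN_SUFFIX_SHARE = 0.8  # share of one source's identifiers that share one suffix
MAX_GAP_CV = 0.25       # coefficient of variation of inter-request gaps; lower = scripted


def make_sample_log():
    """Constructed log lines: '<ISO time> <client ip> lookup=<identifier> result=<hit|miss>'.
    198.51.100.7 enumerates numbers 15 s apart, all ending in 4715 (RFC 5737 / Ofcom test ranges);
    203.0.113.5 is an ordinary user looking up their own contact details."""
    t0 = datetime(2020, 1, 6, 9, 0, 0)
    lines = []
    for i in range(40):
        ts = t0 + timedelta(seconds=15 * i)
        lines.append(f"{ts.isoformat()} 198.51.100.7 lookup=07700{i:02d}4715 result=miss")
    for offset, ident in ((3, "alice@example.net"), (140, "alice@example.net"), (611, "07700900123")):
        ts = t0 + timedelta(seconds=offset)
        lines.append(f"{ts.isoformat()} 203.0.113.5 lookup={ident} result=hit")
    return sorted(lines)


def parse_line(line):
    ts, ip, lookup, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "ip": ip,
            "ident": lookup.split("=", 1)[1], "result": result.split("=", 1)[1]}


def analyse_source(events):
    """Reasons one client looks like an enumerator; empty list if it looks clean."""
    idents = {e["ident"] for e in events}
    if len(idents) < MIN_DISTINCT:
        return []
    reasons = [f"{len(idents)} distinct identifiers looked up"]
    # Suffix clustering: when the trailing digits are already known from another
    # site's hint, only the middle digits vary, so one suffix dominates the lookups.
    suffixes = Counter(i[-SUFFIX_LEN:] for i in idents if i.isdigit())
    if suffixes:
        suffix, n = suffixes.most_common(1)[0]
        if n / len(idents) >= MIN_SUFFIX_SHARE:
            reasons.append(f"{n / len(idents):.0%} of identifiers end in {suffix}")
    # Cadence: a fixed sleep() between requests gives near-constant gaps; a person does not.
    times = sorted(e["ts"] for e in events)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) >= 5 and mean(gaps) > 0:
        cv = pstdev(gaps) / mean(gaps)
        if cv <= MAX_GAP_CV:
            reasons.append(f"scripted cadence: mean gap {mean(gaps):.1f}s, cv {cv:.2f}")
            if mean(gaps) >= 5:
                reasons.append("below a per-second rate limit; needs a per-source distinct-identifier budget")
    return reasons


def detect(lines):
    """Map each suspicious client IP to its reasons, plus a cross-source suffix
    cluster keyed 'suffix:<digits>', because IP rotation defeats per-IP grouping alone."""
    by_ip = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, events in by_ip.items():
        reasons = analyse_source(events)
        if reasons:
            alerts[ip] = reasons
    numeric = {e["ident"] for evs in by_ip.values() for e in evs if e["ident"].isdigit()}
    for suffix, n in Counter(i[-SUFFIX_LEN:] for i in numeric).items():
        if n >= MIN_DISTINCT:
            alerts[f"suffix:{suffix}"] = [f"{n} distinct numbers ending in {suffix} across all sources"]
    return alerts


if __name__ == "__main__":
    for key, reasons in detect(make_sample_log()).items():
        print(f"[ALERT] {key}: " + "; ".join(reasons))
```

The per-source rules catch a single IP pacing itself at 15 seconds, which a request-per-second limiter never sees; the cross-source suffix cluster is what survives the “change IP every 400/500 requests” variant, since rotating exits does not change the fact that hundreds of distinct numbers ending in the same four digits were looked up. In production the same signals would be fed by a distinct-identifier budget per source and per suffix cluster rather than by a rate limit alone.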

This can be achieved by setting up a function which is triggered after a further 50 requests have been made. The function checks a known email address/phone number (for instance, your own phone number or email, if tied to a Facebook profile) and expects the response from Facebook to contain either the phone number or the email address used for the recovery process. Something like this:

[Image 2: the check() function]

While the above function can surely be optimized, it should work. Just create a list at the beginning of the script (contacts = []) and store each number at the end of the for loop (image 1) with done.append(contact).

Now call the function at the beginning of the for loop with check() and you’re done! The script will start crawling the phone numbers and will output something like:

> 07123456798 not found
> 07123456798 not found
> 07123456798 not found
> 07123456798 not found
> [!] Possible match: 07123456798

When a possible match is found, a sound is played, provided you have configured the script correctly by specifying the path to a wav file.

Every 111 requests, you will be shown a message stating that you have not been blocked. If you have indeed been blocked, you will be warned as well. However, you will not need to restart everything from scratch, since only the requests between the blocking alert and the previous “not blocked” message will need to be run again. You will probably be able to find a better approach to detecting blocking.

Note that it will probably be a matter of days, not hours, before you find the number you’re looking for. For instance, in the case of the UK persona, trying this approach over 48.300 target numbers can be as “fast” as 5/6 days. But you might find your number before the entire cycle ends. This is because our UK persona has, in this specific case, an easily guessed email address which is also tied to PayPal. If no PayPal account is used and you can’t reduce the number of potential target numbers, it may still require weeks or months, unless you can set up multiple instances with multiple proxies, thus significantly reducing the length of the job. In the end, everything depends on the amount of data you have at the beginning to reduce the length of your list of numbers, and also on the structure of the numbering plan of the country your mobile target belongs to.

In the end, you will probably come out with a few dozen mobile numbers that match the conditions set within the script, and you will need to do further research on those numbers to find which one belongs to your target. But this is a different story!

Lorenzo Romani

Communications, web monitoring, #OSINT and #SocialNetworkAnalysis consultant. Rome - Italy