
How can... oh, what is this? Does this work? Are we good? All right, guys. Well, this is "What I Know About Your Company: Hacking LinkedIn Business Processes." So if you're looking for the other talk, it's over there, or if I'm not pretty enough you guys can go ahead and leave without hurting my feelings, but we'll go ahead. I wanted to actually get a volunteer here to throw out a company name. I may kick off a scan so we could look at it later. Do they have more than, like, 10 employees? They have a few? All right, what is it? Florida Angel Nexus? Angel Nexus, these guys?
I think so, yep, that's that. All right, we're going to do a little preview here. So that was Florida Angel... what was the last part? Nexus. Nexus Corp. And how big are they? Let's see, do they have a sales team? One result. Let's do a little bigger. I mean, I could do that, but let's get... huh? Okay, HostDime. Okay, let's do that. So we'll do HostDime and let's see if they have a significant sales team here. Nine. That's doable, I mean we could do that. Would they have a bigger... they won't have a security staff, would they? Some people? We'll
start with this. Okay, we'll run this, and if we want to do some more... so let's see here.

And that was HostDime, okay. You don't need to see this; I'll zoom in when I'm actually demoing these things. I just want to get this started. Let's see, still on Wi-Fi? All right, we're good. Okay, nine people, and then the profiler.

All right, we'll let that run. That actually won't take that long, but that's cool. Okay, so we're going to go... so yeah, this is Hacking LinkedIn. Oh, I guess I could delay. Are you guys cool with a delay? Okay. Oh, who gave HostDime, was that you? Okay, we're throwing out alcohol, so there you go. All right, good deal, I have a little bit more alcohol left.
So give it three minutes and I'll... okay, we can do that. What? I'm fine. Yeah, yeah, I will. They're not going to miss much in the beginning, so we'll keep on. All right, we will continue. So I'll give a little bit about myself. I'm Danny Chrastil and I like to hack stuff, which hopefully most of you guys do too. In my past life I was in web dev, so I was doing a lot of web dev, Linux admin and database administration. That was kind of my background, but I've always liked to hack stuff, so even as a kid... let's see, who remembers NetBus?
You guys played NetBus? Okay, good, not dating myself too much. NetBus was fun because, I would say in junior high, I would go to my friend's house and we'd be hanging out, and while we were there I'd crack open his garage door just a couple of feet. This is really bad, but later I would come to his house when nobody was there and I'd roll under and go up to his computer with my floppy disk and install my NetBus client, and go home, and a few days later when we were on AOL together I would fire up my NetBus client and start opening

and closing his CD-ROM drive and popping up messages like "the Matrix has found you," stuff like that, and just poking around and having fun. But that's just the fun stuff we like to do when you're younger, and it wasn't till later that I was like, you know what, I could actually turn my career and start hacking things for my job, that sounds awesome. That's when I dropped web dev like a bad habit and I was like, okay, yeah, let's go start hacking. So now I do pen testing with an emphasis on web tech, so I do a lot of web pen and recon and R&D type
stuff. I work for HP Fortify on Demand, and I don't even have that on here, but that's all right. So we're going to be talking about recon. A lot of the stuff I've been doing at HP is kind of web pen, but also doing this R&D, which is scripting a lot of stuff that is based on reconnaissance, so that's kind of been my focus for a long time. It's been a fun thing to focus on, and if you were at Jonathan's talk just before this, he really plugged me well when he was saying reconnaissance is awesome and you have to do it right. Were you guys in... who was here for Jonathan's

talk last? Okay, yes. I support his statement there, because it is awesome, but a lot of us think it's boring and tedious and a checkmark of just what we need to do for our pen test. So who here does pen testing of some sort? Web, net pen? Okay, cool. Now who does recon for your pen testing? Okay, good deal. So recon is such an awesome part because it's really that step you need to be able to perform an even better test, and if you're not doing it then, tsk tsk on your company and on yourself. No, I won't be too hard on you, but it is boring and sometimes we get in
this "I don't want to do it, I just want to skip to popping shells and doing some social engineering with my cross-site scripting findings," all that kind of stuff, and we don't pay attention to this. So what we've got to do is make it sexy, right? Like Angelina Jolie doing it in the awesome movie Hackers. So how do we do that? Before I dive into this: this isn't going to be a full recon workshop on what you need to do for your pen tests or your physical assessments. I'm not going to get into everything you need to

do, but I want to take some topics of reconnaissance and turn them from this boring thing into an awesome, fun thing. So what are some things that we do in recon? There are different types. We have business intelligence, so let's say this is my target competitor and I want to find out who they're selling to, because that's who I'm going to target and I'm going to try to steal business from them. That's one perspective of business intel. But really it's figuring out what this company does, what's sensitive to them, what information am I going to try to hack and what am I going
to try to steal from them. Then other things like, okay, do these guys have uniform email formats, like it's always firstname.lastname@company.com? This is all the business intel you're going to gather. Then we have network mapping. If you don't know Nmap, go learn Nmap; that's basic for our network mapping. But really you can't do that unless you've already got what IP addresses belong to the target, right? If you don't know that, you need to do some recon to figure out what IP space these guys own. Then DNS recon, all right, let's see,

what domain names do these guys own, what kind of name servers, do they run their own name servers, do they have A or MX records that are pointed at, like, Exchange servers, so now we know they're using Exchange email. That's some DNS recon. And then fingerprinting: now we have a huge list of IP addresses, we have domains, all this kind of stuff. Let's fingerprint them, let's see what kind of applications are running on those. Are they CMSes, do they have e-commerce, what kind of libraries are they using, is it jQuery, etc. With our IP addresses, which IP addresses are responding in those ranges, what's on those ports,
what software and what versions are running on those ports, and so forth. So that's our recon. I'm going to jump in here to a few tools that I like... let me get my video going. A few tools that I like, and I'm going to show how this tedious stuff could really be cool. So ARIN, if you haven't seen this before, this is your American Registry for Internet Numbers, basically a fancy way of just logging IP addresses for a public record of the IP addresses that belong to companies. So if I target HP we get a whole bunch of stuff. You could click on one and they have

network resources, and if we go into that network resource you'll see, oh, here's an IP range that they own. Cool, let's add that to our file for doing recon. Well, let's do Sony; we like to pick on Sony. So here are some IP addresses for Sony; let's open up this customer record, a network resource, right? Okay, well, we got some more, but the thing is there are usually tons of these, right? So we don't want to have to go through each one and be like, okay, I've got to copy that and paste it into our notepad or whatever you're using. So how about we automate it? How about I grab HP's ARIN
handle here. I'm going to grab HP-30 in this case; there's more than just one. I'll load up a little script that I wrote here, because I like Python. So this is "get IP ranges," which has a few arguments: we have the org ID and a pattern to check it against. So we're going to go ahead and run this. I'll put in my HP handle... I think you do 33, but it doesn't matter, and then "HP" for my pattern to match. So it's going to run and do its magic. Wait for it, wait for it... yeah, all right. So now we just got a

huge list of all these IP addresses that are on the ARIN record, and a lot of these are actually owned by HP, with some large blocks as well. So now we have a whole bunch of data, but we got it in a matter of a minute or two and could throw that into Nmap, throw that into your Nessus scanner; now you have some real data to start working with. Here's another one. Okay, so whois. This is basic, right? So we'll start off with a little whois search. Let's do a whois on hp.com and see what comes up. All right, so here's their whois record, and
they run their own name servers, believe it or not. So let's take their name servers and go to this cool service. Now this is GWebTools, and there are tons of these all over the place, but this is one that I really like, and specifically they have this thing called Name Server Spy. They have their own database where they record all the domains that belong to specific name servers. So if I do a search here for ns1.p.net.com... a lot of pages, so 13... it just keeps going, and I do not want to copy and paste the domains off of this tool. So there are 61 pages. That's what I just showed, and so how are we going to get it? I mean, they have an API you could pay to use, but we're hackers, and if we did that for every tool we use we'd be broke, right? So let's figure out how to do it without. So I have another tool here, and this is written in Python: we have our GWebTools scraper. Okay, so all we have to pass in is our name server and how many pages are in the results. So let's do this; I'll do ns1.p.net.com.
...domain names that have at one point been under that ns1 name server, and yeah, you're going to have a few false positives in there, because this isn't always up to date, or they could be old records, but this is some great information, right? All right, so I'll show one more, and this is very similar. So what if they don't have their own name server? Okay, so hp.com, I'm going to do this again. It does have its own name server, but what other kind of information on their whois record could we use? How about we look for... well, the problem is, say if they have a GoDaddy one, or Rackspace or

something like that, we're going to get a whole bunch of crap we don't really want. So how about their email address, right? This is registered with hp.dooms@hp.com, and here's the phone number that was registered. Well, web.com has a sweet lookup where you could look up domains based on the registrant's contact name, the registrant's contact email or their phone number. So if I just plug in my hp.dooms@hp.com we get 2,111 domains. Now that sounds like some good recon to me, but again I do not want to go through all of these pages and have to copy and paste, or pay to use their API to get this information from them. So we have a script for this

one as well, and it's very similar to the other ones, but I just want to give an idea of this. So, the web.com scraper, and we have one argument, email. So let's go ahead and push this through: python webscraper email hp.dooms@hp.com. Let that run. This isn't edited; this is how long it took, really. Actually, now it's going to take long... oh, there we go. Okay, so that's not long for 2,111 domain names, and you can cross-check that with the previous one. But the point is, now with a few simple scripts, in a matter of minutes, we've got tons of IP ranges, we've got tons of domain names, and now we could use that to do some real
stuff: to look into what services they have, what kind of websites are on those, etc. I want to get all the way out... here we go. All right, so that brings us to LinkedIn, which is the main part of our talk here. LinkedIn is the monster of business intelligence. They have so much data and it's amazing what you could do. You get a lot, but the problem is that they don't want you to scrape their site. LinkedIn is very particular; they don't want to share that data with you. So they have some layers of protection that they put

in, and I wouldn't really call it protection, please, but there were some obstacles. So what I did is, I was doing some research on figuring out how to get this information off of LinkedIn, and these were some of the obstacles that came up. One, they have third-degree redaction. That means if anybody outside of your network, a third-plus degree, does a Google search looking for Danny at HP and they're not connected to me in any way, my profile is going to be redacted and it's going to be very short. You're just going to have some basic
information; you're not going to see a lot of my past experience and my skill set and those kinds of things. So that comes into play when you're using an automated tool to try to scrape data, because most of the time you're not maintaining a session, but that is something you can do. The other thing they do is traffic restrictions, so you have to watch it, you've got to throttle; they'll terminate your sessions and they'll lock out your account. So of course we've got to figure out how to get past these. The third-degree redaction is actually really cool. They do a thing: if you do a

search on their site, like I did earlier, for a company and, say, a sales title or something, what you don't see is that behind the scenes they authorize a one-time auth token for you to view that profile, and they throw it in the hyperlink. Okay, so that auth token is what's going to allow you to view that page; otherwise you won't be able to see these third-degree connections. So if we could capture that auth token, then we can use that in our scraping. All right, so now traffic restrictions: throttle, session termination. They'll randomly... there isn't a set pattern to it, but sometimes they'll just terminate your session if
you're doing too much. So you'll see later, I wrote a function in there that's looking for a session termination; if they terminate it, it'll automatically just reauthenticate real quick and get a new session cookie, so it just continues its flow without being interrupted. And the last one is account lockout. Now, figuring out the threshold for account lockout was interesting, because I think I had my test account locked maybe three or four times, and I had to send a message in. It's not like a five-minute lockout or something like that; I had to send a message in, and the first person wrote back and they're like, "You

are not allowed to use third-party tools to scrape data off our site and you need to send in your driver's license and birth certificate," all this stuff. I'm like, oh. So I sent in another request, another person responds and they're like, "Oh, did you happen to be using a public computer?" and I'm like, ooh, I'm going right back to this person. I was like, "Yeah, you know, I was at the library and I think I left my session open and I think somebody took over my session." They're like, "Oh, don't worry about it, that happens, here's a new password, we unlocked your account, you're good to go." I'm like, yes! And so that
happened like three times, so there are ways to get around that. But once you figure out that point where you're not getting your account locked out, that's usually a good thing. [Audience: Would you use multiple accounts as well?] You could, and what I've done too, to avoid some of the traffic restrictions, is I put in a list of different proxies I could use, because they'll block just my IP address, and so if I logged into my account from a different IP it'd be able to continue. So you could do a list of proxies, and I put that in the script, where it'll kind of cycle through them. But all the proxies I used

were free proxies, and they're really slow, and so I was like, yeah, I'll just throttle my traffic for now. But that was fun. So what I'm going to do... I was debating. Let's do this: I'm not going to do my video, I'll just open up LinkedIn, because I have internet here. Okay, so if we do a search, and I showed this at the beginning for those of you who missed it, you could do a search. Let's look for... well, let's do HP Fortify on Demand, okay, and we'll do security people. Okay, there are only two? Really? There are more than that. If I do a
search here, it's going to give us a list... I didn't type it in right. It's going to give us a list of people, and you'll see that if I click on them, up here we have, oh, authType out of network, and here's your auth token. So that's the auth token that we want to steal to be able to view these full profiles. Now, what kind of data do we want to get off LinkedIn? There's tons of data, and what I targeted specifically for this tool was trying to extrapolate what somebody's network is, because LinkedIn won't tell you, "Oh, these are all the people that Jane is connected to." They

may say you have some people in common... oh, right here, that's me. You may have some people in common, but they're not going to tell you who their whole network is. So how can we get that? Because what if we were doing that scenario: let's pick our competitor and we're going to target their salespeople and see who they're all connected to, and if they have a theme of common people they're connected to, maybe that's one of their clients. So you could extrapolate data like that. Well, how can we do it? There's a little feature that LinkedIn added a while ago, which is awesome: skills

endorsements, right? So you could list skills and people can endorse you and say, yeah, that person has that skill. Well, only people within your network can endorse you, so right here is scrapable data on the people that are within their network. Jane has a pretty poor profile; I know Jr probably has a better one, hopefully. Okay, yeah, Jr has more. So now I could go scrape all these people and extrapolate, here's a network that belongs to Jr, and if I do this for 100 sales reps I'm going to have some good data to compare. So we went ahead and ran this tool... actually, I'll do a
demo first. So let's do... does anybody else have... oh wait, let's do something fun like Lockheed Martin or something. So let's do an advanced search: Lockheed Martin as the company, current, and let's say "security." Okay, so we'll grab this, do a search. All right, so here are our results. Now I'm going to show you the tool, and I'll try to zoom in here so we can see it better. I hate doing this window zoom, but we'll test it out. Okay, can you guys see that? Okay. So let's do our LinkedIn... the first part is called the gatherer, so it's basically going to gather all the profiles we're going to try to... oops, I

just typed it in wrong... oh, Python should get that right. Come on. LinkedIn gather. All right, so: enter your search URL, I'll just paste that; the company name, that was Lockheed Martin; and an outfile, I'll just do locked-people.csv. And it's going to go ahead and do this search for us. It got a new session, it authenticated, page one, 11 people... oh, I might have reached my limit. They do this fun thing: "Yeah, Austin, you've reached the commercial use limit on this account." All right, let me do one thing. [Audience: What's Austin's last name?] Oh, I can't tell you. No, that's a myth. All right, let me do something real quick... oh, this makes it more secure.
Okay, I'm going to see if I could switch accounts here. [Audience: Out of curiosity, how many LinkedIn accounts?] They locked both of mine. Okay, we're going to work with the data we do have. So we ran this, that was our search, but I should still be able to do our profiling. So let me zoom in again and let's see how much data we have in the locked-people file. Okay, we have six people. Let's go ahead and do it. So let's go ahead and run our gatherer... or, that was the gatherer; this is our profiler. Okay, so the input file is going to be my locked-people.csv, and for output we'll do

locked-profiles.csv. All right, so what this is doing is it's getting the token for each person. Hopefully LinkedIn isn't blocking me. Okay, so we're gathering: Firewalls, found five people; Networking, found 15 people; Internet Security, three people. This is for Donnie, and it's going on and on. It has a little bit of a timeout, so I'll let this run while I demo some other information I have. It does a 60-second timeout between each person so I don't get locked out. But this is what it does: for Donnie, it went ahead and first logged in, and then it grabbed the auth token to be able to view her profile so

we don't see the redacted profile, and now it's extracting all of the endorsements from her page. So now we're getting some good information. So what do we do with this data? Well, how about we open up Maltego, which is awesome. Oh wait, real quick: what are some other recon suites? Anybody know any other recon tools? Do you guys use any recon tools? Ah, you're not allowed to answer. Anybody else? Okay, who gets the alcohol? Raise your hand if you want alcohol. Okay, first over here. All right, there we go. I tried to get rid of those. Okay, so Maltego. I love it; it's awesome because, especially in the pro version (the free version kind of sucks),
you have awesome transforms, which are their modules to do recon, but just the mapping is invaluable. So I'm going to go ahead and import the data from this LinkedIn run. I have a couple of files, and I may pull some other ones off my VM too. Do I do HP profiles? Yeah, I'll stick with HP. All right, so let's do HP profiles, and these are all our columns. I'm going to assign this one as a Person. If you've used Maltego this will probably all make sense; if you haven't, you can map data to different kinds of nodes and it does different tasks based on what kind of node it is. So

this was their skill, so I'll just go ahead and say... there are different things we could do: Person, URL... I'll just do an Affiliation, I guess. And then this is another person, so I'll do them as a Person as well. I like doing the affiliations, and then this is their title and their company. Actually, yeah, what I'll do is unmap this column. I'll do their company, because I want to see who these people are connected to as far as companies. "Application security expert," okay, here are the companies. So here we go, I will import this

data and it works its magic. We get to switch to bubble view, organic. All right, so it makes these really cool graphs, which, even if you don't get anything out of them, look cool, and you can make them your wallpaper and you're set. But if we look at the data here, let me zoom in: the orange are our original people, so the orange people are our FoD people, and all the green things are the things that they're associated with. The bigger the circle, the more people are associated with it. This is probably a blank item, so I usually delete that. Okay, so now we could look at things
and say, okay, HP Fortify on Demand, we know that they're going to be connected to that. Troubleshooting... these are different skills, but I could go ahead and see who's all selected for networking. So now I can see under troubleshooting all these people that are connected. But what I wanted to do is actually without the skill data, so I'll import this again, HP profiles. I'll

do a Person and their Affiliation as their skill. Okay, you could do endless combinations; I'm just showing a few here, but I want to give an idea of what kind of stuff we have out there. All right, so now this is skill sets. So now we have people who work at Fortify on Demand and the skill sets they have in common. So if I look at this one, testing, we know those people do testing; these people have project management. Well, what if one of these said "Burp Suite," which one of them may? Well, now we could see, okay, HP Fortify on Demand uses Burp Suite for their testing, which

isn't really that unheard of. But let's say we did the tech people for Lockheed Martin and they have Barracuda firewalls. Okay, well, maybe all these security IT people working with firewalls at Lockheed Martin, theirs are from Barracuda; we could get that kind of data. Well, let's do this: I'm going to import one more file. These are going to be salespeople, and let's do a Person... oh, I did the wrong file. Did I do profiles? Oh, salespeople. Okay, let's actually grab our LinkedIn one, because it's probably done. Okay, yeah, so we have our Lockheed Martin. Let me pull that file down, Lockheed Martin profiles, make sure it's there. Yes, it is.
Okay, so we'll go ahead and import our Lockheed Martin profiles. So here are all of our... we did it, is that right? Sales? We did sales... security, sorry. Okay, but we'll still do Affiliation. These people... finish. Okay, so different graphs here. Okay, so get rid of our blank record here. All right, so let's look at this data. There's not a lot of overlap between these people, surprisingly. We have one that's not very exciting: Joyce is connected to these other people, which unfortunately wasn't as exciting as I really wanted it to be. But let's see here. Okay, then we will do this: Lockheed Martin, we have a Person... oops. All right, we'll grab their... this, and then, yeah, we'll do this one. New graph.
Okay, so now we see a little bit more in the way of trends here. These are our tech people from Lockheed Martin and the different skills that they have in common. Another way we could look at this is to sort by weight to see which ones have the most. Can you guys still see this, or do I need to zoom in? Wouldn't hurt to zoom in. All right, let's zoom in a little. That's not what I

wanted. Okay, so here we go, here are all the skills that they have the most in common: network security, information security, etc. So we basically got their skill set from their profiles, and that's what I was getting at here. This is where we'd see, okay, well, if they have something in common... look, they all have VMware experience. Again, that's not a big given, or that's not a big surprise, but we could say that a lot of security people at Lockheed Martin are using VMware. Now you could use your imagination to see how that could lead to more and more information that you

could get. We only got to do six people from Lockheed Martin, but if we have a sales team of 100 people, we download all of their data, all of their connections, and we could see who's connected to whom. Say we have 10 different salespeople that are all connected to excelenergy.com; well, okay, I guess that company is most likely doing business with excelenergy.com. So that's where a lot of this data comes into play and becomes useful, and now we've bypassed a lot of LinkedIn's protection in order to gain data from their site, and what we take from their site is really unlimited.

It's just basically, what can we find and how do we want to use it? In this case it was their extended network and their skills, but it really could be anything else. So I went ahead and took the code and put it up on GitHub. If anybody is interested in it, you could go ahead and get it; it's just called LinkedIn gatherer, and if you do a search that'll come up. And don't look at this and be like, oh my gosh, this code is so sloppy, because it probably is, but it is a work in progress and I'm going to be expanding on it. If you have any things you want to do, feel
free to pull or contribute to it, or file issues and stuff. So that's it, that's the presentation. Any questions?

[Audience: You said you're going to do some... first, this is awesome, and kudos for doing it live, seriously. I don't know that I have that in me. But the question I have is, moving forward, have you thought about... you have, but have you thought about doing an automated footprint? The kind of report like, here's the target and here's the heat map of known technology: these are all associated with firewalls, and these are the brands. I see that that's using the endorsements, but what about the people's profiles where it's like, "I have experience in Cisco, firewalls, Checkpoint"?]

Right, it's just a matter of what you're pulling off of the LinkedIn profile, so if you get that data then yeah, you could throw that into your map and get that heat map. Unfortunately the data I had wasn't as big as I wanted it to be, because LinkedIn throttled my account right there at the end, but yes, you can, and it's what I do a little bit more for my job: doing fingerprints of companies, like the steps we're talking about, getting IP addresses, getting domain names through DNS, fingerprinting those, and getting all
that together, throwing it into Maltego, getting this huge heat map and building a report for a client, like, hey, here's all the stuff we found. That's a very powerful way you could use it, and on top of it you could say, here's your sales force and we found all this kind of information, or here's your IT team and we found this kind of information. Now you could use the LinkedIn scraper to pull all this data off, where before it wasn't so easy. They've made a lot of changes to make it hard, and I'm sure they'll continue to change it, but yeah, you really could get any

information you want from those profiles. [Audience: Scrape the whole profile; you've just decided on the subset.] Yeah, so to answer your question, I mean, yeah, you could pull it, because I'm getting an HTML response, right, and it has the full profile. And LinkedIn is very nice in that you actually don't have to do a lot of scraping, because they take the whole profile and load it into a JSON dump, and it's commented out. So if you view source there's this commented-out JSON dump, and you're just like, oh, all right, regex match that and now just consume the JSON object, and it's all sorted in a pretty object. You don't have to do a lot of scraping, so
it's really neat how they ended up doing that for us. But yeah, you could grab anything; you could grab that whole JSON dump, save it, and then later access whatever data you want.

[Audience: When the client receives this information, do you know what they do with it afterwards?] A lot of times... well, say I work for Fortify on Demand, so we do pen testing, so a lot of times it may be, here, we're giving you a huge... or we're saying, here are all the assets we found that maybe you didn't know about, or maybe you did; here are the technologies we found, here are some profiles, some information

that we found, and we put it all in this report, and it's like, okay, how much business do you want to do? It could be a sales pitch, or it could be just to help somebody's security posture: an established client, like, hey, you're already a client of ours, but let's go ahead and check your security posture. Do you know about these applications? Do you know this data is on LinkedIn? Are your employees aware that this information is on LinkedIn, so that they're protected from social engineering kinds of attacks?

[Audience: So, job applications: do you go to sites other than LinkedIn and look at the last five jobs, this is what he's done in all these locations?] Yeah. [Audience: This is the hardware they've been using; he's not even an employee anymore.] Yeah, but every place he's been, you see what hardware. So you could be like, okay, we know this technology belongs to this client, okay, that helps us a little bit more, or "we're looking to hire somebody who manages XYZ software." [Audience: Uh-huh, and it's all right there.] Yeah, that's great. Anybody else?
[Audience: Yeah, like, without violating terms of service, how to be a savvy user of LinkedIn; in other words, poison your resume, perhaps?] Oh, okay, okay. [Audience: Kind of beneficial; you might get a better job.] Yeah, I mean, exactly. It depends. I mean, you need to be aware of what information you have on your profile and how that could be used against you. I think it would be fair to say you could poison it; that'd be interesting. Yeah. Does that answer it, or are you asking something different? Were you asking how to get data off of LinkedIn, or how, as a user, to protect yourself

from... yeah? Oh, yeah, so if you're actually wanting to get a job, using LinkedIn for what it's made for, right? Okay, but on the other hand you leave your... yeah, I mean, I have a full profile. I'm aware of the information that's out there, because it is a great tool for being recruited if you're looking for a job, and having it up to date and having more information is going to make you more likely to be found by a recruiter. And by the way, those recruiter accounts are amazing, if you're willing to push out the money for those; the data exceeds what you can do with this a hundredfold, plus

if you start scraping the recruiter account, then that's awesome. So, yeah. [Audience: Do you have a recruiter account?] No, I have not; I haven't dished out the money yet or asked my employer to, but I'd like to. If anybody has one they want to donate, I'll test it out. What's that? Yeah, I do, actually, I think I do. Yeah, we'll talk after. So, anything else? Okay, well, thanks, guys. That's the talk. Thank you, BSides volunteers, and everyone.
[After the talk] So, are all your scripts on GitHub? I need to put the other three on there, for ARIN, GWebTools and web.com. Yeah, our friend Bubba, remember, he's a recruiter. My friend Bubba, you'll remember him; exactly, bring him by. Bubba has a recruiter account. Yeah, the closing ceremony is here, so if you want to stick around and find out... I know. I like how you... it's the little things. For an internet video it was just so smooth, and I look at your hands and I'm like, you cheeky bastard, you totally... and then you jumped into the line. No, solid. I can't think of a single way around that; like, what do you do? I can't not have a resume online; I've got to be gainfully employed.
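Editor's appended example, not part of the talk and not the speaker's linkedin-gatherer code. It works offline through the three data-handling steps the talk describes: pulling the per-view token out of the links in an out-of-network search result, lifting the commented-out profile JSON from a profile page's source, and tallying which endorsers (and their companies) recur across a set of target profiles, since only first-degree connections can endorse, so a recurring endorser or company is the shared network the site itself never lists. The output also goes to CSV in the person/affiliation shape used for the Maltego import. The markup shape, the query parameter names `id`, `authType` and `authToken`, the 60-second pause mentioned in a comment, and every person, company and skill in the sample data are constructed for this example and are not taken from any real profile.

```python
"""Offline walk-through of the LinkedIn data-handling steps from the talk.
Constructed example: HTML shape, parameter names and all sample data are made up."""
import csv
import io
import json
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlparse

TOKEN_PARAM = "authToken"  # assumed name of the one-time view-token parameter

# Constructed search results: out-of-network hits carry a token, in-network hits do not.
SEARCH_HTML = """
<li><a href="/profile/view?id=1001&authType=OUT_OF_NETWORK&authToken=aB3x">Jane Doe</a></li>
<li><a href="/profile/view?id=1002&authType=OUT_OF_NETWORK&authToken=Qz9k">Jr Smith</a></li>
<li><a href="/profile/view?id=1003">Already Connected</a></li>
"""

# Constructed profile pages keyed by id: the full profile rides inside an HTML comment as JSON.
PROFILE_PAGES = {
    "1001": (
        '<html><body><!-- {"name": "Jane Doe", "company": "TargetCorp", "skills": ['
        '{"name": "Firewalls", "endorsers": [{"name": "A. Lee", "company": "VendorCo"}, '
        '{"name": "B. Cruz", "company": "ClientCo"}]}]} --></body></html>'
    ),
    "1002": (
        '<html><body><!-- {"name": "Jr Smith", "company": "TargetCorp", "skills": ['
        '{"name": "Network Security", "endorsers": [{"name": "B. Cruz", "company": "ClientCo"}, '
        '{"name": "C. Park", "company": "TargetCorp"}]}, '
        '{"name": "VMware", "endorsers": [{"name": "A. Lee", "company": "VendorCo"}]}]} --></body></html>'
    ),
    "1003": "<html><body><p>Redacted: profile not available.</p></body></html>",
}

JSON_COMMENT = re.compile(r"<!--\s*(\{.*?\})\s*-->", re.S)


def extract_view_tokens(html):
    """Map profile id -> view token for every result link that carries one."""
    tokens = {}
    for href in re.findall(r'href="([^"]+)"', html):
        qs = parse_qs(urlparse(href).query)
        if "id" in qs and TOKEN_PARAM in qs:
            tokens[qs["id"][0]] = qs[TOKEN_PARAM][0]
    return tokens


def extract_profile_json(html):
    """Return the profile dict embedded in an HTML comment; raise if the page is redacted."""
    m = JSON_COMMENT.search(html)
    if m is None:
        raise ValueError("no embedded profile JSON: redacted view or changed page layout")
    return json.loads(m.group(1))


def endorsements(profile):
    """Flatten one profile into (skill, endorser name, endorser company) tuples."""
    for skill in profile.get("skills", []):
        for e in skill.get("endorsers", []):
            yield skill["name"], e["name"], e.get("company", "")


def shared_endorsers(profiles):
    """(endorser, company) -> sorted target names, for endorsers seen on two or more targets."""
    seen = defaultdict(set)
    for p in profiles:
        for _, name, company in endorsements(p):
            seen[(name, company)].add(p["name"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= 2}


def company_weights(profiles):
    """company -> number of distinct targets endorsed by someone there.
    A company that several targets share is a candidate client, partner or vendor."""
    per_company = defaultdict(set)
    for p in profiles:
        for _, _, company in endorsements(p):
            if company:
                per_company[company].add(p["name"])
    return Counter({c: len(t) for c, t in per_company.items()})


def maltego_csv(profiles):
    """person,endorser,endorser_company,skill rows for a Maltego CSV import."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["person", "endorser", "endorser_company", "skill"])
    for p in profiles:
        for skill, name, company in endorsements(p):
            writer.writerow([p["name"], name, company, skill])
    return buf.getvalue()


def gather(search_html=SEARCH_HTML, pages=PROFILE_PAGES):
    """Return (tokens, profiles), parsing only the profiles we hold a token for.
    A live gatherer would fetch each page with its token and sleep between requests
    (the talk used 60 s) to stay under the traffic threshold; here the pages are local."""
    tokens = extract_view_tokens(search_html)
    profiles = [extract_profile_json(pages[pid]) for pid in tokens if pid in pages]
    return tokens, profiles


if __name__ == "__main__":
    toks, profs = gather()
    print("tokens:", toks)
    print("shared endorsers:", shared_endorsers(profs))
    print("company weights:", company_weights(profs).most_common())
    print(maltego_csv(profs))
```

On the sample data both targets are endorsed by someone at VendorCo and someone at ClientCo, while TargetCorp appears only once, so the weight table surfaces the two outside companies as the ones worth following up on. Redacted pages carry no embedded JSON and raise rather than silently producing an empty profile, which is the case a scraper hits when its token or session has been invalidated.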