User Enumeration Part 1 – Building Name Lists

By Mike Saunders | January 30, 2020

A common part of pen tests – both network and web app – is password spraying. In order to do that, you need usernames. But how do you find out what your target’s usernames are? This is the first in a series of posts to discuss user enumeration and building custom lists to help with this effort.

The first step in identifying usernames is OSINT. Through OSINT, we can determine if usernames are based on a pattern such as firstinitial+last (psmith), first_lastinitial (pauls), email address, or some other format entirely.

Your OSINT probably turned up a few email addresses, or maybe a username or two through document metadata analysis. Using this info and sources like LinkedIn and Hunter.io, you probably identified some additional employee names and have the start of a good wordlist. There’s a pretty good chance you’re missing a lot of employees, however, so how do you go about getting a bigger name list? If usernames are based on the employee’s name, such as firstinitial+last (psmith), firstname.lastname (paul.smith), etc., and our target is a company in the US, we have access to a free source of potential names – U.S. Census data.

You can download a list of the 1000 most common last names (surnames) from the 2010 census here: https://www2.census.gov/topics/genealogy/2010surnames/Names_2010Census_Top1000.xlsx. This info has also been added as part of the SecLists project. If the username format is firstinitial+lastname (psmith), then you could easily generate a list using A-Z + lastname. You now have a list of 26,000 potential usernames. I’ve used this technique several times with good success.

If the username format uses the first name, it requires a little more work, but that data is also available to us. The SecLists project has lists for both the top male and top female names. The Social Security Administration also has data we can use, such as the top 100 baby names for the last century based on Social Security card applications. You can further refine your lists based on your target, such as top names by decade or top names by state and year.
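The same public name lists let a defender measure how much of their own directory falls inside these name-based formats. The following is an added example, not code from the original post: the name sets and account list are constructed samples, and `classify` and `exposure_report` are hypothetical helper names.

```python
import re

# Constructed samples standing in for the public lists the post mentions
# (Census surnames, SecLists / SSA first names). Not real data files.
SURNAMES = {"smith", "johnson", "williams", "brown", "jones"}
FIRST_NAMES = {"paul", "mary", "james", "linda"}

# Constructed directory export; replace with your own account names.
ACCOUNTS = ["psmith", "paul.smith", "pauls", "svc-backup",
            "mjones", "x9k2q", "linda.brown"]


def classify(account, surnames=SURNAMES, first_names=FIRST_NAMES):
    """Return the name-based format an account matches, or None."""
    name = account.lower()
    # firstname.lastname (paul.smith)
    if name.count(".") == 1:
        first, last = name.split(".")
        if first in first_names and last in surnames:
            return "firstname.lastname"
    # The remaining formats are letters only; service accounts and
    # random identifiers drop out here.
    if not re.fullmatch(r"[a-z]+", name):
        return None
    # firstinitial+last (psmith): one letter followed by a listed surname
    if name[1:] in surnames:
        return "firstinitial+last"
    # first_lastinitial (pauls): a listed first name followed by one letter
    if name[:-1] in first_names:
        return "first_lastinitial"
    return None


def exposure_report(accounts, surnames=SURNAMES, first_names=FIRST_NAMES):
    """Group accounts by matched format and compute the predictable share."""
    by_pattern = {}
    for acct in accounts:
        pattern = classify(acct, surnames, first_names)
        if pattern:
            by_pattern.setdefault(pattern, []).append(acct)
    matched = sum(len(v) for v in by_pattern.values())
    share = matched / len(accounts) if accounts else 0.0
    return {"by_pattern": by_pattern, "predictable_share": share}


if __name__ == "__main__":
    report = exposure_report(ACCOUNTS)
    for pattern, accts in report["by_pattern"].items():
        print(f"{pattern}: {accts}")
    print(f"predictable share: {report['predictable_share']:.0%}")
```

A high predictable share means account names alone offer little resistance to guessing, so the weight falls on lockout policy, MFA and monitoring of failed logons.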

At this point, you likely have a pretty good set of wordlists you can use in user enumeration testing. In upcoming posts, we’ll put those lists to use and discuss various user enumeration techniques.
