User Enumeration Part 1 – Building Name Lists

By Mike Saunders | January 30, 2020

A common part of pen tests – both network and web app – is password spraying. In order to do that, you need usernames. But how do you find out what your target’s usernames are? This is the first in a series of posts to discuss user enumeration and building custom lists to help with this effort.

The first step in identifying usernames is OSINT. Through OSINT, we can determine if usernames are based on a pattern such as firstinitial+last (psmith), first_lastinitial (pauls), email address, or some other format entirely.

Your OSINT probably turned up a few email addresses, or maybe a username or two through document metadata analysis.  Using this info and sources like LinkedIn and Hunter.io, you probably identified some additional employee names and have the start of a good wordlist. There’s a pretty good chance you’re missing a lot of employees, however, so how do you go about getting a bigger name list? If usernames are based on the employee’s name, such as firstinitial+last (psmith), firstname.lastname (paul.smith), etc., and our target is a company in the US, we have access to a free source of potential names – U.S. Census data.

You can download a list of the 1000 most common lastnames (surnames) from the 2010 census here: https://www2.census.gov/topics/genealogy/2010surnames/Names_2010Census_Top1000.xlsx. This info has also been added as part of the SecLists project. If the username format is firstinitial+lastname (psmith), then you could easily generate a list using A-Z + lastname. You now have a list of 26,000 potential usernames. I’ve used this technique several times with good success.

If the username format uses the first name, it requires a little more work, but that data is also available to us. The SecLists project has lists for both the top male and top female names. The Social Security Administration also has data we can use, such as the top 100 baby names for the last century based on Social Security card applications. You can further refine our lists based on your target, such as top names by decade or top names by state and year.

At this point, you likely have a pretty good set of wordlists you can use in user enumeration testing. In upcoming posts, we’ll put those lists to use and discuss various user enumeration techniques. If you haven’t already, use the signup field on the right side of this page to sign up for our mailing list and get notified when new posts are published and follow us on Twitter!

Creating a Simple Windows Domain for Offensive Testing: Part 4

By Red Siege | June 23, 2022

By: Justin Palk, Security Consultant This is part four of my series of blog posts on creating a windows domain for offensive security testing. In part 1, I stood up […]

Learn More
Creating a Simple Windows Domain for Offensive Testing: Part 4

Creating a Simple Windows Domain for Offensive Testing: Part 3

By Red Siege | June 15, 2022

by Security Consultant Justin Palk Welcome back to my series on setting up a Windows domain for offensive testing. In the first two installments (Part 1, Part 2), I stood […]

Learn More
Creating a Simple Windows Domain for Offensive Testing: Part 3

Creating a Simple Windows Domain for Offensive Testing: Part 2

By Red Siege | June 7, 2022

By: Justin Palk, Security Consultant Welcome back to my series on setting up a Windows domain for offensive testing. In the first installment, I did my basic network setup, created […]

Learn More
Creating a Simple Windows Domain for Offensive Testing: Part 2

Find Out What’s Next

Stay in the loop with our upcoming events.