User Enumeration Part 1 – Building Name Lists

By Mike Saunders | January 30, 2020

A common part of pen tests – both network and web app – is password spraying. In order to do that, you need usernames. But how do you find out what your target’s usernames are? This is the first in a series of posts to discuss user enumeration and building custom lists to help with this effort.

The first step in identifying usernames is OSINT. Through OSINT, we can determine if usernames are based on a pattern such as firstinitial+last (psmith), first_lastinitial (pauls), email address, or some other format entirely.

Your OSINT probably turned up a few email addresses, or maybe a username or two through document metadata analysis.  Using this info and sources like LinkedIn and Hunter.io, you probably identified some additional employee names and have the start of a good wordlist. There’s a pretty good chance you’re missing a lot of employees, however, so how do you go about getting a bigger name list? If usernames are based on the employee’s name, such as firstinitial+last (psmith), firstname.lastname (paul.smith), etc., and our target is a company in the US, we have access to a free source of potential names – U.S. Census data.

You can download a list of the 1000 most common lastnames (surnames) from the 2010 census here: https://www2.census.gov/topics/genealogy/2010surnames/Names_2010Census_Top1000.xlsx. This info has also been added as part of the SecLists project. If the username format is firstinitial+lastname (psmith), then you could easily generate a list using A-Z + lastname. You now have a list of 26,000 potential usernames. I’ve used this technique several times with good success.

If the username format uses the first name, it requires a little more work, but that data is also available to us. The SecLists project has lists for both the top male and top female names. The Social Security Administration also has data we can use, such as the top 100 baby names for the last century based on Social Security card applications. You can further refine our lists based on your target, such as top names by decade or top names by state and year.

At this point, you likely have a pretty good set of wordlists you can use in user enumeration testing. In upcoming posts, we’ll put those lists to use and discuss various user enumeration techniques. If you haven’t already, use the signup field on the right side of this page to sign up for our mailing list and get notified when new posts are published and follow us on Twitter!

Introduction to Sliver

By Red Siege | November 7, 2022

By: Justin Palk, Security Consultant Around the time Tim decided he was going to give a Siegecast on selecting a C2, I finished building out a test Windows AD domain […]

Learn More
Introduction to Sliver

Moving beyond T4 – Deconstructing Nmap Tuning

By Red Siege | July 6, 2022

by Alex Norman, Senior Security Consultant Nmap -T4 -iL targets.txt This is a very common scan string that many people use to get initial recon done on assessments and, to […]

Learn More
Moving beyond T4 – Deconstructing Nmap Tuning

Creating a Simple Windows Domain for Offensive Testing: Part 4

By Red Siege | June 23, 2022

By: Justin Palk, Security Consultant This is part four of my series of blog posts on creating a windows domain for offensive security testing. In part 1, I stood up […]

Learn More
Creating a Simple Windows Domain for Offensive Testing: Part 4

Find Out What’s Next

Stay in the loop with our upcoming events.