User Enumeration Part 1 – Building Name Lists

By Mike Saunders | January 30, 2020

A common part of pen tests – both network and web app – is password spraying. In order to do that, you need usernames. But how do you find out what your target’s usernames are? This is the first in a series of posts to discuss user enumeration and building custom lists to help with this effort.

The first step in identifying usernames is OSINT. Through OSINT, we can determine if usernames are based on a pattern such as firstinitial+last (psmith), first_lastinitial (pauls), email address, or some other format entirely.

Your OSINT probably turned up a few email addresses, or maybe a username or two through document metadata analysis. Using this info and sources like LinkedIn and Hunter.io, you probably identified some additional employee names and have the start of a good wordlist. There’s a pretty good chance you’re missing a lot of employees, however, so how do you go about getting a bigger name list? If usernames are based on the employee’s name, such as firstinitial+last (psmith), firstname.lastname (paul.smith), etc., and our target is a company in the US, we have access to a free source of potential names – U.S. Census data.

You can download a list of the 1000 most common last names (surnames) from the 2010 census here: https://www2.census.gov/topics/genealogy/2010surnames/Names_2010Census_Top1000.xlsx. This info has also been added as part of the SecLists project. If the username format is firstinitial+lastname (psmith), then you could easily generate a list using A-Z + lastname. You now have a list of 26,000 potential usernames. I’ve used this technique several times with good success.
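From the defender's side, a list built this way leaves a recognizable trace in authentication logs: one source trying many first initials against the same surname, mostly for accounts that do not exist. The following is an added example, not code from the original post, that flags that pattern; the event tuple layout, the thresholds, the IP addresses and the account names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events: (source_ip, username, account_exists).
# Assumed to be parsed from your own login logs; all values are made up.
KNOWN = {"dsmith", "ajohnson", "mlee"}
SAMPLE_EVENTS = [("203.0.113.10", i + s, (i + s) in KNOWN)
                 for s in ("smith", "johnson") for i in "abcdefgh"]
SAMPLE_EVENTS += [("198.51.100.7", u, u in KNOWN)
                  for u in ("dsmith", "ajohnson", "mlee", "dsmth")]


def surname_sweeps(events, min_initials=5, max_valid_ratio=0.2):
    """Return sources that try many first initials against one surname stem
    while mostly hitting accounts that do not exist."""
    initials = defaultdict(lambda: defaultdict(set))  # src -> stem -> {initials}
    seen, valid = defaultdict(set), defaultdict(set)
    for src, user, exists in events:
        user = user.strip().lower()
        if len(user) < 3 or not user.isalpha():
            continue  # not the firstinitial+lastname shape
        initials[src][user[1:]].add(user[0])
        seen[src].add(user)
        if exists:
            valid[src].add(user)
    findings = {}
    for src, stems in initials.items():
        # A stem is "swept" when one source cycles several initials over it.
        swept = sorted(s for s, inits in stems.items() if len(inits) >= min_initials)
        if swept and len(valid[src]) / len(seen[src]) <= max_valid_ratio:
            findings[src] = {"stems": swept,
                             "distinct_users": len(seen[src]),
                             "valid_users": len(valid[src])}
    return findings


if __name__ == "__main__":
    for src, info in surname_sweeps(SAMPLE_EVENTS).items():
        print(src, info)
```

The thresholds are starting points to tune against your own baseline; a help desk or SSO proxy that fronts many users will need an allowlist.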

If the username format uses the first name, it requires a little more work, but that data is also available to us. The SecLists project has lists for both the top male and top female names. The Social Security Administration also has data we can use, such as the top 100 baby names for the last century based on Social Security card applications. You can further refine your lists based on your target, such as top names by decade or top names by state and year.

At this point, you likely have a pretty good set of wordlists you can use in user enumeration testing. In upcoming posts, we’ll put those lists to use and discuss various user enumeration techniques. If you haven’t already, use the signup field on the right side of this page to sign up for our mailing list and get notified when new posts are published, and follow us on Twitter!
