Sometimes you may come across a situation where all you have from your OSINT phase is a list of first and last names. You can use pre-built lists to find very common usernames, but what about usernames which are not so common, such as `johsmi` or `s-john`?
We can find usernames like this by creating a list of possible permutations of the person's first and last name. Before we construct our list we first have to understand a few rules about how usernames (in unix) can be formatted.
Unix username rules
Usernames in most unix distributions are limited to the following:
- unix usernames can only contain the characters: [a-zA-Z][0-9][._-]
- unix usernames are case-sensitive.
- unix usernames cannot start with a number.
- unix usernames cannot start with any of the allowed special characters `.`, `_` or `-`.
That is fundamentally it as far as what is allowed when creating a username. Now we can get into creating different combinations to build a list of realistic and probable usernames to fuzz with.
Creating username variations
Our example name will be: John Smith
First and Last Name
We can start out simple and just concatenate the first and last name like so:
johnsmith
We can add in special characters:
john.smith john_smith john-smith
We can do the same except in reverse:
smithjohn
Furthermore, some usernames start with just the first letter of the person's first name followed by the full last name, like so:
jsmith or smithj
Adding the special characters we get:
j.smith j_smith j-smith ~ smith.j smith_j smith-j
We can still do the same as above but take one more character each time, so instead of the first character of the first name we use the first two characters:
josmith ~ jo.smith jo_smith jo-smith
Or in reverse:
smithjo ~ smith.jo smith_jo smith-jo
Continuing with the theme of adding single characters, we can take the first three characters of the first name followed by the last name:
johsmith ~ joh.smith joh_smith joh-smith
And the reverse:
smithjoh ~ smith.joh smith_joh smith-joh
We can also do the first character of the last name followed by the first name:
sjohn ~ s-john s.john s_john
Here are some more permutations for good measure. First name and first character of last name:
johns
First name and first two characters of last name:
johnsm
First two characters of last name and first name:
smjohn
First three characters of last name and first name:
smijohn
First three characters of first name and first three characters of last name:
johsmi
If we apply all the rules to our example name, the list should look something like this:
john johns johnsm john-smith john.smith john_smith johsmi joh-smith joh.smith joh_smith johsmith josmith j-smith j.smith j_smith jsmith s-john s.john s_john sjohn smijohn smith smith-j smith.j smith_j smithj smith-jo smith.jo smith_jo smithjo smith-joh smith.joh smith_joh smithjoh smjohn
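As an added example (this is not code from the original post), the Python below turns the "Unix username rules" section into a validator and applies the permutation scheme walked through above to one first/last name pair. The rule set and the John Smith list come from the post; the `max_prefix` parameter, the `_normalise` helper that strips characters a username may not carry (for a name such as O'Brien), and the validity filter are my own additions. It generates a superset of the post's list: it also emits the reversed full names (smithjohn) and separators between a full name and a short prefix in both directions, and it handles the edge case of a name whose normalised form starts with a digit by dropping only the candidates the rules forbid.

```python
import re
from itertools import product

# Unix username rules as the post states them: only [A-Za-z0-9._-],
# case-sensitive, and the first character must be a letter (no leading
# digit, '.', '_' or '-').
USERNAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9._-]*")
SEPARATORS = (".", "_", "-")


def is_valid_unix_username(name: str) -> bool:
    """Return True if `name` satisfies the rules listed in the post."""
    return USERNAME_RE.fullmatch(name) is not None


def _normalise(name: str) -> str:
    """Lower-case a real-world name and drop anything a username may not carry
    (apostrophes, spaces, accents are removed rather than escaped).
    Helper added for this example; not part of the post."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def username_variants(first: str, last: str, max_prefix: int = 3) -> list[str]:
    """Build the permutations the post walks through for one person.

    Each side of a pair is the full name or its first 1..max_prefix characters,
    and both orders (first+last, last+first) are produced. A separator ('.',
    '_', '-') is inserted only when at least one side is a full name, matching
    the post's examples (j.smith, smith.jo, s-john) while keeping pure prefix
    pairs such as johsmi or smjohn bare.
    """
    first, last = _normalise(first), _normalise(last)
    if not first or not last:
        raise ValueError("first and last name must each contain a letter or digit")

    first_parts = [first] + [first[:n] for n in range(1, max_prefix + 1)]
    last_parts = [last] + [last[:n] for n in range(1, max_prefix + 1)]

    candidates = {first, last}  # bare first name and bare last name
    for a, b in product(first_parts, last_parts):
        for x, y in ((a, b), (b, a)):  # first+last and the reverse
            candidates.add(x + y)
            if a == first or b == last:
                candidates.update(x + sep + y for sep in SEPARATORS)

    # Keep only candidates a unix system would accept as a username
    # (e.g. a prefix that begins with a digit is dropped).
    return sorted(c for c in candidates if is_valid_unix_username(c))


if __name__ == "__main__":
    for user in username_variants("John", "Smith"):
        print(user)
```

Running the block prints the John Smith variants one per line; every entry in the post's list above is among them. Names are lower-cased before permuting because the post's examples are all lower-case, but since unix usernames are case-sensitive you may want to keep a capitalised variant as well if the target convention calls for one.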
Once we have a list like this, all we have to do is fuzz one user to find out what the username format is and apply that format to the other names in our list. Now we can move forward a bit more confident that we will indeed uncover a valid username to exploit remote services like FTP, SSH, SMTP, etc.