Thursday, April 18, 2019

Enumerating UNIX usernames

Sometimes you may come across a situation where all you have from your OSINT phase is a list of first and last names. You can use pre-built lists to find very common users, but what about usernames that are not so common, such as `johsmi` or `s-john`?

We can find usernames like this by creating a list of possible permutations of the first and last name of the person. Before we construct our list we first have to understand a few rules dealing with how usernames (in Unix) can be formatted.

Unix username rules

Usernames in most Unix distributions are limited to the following:

Unix usernames can only contain the characters: [a-zA-Z][0-9][._-]
Unix usernames are case-sensitive.
Unix usernames cannot start with a number.
Unix usernames cannot start with any of the allowed special characters (`.`, `_` or `-`).

That is fundamentally it as far as what is allowed when creating a username. Now we can get into creating different combos to get a list of realistic and probable usernames to fuzz with.

Creating username variations

Our example name will be: John Smith

First and Last Name

We can start out simple and just concatenate the first and last name like so:

johnsmith

We can add in special characters:

john.smith
john_smith
john-smith

We can do the same except in reverse:

smithjohn

Furthermore, some usernames start with just the first letter of the person's first name followed by the full last name (or the other way round), like so:

jsmith or smithj

Adding the special characters we get:

j.smith
j_smith
j-smith
~
smith.j
smith_j
smith-j

We still do the same as above but increase the character count by one, so instead of the first character of the first name it would be the first two characters:

josmith
~
jo.smith
jo_smith
jo-smith

Or in reverse:

smithjo
~
smith.jo
smith_jo
smith-jo

Continuing with the theme of adding single characters, we can take the first three characters of the first name followed by the last name:

johsmith
~
joh.smith
joh_smith
joh-smith

And the reverse:

smithjoh
~
smith.joh
smith_joh
smith-joh

We can also do the first character of the last name followed by the first name:

sjohn
~
s-john
s.john
s_john

Here are some more permutations for good measure. First name and first character of the last name:

johns

First name and first two characters of the last name:

johnsm

First two characters of the last name and the first name:

smjohn

First three characters of the last name and the first name:

smijohn

First three characters of both the first and the last name:

johsmi

If we apply all the rules to our name, the list should look something like this:

john
johns
johnsm
john-smith
john.smith
john_smith
johsmi
joh-smith
joh.smith
joh_smith
johsmith
josmith
j-smith
j.smith
j_smith
jsmith
s-john
s.john
s_john
sjohn
smijohn
smith
smith-j
smith.j
smith_j
smithj
smith-jo
smith.jo
smith_jo
smithjo
smith-joh
smith.joh
smith_joh
smithjoh
smjohn

Once we have a list like this, all we have to do is fuzz one user to find out what the username format is and then apply that format to the other names in our list. Now we can move forward a bit more confident that we will indeed uncover a valid username to exploit remote services like FTP, SSH, SMTP, etc.
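The following is an added example (not code from the original post) that turns the rules and combos above into a generator, and covers the last step too: once a naming convention is known, `apply_template` renders it for another person. It builds the full cross product of first-name and last-name prefixes in both orders with every separator, so it produces every username in the list above plus a few extra ones (such as `jo.sm` or `johnsmith`), and it filters each candidate through the Unix rules so names with apostrophes or spaces do not produce invalid entries. All function and label names are my own choice.

```python
import re
from itertools import product

# Separators the post inserts between the two name parts ("" = plain concatenation).
SEPARATORS = ("", ".", "_", "-")

# The post's rules: letters, digits, '.', '_' and '-' only, and the first char must be a letter.
_VALID_USERNAME = re.compile(r"[A-Za-z][A-Za-z0-9._-]*")


def is_valid_unix_username(name):
    """True if NAME satisfies the Unix username rules listed in the post."""
    return _VALID_USERNAME.fullmatch(name) is not None


def name_pieces(first, last):
    """Map piece labels to lowercased fragments: f/f1/f2/f3 and l/l1/l2/l3.

    Characters a username may not contain (apostrophes, spaces, accents) are
    dropped first, so "O'Brien" yields "obrien" rather than an invalid candidate.
    """
    pieces = {}
    for label, name in (("f", first), ("l", last)):
        clean = re.sub(r"[^a-z0-9]", "", name.lower())
        pieces[label] = clean
        for n in (1, 2, 3):
            pieces[f"{label}{n}"] = clean[:n]
    return pieces


def apply_template(template, first, last):
    """Render one known naming convention, e.g. "{f1}{l}" -> "jsmith", for a person."""
    return template.format(**name_pieces(first, last))


def username_variants(first, last):
    """Every first-name piece combined with every last-name piece, in both orders,
    with every separator, plus the bare first and last name; invalid ones dropped."""
    pieces = name_pieces(first, last)
    firsts = [pieces[k] for k in ("f", "f1", "f2", "f3")]
    lasts = [pieces[k] for k in ("l", "l1", "l2", "l3")]
    candidates = {pieces["f"], pieces["l"]}
    for a, b, sep in product(firsts, lasts, SEPARATORS):
        candidates.add(f"{a}{sep}{b}")
        candidates.add(f"{b}{sep}{a}")
    # The set already de-duplicates (e.g. "joe"[:3] == "joe"); the filter removes
    # empty fragments that would leave a candidate starting with a separator.
    return sorted(c for c in candidates if is_valid_unix_username(c))
```

Running `username_variants("John", "Smith")` yields the list from the post as a subset, and a defender can run the same generator over a staff directory to see how guessable their own convention is.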
