dpauli, darren.pauli, darrenp, pauli.darren, paulid
Ruxcon Melbourne security bod Andrew Horton has created a tool to automate the generation of usernames in a bid to round out brute force account attacks.
The HackLabs penetration tester says he created Username Anarchy to fill a feature gap left by basic username generation tools.
Horton (@urbanadventur3r) says it will help hackers reduce the risk of tripping brute force detection mechanisms and rate limiters by attempting password guessing against more likely usernames.
He says Username Anarchy goes beyond the username generators in popular security applications such as Burp Suite by crafting likely logins from a target’s social media platforms, documents, domains, and forums.
“Usernames are half the password brute force problem,” Horton says.
“By attempting a few weak passwords across a large set of user accounts, user account lockout thresholds can be avoided.”
Usernames can be pulled from social networking sources such as LinkedIn and Facebook, from metadata within documents including PDFs, Word, and Excel, and from aliases used on forums.
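The defensive side of Horton's point about lockout thresholds, as an added example that is not part of the original article or of Username Anarchy: a per-account failure counter never fires when each account sees only a couple of guesses, so detection has to count distinct accounts per source instead. The log format, thresholds, addresses and account names below are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5           # assumed per-account failed-login limit
SPRAY_MIN_USERS = 8             # assumed alert level: distinct accounts per source
WINDOW = timedelta(minutes=30)  # assumed sliding window

def parse(line):
    """Parse 'ISO-timestamp source username FAIL|OK' (constructed log format)."""
    ts, src, user, result = line.split()
    return datetime.fromisoformat(ts), src, user, result == "OK"

def locked_accounts(events):
    """Accounts a per-account failure counter alone would lock."""
    fails = Counter(user for _, _, user, ok in events if not ok)
    return {u for u, n in fails.items() if n >= LOCKOUT_THRESHOLD}

def spraying_sources(events):
    """Source -> (distinct accounts failed, max failures on one account)."""
    by_src = defaultdict(list)
    for ts, src, user, ok in sorted(events):
        if not ok:
            by_src[src].append((ts, user))
    flagged = {}
    for src, fails in by_src.items():
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most WINDOW.
            while fails[end][0] - fails[start][0] > WINDOW:
                start += 1
            counts = Counter(u for _, u in fails[start:end + 1])
            if len(counts) >= SPRAY_MIN_USERS:
                hit = (len(counts), max(counts.values()))
                flagged[src] = max(flagged.get(src, hit), hit)
    return flagged

def sample_events():
    """Constructed data: one source tries 10 accounts twice; one user mistypes 6 times."""
    base = datetime(2024, 1, 1, 9, 0)
    names = ["asmith", "a.smith", "bjones", "b.jones", "cwong",
             "c.wong", "dpatel", "d.patel", "ekhan", "e.khan"]
    lines = [f"{(base + timedelta(minutes=10 * r, seconds=20 * i)).isoformat()}"
             f" 203.0.113.7 {n} FAIL" for r in range(2) for i, n in enumerate(names)]
    lines += [f"{(base + timedelta(seconds=5 * i)).isoformat()} 198.51.100.4 fgarcia FAIL"
              for i in range(6)]
    return [parse(l) for l in lines]

if __name__ == "__main__":
    print("locked out:", locked_accounts(sample_events()))
    print("spray suspects:", spraying_sources(sample_events()))
```

On the constructed data the lockout counter catches only the user who mistyped their own password, while the per-source view surfaces the address that touched ten accounts at two failures each.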
Plugin architecture for username formats
Format string style username format definitions
Substitutions, e.g. when only a first initial and last name are known, it will attempt all possible first names
Country databases of common first and last names from Familypedia and
Facebook common first and lastnames lists
common-forum-names.csv – A CSV file with forum names and the frequency with which they appeared
common-forum-names-top10k.txt – The top 10,000 forum names
common-forum-names.txt – 1,774,313 forum names
phpbb-scraper.rb – a web scraper for usernames on phpBB forums