Identifying Users
MITRE ATT&CK, Reconnaissance, Technique T1589
Creating Username Lists
Once we have identified a list of employee names, we can place them into a list to use throughout the engagement in multiple phases.
Below are my personal recommendations:
Identify the username schema that the organization uses.
Collect emails from Hunter.io, data breaches, Phonebook, etc.
Run tooling against LinkedIn, Google, etc.
Run BridgeKeeper against any names identified to place them into the correct format.
Place all of the identified usernames into a file and run sort -u to clean up the file.
Verify these against the domain controller if possible; alternatively, utilize all of these emails in external phishing campaigns.
Helpful Commands to Create a List
Email Lookup Services
Data breaches (self promotion, use my tool breach-rip to parse these fast)
Using Tools Available on GitHub
Locating Breached Credentials
Parsing data breaches to obtain previously compromised credentials can assist an attacker in obtaining initial access to a company by performing credential stuffing attacks.
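From the defender's side, both the username verification step and credential stuffing leave the same trace: one source failing logons against many distinct accounts in a short window. The detection below is an added example, not part of the original page; the log format, the sample events, the thresholds and the function names are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 198.51.100.20 asmith FAIL
2024-05-01T10:00:05 198.51.100.20 asmith FAIL
2024-05-01T10:00:09 198.51.100.20 asmith OK
2024-05-01T10:01:00 203.0.113.7 a.smith FAIL
2024-05-01T10:01:02 203.0.113.7 asmith FAIL
2024-05-01T10:01:04 203.0.113.7 smitha FAIL
2024-05-01T10:01:06 203.0.113.7 bjones FAIL
2024-05-01T10:01:08 203.0.113.7 b.jones FAIL
2024-05-01T10:20:00 192.0.2.44 cdoe FAIL
2024-05-01T10:40:00 192.0.2.44 dlee FAIL
"""

def parse(line):
    """Split one event line of the assumed format into typed fields."""
    ts, src, user, result = line.split()
    return datetime.fromisoformat(ts), src, user.lower(), result

def flag_sources(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {source_ip: sorted usernames} for sources whose failed logons
    touch at least min_users distinct accounts inside one sliding window."""
    recent = defaultdict(deque)   # src -> (timestamp, username) of recent failures
    flagged = defaultdict(set)
    # Lines start with an ISO timestamp, so a plain sort orders them by time.
    for line in sorted(filter(None, map(str.strip, log_text.splitlines()))):
        ts, src, user, result = parse(line)
        if result != "FAIL":
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # expire events outside the window
            q.popleft()
        users = {u for _, u in q}
        # Repeated failures on ONE account (a mistyped password) never trip this.
        if len(users) >= min_users:
            flagged[src] |= users
    return {src: sorted(users) for src, users in flagged.items()}

if __name__ == "__main__":
    for src, users in flag_sources(SAMPLE_LOG).items():
        print(f"{src}: {len(users)} distinct accounts failed -> {users}")
```

Counting distinct accounts per source, rather than total failures, is what separates this pattern from an ordinary user retrying a password; the window and threshold need tuning against real traffic, especially behind shared NAT or proxy addresses.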