# Identifying Users

## Creating Username Lists

Once we have identified employee names, we can compile them into a list to use across multiple phases of the engagement.

Below are my personal recommendations:

1. Identify the username schema that the organization uses.
2. Collect emails from Hunter.io, data breaches, Phonebook, etc.
3. Run tooling against LinkedIn, Google, etc.
4. Run BridgeKeeper against any names identified to place them into the correct format.
5. Place all of the identified usernames into a file and run `sort -u` to clean up the file.
6. Verify these against the domain controller if possible; alternatively, utilize all of these emails in external phishing campaigns.

### Helpful Commands to Create a List

```bash
# Grep a list of emails from a .JSON (or any other) file:
grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" file.txt

# Quick awk magic to add "@client.com" after every username:
awk '{print $0 "@client.com"}' usernames.txt

# Quick sed magic to remove "@client.com" after every email:
sed 's/@.*//' emails.txt
```
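An added example (not from the original page or its author): a defender-side exposure check that reuses the page's `grep` pattern and `sort -u` step, then compares the harvested usernames against the organization's own directory export. The function names and sample data are constructed, and `client.com` is the page's placeholder domain; the example also case-folds and strips carriage returns, which a bare `sort -u` does not do.

```shell
#!/bin/sh
# Added example: which directory accounts can be found through public sources?
# All names and data below are constructed for illustration.

# normalize_usernames FILE DOMAIN
# Pull addresses out of any text file, lower-case them, keep only DOMAIN,
# and print the unique local parts (usernames), one per line.
normalize_usernames() {
    tr -d '\r' < "$1" \
      | grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" \
      | tr '[:upper:]' '[:lower:]' \
      | awk -F'@' -v d="$2" '$2 == d { print $1 }' \
      | LC_ALL=C sort -u
}

# exposed_accounts HARVESTED DIRECTORY DOMAIN
# DIRECTORY is one account name per line (e.g. an export from your own
# directory service). Prints harvested usernames that really exist.
exposed_accounts() {
    normalize_usernames "$1" "$3" \
      | awk 'NR == FNR { sub(/\r$/, ""); dir[tolower($0)] = 1; next }
             ($0 in dir)' "$2" -
}

# demo: build constructed sample files and run the check on them.
demo() {
    tmp=$(mktemp -d)
    # Constructed OSINT output: mixed case, a duplicate, a foreign domain,
    # and one address (dave.old) that no longer exists in the directory.
    printf '%s\n' \
        '{"email": "Alice.Smith@client.com"}' \
        '{"email": "alice.smith@CLIENT.com"}' \
        'contact: bob.jones@client.com, carol@example.org' \
        '{"email": "dave.old@client.com"}' > "$tmp/harvested.txt"
    # Constructed directory export with Windows (CRLF) line endings.
    printf 'alice.smith\r\nBob.Jones\r\nerin.lee\r\n' > "$tmp/directory.txt"
    exposed_accounts "$tmp/harvested.txt" "$tmp/directory.txt" client.com
    rm -rf "$tmp"
}

demo
```

Accounts printed here are both valid and publicly discoverable, which makes them the first candidates for MFA enforcement and for alerting on failed logons.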

### Email Lookup Services

* [Hunter.io](https://hunter.io)
* [Phonebook.cz](https://phonebook.cz)
* [ZoomInfo](https://www.zoominfo.com)
* [Snov](https://snov.io/email-finder)
* [RocketReach](https://info.rocketreach.co/find-accurate-emails-faster)
* Data breaches (self promotion, use my tool breach-rip to parse these fast)

### Using Tools Available on GitHub

* [Linkedin2Username](https://github.com/initstring/linkedin2username)
* [BridgeKeeper](https://github.com/0xZDH/BridgeKeeper)
* [Peasant](https://github.com/arch4ngel/peasant)
* [LinkedInt](https://github.com/vysecurity/LinkedInt)

## Locating Breached Credentials

* [DeHashed](https://dehashed.com)
* [breach-rip](https://github.com/FreeZeroDays/breach-rip)

Parsing data breaches to obtain previously compromised credentials can assist an attacker in obtaining initial access to a company by performing credential stuffing attacks.



