# Identifying Users

## Creating Username Lists

Once we have identified a list of employee names, we can place them into a list to use throughout the engagement in multiple phases.

Below are my personal recommendations:

1. Identify the username schema that the organization uses.
2. Collect emails from Hunter.io, Data breaches, Phonebook, etc
3. Run tooling against LinkedIn, Google, etc
4. Run BridgeKeeper against any names identified to place them into the correct format.
5. Place all of the identified usernames into a file and run `sort -u` to clean up the file.
6. Verify these against the domain controller if possible, alternatively utilize all of these emails in external phishing campaigns.

### Helpful Commands to Create a List

```bash
# Grep a list of emails from a .JSON (or any other) file:
grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" file.txt

# Quick awk magic to add "@client.com" after every username:
awk '{print $0 "@client.com"}' usernames.txt

# Quick sed magic to remove "@client.com" after every email:
sed 's/@.*//' emails.txt
```

### Email Lookup Services

* [Hunter.io](https://hunter.io)
* [Phonebook.cz](https://phonebook.cz)
* [ZoomInfo](https://www.zoominfo.com)
* [Snov](https://snov.io/email-finder)
* [RocketReach](https://info.rocketreach.co/find-accurate-emails-faster?utm_source=500\&utm_campaign=MT_-_NB_-_Email_Finder_-_US_-_Desktop\&keyword=email%20address%20search%20engine\&tags=!\(\(incexc:include,keyword:%27Mark%20Cuban%27,type:keywords\)\)\&start=1\&mode=default\&page_size=10\&gclid=CjwKCAjw1ICZBhAzEiwAFfvFhHGT5DtJ0G0TUZLqZCAyox18wOUHXuAGdK5aY-6XpSmAjtYQ6zSINhoCCsQQAvD_BwE)
* Data breaches (self promotion, use my tool breach-rip to parse these fast)

### Using Tools Available on GitHub

* [Linkedin2Username](https://github.com/initstring/linkedin2username)
* [BridgeKeeper](https://github.com/0xZDH/BridgeKeeper)
* [Peasant](https://github.com/arch4ngel/peasant)
* [LinkedInt](https://github.com/vysecurity/LinkedInt)

## Locating Breached Credentials

{% embed url="<https://dehashed.com>" %}

{% embed url="<https://github.com/FreeZeroDays/breach-rip>" %}

Parsing data breaches to obtain previously compromised credentials can assist an attacker in obtaining initial access to a company by performing credential stuffing attacks.

### References

{% embed url="<https://dehashed.com>" %}

{% embed url="<https://github.com/FreeZeroDays/breach-rip>" %}