Users

User searching:

  • about me's
  • LinkedIn
  • Facebook - social media tools (search for company emails online, and also look for email use on insecure websites)
  • www.social-searcher.com (social media search engine)
  • Harvester
  • Seclists data dumps that may contain the target's user:pass

LIST GENERATION:

  • digi.ninja/projects/twofi.php : searches a user's Twitter and builds a personalized wordlist to brute force with. Requires a Twitter API key.
  • github.com/initstring/linkedin2username : generates username lists from LinkedIn. Requires an account and to befriend someone in the target org.

Don't know the AD username format?

This script will take First Last names and combine them in common ways used by system admins.

Sample input of names.txt:

Elizabeth Lopez
Tara Baker
Becky Casey

Output of unames.txt:

elizabethlopez
lopezelizabeth
elizabeth.lopez
lopez.elizabeth
lopeze
elopez
lelizabeth
e.lopez
l.elizabeth
elizabeth
lopez
tarabaker
...more

Usage: python script.py namelist.txt

#!/usr/bin/env python
# Created By Prescott Rowe
import sys
import os.path

if __name__ == "__main__":
    print("UName Gen takes a list of first and last names and creates common usernames from them.")
    print("Check for the file 'unames.txt' after completion.")
    if len(sys.argv) != 2:
        print("usage: {} names.txt".format(sys.argv[0]))
        sys.exit(1)

    if not os.path.exists(sys.argv[1]):
        print("{} not found".format(sys.argv[1]))
        sys.exit(1)

    print("Generating names...")
    # Open both files once; results are appended to unames.txt
    with open(sys.argv[1]) as names, open("unames.txt", "a") as f:
        for line in names:
            # keep only letters and spaces
            name = ''.join([c for c in line if c == " " or c.isalpha()])

            tokens = name.lower().split()

            # skip empty lines
            if len(tokens) < 1:
                continue
            fname = tokens[0]    # first token is the first name
            lname = tokens[-1]   # last token is the last name

            f.write(fname + lname + '\n')           # johndoe
            f.write(lname + fname + '\n')           # doejohn
            f.write(fname + "." + lname + '\n')     # john.doe
            f.write(lname + "." + fname + '\n')     # doe.john
            f.write(lname + fname[0] + '\n')        # doej
            f.write(fname[0] + lname + '\n')        # jdoe
            f.write(lname[0] + fname + '\n')        # djohn
            f.write(fname[0] + "." + lname + '\n')  # j.doe
            f.write(lname[0] + "." + fname + '\n')  # d.john
            f.write(fname + '\n')                   # john
            f.write(lname + '\n')                   # doe

    print("Check unames.txt")
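
From the defender's side, a source that fails logons with several different format permutations of the same employee's name is working through a generated list like the one above, not mistyping a password. The following is an added example (not part of the original page or the script author's code) that flags such sources; the `(source, username)` log shape, the function names and the threshold of 3 are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

def variants(first, last):
    """The 11 username shapes the script above writes for one person."""
    f, l = first.lower(), last.lower()
    return {f + l, l + f, f + "." + l, l + "." + f, l + f[0], f[0] + l,
            l[0] + f, f[0] + "." + l, l[0] + "." + f, f, l}

def flag_sources(failed_logons, staff, min_variants=3):
    """Return {source: {person: sorted usernames tried}} for sources whose
    failed logons include >= min_variants name permutations of one person."""
    lookup = {}                          # candidate username -> people it maps to
    for first, last in staff:            # staff: non-empty (first, last) pairs
        for v in variants(first, last):
            lookup.setdefault(v, set()).add(f"{first} {last}")
    seen = defaultdict(lambda: defaultdict(set))
    for source, username in failed_logons:
        for person in lookup.get(username.lower(), ()):
            seen[source][person].add(username.lower())
    flagged = {}
    for source, people in seen.items():
        hits = {p: sorted(u) for p, u in people.items() if len(u) >= min_variants}
        if hits:
            flagged[source] = hits
    return flagged

# Constructed sample data (assumption): staff directory and failed-logon pairs
STAFF = [("Elizabeth", "Lopez"), ("Tara", "Baker")]
FAILED = [
    ("10.0.0.50", "elizabethlopez"), ("10.0.0.50", "lopeze"),
    ("10.0.0.50", "e.lopez"), ("10.0.0.50", "tbaker"),
    ("10.0.0.50", "baker.tara"), ("10.0.0.50", "btara"),
    ("10.0.0.7", "elopez"), ("10.0.0.7", "elopez"),  # one user retrying a password
]

if __name__ == "__main__":
    for source, people in flag_sources(FAILED, STAFF).items():
        print(source, people)
```

Repeated failures against a single username shape, as from 10.0.0.7 in the sample, are not flagged; only a spread across formats for the same person is.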

CODE:

  • Stack Overflow user searching: you may be able to find posts made by the company's engineers, both asking for help and offering solutions.

  • You may also learn which vendors and solutions they use, and can look into those vendors' community forums as well.

Whois:

TCP tool and database used to look up name servers and registrars. We can also do reverse lookups with whois. This will tell us who is hosting the address, who registered it, etc.:

#whois 138.11.11.11 | less

The Harvester:

Searches Google, Bing, etc. for email accounts associated with a domain.

#theharvester -d bulb.com -l 500 -b all
#theharvester -d cisco.com -l 10 -b bing >bing.txt

Don't forget about the OSINT Framework for finding more methods.
