WhatsMyName Project

What Is It?

I’ve created the WhatsMyName project on Github (https://github.com/WebBreacher/WhatsMyName) to help with #OSINT searches by using target user names. Here’s how it works:

  1. We understand that people use the same username across multiple web sites. For example, I am “WebBreacher” on both the Github and BitBucket web sites.
  2. Some web sites make it easy to discover if there is a certain user account being used on the site. Sticking with Github, visiting https://github.com/{ACCOUNT}/ (where {ACCOUNT} is replaced by the username or account you want to see on the web site) shows a specific user’s profile if the user account is valid. Mine is https://github.com/WebBreacher/.
  3. If we visit the same site and request a username that is not there, we get an error or page that tells us the user account is not valid. Here is an example: https://github.com/WebBreacher111111/. See the error page?
  4. Now, if a site pulls up a user’s profile when we submit a good user account and gives a different result when we submit a bad user name, we can easily script this check to do it FAST!
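
The check from steps 2 to 4, as an added example (not code from the WhatsMyName repository): it classifies a response as exists, missing, or unknown, and accepts a site entry only when a known-good and a known-bad control account both classify correctly. The `SITE` field names, the `site.example` host, the control accounts and the canned responses are constructed for illustration and are not the project's JSON schema.

```python
from urllib.error import HTTPError, URLError
from urllib.parse import quote
from urllib.request import urlopen

# Constructed entry; field names are assumptions, not the project's JSON schema.
SITE = {"url": "https://site.example/{ACCOUNT}/",
        "exists_code": 200, "exists_text": "'s profile",
        "missing_code": 404, "missing_text": "Page not found"}

def http_fetch(url, timeout=10):
    """Return (status, body); status is None if the host is unreachable."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:          # 4xx/5xx responses still carry a body
        return err.code, err.read().decode("utf-8", "replace")
    except (URLError, OSError):       # DNS failure, refused connection, timeout
        return None, ""

def classify(site, account, fetch=http_fetch):
    """Return 'exists', 'missing' or 'unknown' for one account on one site."""
    url = site["url"].replace("{ACCOUNT}", quote(account, safe=""))
    status, body = fetch(url)
    if status == site["exists_code"] and site["exists_text"] in body:
        return "exists"
    if status == site["missing_code"] and site["missing_text"] in body:
        return "missing"
    return "unknown"                  # neither signature matched: do not guess

def entry_is_reliable(site, known_good, known_bad, fetch=http_fetch):
    """Trust an entry only if both control accounts classify correctly."""
    return (classify(site, known_good, fetch) == "exists"
            and classify(site, known_bad, fetch) == "missing")

# Constructed responses standing in for the network, so the example runs offline.
PAGES = {"https://site.example/alice/": (200, "<h1>alice's profile</h1>"),
         "https://site.example/zzz-no-such-user/": (404, "Page not found")}

def fake_fetch(url):
    return PAGES.get(url, (None, ""))  # unlisted URL behaves like a dead host

def always_200(url):
    return 200, "<h1>Welcome</h1>"     # site that answers 200 to everything

if __name__ == "__main__":
    print(classify(SITE, "alice", fake_fetch))
    print(entry_is_reliable(SITE, "alice", "zzz-no-such-user", always_200))
```

Requiring both the status code and a page string keeps a site that returns 200 for every request, or one that has gone offline, from being counted as a hit.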

How Do I Use It?

And that is what the WhatsMyName project is about. I’ve found over 160 web sites across the public internet that allow this type of user name enumeration. I’ve put all this information in a JSON (JavaScript Object Notation) formatted file and you can use it to find user accounts rapidly. The data in the file is structured and easily readable.

There are 3 main methods of using the data:

  1. Some projects like recon-ng and Spiderfoot pull this data when you run certain plugins (recon-ng -> “profiler” module and Spiderfoot -> “sfp_accounts.py”). Use those excellent tools and you can leverage this data. With recon-ng, I’ve searched 3 user accounts across all these sites in about 30 seconds total.
  2. I’ve built a simple script into the Github repository that can look up a single user name across all the valid sites. Check out the main page (section “Standalone Checker”) on https://github.com/WebBreacher/WhatsMyName for details.
  3. Come up with your own crazy method of using it and let me know!

Open Source Project Plea for Help

This is an open source project meaning I do not get paid for compiling and maintaining the data. I’d love to expand it to include other sites too but I have many other things that are taking my time. My plea is simple:

  • If you have a little time, a thirst to learn more about web applications and a desire to use ZAP or BurpSuite, consider helping me out by adding to the data.

I can help you get started by:

  1. teaching you how to use Github. It may be scary but it can be simplified.
  2. teaching you how to find and evaluate these user name enumeration issues in other web sites.

Interested? Leave a comment and/or hit me up on Twitter @WebBreacher or @OsintNinja.

4 thoughts on “WhatsMyName Project”

    1. Yes I am familiar with those sites. I used those sites in my project when I started it. Here’s the thing though: I looked and manually verified many of the findings from those sites and found that many times there were false negatives in the results. Many of the sites being checked were giving 404 or even domain not found errors. So, I manually verify all the content in my project to be sure they actually are not false pos or neg.

      Thanks for the comment!

      — Micah
