RE: dictionary of forum style usernames

["Griffiths, Ian" <Ian.Griffiths () liv-coll ac uk>]

I'm sure such a list could be derived from an existing member list from
any forum out there, wget and some Perl or something, not sure what the
ethical stance is on that.

I'm not even sure on the ethics of going straight to the member table
and picking up the single username field.  You would need a forum admin
who trusts you to use the stuff appropriately and possibly members who
are willing to participate?  I'm not sure - it is of course sufficiently
anonymised in every other respect.

If you want to brute force this data as it stands though you would also
need the set of password hashes as well?  Unlikely anyone will give this
up too easily!

I would also be interested to see that if you were able to get two
member lists of maybe ten thousand members exactly how much overlap
there is between the two lists - my suspicion would be not much.
Therefore you might want to consider compounding a few lists so you get
maybe 100k names or more.

Ironically, most teenage **honey_girl_69x** usernames would actually
make fantastic passwords, I don't think that was the intention :-)

Ian

-----Original Message-----
From: Robin Wood [mailto:dninja () gmail com] 
Sent: 04 May 2006 12:32
To: Griffiths, Ian
Cc: webappsec () securityfocus com
Subject: Re: dictionary of forum style usernames


As I said, the system I'm going to be testing has users whose usernames
are going to be forum style (e.g. Luca89, mackerel, Maedhros, Magic
Banana, mark_alec) rather than normal "human" name style (e.g. robin,
peter, fred).

> From previous experience with the site I know that a lot of users use
their username as their password so if I can get a reasonable list,
preferably a few hundred at least, I'll try a brute force attack with a
selection of common passwords and the username. I'm going to leave this
going in the background while doing the rest of the tests so the more
names the better.

I know that the human style name lists exist as my ssh server regularly
gets attacked by scripts trying long lists of usernames, does the same
exist for forum style names?

On 5/4/06, Griffiths, Ian <Ian.Griffiths () liv-coll ac uk> wrote:
> How many records are you thinking?
>
> Also what are you aiming to achieve?  I currently can't see any place 
> where username actually matters?
>
> Ian
>
> -----Original Message-----
> From: Robin Wood [mailto:dninja () gmail com]
> Sent: 04 May 2006 08:53
> To: webappsec () securityfocus com
> Subject: dictionary of forum style usernames
>
>
> Hi
> I'm going to be doing a test against a forum type system and want to 
> have a go at bruteforcing a few logins. As it is a forum the login 
> names aren't likely to be usual "human" names so I'm looking for a 
> dictionary of names to try. Can anyone recommend one?
>
> Robin
>
> ----------------------------------------------------------------------
> --
> -
> Sponsored by: Watchfire
>
> The Twelve Most Common Application-level Hack Attacks
> Hackers continue to add billions to the cost of doing business online 
> despite security executives' efforts to prevent malicious attacks. 
> This whitepaper identifies the most common methods of attacks that we 
> have seen, and outlines a guideline for developing secure web 
> applications. Download this whitepaper today!
>
> https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t
> 9r
------------------------------------------------------------------------
> --

-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online
despite security executives' efforts to prevent malicious attacks. This
whitepaper identifies the most common methods of attacks that we have seen,
and outlines a guideline for developing secure web applications.
Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r
--------------------------------------------------------------------------