Username Enumeration¶
- Gather potential usernames
- Validate usernames
Username Lists¶
https://github.com/insidetrust/statistically-likely-usernames
Username Scraping Tools¶
SpiSuite¶
https://github.com/waffl3ss/SpiSuite
- LinkedIn username scraper
CrossLinked¶
https://github.com/m8sec/CrossLinked
- LinkedIn username scraper
- Credential-free
OSINT / File Scraping¶
Find publicly accessible files via search engines and search through metadata. - See File Scraping
Username Validation Tools¶
GoKnock¶
https://github.com/waffl3ss/GoKnock
- OneDrive validation may allow only UPN sign-in or any email alternatives depending on the configuration.
- This means that if GoKnock validates a user@domain.com then it is not guaranteed to be the user's UPN
Trevorspray¶
Specify tenant name if different from domain
TREVOR_tenantname=<tenant_name> TREVOR_domain=<domain>_com trevorspray --recon example.com -u unvalidated_usernames.lst | tee trevorspray_userenum.out
TREVOR_domain=
_com should end in _com (i.e. example_com, not example.com) Example: TREVOR_tenantname=exampleglobal.com TREVOR_domain=example_com trevorspray --recon example.com -u unvalidated_usernames.lst | tee trevorspray_userenum.out
Enumeration Methods¶
OneDrive¶
- req/s: thread-limited; no server-side rate limiting (use
--threadsand optional--ssh/--proxy) - Compares 403 vs 404 when a user has initialized OneDrive
- Credential-free
- Can miss users who never launched OneDrive.
- New hires, service accounts, etc.
Azure Seamless SSO¶
- req/s: slower; subject to server throttling; only if tenant uses Seamless SSO
- Credential-free
Teamfiltration¶
- IP Rotation uses FireProx
- Requires AWS API Gateway.
Enumeration Methods / Flags¶
Teams API¶
- Flag:
--validate-teams - Request rate: ~300/s
- Requires M365 account (Teams-enabled license, e.g., Business Basic), no MFA
GetCredential Type¶
- Flag:
--validate-msol - Request rate: ~20/s
- Credential-free
OneDrive¶
- Flag:
--validate-onedrive - Request rate: ~300 req/s
- Credential-free