Skip to content

Username Enumeration

  1. Gather potential usernames
  2. Validate usernames

Username Lists

https://github.com/insidetrust/statistically-likely-usernames

Username Scraping Tools

SpiSuite

https://github.com/waffl3ss/SpiSuite

  • LinkedIn username scraper

CrossLinked

https://github.com/m8sec/CrossLinked

  • LinkedIn username scraper
  • Credential-free

Username Validation Tools

GoKnock

https://github.com/waffl3ss/GoKnock

  • OneDrive validation may allow only UPN sign-in or any email alternatives depending on the configuration.
    • This means that if GoKnock validates a user@domain.com then it is not guaranteed to be the user's UPN

Trevorspray

Enumerate valid users
trevorspray --recon <domain> -u <user_list>

Enumeration Methods

OneDrive
  • req/s: thread-limited; no server-side rate limiting (use --threads and optional --ssh/--proxy)
  • Compares 403 vs 404 when a user has initialized OneDrive
  • Credential-free
  • Can miss users who never launched OneDrive.
  • New hires, service accounts, etc.
Azure Seamless SSO
  • req/s: slower; subject to server throttling; only if tenant uses Seamless SSO
  • Credential-free

Teamfiltration

  • IP Rotation uses FireProx
    • Requires AWS API Gateway.

Enumeration Methods / Flags

Teams API
  • Flag: --validate-teams
  • Request rate: ~300/s
  • Requires M365 account (Teams-enabled license, e.g., Business Basic), no MFA
GetCredential Type
  • Flag: --validate-msol
  • Request rate: ~20/s
  • Credential-free
OneDrive
  • Flag: --validate-onedrive
  • Request rate: ~300 req/s
  • Credential-free