webbreacher / whatsmyname Goto Github PK

View Code? Open in Web Editor NEW

1.5K 38.0 265.0 2.7 MB

This repository has the JSON file required to perform user enumeration on various websites.

Home Page: https://whatsmyname.app/

License: Other

osint username users socmint python

whatsmyname's People

Contributors

Stargazers

Watchers

Forkers

security-geeks adon90 aciwarrior kmanimaran zeroimpact l0r3m1p5um lehuff olivierh59500 ginnz recompiler upgoingstar rpigu-i cyb3rfox silogit hybridious terncgod dutchosintguy jefferyq bearhunt11 privateger seabreg codegrande p3t3rp4rk3r cyian-1756 hazhheadz sector035 bemonolit kehrijksen modulexcite devhops thuglifeproductions mohamedmajid91 thomashillman not-today aancw grayhat12 jonz-secops fractal-mind geoveza qpointconsulting mztripp y0urn3w0wn3r jmtrml50 kpcyrd mccartney 3v1lw1th1n 5l1v3r1 kajojify stinkydan snrtherock morristech wlly23 d3thman alchemycyberblaze henryvgoda bernddasbyte jack51706 jocephus psknv danbrown47 jenisvaghasiya yashvendra litchi125 sp4c3cow zforks cagivajsp ubuntulover09 vgjeyasurya calscruby1 zorroroot tobiadegoke qp53catoei2wwrhhsoco yahyafakhroji ktzgraph szrobert84 osinttechniques jspinel gbinv swedishmike 0skar-alws abigailxyzw actorexpose ith4cker ethical-hacking-tools courgettes975 jakuta-tech shadyproject tomgold182 hartl3y94 oldkingcone arnydo ef1500 maram1912 kravp00l blahberi tatikomiura naveenkumarrayan ptleb linuxnerdbtw bonniewilliams80

whatsmyname's Issues

Handling of '.' in usernames

Some services support usernames containing .. Others do not.

This is problematic for services which make use of a subdomain for profile URLs:

# grep -rn check_uri web_accounts_list.json | grep '//{'
133:         "check_uri" : "http://{account}.blogspot.com",
299:         "check_uri" : "http://{account}.deviantart.com/",
733:         "check_uri" : "http://{account}.insanejournal.com/profile",
866:         "check_uri" : "http://{account}.livejournal.com",
1335:         "check_uri" : "https://{account}.skyrock.com/profil/",
1390:         "check_uri" : "http://{account}.smugmug.com",
1434:         "check_uri" : "http://{account}.soup.io/rss",
1566:         "check_uri" : "http://{account}.tumblr.com",
1766:         "check_uri" : "http://{account}.xanga.com/",

One approach would be to strip all . from usernames only for these services. Other characters such as - and _ may also be problematic.

Alternatively, another approach would be to simply skip these services if the username contains problematic characters.

broken site - repl.it

Looking up https://repl.it/@test
! ERROR: BAD DETECTION STRING. "profile?username=" was not found on resulting page.
Looking up https://repl.it/@admin
! ERROR: BAD DETECTION STRING. "profile?username=" was not found on resulting page.
Looking up https://repl.it/@john
! ERROR: BAD DETECTION STRING. "profile?username=" was not found on resulting page.

Fix broken sites

Just ran the web checker script and found the following issues:

 Engadget --> Bad detection string.
 Lanyrd --> Bad detection code and string. Expected Code: 503; Received Code: 200.
 Mixcrate --> Bad detection string.
 diigo --> Bad detection string.
 eBay --> Bad detection string.
 instructables --> Bad detection string.
 theguardian --> Bad detection string.
 tribe --> Bad detection code and string. Expected Code: 500; Received Code: 200.

broken site - deviantart

Looking up http://test.deviantart.com/
! ERROR: BAD DETECTION STRING. "aboutme-profile-pic-shadow" was not found on resulting page.
Looking up http://john.deviantart.com/
! ERROR: BAD DETECTION STRING. "aboutme-profile-pic-shadow" was not found on resulting page.

more sites

https://www.happycow.net/members/profile/AllisonRallison
https://www.zomato.com/tamehameha
https://www.tripadvisor.com/members-reviews/475carlm
http://www.snooth.com/profiles/joshparent/

Bad site angel.c

Looking up https://angel.co/sacca
! ERROR: BAD CODE AND STRING. Neither the HTTP response code or detection string worked.
Looking up https://angel.co/rudyadler
! ERROR: BAD CODE AND STRING. Neither the HTTP response code or detection string worked.

broken site - imgur

Looking up http://imgur.com/user/test
! ERROR: BAD DETECTION STRING. "Gallery comments" was not found on resulting page.

Add site GPSies

https://www.gpsies.com/mapUser.do?username=woodslover924

broken site - del.icio.us

Looking up http://del.icio.us/av2learner
! ERROR: BAD CODE AND STRING. Neither the HTTP response code or detection string worked.

Incorporate nightly checks of the data

Use https://travis-ci.org/ and https://nightli.es/

Fix issue with slashdot

➜  python web_accounts_list_checker.py -u mnciitbhu
...
 -  Looking up https://slashdot.org/~mnciitbhu
[+] Found user at https://slashdot.org/~mnciitbhu
...

From https://slashdot.org/~mnciitbhu:

The user you requested does not exist, no matter how much you wish this might be the case.

Add archive.org

https://archive.org/details/@jason_scott
https://archive.org/details/@webbreacher

add http://smashrun.com/john.young/

http://smashrun.com/john.young/

web_accounts_list_checker.py follows redirects

Python requests library uses a default value of True for allow_redirects.

web_accounts_list_checker.py does not specifically override the default, rendering the following matches inaccurate:

$ grep -rn 'code" : "302"'  web_accounts_list.json -B 5 | grep name
21-         "name" : "about.me",
43-         "name" : "aNobii",
54-         "name" : "appearoo",
232-         "name" : "cHEEZburger",
320-         "name" : "devRant",
453-         "name" : "fanpop",
464-         "name" : "Fiverr",
532-         "name" : "FriendFinder",
543-         "name" : "FriendFinder-X",
765-         "name" : "ImageShack",
967-         "name" : "meet me",
1011-         "name" : "Mix",
1144-         "name" : "Quora",
1177-         "name" : "Pastebin",
1245-         "name" : "PictureTrail",
1344-         "name" : "ProductHunt",
1356-         "name" : "PSNProfiles",
1499-         "name" : "SmiteGuru",
1642-         "name" : "TF2 Backpack Examiner",
1686-         "name" : "Tripit",
1875-         "name" : "wishlistr",
1897-         "name" : "WordPress",
1919-         "name" : "Xanga",

(Note: the line numbers won't match up with master as I've modified my local web_accounts_list.json file).

Fortunately, each of these matches is for the account_missing_code, and the scanner defaults to presuming the account does not exist, so these matches won't affect web_accounts_list_checker.py; however, they may affect downstream tools utilizing the JSON file, depending on implementation (specifically: are redirects followed).

$ grep -rn '"302"'  web_accounts_list.json
26:         "account_missing_code" : "302",
48:         "account_missing_code" : "302",
59:         "account_missing_code" : "302",
237:         "account_missing_code" : "302",
325:         "account_missing_code" : "302",
458:         "account_missing_code" : "302",
469:         "account_missing_code" : "302",
537:         "account_missing_code" : "302",
548:         "account_missing_code" : "302",
770:         "account_missing_code" : "302",
972:         "account_missing_code" : "302",
1016:         "account_missing_code" : "302",
1149:         "account_missing_code" : "302",
1182:         "account_missing_code" : "302",
1250:         "account_missing_code" : "302",
1349:         "account_missing_code" : "302",
1361:         "account_missing_code" : "302",
1504:         "account_missing_code" : "302",
1647:         "account_missing_code" : "302",
1691:         "account_missing_code" : "302",
1880:         "account_missing_code" : "302",
1902:         "account_missing_code" : "302",
1924:         "account_missing_code" : "302",

Fix sites

Atlassian --> Bad detection string.
Basecamp --> Bad detection code and string. Received Code: 404; Expected Code: 200.
Bugcrowd --> Bad detection string.
Garmin connect --> Bad detection code and string. Received Code: 403; Expected Code: 200.
HaveIBeenPwnd --> Bad detection code and string. Received Code: 429; Expected Code: 200.
LinkedIn --> Bad detection code and string. Received Code: 999; Expected Code: 200.
Periscope --> Bad detection string.
Rate Your Music --> Bad detection code and string. Received Code: 503; Expected Code: 200.
Twitpic --> Bad detection string.
facebook.com --> Bad detection string.
theguardian --> Bad detection code and string. Received Code: 404; Expected Code: 200.
vidme --> Bad detection string.

add runkeeper

https://runkeeper.com/user/stevewerby/

broken site - bitbucket.org

Looking up https://bitbucket.org/api/2.0/users/test
! ERROR: BAD DETECTION STRING. ""username": " was not found on resulting page.
Looking up https://bitbucket.org/api/2.0/users/WebBreacher
! ERROR: BAD DETECTION STRING. ""username": " was not found on resulting page.

Validate and Add sites

Submitted anonymously to me:

{
"name" : "Disqus",
"check_uri" : "https://disqus.com/by/{account}/",
"account_existence_code" : "200",
"account_existence_string" : "<title>Disqus Profile",
"account_missing_string" : "<title> Page",
"account_missing_code" : "404",
"known_accounts" : ["carlosharm"],
"category" : "discussion",
"valid" : true,
"comments" : [""]
},

  { 
     "name" : "Free Republic", 
     "check_uri" : "http://www.freerepublic.com/%7E{account}/", 
     "account_existence_code" : "200", 
     "account_existence_string" : "view home page", 
     "account_missing_string" : "This account has been banned or suspended.", 
     "account_missing_code" : "304", 
     "known_accounts" : ["Lurkinanloomin","TigerClaws"], 
     "category" : "political", 
     "valid" : true, 
     "comments" : [""] 
  },

add sites

http://openstreetcam.org/user/JackPav
https://www.mapillary.com/app/user/jbthemilker
http://www.openstreetmap.org/user/kemkim

New sites about POT!

broken site anobii.com

Looking up http://www.anobii.com/test/profile
! ERROR: BAD DETECTION STRING. "- aNobii" was not found on resulting page.
Looking up http://www.anobii.com/john/profile
! ERROR: BAD DETECTION STRING. "- aNobii" was not found on resulting page.

use all test users

in the python script, if the search string is not found with the first test user, move to the second. could be the first user is no longer good.

mod the script to pick up bad user

broken site - diy

Looking up https://diy.org/test
! ERROR: BAD DETECTION STRING. "Member since" was not found on resulting page.
Looking up https://diy.org/john
! ERROR: BAD DETECTION STRING. "Member since" was not found on resulting page.

broken site - rottentomatoes

Looking up https://www.rottentomatoes.com/critic/guy-lodge/movies/
! ERROR: BAD DETECTION STRING. "Movies Reviews & Previews" was not found on resulting page.
Looking up https://www.rottentomatoes.com/critic/matthew-lickona/movies/
! ERROR: BAD DETECTION STRING. "Movies Reviews & Previews" was not found on resulting page.

The following previously "valid" sites had errors:
     AdultFriendFinder --> Bad detection code and string. Received Code: 404; Expected Code: 200.
     Fotolog --> Bad detection string.
     HaveIBeenPwnd --> Bad detection code and string. Received Code: 429; Expected Code: 200.
     IFTTT --> Bad detection string.
     LinkedIn --> Bad detection code and string. Received Code: 999; Expected Code: 200.
     Mixcloud --> Bad detection code and string. Received Code: 403; Expected Code: 200.
     Rate Your Music --> Bad detection code and string. Received Code: 503; Expected Code: 200.
     Soup --> Bad detection code and string. Received Code: 503; Expected Code: 200.
     VK --> Bad detection code and string. Received Code: 404; Expected Code: 200.
     WeedLife --> Bad detection code and string. Received Code: 200; Expected Code: 303.
     tribe --> Bad detection code and string. Received Code: 503; Expected Code: 200.
     tumblr --> Bad detection string.

┌─[18:13:37]─[~/tools/WhatsMyName]
└──> $  ll
total 352
drwxrwxr-x 8 ubuntu  4096 Jan  7 18:06 .git/
-rw-rw-r-- 1 ubuntu  1101 Dec 18 22:05 LICENSE.md
-rw-rw-r-- 1 ubuntu  4600 Jan  7 18:06 README.md
-rw-rw-r-- 1 ubuntu     9 Jan  6 22:01 requirements.txt
-rw-rw-r-- 1 ubuntu 47612 Jan  7 18:08 se-Fotolog.johndoe
-rw-rw-r-- 1 ubuntu 57521 Jan  7 18:08 se-IFTTT.fitbit
-rw-rw-r-- 1 ubuntu 36494 Jan  7 18:12 se-tumblr.test1
-rwxrwxr-x 1 ubuntu  9689 Jan  7 18:06 web_accounts_list_checker.py*
-rw-rw-r-- 1 ubuntu 88239 Jan  7 18:07 web_accounts_list.json

broken site - haveibeenpwned

Looking up https://haveibeenpwned.com/api/v2/breachedaccount/john%40example.com
! ERROR: BAD CODE AND STRING. Neither the HTTP response code or detection string worked.

broken site - hubpages

Looking up http://hubpages.com/@test
! ERROR: BAD CODE AND STRING. Neither the HTTP response code or detection string worked.
Looking up http://hubpages.com/@bob
! ERROR: BAD CODE AND STRING. Neither the HTTP response code or detection string worked.

Add to website

https://storycorps.me/user/paul-swider/

https://www.google.com/search?num=40&newwindow=1&site=&source=hp&q=site%3Astorycorps.me+inurl%3A%2Fuser%2F&oq=site%3Astorycorps.me+inurl%3A%2Fuser%2F&gs_l=hp.3...1542.19004.0.19474.44.36.4.0.0.0.438.3440.18j9j1j0j1.29.0....0...1c.1.64.hp..17.4.448.0..0j46j0i131k1j0i46k1.Lb_r36VqHvM

AdultFriendFinder --> Bad detection code and string. Received Code: 404; Expected Code: 200.
Fotolog --> Bad detection string.
HaveIBeenPwnd --> Bad detection code and string. Received Code: 429; Expected Code: 200.
IFTTT --> Bad detection string.
LinkedIn --> Bad detection code and string. Received Code: 999; Expected Code: 200.
Mixcloud --> Bad detection code and string. Received Code: 403; Expected Code: 200.
MyBuilder.com --> Bad detection string.
Rate Your Music --> Bad detection code and string. Received Code: 503; Expected Code: 200.
Soup --> Bad detection code and string. Received Code: 503; Expected Code: 200.
tribe --> Bad detection code and string. Received Code: 503; Expected Code: 200.
tumblr --> Bad detection string.
VK --> Bad detection code and string. Received Code: 404; Expected Code: 200.
WeedLife --> Bad detection code and string. Received Code: 200; Expected Code: 303.
WeeWorld --> Bad detection code and string. Received Code: 500; Expected Code: 200.

Looking up http://klear.com/profile/john
! ERROR: BAD CODE AND STRING. Neither the HTTP response code or detection string worked.

# ./web_accounts_list_checker.py 
bash: ./web_accounts_list_checker.py: /usr/bin/python^M: bad interpreter: No such file or directory

plz:

dos2unix web_accounts_list_checker.py
git add web_accounts_list_checker.py
git commit -m "dos2unix web_accounts_list_checker.py"
git push

broken site - meetzur

Looking up http://www.meetzur.com/john
! ERROR: BAD DETECTION STRING. "Last Login" was not found on resulting page.

broken site - onlyfans

Looking up https://onlyfans.com/kyliesummers
! ERROR: BAD DETECTION STRING. "Posts" was not found on resulting page.
Looking up https://onlyfans.com/draeaxtell
! ERROR: BAD DETECTION STRING. "Posts" was not found on resulting page.

broken site - buzznet

Looking up https://www.buzznet.com/author/carolinegawlik/
! ERROR: BAD DETECTION STRING. ", Author at buzznet</title>" was not found on resulting page.

broken site - canva

Looking up https://www.canva.com/marketplacedesigners
! ERROR: BAD DETECTION STRING. "– Canva</title>" was not found on resulting page.

...
[!] 'check_uri' (thread=Thread-20, object={'name': 'T-Mobile Support', 'check_url': 'https://support.t-mobile.com/people/{account}', 'account_existence_code': '200', 'account_existence_string': 'connections', 'account_missing_string': '404 ERROR', 'account_missing_code': '404', 'known_accounts': ['admin', 'support'], 'category': 'social', 'valid': True}).
...
[!] HTTPSConnectionPool(host='api.zooppa.com', port=443)  Max retries exceeded with url  /api/v3/users?filters%5B%5D=login+is+jason-domke-b2bb4918 (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x10a7ffcc0>  Failed to establish a new connection  [Errno 8] nodename nor servname provided, or not known',)) (thread=Thread-17, object={'name': 'Zooppa', 'check_uri': 'https://api.zooppa.com/api/v3/users?filters[]=login+is+{account}', 'pretty_uri': 'http://community.zooppa.com/en-us/users/{account}', 'account_existence_code': '200', 'account_existence_string': 'login', 'account_missing_string': 'avatar', 'account_missing_code': '200', 'known_accounts': ['test', 'hacker'], 'category': 'social', 'valid': True}).
...
[!] HTTPConnectionPool(host='www.authorstream.com', port=80)  Read timed out. (read timeout=10) (thread=Thread-18, object={'name': 'authorSTREAM', 'check_uri': 'http://www.authorstream.com/{account}/', 'account_existence_code': '200', 'account_existence_string': 'Presentations on authorSTREAM', 'account_missing_string': '', 'account_missing_code': '404', 'known_accounts': ['test', 'john'], 'category': 'presos', 'valid': True}).
...
[!] HTTPSConnectionPool(host='www.mixcloud.com', port=443)  Read timed out. (read timeout=10) (thread=Thread-14, object={'name': 'Mixcloud', 'check_uri': 'https://www.mixcloud.com/{account}/', 'account_existence_code': '200', 'account_existence_string': 'is on Mixcloud', 'account_missing_string': 'Page Not Found', 'account_missing_code': '404', 'known_accounts': ['test', 'john'], 'category': 'music', 'valid': True}).
...