webbreacher / whatsmyname
This repository has the JSON file required to perform user enumeration on various websites.
Home Page: https://whatsmyname.app/
License: Other
Some services support usernames containing ".". Others do not.
This is problematic for services which make use of a subdomain for profile URLs:
# grep -rn check_uri web_accounts_list.json | grep '//{'
133: "check_uri" : "http://{account}.blogspot.com",
299: "check_uri" : "http://{account}.deviantart.com/",
733: "check_uri" : "http://{account}.insanejournal.com/profile",
866: "check_uri" : "http://{account}.livejournal.com",
1335: "check_uri" : "https://{account}.skyrock.com/profil/",
1390: "check_uri" : "http://{account}.smugmug.com",
1434: "check_uri" : "http://{account}.soup.io/rss",
1566: "check_uri" : "http://{account}.tumblr.com",
1766: "check_uri" : "http://{account}.xanga.com/",
One approach would be to strip all "." from usernames only for these services. Other characters such as "-" and "_" may also be problematic.
Alternatively, another approach would be to simply skip these services if the username contains problematic characters.
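A sketch of the "skip" approach from the post above, as an added example that is not code from the WhatsMyName repository. It assumes that a username placed in the host part of check_uri must be a single RFC 1123 host label; the SITES list and the helper names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

PLACEHOLDER = "{account}"
# Assumed rule (RFC 1123 host label): letters, digits and hyphens, no leading
# or trailing hyphen, at most 63 characters. Individual services may be stricter.
HOST_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

# Constructed sample in the shape of web_accounts_list.json entries.
SITES = [
    {"name": "Blogspot", "check_uri": "http://{account}.blogspot.com"},
    {"name": "tumblr", "check_uri": "http://{account}.tumblr.com"},
    {"name": "Disqus", "check_uri": "https://disqus.com/by/{account}/"},
]


def account_in_hostname(check_uri):
    """True when {account} is substituted into the host part of check_uri."""
    marker = "zzaccountzz"  # URL-safe stand-in so urlsplit sees a normal host
    host = urlsplit(check_uri.replace(PLACEHOLDER, marker)).hostname or ""
    return marker in host


def build_check_url(check_uri, username):
    """Return the URL to request, or None when the site must be skipped."""
    if account_in_hostname(check_uri) and not HOST_LABEL.fullmatch(username):
        return None
    return check_uri.replace(PLACEHOLDER, username)


def plan(sites, username):
    """Map each site name to its request URL (None = skipped for this name)."""
    return {s["name"]: build_check_url(s["check_uri"], username) for s in sites}


if __name__ == "__main__":
    for user in ("john.doe", "john_doe", "john-doe"):
        print(user, plan(SITES, user))
```

Skipping instead of stripping characters avoids reporting a hit for a different account name than the one that was asked about.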
Just ran the web checker script and found the following issues:
Engadget --> Bad detection string.
Lanyrd --> Bad detection code and string. Expected Code: 503; Received Code: 200.
Mixcrate --> Bad detection string.
diigo --> Bad detection string.
eBay --> Bad detection string.
instructables --> Bad detection string.
theguardian --> Bad detection string.
tribe --> Bad detection code and string. Expected Code: 500; Received Code: 200.
➜ python web_accounts_list_checker.py -u mnciitbhu
...
- Looking up https://slashdot.org/~mnciitbhu
[+] Found user at https://slashdot.org/~mnciitbhu
...
From https://slashdot.org/~mnciitbhu:
The user you requested does not exist, no matter how much you wish this might be the case.
Python requests library uses a default value of True for allow_redirects. web_accounts_list_checker.py does not specifically override the default, rendering the following matches inaccurate:
$ grep -rn 'code" : "302"' web_accounts_list.json -B 5 | grep name
21- "name" : "about.me",
43- "name" : "aNobii",
54- "name" : "appearoo",
232- "name" : "cHEEZburger",
320- "name" : "devRant",
453- "name" : "fanpop",
464- "name" : "Fiverr",
532- "name" : "FriendFinder",
543- "name" : "FriendFinder-X",
765- "name" : "ImageShack",
967- "name" : "meet me",
1011- "name" : "Mix",
1144- "name" : "Quora",
1177- "name" : "Pastebin",
1245- "name" : "PictureTrail",
1344- "name" : "ProductHunt",
1356- "name" : "PSNProfiles",
1499- "name" : "SmiteGuru",
1642- "name" : "TF2 Backpack Examiner",
1686- "name" : "Tripit",
1875- "name" : "wishlistr",
1897- "name" : "WordPress",
1919- "name" : "Xanga",
(Note: the line numbers won't match up with master as I've modified my local web_accounts_list.json file).
Fortunately, each of these matches is for the account_missing_code, and the scanner defaults to presuming the account does not exist, so these matches won't affect web_accounts_list_checker.py; however, they may affect downstream tools utilizing the JSON file, depending on implementation (specifically: are redirects followed).
$ grep -rn '"302"' web_accounts_list.json
26: "account_missing_code" : "302",
48: "account_missing_code" : "302",
59: "account_missing_code" : "302",
237: "account_missing_code" : "302",
325: "account_missing_code" : "302",
458: "account_missing_code" : "302",
469: "account_missing_code" : "302",
537: "account_missing_code" : "302",
548: "account_missing_code" : "302",
770: "account_missing_code" : "302",
972: "account_missing_code" : "302",
1016: "account_missing_code" : "302",
1149: "account_missing_code" : "302",
1182: "account_missing_code" : "302",
1250: "account_missing_code" : "302",
1349: "account_missing_code" : "302",
1361: "account_missing_code" : "302",
1504: "account_missing_code" : "302",
1647: "account_missing_code" : "302",
1691: "account_missing_code" : "302",
1880: "account_missing_code" : "302",
1902: "account_missing_code" : "302",
1924: "account_missing_code" : "302",
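The effect described in the post above, reproduced against a local test server as an added example that is not code from the WhatsMyName repository. It uses the standard library's urllib, which like requests follows redirects by default, so that it runs without third-party packages; the site, the paths and the account names are constructed.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class ProfileSite(BaseHTTPRequestHandler):
    """Constructed site: /alice exists, any other profile 302s to /home."""
    def do_GET(self):
        found = self.path in ("/alice", "/home")
        self.send_response(200 if found else 302)
        if not found:
            self.send_header("Location", "/home")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # refuse to follow, so the 3xx surfaces as HTTPError


def status(url, follow):
    handlers = [urllib.request.ProxyHandler({})]  # ignore proxy env vars
    handlers += [] if follow else [NoRedirect]
    try:
        with urllib.request.build_opener(*handlers).open(url, timeout=5) as r:
            return r.status
    except urllib.error.HTTPError as err:
        return err.code


def demo():
    """Return {(account, follow_redirects): status code the client saw}."""
    with HTTPServer(("127.0.0.1", 0), ProfileSite) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{server.server_port}"
        try:
            return {(u, f): status(f"{base}/{u}", f)
                    for u in ("alice", "ghost") for f in (True, False)}
        finally:
            server.shutdown()


if __name__ == "__main__":
    print(demo())
```

A client that follows redirects sees 200 for both the existing and the missing account, so an account_missing_code of 302 can only match when redirects are disabled; with requests the per-call switch is allow_redirects=False.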
Submitted anonymously to me:
{
"name" : "Disqus",
"check_uri" : "https://disqus.com/by/{account}/",
"account_existence_code" : "200",
"account_existence_string" : "<title>Disqus Profile",
"account_missing_string" : "<title> Page",
"account_missing_code" : "404",
"known_accounts" : ["carlosharm"],
"category" : "discussion",
"valid" : true,
"comments" : [""]
},
{
"name" : "Free Republic",
"check_uri" : "http://www.freerepublic.com/%7E{account}/",
"account_existence_code" : "200",
"account_existence_string" : "view home page",
"account_missing_string" : "This account has been banned or suspended.",
"account_missing_code" : "304",
"known_accounts" : ["Lurkinanloomin","TigerClaws"],
"category" : "political",
"valid" : true,
"comments" : [""]
},
In the Python script, if the search string is not found with the first test user, move to the second. Could be the first user is no longer good.
Mod the script to pick up bad user
Isn't this basically Sherlock?
https://github.com/sherlock-project/sherlock
But I like your project though
https://www.instagram.com/USERNAME/?__a=1
https://www.instagram.com/webbreacher/?__a=1 <-- output is in JSON
Just ran the newest python script and found that it didn't generate an se- file for every site that failed the check. @lehuff can you look into it? Here is the output and the listing of the dir. I'd expect one se- file for each of the failures, yes?
The following previously "valid" sites had errors:
AdultFriendFinder --> Bad detection code and string. Received Code: 404; Expected Code: 200.
Fotolog --> Bad detection string.
HaveIBeenPwnd --> Bad detection code and string. Received Code: 429; Expected Code: 200.
IFTTT --> Bad detection string.
LinkedIn --> Bad detection code and string. Received Code: 999; Expected Code: 200.
Mixcloud --> Bad detection code and string. Received Code: 403; Expected Code: 200.
Rate Your Music --> Bad detection code and string. Received Code: 503; Expected Code: 200.
Soup --> Bad detection code and string. Received Code: 503; Expected Code: 200.
VK --> Bad detection code and string. Received Code: 404; Expected Code: 200.
WeedLife --> Bad detection code and string. Received Code: 200; Expected Code: 303.
tribe --> Bad detection code and string. Received Code: 503; Expected Code: 200.
tumblr --> Bad detection string.
┌─[18:13:37]─[~/tools/WhatsMyName]
└──> $ ll
total 352
drwxrwxr-x 8 ubuntu 4096 Jan 7 18:06 .git/
-rw-rw-r-- 1 ubuntu 1101 Dec 18 22:05 LICENSE.md
-rw-rw-r-- 1 ubuntu 4600 Jan 7 18:06 README.md
-rw-rw-r-- 1 ubuntu 9 Jan 6 22:01 requirements.txt
-rw-rw-r-- 1 ubuntu 47612 Jan 7 18:08 se-Fotolog.johndoe
-rw-rw-r-- 1 ubuntu 57521 Jan 7 18:08 se-IFTTT.fitbit
-rw-rw-r-- 1 ubuntu 36494 Jan 7 18:12 se-tumblr.test1
-rwxrwxr-x 1 ubuntu 9689 Jan 7 18:06 web_accounts_list_checker.py*
-rw-rw-r-- 1 ubuntu 88239 Jan 7 18:07 web_accounts_list.json
Just ran the checker and a number of sites are broken:
Add the https://codefights.com/profile/lanmaster53 site to the project
Look at knowem.com and namechk.com for more sites to enum
# ./web_accounts_list_checker.py
bash: ./web_accounts_list_checker.py: /usr/bin/python^M: bad interpreter: No such file or directory
plz:
dos2unix web_accounts_list_checker.py
git add web_accounts_list_checker.py
git commit -m "dos2unix web_accounts_list_checker.py"
git push
Make the python script multithreaded. Options are:
Looks like some are issues with timing out and could be fixed by extending the timeout, but the others seem to be legit bugs.
...
[!] 'check_uri' (thread=Thread-20, object={'name': 'T-Mobile Support', 'check_url': 'https://support.t-mobile.com/people/{account}', 'account_existence_code': '200', 'account_existence_string': 'connections', 'account_missing_string': '404 ERROR', 'account_missing_code': '404', 'known_accounts': ['admin', 'support'], 'category': 'social', 'valid': True}).
...
[!] HTTPSConnectionPool(host='api.zooppa.com', port=443) Max retries exceeded with url /api/v3/users?filters%5B%5D=login+is+jason-domke-b2bb4918 (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x10a7ffcc0> Failed to establish a new connection [Errno 8] nodename nor servname provided, or not known',)) (thread=Thread-17, object={'name': 'Zooppa', 'check_uri': 'https://api.zooppa.com/api/v3/users?filters[]=login+is+{account}', 'pretty_uri': 'http://community.zooppa.com/en-us/users/{account}', 'account_existence_code': '200', 'account_existence_string': 'login', 'account_missing_string': 'avatar', 'account_missing_code': '200', 'known_accounts': ['test', 'hacker'], 'category': 'social', 'valid': True}).
...
[!] HTTPConnectionPool(host='www.authorstream.com', port=80) Read timed out. (read timeout=10) (thread=Thread-18, object={'name': 'authorSTREAM', 'check_uri': 'http://www.authorstream.com/{account}/', 'account_existence_code': '200', 'account_existence_string': 'Presentations on authorSTREAM', 'account_missing_string': '', 'account_missing_code': '404', 'known_accounts': ['test', 'john'], 'category': 'presos', 'valid': True}).
...
[!] HTTPSConnectionPool(host='www.mixcloud.com', port=443) Read timed out. (read timeout=10) (thread=Thread-14, object={'name': 'Mixcloud', 'check_uri': 'https://www.mixcloud.com/{account}/', 'account_existence_code': '200', 'account_existence_string': 'is on Mixcloud', 'account_missing_string': 'Page Not Found', 'account_missing_code': '404', 'known_accounts': ['test', 'john'], 'category': 'music', 'valid': True}).
...