Carrie Roberts //*
UPDATE: I’ve improved on the “Gathering Contacts with Burp” method by creating a dedicated extension. This provides the following improvements over what I blogged about here:
1) The output is tab delimited and imports into Excel much more cleanly.
2) It avoids duplicates for the most part.
3) It doesn’t miss results that don’t have the pipe symbol in the results, such as those that end in “…”.
4) It gets rid of extra junk at the end of the name, like “, CPA” or “, CISSP”.
5) It includes which LinkedIn site the name is from (www, eu, ca, it, nz, etc.).
See here for usage instructions:
As part of reconnaissance when performing a penetration test, it is often useful to gather usernames. The usernames may come in handy for performing a password spraying attack, for example. One easy way to gather employee names is to use a Burp Suite Pro extension with a little Python script, as described in this blog. You can then massage these employee names into any username format. You may be able to discover the username format by analyzing the metadata of documents posted to a company’s public websites, as described here.
To collect employee names with Burp, follow these steps.
1) Install the Python Scripter extension from the Extender -> BApp Store tab in Burp Suite Pro.
Note: You may need to download the Jython standalone JAR file and point Burp to it if you have not done that before.
2) Copy and paste this code into the newly available “Script” tab.
3) Configure the Extension to save output to a file. This is where your usernames will be written. You can optionally select the “Show in UI” option, but the output window truncates items when the list gets too long.
4) Configure your browser to use Burp as a proxy as you normally would. From the browser, do a Google search of the following form (don’t forget the “/in” on the end of “linkedin.com”):
site:linkedin.com/in “Company Name”
The script will write the name that shows up before the text “ | LinkedIn” or “| Professional Profile – LinkedIn” in the search results to the output file. In this example, it would write “James Lee – Hacker – Black Hills Information Security” and “Derek Banks”. Google limits the results to 10 per page. You can click on additional pages of results to get more employee names written to the file.
You can gather a large list of employee names quickly and easily with this method. Try importing the list to Microsoft Excel where you can use formulas to turn employee names into the appropriate username format such as first initial followed by last name. It is also a good idea to use the “Remove Duplicates” functionality in Excel since the script may export the same employee name multiple times.
5) When you are done, unload the Python Scripter or erase the script code so you don’t burden Burp with inspecting all responses.
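The title clean-up described in step 4 and in the update at the top (results with no pipe that end in “…”, trailing “, CPA”-style junk, duplicates, tab-delimited output) can be sketched as stand-alone Python. This is an added example, not the author's script or extension; it runs outside Burp on constructed sample titles, and the “Name – Title – Company” layout, the function names and the credential heuristic are assumptions.

```python
import re

# Title endings named in the post, longest first; matched case-insensitively.
_SUFFIXES = (
    re.compile(r"\s*\|\s*Professional Profile\s*[-–]\s*LinkedIn\s*$", re.I),
    re.compile(r"\s*\|\s*LinkedIn\s*$", re.I),
)
# Heuristic (assumption): trailing ", CPA" / ", CISSP"-style groups of 2-6 capitals.
_CREDENTIALS = re.compile(r"(?:,\s*[A-Z]{2,6}\b\.?)+\s*$")
# Assumed layout: fields separated by a spaced hyphen or en dash.
_DASH = re.compile(r"\s+[-–]\s+")

def parse_title(title):
    """Return (name, rest) for one search-result title, or None if no name is left."""
    text = title.strip()
    for pattern in _SUFFIXES:
        text = pattern.sub("", text)
    # Truncated results have no pipe at all and end in an ellipsis instead.
    text = re.sub(r"\s*(?:…|\.\.\.)\s*$", "", text)
    parts = _DASH.split(text, maxsplit=1)
    name = _CREDENTIALS.sub("", parts[0]).strip()
    rest = parts[1].strip() if len(parts) > 1 else ""
    return (name, rest) if name else None

def collect(titles):
    """Parse titles, dropping case-insensitive duplicate names, in first-seen order."""
    seen, rows = set(), []
    for title in titles:
        parsed = parse_title(title)
        if parsed and parsed[0].casefold() not in seen:
            seen.add(parsed[0].casefold())
            rows.append(parsed)
    return rows

def to_tsv(rows):
    """Join rows as tab-delimited lines, ready for a spreadsheet import."""
    return "\n".join("\t".join(row) for row in rows)

# Constructed sample titles; the first two names are the ones quoted in the post.
SAMPLE = [
    "James Lee – Hacker – Black Hills Information Security | LinkedIn",
    "Derek Banks | Professional Profile – LinkedIn",
    "Derek Banks | LinkedIn",
    "Pat Example, CPA, CISSP – Auditor – Example Corp …",
]

if __name__ == "__main__":
    print(to_tsv(collect(SAMPLE)))
```
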
*We’re so happy Carrie continues to guest post on the BHIS blog!