
Hi everyone, thanks for coming to my talk today. Today's talk is Usernames: The Missing Piece of the OSINT Jigsaw Puzzle. But before we kick off, just a little bit about myself. I'm Simon Hall, Security Sire on Twitter. I've been in the industry now for over 10 years, so while I'm a rookie on the talk front, first time speaking, I've got a wealth of industry background. So I came from a networking and security background, moving through pentesting, red teaming, blue teaming as well, and with kind of a background in OSINT as well, where, you know, working on CBEST engagements and various other bits and pieces. I'm a principal security engineer at Digital Shadows, but I do research into various kinds of tools and techniques, CVEs, exploits. I do a lot of blogging and podcasts there as well, as well as leading the red team for Digital Shadows internally as well.

So, why recycling isn't so good for your environment. I guess we all see kind of common identifiers when it comes down to user accounts and user profiles, and there are many identifiers for a particular account, but there are several that are commonly reused. So we all know about password reuse and how bad it is for an environment, right? We can take a password as an attacker and we can get initial access with it, or we can use it for lateral movement or anything else. Photos: we can take a photo from someone's profile and we can use that as a kind of pivot point to identify other profiles as well. And then we come on to usernames as well, where we can take a single username and have a one-to-many relationship, so we can take that username and identify, you know, 15 other accounts with the same username as well.

So hopefully everyone here is familiar with password reuse and why it's bad. So we can take a single password and information from a particular user account and we can gain access to many online accounts if someone's reusing the same password. Or if you're on a pentest engagement, or even CBEST, and we gain access to a machine that's been cloned across an environment, we may be able to take, again, a single password and administrator account and gain access to hundreds if not thousands of machines. We've all been there on pentest engagements, so we can perform password spraying, we can perform pass-the-hash and whatever else, and result in shells.

So one of the lesser kind of pieces of information that I've seen out there, and I've done a lot of work with this in the past, and I don't really see many people talking about it, is image reuse. So if you've got a professional networking profile out there and you've got a photo on there, the chances are you didn't create that photo for that particular profile; you created it on your holiday with your family or wherever, and you've used that on your profile. Now we can actually take that image and we can reverse look it up using Google Image Search, or we can use TinEye or whatever else we want to use, and we can go from a professional persona, where there's limited information, down to potentially a personal persona where you may be disclosing more information. So there's actually quite a nice pivot point there, and I've actually gained some really good information from doing this.

So, the username debate. So the main talk is around usernames. As I said, whenever I discuss usernames and kind of their relevance in open source intelligence with people, there's a lot of kind of comeback and people saying it's pointless. One of the things is, you know, "usernames should be assumed to be public information". 100% agree with that, right? We've all got Twitter, we've got, some people have Instagram, whatever else. We, you know, we want those likes, we want those retweets, we want people to share our information, so the username should be public. The problem comes when we have a username that is bleeding into our personal lives. We use the same handle as the Twitter one on our Instagram, on our Facebook, we use that on our ISP profile, we use it on any of the provider profiles out there, and this gives a bigger attack surface for the attackers to actually start being able to identify information about a person.

"Usernames are useless alone." Couldn't disagree with this more. It's not a silver bullet, it never will be. You know, it's not like finding a set of credentials in breach data, but we can take a username if it's the only identifier we've got for an individual. We've run out of kind of information on the email addresses, we can't find anything on those, but we've managed to find a Twitter handle. We take that for that person, we can throw it into our breach data if we have it, to identify email addresses, passwords, password hashes, physical addresses, whatever else. So we can do a lot of things with a particular username. We can even throw it into something like Namechk and we can discover, you know, 15, 20 different accounts from a single username. So there are a lot of things we can actually do with that.

"This says nothing about me." This is normally Mr. [inaudible], obviously got everything locked down, you know, their accounts are all randomly generated for every single service. But that's not the case. We're targeting VIPs, we're targeting, or the attackers attack, an individual in an organization where they've been educated about password complexity, they've been educated about password reuse and everything else. But how many people are educated around usernames not containing your year of birth, your country code, your first name, surname, first initial surname? And you know, there's not a lot of education around this. So a password, it can actually, sorry, a username can actually disclose a lot of information about a particular individual, and often does.

So I'm going to run through this one pretty quickly due to time, but you know, there are a lot of methods out there where we can gather usernames for an individual. Last year we saw the OpenSSH user enumeration vulnerability. It's a brute-force method, but you know, it's still quite valuable for identifying where devs might log in to a particular organization. You know, every website out there these days still has some form of user enumeration through password resets or account creation, and on bug bounties they're often excluded. But we also see RDP with no NLA, so we can actually scrape usernames from those really easily, but to be fair, if you've got RDP open these days you've got bigger problems.

So one of the key examples I absolutely love when it comes to gathering usernames and username disclosure: Plusnet. I'm sure a lot of people here are familiar with Plusnet as an organization, you know, pretty good ISP, and actually one of only a handful of ISPs in the UK that will give you a static IP address as a domestic customer. And one of the things that's lesser known about this is that, if you have a static IP address with Plusnet, they will associate your username for your account with your IP address. So if someone gains your IP address and you're using the static IP with those, they can do a reverse lookup and look at the PTR records for that particular IP address, and they can actually gain your username really easily. So from that, they can go from an IP address through to a particular person's Facebook profile, whatever else.

So I did a quick piece of research on this and took a /17. I was able to find 13,000 unique usernames and company names, and I want to do more research into this, but from a manual kind of dig into some of these, I was able to find Facebook accounts, Twitter accounts and numerous other things by punching them into Namechk. But in one particular example, I found a user: Namechk found a GitHub profile for the person, found a Facebook account, and the GitHub repo actually contained information about services they were running on the same static IP address. So you know, it can be a valuable piece of information, and this is all going from a single username.

So, the lifecycle of a username. So the problem with usernames is, right, we can generate them however we want, but they will follow us through our life. So part of a username can be nonsensical in a sense; we can generate it with whatever characters we want, but people are lazy, we're all lazy, we're all guilty of it. We'll create a username with an identifier of some kind in it, you know, whether that is the year of birth, whether it is our first name, surname, or just a nickname that we've gone through childhood with. You know, we'll start off gaming, we'll create a gaming handle, but we'll go from one game to another game, then it becomes a part of our email address, the local part, during, like, a Gmail creation or whatever else. And you know, after 10 years, you've now got a username that's actually inserted into your whole life, and we can use that information to kind of profile a particular individual a lot more accurately.

So if we just have a username, we can take that and throw it into forgotten-password flows on various services, Facebook on the left, eBay on the right I believe, and we can use just a username and try and get some more information. From these examples we can actually try and guess some of the information about the email address. Facebook, for example, will just give you the first and last characters of the email address and just star out the rest. eBay will do the same but truncate that as well, but at least with Facebook you actually have an accurate count of the characters as well, so you can use that as kind of the identifier to try and guess that email address. In the next example, it's two services you've found, fifteen services you've found, twenty services, thirty services; you can then take that information and collate it and make a bigger picture for a particular individual. Some of these services are really noisy. Facebook, for instance, will just email the person, so that's not great as an example to be fair, but as I say, when you've got about thirty different services out there to go through where someone's created a user account across them all, then the picture becomes clear.

So once we've actually ascertained the email address, we can go for the standard process of throwing it into breach data, if we have access to that, to find passwords and other email addresses, associated physical addresses and anything else we want to gather. But we can also just take the username again, if we have that breach data, and do an initial search from that as well. So you know, "a username is useless alone", that's an inaccurate statement. We can do a lot with a username, and you know, attackers do, and we do when we do OSINT as well.

So just a quite quick wrap-up on this, what we should be doing: we should be educating users and ourselves that usernames, well, they should be public for our likes and our retweets, whatever, right? We should not blur the lines between our kind of service providers, like our ISPs, and kind of Twitter handles and GitHub accounts and everything else. We should be making sure and educating people that there is a difference between the username you use for one service and the username you use for another one, and how these can be used against you. As I say, with the password reset stuff, the accounts will give you phone numbers, partial phone numbers, partial email addresses. If you do this across 30 different accounts you can actually overlap that information and gain almost full telephone numbers. I've done this in cases where I've actually been two characters short of a full mobile number, just from using various services. So we need to be more careful and kind of be cautious about how we reuse credentials and reuse photos as well, and don't overlook seemingly unimportant pieces of information such as a username or something else, because these breadcrumbs can lead to a full jigsaw puzzle coming together when it comes to open source intelligence. And if you do have a static IP address with Plusnet, drop them a message and ask them to remove your username from their DNS records. But that's it, and thank you. Any questions?

Do we have any questions? Silence. You don't want to know? Good. But no, the email address was made up. OK, it doesn't seem that there are any questions, so thank you very much. Thank you.
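A self-audit along the lines of the wrap-up above, written in Python as an added example (it is not the speaker's code and not any tool he names): it checks a handle for the identifiers the talk lists (year of birth, country code, first name, surname, initial plus surname), lists handles reused across services, checks whether a PTR hostname embeds one of those handles, and measures how much a set of password-reset masks jointly discloses about one field. The profile, handles, hostnames and masks are all constructed sample data; the `.invalid` hostnames are placeholders, not a real ISP's naming scheme, and nothing here touches the network.

```python
"""Self-audit helpers for the username-exposure risks described in the talk.

Added example, not the speaker's code or tooling. Every handle, name, mask
and PTR hostname below is constructed sample data; nothing touches the network.
"""
import re
from typing import Optional

# Constructed sample profile: the attributes the talk says leak into handles.
SAMPLE_PROFILE = {"first": "Simon", "last": "Hall", "birth_year": 1985, "country": "uk"}

# Constructed sample: one person's handles across services (one-to-many reuse).
SAMPLE_ACCOUNTS = {
    "twitter": "shall_uk",
    "instagram": "shall_uk",
    "github": "shall_uk",
    "isp": "simonhall85",
    "gaming": "Frostbyte",
}

# Constructed PTR hostname modelling an ISP that puts the account name in reverse DNS.
SAMPLE_PTR = "simonhall85.static.example-isp.invalid."

# Constructed reset-page masks for the same email address, from two services.
SAMPLE_MASKS = ["s***l@*******.com", "*****@example.***"]


def embedded_identifiers(username: str, profile: dict) -> list:
    """Return which personal identifiers a handle embeds: year of birth
    (4- or 2-digit), country code, first name, surname, initial+surname."""
    u = username.lower()
    first, last = profile["first"].lower(), profile["last"].lower()
    yob = profile["birth_year"]
    found = []
    if str(yob) in u:
        found.append("birth_year")
    elif re.search(rf"(?<!\d){yob % 100:02d}(?!\d)", u):
        found.append("birth_year_2digit")
    cc = re.escape(profile["country"].lower())
    if re.search(rf"(?<![a-z]){cc}(?![a-z])", u):  # code as its own token, e.g. "_uk"
        found.append("country_code")
    if first in u:
        found.append("first_name")
    if last in u:
        found.append("surname")
    if first not in u and re.search(rf"(?<![a-z]){first[0]}[._-]?{last}", u):
        found.append("initial_surname")
    return found


def reused_handles(accounts: dict) -> dict:
    """Map each handle used on more than one service to those services,
    ignoring case; this is the one-to-many pivot the talk describes."""
    by_handle = {}
    for service, handle in accounts.items():
        by_handle.setdefault(handle.lower(), []).append(service)
    return {h: s for h, s in by_handle.items() if len(s) > 1}


def ptr_discloses_handle(ptr_hostname: str, handles: set) -> Optional[str]:
    """Return the handle that appears as a DNS label (or hyphen-separated part
    of a label) in a PTR hostname, or None if reverse DNS reveals nothing."""
    parts = set()
    for label in ptr_hostname.lower().rstrip(".").split("."):
        parts.add(label)
        parts.update(label.split("-"))
    for handle in sorted(handles, key=len, reverse=True):  # prefer the longest match
        if handle.lower() in parts:
            return handle
    return None


def merge_reset_masks(masks: list) -> tuple:
    """Combine the partially masked value ('*' = hidden) that several
    password-reset pages show for the same field. Returns the merged view and
    how many characters are still hidden, i.e. the joint disclosure. Masks
    must be equal length (the talk notes Facebook keeps an accurate count)."""
    if len({len(m) for m in masks}) != 1:
        raise ValueError("masks must be equal length to describe the same value")
    merged = []
    for column in zip(*masks):
        shown = {c for c in column if c != "*"}
        if len(shown) > 1:
            raise ValueError(f"conflicting characters {sorted(shown)}; not the same value")
        merged.append(shown.pop() if shown else "*")
    view = "".join(merged)
    return view, view.count("*")


if __name__ == "__main__":
    for service, handle in SAMPLE_ACCOUNTS.items():
        print(f"{service:10} {handle:12} embeds {embedded_identifiers(handle, SAMPLE_PROFILE)}")
    print("reused:", reused_handles(SAMPLE_ACCOUNTS))
    print("PTR reveals:", ptr_discloses_handle(SAMPLE_PTR, set(SAMPLE_ACCOUNTS.values())))
    print("masks merge to:", merge_reset_masks(SAMPLE_MASKS))
```

Each function answers one of the talk's questions about a person's own footprint: which handles carry personal identifiers, which handle ties services together, whether the ISP's reverse DNS exposes it, and how little two reset pages leave hidden once their masks are laid over each other.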