When you want to infiltrate an organization, gaining some form of credentials will be key. One way to gain these credentials is to perform brute-force techniques, such as password spraying. But in order to perform these you first need a list of potential usernames. This is where user enumeration comes in.
If the target organisation is Microsoft based you will most likely be able to use 2 usernames for each account. This is because Active Directory has 2 options for valid usernames: sAMAccountName (DOMAIN\user) and UserPrincipalName (UPN, user.name@domain.tld). Most of the time the UPN will match the e-mail address of the user. In the case where these don't match, or you need to know the username schema for sAMAccountName, document metadata may be able to help you.
If an organization publishes office files (Word, Excel, PDF, etc.) on the internet there is a high chance that they will contain some form of metadata, which can include the Author and Creator fields. These fields can contain internal usernames which you can use to guess their naming schema.
Tools: PowerMeta, FOCA
After finding out the user naming schema you can start to generate a user list. One of the ways to do this is to scrape employee names from LinkedIn and generate a user list based on the user naming schema. A tool called CrossLinked can help you with this.
Once you have generated a user list you should try to validate whether the usernames are actually valid. The table below shows some options you can use.

What | Where | With what |
---|---|---|
Azure/O365 | https://login.microsoft.com/common/oauth2/token | MSOLSpray |
On-prem | https://webmail.domain.com/owa/ or /ews/ | MailSniper |

Service | Info |
---|---|
hunter.io | find email addresses |
emailrep | get e-mail ‘reputation’ |

LinkedIn is your friend.

Name | Description |
---|---|
h8mail | Password Breach Hunting & Email OSINT tool, locally or using premium services. Supports chasing down related email. |