ProfessionalCommunity Edition

Guessing usernames for known users

• Last updated: March 1, 2024

• Read time: 2 Minutes

Burp Intruder has a built-in username generator that takes an input and produces a list of potential usernames using common patterns. For example, if you were to provide the input Carlos Montoya the generator would return carlos.montoya, mcarlos, and similar combinations.

This is useful in circumstances where you know details of a specific user (for example, their name or email address) but don't know their exact username. It provides a more targeted way of enumerating usernames than a generic name list.

Steps

1. In Burp's HTTP history, identify a failure message for a username-based authentication mechanism.
2. In the message, highlight the username value, right-click, and select Send to Intruder.
3. Go to Intruder > Positions. Notice that Burp has automatically added the username as a payload position.
4. Select Sniper from the Attack type drop-down menu.
5. Go to the Payloads tab.
6. Select Username generator from the Payload type drop-down.
7. Enter an input that you want to base the generated usernames on into the Enter a new item field of the Payload settings section and click Add. You can add multiple inputs per attack if required.
8. Enter the number of usernames you want Burp to generate into the Maximum payloads per item field. Burp generates this number of usernames for every input added.
9. Click Start attack. Intruder generates its list of potential usernames and runs an attack testing each username in turn.
10. Analyze the attack results to check for interesting patterns, such as usernames that results in anomalous error messages, response times, or a different HTTP response code.