Brute force cred crunchers gifted Username Anarchy

dpauli, darren.pauli, darrenp, pauli.darren, paulid

Ruxcon Melbourne security bod Andrew Horton has created a tool to automate the generation of usernames in a bid to round-out brute force account attacks.

The HackLabs penetration tester says he created Username Anarchy to fill a feature gap left by basic username generation tools.

Horton (@urbanadventur3r) says it will help hackers reduce the risk of tripping brute force detection mechanisms and rate limiters by attempting password guessing against more likely usernames.

He says Username Anarchy goes beyond those in popular security applications such as BurpSuite by crafting likely logins from a target's social media platforms, documents, domains, and forums.

"Usernames are half the password brute force problem," Horton says.

"By attempting a few weak passwords across a large set of user accounts, user account lockout thresholds can be avoided."

Usernames can be pulled from social networking sources such as LinkedIn and Facebook, from metadata within documents including PDFs, Word, and Excel, and from aliases used on forums.


  • Plugin architecture for username formats
  • Format string style username format definitions
  • Substitutions. e.g. when only a first initial and lastname is known it will attempt all possible first names
  • Country databases of common first and last names from Familypedia and
  • PublicProfiler
  • Facebook common first and lastnames lists

Forum Usernames

  • common-forum-names.csv – A CSV file with forum names and the frequency they appeared with
  • common-forum-names-top10k.txt – The top 10,000 forum names
  • common-forum-names.txt – 1,774,313 forum names
  • phpbb-scraper.rb – a web scraper for usernames on PHPbb forums


Sponsored: Becoming a Pragmatic Security Leader

Biting the hand that feeds IT © 1998–2019