In this article, let’s assume that we have been tasked with a penetration test of an online banking system to verify whether valid usernames and passwords can be guessed. If you were a hacker, what would you do? Speaking for myself, first I would write a quick script to create a dictionary file of potential usernames; secondly, I would find out the company’s password policy (password length, number of special characters and so on) and build my own password dictionary file based on it. Finally, I would automate the process to see whether we can get a correct password, or maybe cause a DoS by locking the account after X failed attempts!

Many users use the same username for their bank account, Facebook, Twitter and other social media. So let’s forge a small Python script to illustrate how an attacker could use ordinary, publicly available information to build up a dictionary file containing the Twitter followers of XYZ Bank. At the time of writing, XYZ Bank has around 24,027 followers; let’s bring them up!

Disclaimer: all of the actions explained in this article count as Passive Information Gathering and are considered legitimate. We are just spotlighting a smart way of collecting data.

Twitter and many other social websites have an API (Application Programming Interface) which allows a programmer to write code that interacts with Twitter and gets/posts information from/to it. Fortunately, there are many Python libraries that make the job much easier, so all I need to do is register as a Twitter developer and use the developer ID/keys in my script. The registration process should look something like these snapshots:
Tweepy is a third-party Python library that lets us parse Twitter’s data; installing Tweepy is pretty easy:
hkhrais@Hkhrais:~$ sudo apt-get install python-pip
hkhrais@Hkhrais:~$ sudo pip install tweepy
import tweepy
import time

# insert your Twitter keys here
consumer_key = 'blah blah blah'
consumer_secret = 'blah blah blah'
access_token = 'blah blah blah'
access_secret = 'blah blah blah'

# authenticate to Twitter with the developer keys (OAuth 1.0a)
auth = tweepy.auth.OAuthHandler(consumer_key, consumer_secret)
auth.set_access_token(access_token, access_secret)
api = tweepy.API(auth)

# output dictionary file, one screen name per line
outfile = open('/home/hkhrais/Desktop/list.txt', 'w')

# verify_credentials() must be called; the bare attribute is always truthy
if api.verify_credentials():
    print('We successfully logged in.')

# Cursor pages through the follower list for us (api.followers is the
# Tweepy 3.x name; Tweepy 4 renamed it to api.get_followers)
user = tweepy.Cursor(api.followers, screen_name="XYZbankgroup").items()

while True:
    try:
        u = next(user)
        outfile.write(u.screen_name + '\n')
    except StopIteration:
        # no more followers to fetch
        break
    except tweepy.error.TweepError:
        # rate limit exceeded (code 88): wait for the 15-minute window to reset
        print('We got a timeout ... Sleeping for 15 minutes')
        time.sleep(15 * 60)

outfile.close()
The code is almost self-explanatory: I passed the consumer/token keys to “OAuthHandler” to identify/authenticate myself to Twitter, then asked for the followers of ‘XYZbankgroup‘ and stored the resulting cursor in the variable “user“.
According to the Twitter developer documentation, there is a limit on how many requests a program can make; when fetching followers we should wait around 15 minutes between batches, otherwise a rate-limit-exceeded exception shows up:
tweepy.error.TweepError: [{'message': 'Rate limit exceeded', 'code': 88}]
Execution Output
hkhrais@Hkhrais:~/Desktop/Tweets$ sudo python Twitter.py
[sudo] password for hkhrais:
We successfully logged in
We got a timeout … Sleeping for 15 minutes
We got a timeout … Sleeping for 15 minutes
We got a timeout … Sleeping for 15 minutes
We got a timeout … Sleeping for 15 minutes
…
We got a timeout … Sleeping for 15 minutes
Traceback (most recent call last):
File "Twitter.py", line 31, in
Intelligence gathering requires careful planning, research and, most importantly, the ability to think like an attacker. With a small Python script (around 25 lines), we could retrieve the usernames of the 24,027 followers of @XYZbankgroup, which can be used as a good username dictionary. Keep in mind that this script comes in very handy, especially if our target usernames are not English!
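Flip this to the defender’s side: when a harvested handle list like the one above is replayed against the bank’s login, the audit log shows one source failing against many different usernames within a short span, which is easy to tell apart from a real customer mistyping a password. The following script is an added example, not code from the article; it flags that pattern over a constructed sample log in a hypothetical format, and can be pointed at any log that yields (timestamp, result, user, source) events:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a hypothetical login audit log: timestamp, result, user, source IP.
SAMPLE_LOG = """\
2014-05-01T10:00:01 LOGIN_FAIL user=alice src=203.0.113.7
2014-05-01T10:00:02 LOGIN_FAIL user=bob src=203.0.113.7
2014-05-01T10:00:03 LOGIN_FAIL user=carol src=203.0.113.7
2014-05-01T10:00:04 LOGIN_FAIL user=dave src=203.0.113.7
2014-05-01T10:00:05 LOGIN_FAIL user=erin src=203.0.113.7
2014-05-01T10:00:06 LOGIN_FAIL user=frank src=203.0.113.7
2014-05-01T10:05:00 LOGIN_FAIL user=alice src=198.51.100.20
2014-05-01T10:06:00 LOGIN_OK user=alice src=198.51.100.20
"""

LINE_RE = re.compile(r"^(\S+) (LOGIN_FAIL|LOGIN_OK) user=(\S+) src=(\S+)$")

def parse_log(text):
    """Yield (timestamp, result, user, src) for every line matching the format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4)

def find_username_enumeration(events, window=timedelta(minutes=10), threshold=5):
    """Return {src: distinct_users} for sources whose failed logins hit at least
    `threshold` different usernames inside some `window`-long span. A harvested
    username dictionary produces exactly this shape: one source, many accounts."""
    fails = defaultdict(list)  # src -> [(ts, user), ...]
    for ts, result, user, src in events:
        if result == "LOGIN_FAIL":
            fails[src].append((ts, user))
    flagged = {}
    for src, attempts in fails.items():
        attempts.sort()  # chronological, so a sliding window over time works
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            distinct = len({u for _, u in attempts[start:end + 1]})
            if distinct >= threshold:
                flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged

if __name__ == "__main__":
    print(find_username_enumeration(parse_log(SAMPLE_LOG)))  # {'203.0.113.7': 6}
```

The threshold and window are tuning knobs; the single failure from 198.51.100.20 followed by a success is left alone, which is what keeps this check from paging on ordinary typos.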
Twitter API: https://dev.twitter.com/docs/twitter-libraries
Tweepy library: https://pypi.python.org/pypi/tweepy/