https://github.com/p0dalirius/timebasedloginuserenum
A script to enumerate valid usernames based on request response times.
- Host: GitHub
- URL: https://github.com/p0dalirius/timebasedloginuserenum
- Owner: p0dalirius
- Created: 2022-03-09T09:38:08.000Z (almost 4 years ago)
- Default Branch: master
- Last Pushed: 2022-05-03T10:39:51.000Z (over 3 years ago)
- Last Synced: 2024-12-18T18:45:29.583Z (about 1 year ago)
- Topics: enumerate, leak, login, python, side-channel-attacks, time
- Language: Python
- Homepage: https://podalirius.net/
- Size: 92.8 KB
- Stars: 18
- Watchers: 2
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
README
# TimeBasedLoginUserEnum
A script to enumerate valid usernames based on request response times.
## Features
**Requirement**: A valid username on the application (no need for password)
- [TimeBasedLoginAnalysis.py](./TimeBasedLoginAnalysis.py)
  + [x] Analysis of the response time differences between a valid and an invalid username.
  + [x] Plot the analysis results to a graph (option `-S`) or export them to a file (option `-f`).
  + [x] Multithreaded login tries.
- [TimeBasedLoginUserEnum.py](./TimeBasedLoginUserEnum.py)
  + [x] Extract only the usernames whose response times stand out.
  + [x] Multithreaded login tries.
## Usage
```
$ ./TimeBasedLoginUserEnum.py -h
usage: TimeBasedLoginUserEnum.py [-h] -u USERNAME -f USERNAMES_FILE [-t THREADS] [-s SAMPLES] [-v]

Enumerate valid usernames based on the requests response times.

optional arguments:
  -h, --help            show this help message and exit
  -u USERNAME, --username USERNAME
                        Username
  -f USERNAMES_FILE, --usernames-file USERNAMES_FILE
                        List of usernames to test
  -t THREADS, --threads THREADS
                        Number of threads (default: 4)
  -s SAMPLES, --samples SAMPLES
                        Number of login tries (default: 20)
  -v, --verbose         Verbose mode. (default: False)
```
## Demonstration
You can test this tool with the Flask app in [app.py](./test_app/app.py) and the wordlist [users.txt](./test_app/users.txt).
**Step 1: Analysis of time differences between valid and invalid usernames**
The first step is to analyze whether the login tries leak information through their response times:
```
./TimeBasedLoginAnalysis.py -u podalirius -S
```

**Step 2: Enumerate usernames based on response times**
Now that we know there is a time-based information leak, we can enumerate users with this command:
```
./TimeBasedLoginUserEnum.py -u admin -t 32 -s 100 -f ./test_app/users.txt
```
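
The gap these two steps measure typically comes from a login handler that does less work for unknown usernames. The following is an added example, not code from this repository or its test app: it assumes the gap comes from skipping the password hash, and shows such a handler beside one that always performs the same hashing work. The user store, function names and work factor are constructed for illustration.

```python
import hashlib
import hmac
import os
import statistics
import time

ITERATIONS = 50_000  # constructed work factor, kept low so the demo runs quickly

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed sample user store: username -> (salt, password hash)
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
# Dummy record, so unknown usernames cost the same hashing work as real ones
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, _hash(os.urandom(16).hex(), _DUMMY_SALT))

def login_leaky(username, password):
    record = USERS.get(username)
    if record is None:
        return False  # early return: no hashing, so the reply is much faster
    salt, stored = record
    return hmac.compare_digest(_hash(password, salt), stored)

def login_uniform(username, password):
    record = USERS.get(username)
    salt, stored = record if record else _DUMMY
    matches = hmac.compare_digest(_hash(password, salt), stored)
    return matches and record is not None

def median_time(fn, username, samples=15):
    timings = []
    for _ in range(samples):
        start = time.perf_counter()
        fn(username, "wrong password")
        timings.append(time.perf_counter() - start)
    return statistics.median(timings)

def timing_ratio(fn, samples=15):
    """Median time for a known user divided by that for an unknown one."""
    known = median_time(fn, "alice", samples)
    unknown = median_time(fn, "nobody", samples)
    return known / max(unknown, 1e-9)  # guard against a zero timer reading

if __name__ == "__main__":
    print(f"leaky handler ratio:   {timing_ratio(login_leaky):.1f}")
    print(f"uniform handler ratio: {timing_ratio(login_uniform):.2f}")
```

A ratio far above 1 for `login_leaky` is the kind of gap the analysis step surfaces; the uniform handler stays close to 1.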

## Contributing
Pull requests are welcome. Feel free to open an issue if you want to add other features.