This script is largely a PoC for demonstrating the practicality of time-based username enumeration in certain circumstances.
To determine whether a site is vulnerable we require a valid username. Leveraging the known valid username we send a specified number of requests to the desired URI, measuring the response time and computing the average. We do the same for a known invalid username. We then compare the average response times. If there's a distinct difference in the response times (given an acceptable margin), the site may be vulnerable.
Leveraging a similar technique, we can attempt to exploit the vulnerability.
ruby enumerate.rb -x "http://google.com" -d "sessions[username]=PARAM&sessions[password]=a" --validuser "realemail@example.com" -c 10 --method POST --margin 100 --input-file "/Users/John/dictionary-file"
Usage: enumerate.rb [options]
-u, --validuser [USER] Valid username for comparison
-f, --input-file [FILEPATH] Path to dictionary filecontaining usernames
-c, --request-count [COUNT] Number of requests to send beforemaking a decision. Defaults to 10
-d, --query-data [DATA] HTTP data to send
-x, --uri [URI] Request URI
--method [METHOD] HTTP request method
--margin [MARGIN] Time margin for determining successful exploitation (Defaults to 50ms)
--cookies [COOKIES] HTTP Cookies to use in request
--proxy-address [PADDR] Proxy Address
--proxy-port [PPORT] Proxy Port
- Default Options: Default options currently aren't available.
Feel free to contact me with any questions, john.m.poulin@gmail.com