Friday 8 January 2016

Enumerating usernames


Tools used:
Browser: Iceweasel
Web app: Mutillidae

This technique lets us know whether a username has already been registered. To achieve this, simply attempt to log in with candidate usernames. It doesn't matter if you don't know the password, as we are only enumerating usernames so that we can later launch a brute force attack.

First, we use a test username without knowing whether it has already been registered (I used the name jess). The result was
Therefore there is no username of jess registered on the system.

Secondly, I used a common username, admin. The result is
This clearly demonstrates that although the password we supplied was incorrect, there is definitely a username called admin. We can now attempt to brute force the admin username using Hydra or Burp Suite (Intruder).
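The difference between the two results above is what a login handler has to remove. The following is an added example, not code from the original post or from Mutillidae: a login check that leaks account existence beside a hardened one, plus a regression check. The user store, the error strings and all function names are constructed assumptions.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password hash the application uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

# Constructed sample user store: username -> (salt, hash). Not Mutillidae data.
_SALT = os.urandom(16)
USERS = {"admin": (_SALT, _hash("S3cure-constructed-pw", _SALT))}

# Dummy record so an unknown username costs the same hashing work as a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, _hash("dummy", _DUMMY_SALT))

GENERIC = "Invalid username or password"  # constructed message

def login_leaky(username: str, password: str) -> str:
    """Weak pattern: the error text reveals whether the account exists."""
    if username not in USERS:
        return "Account does not exist"      # constructed message
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "Password incorrect"          # constructed message
    return "OK"

def login_hardened(username: str, password: str) -> str:
    """Same message and same hashing work for unknown user and bad password."""
    salt, stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), stored)
    # Require a real account as well, so the dummy password never logs anyone in.
    if ok and username in USERS:
        return "OK"
    return GENERIC

def leaks_account_existence(login) -> bool:
    """Regression check: do failed logins differ for known vs unknown users?"""
    return login("admin", "wrong") != login("jess", "wrong")

if __name__ == "__main__":
    print("leaky handler leaks:   ", leaks_account_existence(login_leaky))
    print("hardened handler leaks:", leaks_account_existence(login_hardened))
```

A uniform response only removes the enumeration signal on the login form. Registration and password-reset forms need the same treatment, and rate limiting or lockout is still required against password guessing.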