Generate Wordlists

Theory

Having a good wordlist is critical to carrying out a successful password attack. It is important to know how you can generate username lists and password lists. In this section, we will discuss creating targeted username and password lists.

Practice

Generate a Wordlist

Tools such as Cewl - Custom Word List generator can be used to effectively crawl a website and extract strings or keywords. Cewl is a powerful tool to generate a wordlist specific to a given company or target.

CeWL is a ruby app which spiders a given URL, up to a specified depth, and returns a list of words which can then be used for password crackers such as John the Ripper. Optionally, CeWL can follow external links.

cewl -w list.txt -d 5 -m 5 http://target.net

Gathering employees' names in the enumeration stage is essential. We can generate username lists from the target's website. For the following example, we'll assume we have a {first name} {last name} (ex: John Smith) and a method of generating usernames.

Thankfully, there is a tool username_generator that could help create a list with most of the possible combinations if we have a first name and last name.

python3 username_generator.py -w users.lst

Crunch is one of many powerful tools for creating an offline wordlist. With crunch, we can specify numerous options, including min, max, and options

#min=2 max=2 charset=01234abcd outfile=crunch.txt
crunch 2 2 01234abcd -o crunch.txt

Crunch also lets us specify a character set using the -t option to combine words of our choice. Here are some of the other options that could be used to help create different combinations of your choice:

@ - lower case alpha characters

, - upper case alpha characters

% - numeric characters

^ - special characters including space

#min=6 max=6 option=pass[0-9][0-9] outfile=stdin
crunch 6 6 -t pass%%

CUPP - Common User Passwords Profiler is an automatic and interactive tool written in Python for creating custom wordlists. For instance, if you know some details about a specific target, such as their birthdate, pet name, company name, etc., this could be a helpful tool to generate passwords based on this known information.

#Interactive mod
python3 cupp.py -i

#Pre-created wordlists
python3 cupp.py -l

# Alecto database default logins
python3 cupp.py -a

LDAPWordlistHarvester is an other greate tool from p0dalirius. It generates a wordlist from the information present in LDAP, in order to crack passwords of domain accounts.

./LDAPWordlistHarvester.py -d 'domain.local' -u 'Administrator' -p 'P@ssw0rd123!' --dc-ip 192.168.1.101

Rule-Based Wordlists

Rule-Based attacks assume the attacker knows something about the password policy. Rules are applied to create passwords within the guidelines of the given password policy and should, in theory, only generate valid passwords. Using pre-existing wordlists may be useful when generating passwords that fit a policy — for example, manipulating or 'mangling' a password such as password: p@ssword, Pa$$word, Passw0rd, and so on.

Hashcat rule sets are located at /usr/share/hashcat/rules/. You can generate a wordlist using a rule as follow:

# Create wordlist from a rule
hashcat -r /usr/share/rules/best64.rule wordlist.txt --stdout > new_wordlist.txt

You can also use the OneRuleToRuleThemAll rule to generate a wordlist.

Create your own rules

To create your own rules, you definitely want to check this hashcat documentation, but here is an example of creating your custom rule and some notes about useful functions:

Description	Function	Example Rule	Ex. Input	Ex. Output
Append Char	$X	$1$2	Password	Password12
Prepend Char	^X	$1$2	Password	12Password
Capitalize the first letter and lower the rest	c	c	password	Password
Uppercase all letters	u	u	password	PASSWORD

Description

Function

Example Rule

Ex. Input

Ex. Output

Append Char

$1$2

Password

Password12

Prepend Char

$1$2

Password

12Password

Capitalize the first letter and lower the rest

password

Password

Uppercase all letters

password

PASSWORD

Note that if the rule functions are:

On the same line, separated by a space: Hashcat will use them consecutively on each password of the word list.
On separate lines: Hashcat will use each rule separately on each password of the word list.

# Using following rule file:
# $1 c
$ hashcat -r my.rule password.txt --stdout 
Password1

# Using following rule file:
# $1
# c
$ hashcat -r my.rule password.txt --stdout
password1
Password

Let's assume an AD password policy that requires an upper case letter, a special character, and a numerical value. We may use the following rules along with hashcat:

# Rules file
# Capital letter at the beginning, 
# random number and special character at the end -> common human behaviour ;)
$ cat my.rule
c $1 $!
c $2 $!
c $1 $2 $3 $!

# Generate the wordlist
hashcat -r my.rule passwords.txt --stdout > new_passwords.txt

John the ripper has a config file that contains rule sets, which is located at /etc/john/john.conf or /opt/john/john.conf depending on your distro or how john was installed. You can read /etc/john/john.conf and look for List.Rules to see all the available rules:

# Create wordlist from a rule
john --wordlist=/tmp/single-password-list.txt --rules=best64 --stdout > wordlist.txt

Pseudohash is a Python password list generator tool that can generates millions of keyword-based password mutations in seconds.

# --common-paddings-after  Append common paddings after each mutated word
# --common-paddings-before Append common paddings before each mutated word
# --custom-paddings-only Use only user provided paddings for word mutations (must be used with -ap AND (-cpb OR -cpa))
# --append-padding VALUES Add comma seperated values to common paddings
# --append-numbering LEVEL Append numbering range at the end of each word mutation (before appending year or common paddings).

#Examples
python3 psudohash.py -w password --common-paddings-after -y 2020-2023
python3 psudohash.py -w password --common-paddings-before -an 3 -y 1990-2022

References

TryHackMe | Cyber Security TrainingTryHackMe

Last updated 6 months ago