Having a good wordlist is critical to carrying out a successful password attack. It is important to know how you can generate username lists and password lists. In this section, we will discuss creating targeted username and password lists.
Practice
Generate a Wordlist
Tools such as Cewl - Custom Word List generator can be used to effectively crawl a website and extract strings or keywords. Cewl is a powerful tool to generate a wordlist specific to a given company or target.
CeWL is a ruby app which spiders a given URL, up to a specified depth, and returns a list of words which can then be used for password crackers such as John the Ripper. Optionally, CeWL can follow external links.
cewl -w list.txt -d 5 -m 5 http://target.net
Gathering employees' names in the enumeration stage is essential. We can generate username lists from the target's website. For the following example, we'll assume we have a {first name} {last name} (ex: John Smith) and a method of generating usernames.
Thankfully, there is a tool username_generator that could help create a list with most of the possible combinations if we have a first name and last name.
python3 username_generator.py -w users.lst
Crunch is one of many powerful tools for creating an offline wordlist. With crunch, we can specify numerous options, including min, max, and options
Crunch also lets us specify a character set using the -t option to combine words of our choice. Here are some of the other options that could be used to help create different combinations of your choice:
CUPP - Common User Passwords Profiler is an automatic and interactive tool written in Python for creating custom wordlists. For instance, if you know some details about a specific target, such as their birthdate, pet name, company name, etc., this could be a helpful tool to generate passwords based on this known information.
#Interactive mod
python3 cupp.py -i
#Pre-created wordlists
python3 cupp.py -l
# Alecto database default logins
python3 cupp.py -a
LDAPWordlistHarvester is an other greate tool from p0dalirius. It generates a wordlist from the information present in LDAP, in order to crack passwords of domain accounts.
Rule-Based attacks assume the attacker knows something about the password policy. Rules are applied to create passwords within the guidelines of the given password policy and should, in theory, only generate valid passwords. Using pre-existing wordlists may be useful when generating passwords that fit a policy — for example, manipulating or 'mangling' a password such as password: p@ssword, Pa$$word, Passw0rd, and so on.
Hashcat rule sets are located at /usr/share/hashcat/rules/. You can generate a wordlist using a rule as follow:
# Create wordlist from a rule
hashcat -r /usr/share/rules/best64.rule wordlist.txt --stdout > new_wordlist.txt
To create your own rules, you definitely want to check this hashcat documentation, but here is an example of creating your custom rule and some notes about useful functions:
Description
Function
Example Rule
Ex. Input
Ex. Output
Append Char
$X
$1$2
Password
Password12
Prepend Char
^X
$1$2
Password
12Password
Capitalize the first letter and lower the rest
c
c
password
Password
Uppercase all letters
u
u
password
PASSWORD
Note that if the rule functions are:
On the same line, separated by a space: Hashcat will use them consecutively on each password of the word list.
On separate lines: Hashcat will use each rule separately on each password of the word list.
# Using following rule file:
# $1 c
$ hashcat -r my.rule password.txt --stdout
Password1
# Using following rule file:
# $1
# c
$ hashcat -r my.rule password.txt --stdout
password1
Password
Let's assume an AD password policy that requires an upper case letter, a special character, and a numerical value. We may use the following rules along with hashcat:
# Rules file
# Capital letter at the beginning,
# random number and special character at the end -> common human behaviour ;)
$ cat my.rule
c $1 $!
c $2 $!
c $1 $2 $3 $!
# Generate the wordlist
hashcat -r my.rule passwords.txt --stdout > new_passwords.txt
John the ripper has a config file that contains rule sets, which is located at /etc/john/john.conf or /opt/john/john.conf depending on your distro or how john was installed. You can read /etc/john/john.conf and look for List.Rules to see all the available rules:
# Create wordlist from a rule
john --wordlist=/tmp/single-password-list.txt --rules=best64 --stdout > wordlist.txt
Pseudohash is a Python password list generator tool that can generates millions of keyword-based password mutations in seconds.
# --common-paddings-after Append common paddings after each mutated word
# --common-paddings-before Append common paddings before each mutated word
# --custom-paddings-only Use only user provided paddings for word mutations (must be used with -ap AND (-cpb OR -cpa))
# --append-padding VALUES Add comma seperated values to common paddings
# --append-numbering LEVEL Append numbering range at the end of each word mutation (before appending year or common paddings).
#Examples
python3 psudohash.py -w password --common-paddings-after -y 2020-2023
python3 psudohash.py -w password --common-paddings-before -an 3 -y 1990-2022
