Creating the Perfect Password List

Introduction

Ever been doing a penetration test, used up your default password lists, and still not managed to break into a file or a server? Ever been responding to an incident in a forensic capacity and realised you can't break into a file which is crucial to your investigation? Chances are, your password list is quite "generic" - i.e., it goes for your average Joe, but has no specificity relating to your individual target. These generic wordlists have their uses, but not today, and not in a large number of situations.

This tutorial is going to show you how to craft a targeted password list - one I can guarantee will give you a higher percentage of success in a shorter amount of time, on average. If you've never created a custom password list - fear not, it's an easy task, and you will enjoy password cracking far more than ever before!

Brief Background

Ok, so I'm not going to spend too long on the background - I realise it's somewhat boring, and you're probably going to skip this section. Please don't - at least skim over it so you understand the basics of what's going on, and you will more fully appreciate the work the various authors of the tools have done.

We're going to use a few different tools to accomplish our aim, but the basic principle stays the same with all of them: an information source (be it you, files, or the internet) is fed into them (not literally fed, in the case that the former is you), and a list of passwords relevant to the keywords found is fed back out to you in nice lists, with variations added to emulate common user habits. Let me give you an example - say you did some research, and found out your target "Max Hackable" had a pet dog named "Lily", and spent every Saturday at a dog-owners' club called "Pampered Pooches". So, you feed those keywords into your password tool, and a big list comes out (92620 words, in my case) - you put it to work, and end up cracking the password: L11yP00ch3s. That's not a password you'd ever dream of cracking with a generic list, no matter how big - yet you just did it in a matter of seconds with a custom list!

Well, if you think this is something you'd be interested in finding out, read on!

The Juicy Stuff

Alright, so I'm going to walk you through a few different tools here, and you can use each of them for different reasons, at your discretion.

CUPP (Common User Password Profiler): This tool is mainly used when you know a bit about the person from social reconnaissance (rather than online reconnaissance), so there's no real electronic record of what you know. It takes your input via interactive questions and generates a nice custom wordlist based on that. Let's stick with our scenario of "Max Hackable". Download CUPP from http://www.remote-exploit.org/wp-content/uploads/2010/04/cupp-3.0.tar.gz, and make sure you have Python installed. Untar it (tar xfz cupp-3.0.tar.gz), change into the directory (cd cupp-3.0), and run it with "./cupp.py -i" - away you go! The easiest way is to show by example, so take a look here:

root@box:~/Tools/Information Gathering/Passwords/cupp$ ./cupp.py -i

[+] Insert the informations about the victim to make a dictionary [low cases!]
[+] If you don't know all the info, just hit enter when asked! ;)

> Name: Max
> Surname: Hackable
> Nickname: Machack
> Birthdate (DDMMYYYY; i.e. 04111985):


> Wife's(husband's) name: Jeane
> Wife's(husband's) nickname: Hackable
> Wife's(husband's) birthdate (DDMMYYYY; i.e. 04111985):


> Child's name: Little
> Child's nickname: LJ
> Child's birthdate (DDMMYYYY; i.e. 04111985):


> Pet's name: Lily
> Company name: Insecure Systems


> Do you want to add some key words about the victim? Y/[N]: y
> Please enter the words, separated by comma. [i.e. hacker, juice, black]: computer, system, systems, pampered, pooches, pooch, dogs, dog
> Do you want to add special chars at the end of words? Y/[N]: y
> Do you want to add some random numbers at the end of words? Y/[N]y
> Leet mode? (i.e. leet = 1337) Y/[N]: y

[+] Now making a dictionary...
[+] Sorting list and removing duplicates...
[+] Saving dictionary to Max.txt, counting 272226 words.
[+] Now load your pistolero with Max.txt and shoot! Good luck!

In a matter of about 1 second, I had a password file of 272225 passwords:

root@box:~/Tools/Information Gathering/Passwords/cupp$ wc -l Max.txt
272225 Max.txt

Some of the passwords included were these:

*trim*

Pooches369
elttiL%%$
System288
System289
LJLittle--*
LJLittle--)

Insecure Systems_^_
MaxMachack&&#
dog_-!
Insecure Systems_^@

*trim*

After this point, it's up to you, but I think it's fairly obvious that you feed that wordlist into your cracking program of choice ;)

Wyd (Who's Your Daddy Password Profiler): Wyd is a tool designed to create a password list based on the contents and metadata of plain text, html, php, doc, ppt, mp3, pdf, jpeg, and odp/ods/odp files. It's up to you how you get these files, but it's generally accepted that you would either have them from a previous hack or physical access, or have downloaded them from the company's website (many companies put PDFs or DOCs on the web). I will show you an excerpt from using Wyd on a single .doc file, though you can use it on an entire directory at once (though this will produce much more output). This tool is Perl-based, so have Perl installed. Download it from http://www.remote-exploit.org/wp-content/uploads/2010/01/wyd-0.2.tar.gz:

Install dependencies for Ubuntu 10.04 (or similar for your system): apt-get install catdoc mp3info jhead libopenoffice-oodoc-perl libtext-pdf-perl pdftk

root@box:~/Tools/Information Gathering/Metadata/wyd-0.2$ ./wyd.pl -o final_wordlist.txt FlightPlan_Notice.doc

*
* ./wyd.pl 0.2 by Max Moser and Martin J. Muench
*


** Done

This quietly outputs the contents to "final_wordlist.txt", as specified by the "-o" option. An excerpt from the contents of the final wordlist:

 Date
2008-01-24
REPLACES
United
States
of
America
ANSI
Administered
by
F****nce
Inc
on
behalf
DOCUMENT
TYPE
timothy@sch*****org
5th
Please
also
Michael
La***on

These lists can also be fed back through CUPP to "mangle" them and add the necessary variations.

RSMangler (Random Storm Mangler): RSMangler will take a set of keywords and, quite simply, mangle them. It's best used on only a few words (such as 5 or fewer), but can be of use if you have a large CPU and a large wordlist (such as one generated from Wyd). Usage and results are both fairly simple, but effective. It's Ruby-based, so have Ruby installed. Download it from http://www.randomstorm.com/tools/rsmangler_1.0.tar.bz2, and follow thus:

root@box:~/Tools/Password Tools/rsmangler$ ./rsmangler.rb -f input_words_file.txt > output_file.txt

Make sure your input_words_file contains the main keywords you wish to use. Mine was as follows:

root@box:~/Tools/Password Tools/rsmangler$ cat list.txt
Max
Hackable
Lily
Pampered
Pooches

Which produced the following (trimmed):

123MaxPampered
MaxPampered123
MaxPooches
MaxPoochesMaxPooches
sehcooPxaM
Maxpooches
maxpooches
MAXPOOCHES
mAXpOOCHES
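As an added example (my own code, not part of the original post or of CUPP/RSMangler), here is a small Python mangler that applies the same kinds of transformations the tools above apply: case variants, reversal, number/symbol prefixes and suffixes, pair concatenation, and partial leet substitution. The keyword list is the Max Hackable scenario from the introduction; the substitution table and affix list are my own assumptions. Its in_targeted_list() check is the defender's use of the same idea: confirming that a password built from personal facts (like the L11yP00ch3s example earlier) does fall to such a list, so it should not pass a policy review.

```python
"""Keyword mangler in the spirit of CUPP/RSMangler (constructed example)."""
import itertools

# Assumed substitution table and affixes; the real tools ship larger ones.
LEET = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "s": "5", "t": "7"}
AFFIXES = ["1", "123", "!", "2010"]

# Constructed keyword list from the Max Hackable scenario in the post.
KEYWORDS = ["Max", "Hackable", "Lily", "Pampered", "Pooches"]


def case_variants(word):
    """Mixed-case forms like RSMangler's Maxpooches / MAXPOOCHES / mAXpOOCHES."""
    return {word, word.lower(), word.upper(), word.capitalize(), word.swapcase()}


def leet_variants(word):
    """Every combination of applying or skipping a substitution per character,
    so 'LilyPooches' yields L11yP00ch3s as well as the fully substituted form."""
    options = [(c, LEET[c.lower()]) if c.lower() in LEET else (c,) for c in word]
    return {"".join(p) for p in itertools.product(*options)}


def mangle(keywords):
    """Return the targeted candidate set for a handful of keywords."""
    base = set(keywords)
    # Join every ordered pair, giving MaxPooches and PoochesMax alike.
    for a, b in itertools.permutations(keywords, 2):
        base.add(a + b)
    out = set()
    for w in base:
        out |= leet_variants(w)
        for v in case_variants(w):
            out.add(v)
            out.add(v[::-1])          # reversal: sehcooPxaM
            for x in AFFIXES:
                out.add(v + x)        # MaxPooches123
                out.add(x + v)        # 123MaxPooches
    return out


def in_targeted_list(candidate, keywords=KEYWORDS):
    """Defender's check: does a password built from public facts fall to this list?"""
    return candidate in mangle(keywords)


if __name__ == "__main__":
    words = mangle(KEYWORDS)
    print(len(words), "candidates; L11yP00ch3s covered:", "L11yP00ch3s" in words)
```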

AWLG (Associative Word List Generator): An online tool which is very similar to Wyd. It works based on "Google Dorks": it searches Google for your term and compiles a list from what it finds. The advantage is that it's online and it searches Google, so it can produce some good and varied results. The disadvantage is that you have to wait in line, which can sometimes be a bit of a pain, though it's hardly a deal-breaker considering this is free. Go here: http://awlg.org/index.gen

Bonus - Get Some Extra Data:

Just a quick "bonus" for you, in case you wanted to try and get some extra data from any sort of file - this can be useful when building keywords, or help you know where to look. I'll cover more Exif data stuff in a future post, but for now, go to http://www.sno.phy.queensu.ca/~phil/exiftool/, and download the .tar.gz file. Extract it, and run "exiftool" on any file you want. In this example, I'll run it on a picture I got from Twitpic:

root@box:~/Tools/Information Gathering/Metadata$ ./exiftool image.jpg
File Modification Date/Time     : 2010:08:17 12:04:20+09:30
Exif Byte Order                 : Little-endian (Intel, II)
Make                            : Motorola
Camera Model Name               : Droid
Software                        : 2.1-update1
Modify Date                     : 2010:08:17 00:11:21
Exposure Time                   : 1/40
F Number                        : 2.8
Exposure Program                : Program AE
ISO                             : 57
GPS Version ID                  : 2.2.0.0
GPS Latitude Ref                : North
GPS Longitude Ref               : West
GPS Latitude                    : 29 deg 52' 53.00" N
GPS Longitude                   : 97 deg 56' 25.00" W
GPS Position                    : 29 deg 52' 53.00" N, 97 deg 56' 25.00" W

I trimmed the output to the interesting stuff, just to demonstrate. So from just one picture, we already have a GPS location, which leads to possible interests and other keywords that can be used. Exiftool can be used on any sort of file with Exif or similar metadata, such as Microsoft Word docs, PDFs, etc.

Conclusion

This concludes my brief tutorial on generating nice password lists. Have fun, stay safe, and remember - don't do anything to systems you don't own if you don't have express permission to do so (in written, signed, and documented format, preferably with a Lawyer present). Thanks.