Wordlist Generation

Password authentication is one of the most widely used methods because it is simple to implement and there is almost no learning curve for the user. However, that simplicity is also its downfall. Because a password is a shared secret, it can be guessed, phished, recorded or stolen in many different ways. Over decades the way passwords are used has been refined and reinforced to make them more robust, but they remain susceptible to the most simple forms of attack.

Here we begin with the most basic form of attack: guessing the password. To guess a password we need a list of candidates the victim is likely to have used. The following are some techniques for generating such wordlists, which can then be fed to a password cracker against captured hashes or used directly against a login in systems/applications to pass authentication.

Bespoke Wordlist

When trying to infiltrate a corporate network, one of the first things to do is to build a wordlist out of the common words and terminology the company uses in its documents, website, social media posts, etc. People pick passwords from the vocabulary around them, so product names, project codenames and office locations are far more likely to turn up in a staff member's password than words from a generic list.

The following command scrapes words from a website,

cewl www.particle42.com -m 8 -d 12 -w p42-cewl.txt

-m 8 - keeps only words of 8 characters or more; shorter words rarely satisfy a minimum-length policy

-d 12 - the depth (number of links followed from the start page) that CeWL spiders for words; the default is 2, so this crawls much deeper and takes correspondingly longer

Once the list is ready, it will be composed of plain words that make very weak passwords on their own. Most applications require passwords to combine upper case, lower case, numerals and special characters, so a scraped word is unlikely to be accepted as-is; it is, however, a good base to mutate.

We will use the rule engine of another password cracking tool, John the Ripper, to mangle each scraped word into the variants that the company's password policy would accept.

Besides the rules that the configuration file already contains, we add another rule under the [List.Rules:Wordlist] section (the section --rules uses) that appends two digits to the end of each word. In John's rule syntax $X appends the character X, and a [..] character class is expanded into one rule per member, so $[0-9]$[0-9] yields 100 variants of every word, from word00 to word99.

sudo vim /etc/john/john.conf

# Try the second half of split passwords
-s x_
-s-c x_ M l Q
# Add two numbers to the end of each password
$[0-9]$[0-9]

Now we generate the wordlist from the data scraped from the website; --stdout writes the mangled candidates to a file instead of cracking anything,

john --wordlist=p42-cewl.txt --rules --stdout > p42-wordlist.txt
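To make the effect of --rules visible without John installed, here is an added example (written for this page, not John's own code) that re-implements the handful of rule commands used above: l, u, c, $X, ^X and [..] classes. The sample words and the two extra capitalisation rules are constructed for illustration and are not on the original page; John's full rule language is far larger than what this supports.

```python
"""Minimal re-implementation of a few John the Ripper rule commands, added
for this page. Supports only l, u, c, $X, ^X and [..] classes."""
import itertools

# Constructed sample of words as CeWL might scrape them (not real output).
SCRAPED_WORDS = ["particle", "Accelerator", "collider", "beamline"]

# The rule added to john.conf above, plus two capitalisation variants that
# are an assumption for this example, not taken from the page.
RULES = ["$[0-9]$[0-9]", "c$[0-9]$[0-9]", "u$[0-9]$[0-9]"]


def _class_chars(spec):
    """Expand the inside of a [..] class: 'a-c!' -> ['a', 'b', 'c', '!']."""
    chars = []
    i = 0
    while i < len(spec):
        if i + 2 < len(spec) and spec[i + 1] == "-":
            chars.extend(chr(c) for c in range(ord(spec[i]), ord(spec[i + 2]) + 1))
            i += 3
        else:
            chars.append(spec[i])
            i += 1
    return chars


def _tokenize(rule):
    """Split a rule into (command, choices) tokens; choices is None for l/u/c."""
    tokens = []
    i = 0
    while i < len(rule):
        cmd = rule[i]
        if cmd in "luc":
            tokens.append((cmd, None))
            i += 1
        elif cmd in "$^":
            if i + 1 < len(rule) and rule[i + 1] == "[":
                end = rule.index("]", i + 2)
                tokens.append((cmd, _class_chars(rule[i + 2:end])))
                i = end + 1
            else:
                tokens.append((cmd, [rule[i + 1]]))
                i += 2
        else:
            raise ValueError(f"unsupported rule command {cmd!r}")
    return tokens


def expand_rule(rule):
    """Yield one concrete rule per combination of class members, as John does."""
    tokens = _tokenize(rule)
    choices = [opts if opts is not None else [None] for _, opts in tokens]
    for combo in itertools.product(*choices):
        yield [(cmd, arg) for (cmd, _), arg in zip(tokens, combo)]


def apply_rule(word, concrete):
    """Apply a concrete (class-free) rule to one word."""
    for cmd, arg in concrete:
        if cmd == "l":
            word = word.lower()
        elif cmd == "u":
            word = word.upper()
        elif cmd == "c":
            word = word[:1].upper() + word[1:].lower()
        elif cmd == "$":
            word = word + arg
        elif cmd == "^":
            word = arg + word
    return word


def mangle(words, rules):
    """Rules outer, words inner (John's order); drop duplicates, keep order."""
    seen = set()
    out = []
    for rule in rules:
        for concrete in expand_rule(rule):
            for word in words:
                candidate = apply_rule(word, concrete)
                if candidate not in seen:
                    seen.add(candidate)
                    out.append(candidate)
    return out


if __name__ == "__main__":
    wordlist = mangle(SCRAPED_WORDS, RULES)
    print(f"{len(SCRAPED_WORDS)} words x {len(RULES)} rules -> {len(wordlist)} candidates")
    print("\n".join(wordlist[:5]))
```

Four scraped words and three rules already give 1100 candidates (the capitalised variants of "Accelerator" collapse into the first rule's output, which is why duplicates are dropped). This is the multiplication that makes the bespoke list worth far more than its raw line count, and also why rule sets should be chosen to match the target's policy rather than applied blindly.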

Bruteforce Wordlist

A brute-force wordlist, as the name suggests, takes the brute approach of listing every combination of letters, numbers and special characters for a given length. The number of candidates grows exponentially with both the length and the size of the character set, so the output file quickly becomes enormous and trying every combination takes a very long time. Constrain the length and character set to what the target's password policy actually allows, and consider piping crunch straight into the cracker rather than writing the list to disk.

Here are a few examples to create wordlists using crunch,

crunch 6 6 -t ,@@^^%

6 6 denotes the minimum and maximum number of characters the password will contain; with -t the pattern has one symbol per character position, so its length matches the 6 given here.

, represents an upper case letter.

@ represents a lower case letter.

^ represents a special character.

% represents a number.

Further, we can create wordlists from a predefined set of characters using the following command,

crunch 4 6 0123456789ABCDEF -o crunch.txt

This creates passwords of minimum length 4 and maximum length 6 from the given characters (hexadecimal digits here) and writes them to crunch.txt with -o; without -o crunch writes to standard output.
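The size of the output matters more than anything else in this section, so here is an added example (written for this page, not crunch's own code) that re-creates both the -t pattern mode and the fixed-charset mode with itertools and works out the candidate count and file size for the two commands above. The special-character set is an assumption (Python's string.punctuation, 32 characters); crunch's own default symbol list differs slightly, so its count for ^ will not match exactly. It also goes slightly beyond the page in keeping literal characters in a pattern fixed, as crunch does.

```python
"""Keyspace and output-size estimates for crunch-style wordlists, added
for this page. Not crunch's own code."""
import itertools
import string

# crunch placeholder symbols mapped to the sets they expand to. The ^ set
# here is an assumption (string.punctuation); crunch's default differs.
PLACEHOLDERS = {
    ",": string.ascii_uppercase,
    "@": string.ascii_lowercase,
    "^": string.punctuation,
    "%": string.digits,
}


def pattern_keyspace(pattern, placeholders=PLACEHOLDERS):
    """Candidates for a -t pattern: product of the set sizes, literals count 1."""
    total = 1
    for sym in pattern:
        total *= len(placeholders[sym]) if sym in placeholders else 1
    return total


def pattern_candidates(pattern, placeholders=PLACEHOLDERS):
    """Generate the candidates for a -t pattern; literal characters stay fixed."""
    positions = [placeholders.get(sym, sym) for sym in pattern]
    for combo in itertools.product(*positions):
        yield "".join(combo)


def charset_keyspace(min_len, max_len, charset):
    """Candidates for crunch MIN MAX CHARSET: sum of |charset|^n over the lengths."""
    return sum(len(charset) ** n for n in range(min_len, max_len + 1))


def charset_candidates(min_len, max_len, charset):
    """Generate every string of the given lengths over charset, shortest first."""
    for n in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            yield "".join(combo)


def output_bytes(min_len, max_len, charset):
    """Size on disk of the -o file: each candidate plus a newline byte."""
    return sum(len(charset) ** n * (n + 1) for n in range(min_len, max_len + 1))


if __name__ == "__main__":
    print("crunch 6 6 -t ,@@^^%  ->", pattern_keyspace(",@@^^%"), "candidates")
    print("first few:", list(itertools.islice(pattern_candidates(",@@^^%"), 3)))
    hexset = "0123456789ABCDEF"
    print("crunch 4 6 HEX        ->", charset_keyspace(4, 6, hexset),
          "candidates,", output_bytes(4, 6, hexset) // 2**20, "MiB on disk")
```

Even the modest hexadecimal example produces 17,891,328 lines and about 118 MiB; the six-character pattern with two special-character positions is already in the hundreds of millions. Run these numbers before generating a list, and shrink the character set or length where the policy permits.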

Combining word lists

When you have two files whose words need to be combined into one mutated wordlist, the combinator binary from hashcat-utils can be used. It appends every word of file2 to every word of file1, so the output has as many lines as the product of the two input sizes.

/usr/lib/hashcat-utils/combinator.bin file1.txt file2.txt > mutated.txt
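As an added example (written for this page, not hashcat-utils' own code), here is a streaming equivalent of combinator that never holds the product in memory, strips CRLF line endings, and lets you check the output size before filling the disk. The two input files in demo() are constructed for illustration.

```python
"""Streaming equivalent of hashcat-utils' combinator, added for this page."""
import os
import tempfile


def combine(left_words, right_words):
    """Yield left+right for every pair, the right list varying fastest."""
    right_words = list(right_words)   # must be re-iterable for each left word
    for left in left_words:
        for right in right_words:
            yield left + right


def combinator(left_path, right_path, out_path):
    """Stream the combination to disk; returns the number of lines written."""
    with open(right_path, encoding="utf-8", errors="surrogateescape") as f:
        right_words = [line.rstrip("\r\n") for line in f]
    count = 0
    with open(left_path, encoding="utf-8", errors="surrogateescape") as f, \
         open(out_path, "w", encoding="utf-8", errors="surrogateescape") as out:
        left_words = (line.rstrip("\r\n") for line in f)
        for candidate in combine(left_words, right_words):
            out.write(candidate + "\n")
            count += 1
    return count


def expected_lines(left_path, right_path):
    """Output size is |left| x |right|; check this before writing anything."""
    with open(left_path, "rb") as a, open(right_path, "rb") as b:
        return sum(1 for _ in a) * sum(1 for _ in b)


def demo():
    """Constructed inputs: words from the bespoke list and common suffixes."""
    tmp = tempfile.mkdtemp()
    left, right, out = (os.path.join(tmp, n) for n in ("file1.txt", "file2.txt", "mutated.txt"))
    with open(left, "w") as f:
        f.write("particle\nCollider\n")
    with open(right, "w") as f:
        f.write("2024\n!\n2024!\n")
    planned = expected_lines(left, right)
    written = combinator(left, right, out)
    with open(out) as f:
        lines = f.read().splitlines()
    return planned, written, lines


if __name__ == "__main__":
    planned, written, lines = demo()
    print(f"planned {planned}, wrote {written}:", lines)
```

Two words combined with three suffixes give six candidates; two lists of 100,000 lines each give ten billion, which is why the size check comes first.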
