Sunday, June 19, 2011

Wordlists & Password Profiling with CRUNCH, WyD, & CUPP

Today I am going to show you how to use three (3) different tools in Linux (Backtrack 5) for creating targeted wordlists to help speed up and increase the chance of success for your dictionary attacks. I will be covering the use of CRUNCH for pure wordlist generation, and then I will cover the use of WyD and CUPP which use password profiling techniques to create targeted wordlists to narrow your attacks. I will provide the written walk through here with a video at the end. Let's begin with CRUNCH...

++++++++++++++++++++++++++++CRUNCH - WORDLIST GENERATOR+++++++++++++++++++++++++++++

CRUNCH is a wordlist generator based on the user specified character set. It takes the character set designated by the user and generates all combinations and permutations possible into a nice new wordlist for you to use in your dictionary/bruteforce tools. It supports lower and upper alpha-numeric as well as special character set and also has the ability to break the output into multiple files based on the number of lines or designated file size. It also has the ability to pause and resume which is helpful when generating very large wordlists that may take some time to fully compile. You can download the latest version from the sourceforge homepage, which is located here:

You will need to download and extract using the following methods:
               COMMAND: tar -zxvf crunch-3.0.1.tgz
               COMMAND: cd crunch-3.0.1/
               COMMAND: make && make install
Crunch can be used to create great wordlists and with the proper sytnax can even be piped directly into brute-forcing tools, for example AirCrack and CowPatty can use the piped output for Wireless password cracking (I highly suggest CowPatty if you are dealing with large wordlists due to restrictions in AirCrack on the number of keys that can be processed).

Basic syntax of CRUNCH looks like this (See MAN Pages for details):
./ crunch <min-len> <max-len> [-f /path/to/charset.lst charset-name] [-o  wordlist.txt]
      [-t [FIXED]@@@@] [-s startblock] [-c number]

Breakdown of Syntax:
o   min-len = minimum length string to start at (REQUIRED)
o   max-len = maximum length string to end at.  (REQUIRED)
o   charset = defines the char set to use (If you leave it will use lower case alpha only.
§  NOTE: If you want to include the space character in your character set you must enclose your character set in quotes, like so: "abc ". If you want to use char set files you can reference the -t argument below or just paste it in (check my Hashcat tutorial for full char sets you can use, or reference the charsets.lst that install s with Crunch in default directory).
o   -b = number[type: kb/mb/gb] - which specifies the size of the output file (no space between the number and type (50kb/50mb/50gb).
§  NOTE: only works if -o START is used and the output files will be in the format of starting letter-ending letter for example: ./crunch 4 5 -b 20mib -o START will generate 4 files: aaaa-gvfed.txt, gvfee-ombqy.txt, ombqz-wcydt.txt, wcydu-zzzzz.txt
o   -c <number> = Is similar to -b above but breaks the files based on the number of lines to write to the output file. It also requires -o START to be used
§  NOTE: The output files will be in the format of starting letter-ending letter for example: ./crunch 1 1 -f /pentest/password/crunch/charset.lst mixal- pha-numeric-all-space -o START -c 60 will result in 2 files: a-7.txt and 8-\ .txt The reason for the slash in the second filename is the ending character is space and ls has to escape it to print it (so Yes you will need to put in the \ when specifying the filename because the last character is a space)
o   -f </path/to/charset.lst> <charset-name> = Allows you to specify a character set from the charset.lst
o   -i = Inverts the output so instead of aab,aac,aad you get baa,caa,daa
o   -o <wordlist.txt> = defines the file to write output to
o   -p <charset> OR -p <word1 word2...> = This tells the tool to not generate words that have repeating characters and produces a much smaller wordlist, generally only helpful if you know the password policy doesn't allow this
o   -q <filename.txt> = tells the tool to read from filename.txt and perform permutations based on what is read from file. This can not be used with the -s or -t arguments below
§  NOTE: it also ignores the min and max length arguments despite the fact that they must still be included as part of the sytax to run properly
o   -r = this tells the tool to resume where it left off, although you have to make you re=start it with the exact same command that was last used with the addition of the -r at the end (does not work with -s in original command so just remove it when resuming)
o   -s <startblock> = this defines the string to start running crunch on
o   -t <@*%^> = this is helpful for someone who may have been shoulder surfing and knows some of the characters but not all, as this argument allows you to specify a pattern and define positions to replace (and how to replace), for example:
o   -t *^ssw@rd%
§  __ssw_rd_ = the fixed letters
§  @ will insert lower aplha (a-z)
§  * will insert upper alpha (A-Z)
§  % will insert numbers (0-9)
§  ^ will insert symbols (!@#$%^&*)
·        Eventually this would work the word P@ssword1 into our final output which would help us find the password needed for this example
o   -z <gzip|bzip2|lzma> = This will tell crunch to compresses the output from the -o option using the chosen method (gzip/bzip2/lzma).

EXAMPLE: ./crunch 4 4 abc123 -b 1mb -o START
               Generates all possibilities of 4 characters in length (min is set to 4 and max as well)
using the charset of abc123, with defined output file size of not to exceed 1mb
EXAMPLE: ./crunch 1 4 abc123 -b 1mb -o START
               Generates all possibilities from 1 to 4 characters in length (min is set to 1 and max
              is set to 4) using the charset of abc123, output files not to exceed 1mb

NOTE: You can use a quick "cat filename.txt" to check what words are created and inserted into the file, or "wc -l <filename.txt>" to list the word count. If you look at the above shots you can see how you can split the file output based on size, which is impacted by the length designated and char set used. You should be able to figure it out from here. 
+++++++++++++(TUT) Who's Your Daddy Password Profiler (WYD)++++++++++++++++
OK, so that covers CRUNCH and how we use it to create a raw wordlist with every possibility, but this may take a while to attack how can we increase our chances for dictionary attack? We can use the Who's Your Daddy password profiling tool, a.k.a. WyD, to aid us in creating a much narrower wordlist more targeted at the individuals or members of our target site. It and the next tool CUPP are brought to us by the great folks over at Social Engineer [dot] Org. The Who's Your Daddy Password Profiler is a great tool to have in your arsenal, as it can be used to scrape information from web content and the files found on websites to extract usable information that can be used in creating more effective wordlists for dictionary attacks. You can download it from the SE site, found here:
The supported file types that it is capable of scraping info from include: plain, html, php (partially, as html), doc, pdf, mp3, ppt, jpeg, odt/ods/odp, and anything unknown with MIME type text/plain will be processed with strings
As usual you will need download and extract the files in order to get starte, like so:
               COMMAND: tar -xvf wyd-0.2.tar.tar
               COMMAND: cd wyd-0.2/
To start WyD and see the options that we have available, simply type this:
               COMMAND: perl
You may be asking: OK but how do I actually use this thing? Don't you worry; I will show you...We will need to use a common Linux tool called WGET to retrieve our entire victim's website. This tool is typically available by default in almost all Linux distros, so you should not have any problems. You can research this on the side as it has tons of options I can't go into here. For now just follow these steps to make a new folder and then move into it so we can recursively download the web content from our target site, like this:
               COMMAND: mkdir /victim-site
               COMMAND: cd victim-site/
               COMMAND: wget -r
WGET will take a while to get everything but once it is done you can find the results in the victim-site/ folder you ran the WGET command from. Now in order to create a custom wordlist using WyD you will need to use the following command:
               EXAMPLE: perl -o /path/to/ouput/file -t -b -e file/OR/path/to/victim-site/
               COMMAND: -o victim-wordlist.txt -t -b -e /home/SkyWalker/victim-site/

Breakdown of the above, which I commonly use when running this:
o   -o /path/to/output/file = tells it to send everything to file instead of printing to the screen via STDOUT. This file will become our potential wordlist (or wordlists if the -t argument is also used).
o   -t = this will tell it to create separate files based on each file type find that the tool uses to extract data from for profiling. This can only be used with the "-o" option referenced above, and will create as many output files as types found/used. 
§  NOTE/EXAMPLE: file is 'victim.txt' and there are words found in PDF, plain-text, JPEG and HTML files, you will find the following output files if used: 'victim.txt.pdf', 'victim.txt.jpeg', 'victim.txt.plain' and 'victim.txt.html'.
§  -b = this will tell the tool to disable the removal of non-alpha characters from the start of a word, which can be helpful sometimes as the default behavior of WyD is to remove them.
o   -e = this will tell the tool to disable the removal of non-alpha characters from the end of a word, which can be helpful sometimes as the default behavior of WyD is to remove them.
o   <filename> OR /path/to/directory/ = this defines where WyD will work its magic
ERRORS: If you experience any errors due to missing perl modules:
·        Ignore them and WyD will still run, but it will run without any modules that had errors. Not the end of the world but not the best we can do either.
·        Install the missing perl modules that are referenced in the error notes. In order to do this take note of the modules (and associated websites) that are referenced in the errors.
§  If you want to search via the web here is a great place to check details on any perl packages, and links to other helpful info:

That sums up Wyd, so now I will show you how we can make use of our findings from WyD with the help of CUPP to take things a step further and increase our chances even further for our dictionary attack.
++++++++++CUPP - Common User Passwords Profiler TUTORIAL+++++++++++++++++

CUPP stands for Common User Passwords Profiler, and is a great tool to add to any security testers collection and pairs strongly with the WyD tool covered above. It is a Python tool than can be used for password profiling to strengthen your dictionary attacks by creating targeted dictionaries, or wordlists, to use in attacks.
A weak password might be very short or only use alphanumeric characters, making decryption simple as you will find it in almost any of the common wordlists you can find with a quick Google Search. Another type of weak password that can be easily cracked is one that can be easily guessed. Typical passwords that people commonly use might consist of things like pets names, family, girlfriends/boyfriends, birthdays, and other important date/events, or common things people obsess about like God, sex, love, and money. You will find a lot of these items in common passwords but building a smaller wordlist to work with can sometimes save you a lot of time. CUPP will help to generate a wordlist for you based on what Social Engineering [dot] Org calls "predicting specific target passwords by exploiting human vulnerabilities". You will need to download the file from here:
You can extract it using the usual commands:
               COMMAND: tar -xvf cupp2.tar.tar
               COMMAND: python –h
Now you will have two ways to use this tool. You can either use the interactive menu or you can parse results from WyD (which was covered above). I will start with the overview of how to use it for parsing WyD results and then I will cover interactive mode.
OK, assuming you have already used the WyD tool discussed above then you can also use CUPP to parse the results and work its magic. In order to do this you will need to use the following syntax at the console:
               COMMAND: python -w /path/to/file/<filename-from-WyD-output>

To check how many words were created:
               COMMAND: wc -l output-wordlist.txt

In order to bring up interactive mode you will simply start the CUPP tool and use the "-i" argument to prompt for interactive mode ("python -i"). The tool will ask you a series of questions about your victim, and then use that information to help create a targeted wordlist you can use. When it is done asking you the basic questions you will also have a chance to choose any "extras", like having it also add special characters to the end of the words it creates. It can also add numbers to the end as well as performing an l337 permutation. Once it is done it will create a text file in the CUPP folder labeled by your answer to the first interactive question.
This wraps up my tutorial/overview of few helpful password profiling tools which will certainly aid in creating custom wordlists to facilitate faster dictionary attacks and with higher success rates. I have also included a video of everything below for those of you who enjoy visual learning. I hope you have enjoyed things this week and please stay tuned for more to come in the future, and remember to ensure you have a strong password for all your safe keepings. If you have any questions or suggestions on anything covered today please leave a comment and let me know or shoot me an email or PM. Until next time...


PS – I originally did the write up for installing and running things on Cygwin, but then I shot the video using it on Linux. It works either way, although there are less problems and full functionality of all tools in Linux. Here is the VIDEO for those that are interested:

No comments:

Post a Comment