Default Passwords:
The first thing to check during a password attack is default credentials. For example, if we perform a penetration test and reach the management web interface of a Cisco router, we must verify that the default credentials have been changed, which is often not the case.
Here is a list of websites that reference the default passwords of different manufacturers, websites and interfaces:
1 - https://cirt.net/passwords
2 - https://default-password.info/
3 - https://datarecovery.com/rd/default-passwords/
Leaked Passwords:
It is possible that the target of the password attack is a user, in other words a human who usually reuses the same password on several websites. In this situation, and if you are lucky, the user's password may be present in one of the many data leaks published on the web. To check, here are some sites and tools that provide resources on disclosed passwords:
1 - SecLists Leaked-Databases, a GitHub repository that bundles a good number of leaked passwords.
2 - PwnedOrNot, a command line tool that lists the leaks associated with an email address and sometimes even retrieves a password.
3 - HaveIBeenPwned, which needs no introduction, a web interface to check whether an email address is present in published data leaks.
Generate a Wordlist:
CeWL: You can find the project here. This is a command line tool that efficiently crawls a website and extracts strings or keywords. It is a powerful tool to generate a wordlist specific to a given company or target.
CeWL is an application written in Ruby that spiders a given URL, up to a specified depth, and returns a wordlist that can then be used by password crackers such as John the Ripper. Optionally, CeWL can follow external links.
Bash:
# -w output file, -d crawl depth, -m minimum word length
cewl -w list.txt -d 5 -m 5 http://target.net
username_generator: Generating a wordlist of usernames can sometimes be tedious. First, it is essential to collect the names of employees during the reconnaissance stage, for example from the target's website, in order to generate lists of usernames.
Suppose we have a {first name} {last name} pair (e.g. Jean Dupont); there is a tool able to create a list of the most likely username combinations from given names and surnames. This is username_generator, a Python script.
Bash:
python3 username_generator.py -w users.lst
Crunch: This is a powerful tool to create wordlists offline. With crunch, we can specify many parameters, including the minimum length, the maximum length, the character set and further options.
Bash:
# min=2 max=2 charset=01234abcd outfile=crunch.txt (both lengths are required)
crunch 2 2 01234abcd -o crunch.txt
Crunch also allows us to specify a pattern using the -t option, combining literal characters of our choice with placeholders. Here are the placeholders that can be used to build different combinations:
@ - lowercase alphabetic characters
, - uppercase alphabetic characters
% - numeric characters
^ - special characters, including space
Bash:
# min=6 max=6 pattern=pass%% (pass00 to pass99), written to stdout
crunch 6 6 -t pass%%
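To make both crunch forms above concrete, here is an added Python re-implementation (not code from the post or from crunch itself) of the fixed-length charset form and the -t placeholder form, plus a keyspace counter, which is the check worth running before launching a long generation. The symbol set behind ^ is assumed here to be ASCII punctuation plus the space character.

```python
import itertools
import string
from typing import Iterator

# Placeholder classes of crunch's -t option, as listed above. The symbol set
# behind ^ is assumed here to be ASCII punctuation plus the space character.
CRUNCH_CLASSES = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": " " + string.punctuation,
}


def expand_charset(min_len: int, max_len: int, charset: str) -> Iterator[str]:
    """Mirror of `crunch <min> <max> <charset>`: every string of length
    min_len..max_len over charset, shortest length first."""
    for length in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "".join(combo)


def expand_pattern(pattern: str) -> Iterator[str]:
    """Mirror of `crunch <n> <n> -t <pattern>`: literal characters are kept,
    each placeholder is replaced by every member of its class."""
    slots = [CRUNCH_CLASSES.get(ch, ch) for ch in pattern]
    for combo in itertools.product(*slots):
        yield "".join(combo)


def keyspace_size(pattern: str) -> int:
    """How many candidates a -t pattern expands to, computed without
    generating them: the number to look at before starting a long job."""
    size = 1
    for ch in pattern:
        size *= len(CRUNCH_CLASSES.get(ch, ch))
    return size


if __name__ == "__main__":
    # `crunch 2 2 01234abcd`: 9 ** 2 = 81 candidates, "00" through "dd"
    print(sum(1 for _ in expand_charset(2, 2, "01234abcd")))
    # `crunch 6 6 -t pass%%`: pass00 .. pass99, 100 candidates
    print(keyspace_size("pass%%"), list(expand_pattern("pass%%"))[:3])
    # a pattern mixing every class: 26 * 26 * 10 * 33 = 223,080 candidates
    print(keyspace_size("@@%^"))
```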
CUPP: CUPP or Common User Passwords Profiler is an automatic and interactive tool written in Python to create custom word lists. For example, if you know certain details about a specific target, such as their date of birth, pet name, company name, etc., this tool could be useful for generating passwords based on this known information.
Bash:
# Interactive mode
python3 cupp.py -i
# Pre-created wordlists
python3 cupp.py -l
# Alecto database of default logins
python3 cupp.py -a
Rule-Based Attacks:
This type of attack assumes that the attacker knows something about the target's password policy.
The creation of passwords in companies generally follows certain guidelines and policies and should, in theory, yield only valid, complex passwords. Pre-existing wordlists can then be used to generate candidates that comply with such a policy. For example, by manipulating or "distorting" a password such as 'password' we get: p@ssword, Pa$$word, Passw0rd.
John The Ripper has a configuration file that contains a set of rules. It is located in /etc/john/john.conf or /opt/john/john.conf depending on your distribution or how John was installed. You can read /etc/john/john.conf and search for List.Rules to see all available rules.
To use a rule, the following command is used:
Bash:
# --stdout prints the mangled candidates instead of cracking, so the rule's effect can be inspected
john --wordlist=/tmp/single-password-list.txt --rules=best64 --stdout
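As an added illustration (not code from the post or from John the Ripper), here is a small Python rule engine that produces the kind of distorted variants shown above and, turned around, a policy check that flags a proposed password when it is only a mangled dictionary word with a short suffix; the substitution table and the suffix rule are this example's own assumptions.

```python
import itertools
import string
from typing import Iterable, Set

# Substitutions behind the examples above (p@ssword, Pa$$word, Passw0rd).
# A simplified rule set written for this post; it is not John's rule engine.
LEET = {"a": "@", "s": "$", "o": "0", "e": "3", "i": "1"}


def mangle(word: str) -> Set[str]:
    """Return every variant of one base word under three rule families:
    case changes, any combination of leet substitutions, and both combined."""
    variants = set()
    for base in (word.lower(), word.capitalize(), word.upper()):
        # positions where a leet substitution is possible
        slots = [i for i, c in enumerate(base) if c.lower() in LEET]
        for r in range(len(slots) + 1):
            for chosen in itertools.combinations(slots, r):
                chars = list(base)
                for i in chosen:
                    chars[i] = LEET[chars[i].lower()]
                variants.add("".join(chars))
    return variants


def is_derived(candidate: str, wordlist: Iterable[str], max_suffix: int = 4) -> bool:
    """Policy check: True if candidate is a mangled dictionary word, optionally
    followed by up to max_suffix trailing digits or '!' (Passw0rd2024, P@ssword!)."""
    stem = candidate.rstrip(string.digits + "!")
    if len(candidate) - len(stem) > max_suffix:
        return False
    return any(stem in mangle(word) for word in wordlist)


if __name__ == "__main__":
    # constructed mini-dictionary; a real check would load a large wordlist
    dictionary = ["password", "welcome", "summer"]
    for pw in ("Passw0rd2024", "Pa$$word", "W3lcome!", "correct horse staple"):
        verdict = "derived from dictionary" if is_derived(pw, dictionary) else "ok"
        print(pw, "->", verdict)
```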
I won't cover creating custom rules in this post, but here is an article for the curious :)
Memo/Cheat-Sheet:
You can find, on this page of my site, all the techniques mentioned above in the form of a technical cheat sheet.