Posted on

Cewl wordlist generator: Complete guide

Hello, aspiring ethical hackers. This blogpost is a complete guide to Cewl wordlist generator. Cewl stands for Custom Word List generation. It is written in ruby language. Unlike crunch that takes input from us to generate a wordlist, this tool spiders a given website to the depth specified by us and then creates a dictionary or wordlist from it. This wordlist can then be used for password cracking with tools the Brutus, Hydra, Medusa and John The Ripper. It was designed by Robin Wood based on a discussion on PaulDotCom about creating wordlists by spidering a target website.

Cewl can be downloaded from here. Kali Linux has cewl installed by default and for this tutorial we are using the same. Metasploitable 2will be used as target since it has lot of applications installed that can be used for testing it.

To use cewl, all we have to do is simply supply the URL you want to spider for as shown below.

Then it will create the wordlist for you as shown below.

Keeping the downloaded file (-k)

Specifying the ‘-k’ option the downloaded file can be saved.

Depth of spidering (-d)

When you specify a target to Cewl, it spiders to the dept of 2 by default. You can change it using this option. For example, let’s set the depth to 1.

Or 3 may be.

Minimum word length (-m)

This option can be used to set the minimum length of the passwords cewl creates. For example, nowadays, most services set the minimum length of the password to at least 5. So there’s no use creating passwords with length less than the minimum length your target has set, If you have noticed the above results, the default minimum length for cewl is 3. Let’s set it to 5 for example.

As you can see in the above image, there are no longer passwords of length less than 5.

Spidering other sites (-o)

Setting this option allows cewl to spider another external sites during spidering of the target.

Don’t scan specified paths (–exclude)

If the target website is too large, you may want to skip some paths or maybe you just want to skip some paths as they may not have any passwords. You can use this option what cewl to exclude the paths you don’t want to scan. Then paths should be supplied in a file.

–allowed

This option is used to specify regex patterns of the path to be followed. If the pattern doesn’t match, it drops the scan.

No wordlist please (-n)

If you don’t want the wordlist to be printed, you can use the “-n” option.

Saving the output (-w)

Till now, you have seen that Cewl has been printing the wordlists it creates to the terminal. The output can be copied and pasted in another file to be saved from using as a wordlist. But why take all this effort when we can just save the output to file, using the ‘-w’ option.

Use User agent (-u))

A user agent is a characteristic string that allows web server to identify the browser and operating system and we are using. You can see your user agent here. Using the (-u) option, cewl allows you to be get a specific user agent while spidering the website.

Groups of words (-g)

Setting this option allow cewl to return group of words along with single words.

Turn all generated passwords to lowercase (–lowercase)

Setting this option allows us to 16 turn all the passwords cewl generates into lower case.

Here is the result.

Include words with numbers too (–with-numbers)

While spidering, if cewl finds any words with numbers in them, it just ignores them. But many passwords contain numbers too. By setting this option, cewl collects numbers as well.

–convert-umlauts

Setting this option to while using cewl converts common ISO-8859-1 umlauts.

Include meta data too (-a)

When we set this option, Cewl includes metadata found while spidering the website apart from the words.

This metadata found is included at the end of the output files as shown below.

Save metadata found to a different file (–meta-file)

You can even save all the metadata found on the target site to a different file as shown below using the “–meta-file” option.

In the above image, you can see that cewl, while processing metadata creates a temporary file. This file known as cewl-temp.pdf is created in the /tmp directory by default. We can change the location of this file by using the “—meta-temp-dir” option as shown below.

Gather emails too (-e)

Not just metadata, you can even process emails using cewl with the ‘-e’ option.

Save collected emails in another file (–email-file)

These collected emails can also be saved in another file using the “–email-file” option.

Show the count for each word (-c)

Setting this option shows the count for each word.

Verbose mode (-v)

Just like every other tool, this tool to has verbose mode that gives detailed information.

Debug mode (–debug)

Similarly, the “–debug” option gives detailed debugging information too.

Authentication

Some sites need authentication to spider it. Cewl allows authentication of websites too.

It supports both basic authentication and digest authentication. The “auth_type” option is used to set the type of authentication. The “–auth _user” and “–auth_pass” option can be used to set username and passwords respectively.

Here’s the output.

Spidering through proxy

Spidering, no matter what the purpose is very noisy. Cewl has an option to spider through a proxy using the “–proxy_host” option.

You can even specify the port of the proxy using the “–proxy-port” option.

Cewl even has feature of authenticating to the proxy server using the “–proxy_username” and “–proxy_password” options.

Posted on

Hydra password cracker: Complete guide

Hello, aspiring ethical hackers. This blogpost is a complete guide to Hydra password cracker. Hydra password cracker runs on Linux, Windows, Solaris, FreeBSD/openBSD, QNX and macOS. Using Hydra, we can crack passwords of various protocols like Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MEMCACHED, MONGODB, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, Radmin, RDP, Rexec, Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

Hydra can be downloaded from here. This guide uses Hydra installed on default in Kali Linux and Metasploitable2 as target.

Single username (-l) and Password (-P)

If you want to check a single username and password with Hydra, the syntax is given below. Here we are testing the credentials on target system’s FTP server. This is normally useful when we have a general idea about at least one credential pair.

Hydra will test this credential and come with a result. Here it is found this credential accurate.

What if you can’t guess a password or have no knowledge about at least one credential pair. Then we need to test a large list of credentials using brute forcing by using a wordlist.

Specifying wordlist for usernames (-L) and passwords (-P)

You can specify wordlist containing usernames using the (-L) option and specify the wordlist containing passwords using the (-P) option as shown below.

Here, I am suing the same wordlist for both username and passwords. “Metsaploitable.txt”. These wordlists are normally created or obtained during the enumeration stage. For example, we obtained this during SMB enumeration of the target. Hydra found three credentials valid from this wordlist.

Restore a cancelled session (-R)

Sometimes we may need to test a large wordlist, with thousands of credentials in it. This may obviously take a lot of time and we may have to hit “CTRL+C” sometimes to cancel the session or maybe a power cut ended our scan abruptly.

Do we have to start from the beginning again? Don’t worry. You can restore the session from where you stopped in Hydra as shown below.

RIgnore the previous session (-I)

What if we don’t want to restart that session and to start a session afresh. We can just use the ignore (-I) command which asks it to ignore the previous session.

Scanning unconventional ports (-s)

You know every service has a default port on which it runs. For example, FTP (21), Telnet (23), and HTTP (80) etc. Sometimes administrators configure this service to run on unconventional ports to make them less conspicuous. Using Hydra we can even run password attack on these ports using the (-s) option. For example, imagine FTP is running on the port 2121 and not 21.

Target has SSL enabled (-S)

Using Hydra, we can connect using SSL with this option.

If the service has an old version of SSL, we can use the “-O” option.

Additional checks (-e)

Using this option, you can check accounts for null passwords (n), using username as password (-s) and using password as username and vice versa (-r).

Combo (-C)

Sometimes, instead of an usual wordlist, we have wordlists that have credentials in “login:pass” format as shown below.

If we want to use this type of wordlist, you can use this option.

-U

When you are using a wordlist with Hydra, by default it checks all passwords for the first username and then tries the next username. Using this option, we can loop around the passwords. The first password is checked for all the usernames and then it moves to next password and does the same.

Stop after getting the first successful pair of credentials (-f)

This option (-f) makes Hydra stop password cracking as soon as one successful pair of credentials are found.

Target multiple servers (-M)

Hydra allows us to perform password cracking on multiple servers at once. We need to provide a file containing IP addresses of the targets.

Stop after getting once successful pair on multiple servers (-F)

Setting the ‘-F’ option, Hydra stops after getting the first successful pair of credentials on multiple servers.

Saving the output (-o)

Till now, we have seen Hydra showing output on stdout. However, with the “-o” option, we can save the output of the tool to a file.

Format of the output file (-b)

Hydra allows you to save output in three formats, although the default format is text. It also allows you to save output in Json and Json v2 format.

Number of tasks (-t)

Tasks are number of persistent connections Hydra makes while testing. By default, it makes 16 tasks, but this can be changed using this option. For example, let’s set it to 19.

Module specific options (-m)

This option allows us to set module specific options. For example, FTP module in Hydra doesn’t have any module specific options. But other modules like HTTP have it. All the options for a specific module can be seen using the -U option. For example, lets change the option for http-get.

Waiting time (-w)

Hydra waits for 32 seconds for receiving responses for it queries. This option can be used to change this time. For example, let’s set it to 10 seconds.

Waiting time for login attempts (-c)

This option can be used set the waiting time for login attempts Hydra performs. It is useful only when a low task time is used.

Verbose mode (-v) (-V)

Hydra has two verbose mode. The lowercase verbose mode is the default verbose mode in any other tool.

If you want to see each login attempt Hydra makes, you need to use the (-V) option.

That’s all about Hydra password cracker.

Posted on

Crunch wordlist generator: Complete guide

Hello, aspiring ethical hackers. In this blogpost, you will learn about a tool named Crunch which is a wordlist generator. A wordlist or a dictionary is a file containing credentials that is useful while using any password cracking tool like Brutus, Hydra, Medusa or John The Ripper usually when you are using Dictionary attack.

A good wordlist goes a long way in the success of a password cracking attack and Crunch is one of the best wordlist generator tools there. Let’s see how to use Crunch to generate wordlist we want. Crunch is installed by default in Kali Linux and it can be started using command “crunch”. The syntax of crunch is given below.

crunch <min> <max> <options>

where “min” stands for minimum length of the password you want and “max” stands for the maximum length of the password string you want. To generate a wordlist containing random passwords with minimum and a maximum length 1 and 2 respectively, this is the command we have to use.

If you want a wordlist with characters you specify, you can also specify them as shown below.

Crunch already has a collection of character sets stored in “charset.lst” file located in /use/share/crunch/ directory. Here is the list of character sets it has.

For example, if you want to create the wordlist with only uppercase alphabets, you can use the command shown below.

What’s a wordlist without a saved file? (o)

Really, what is a wordlist without a saved file. To save the output, use the “-o” option as shown below.

Be careful with the size of the wordlist (b and c)

Sometimes while making a huge wordlist, the size of the wordlist may become too large in size, usually adding up to Giga bytes (GB). This can put a lot of pressure on memory and resource of the computer or may be even difficult to open. Don’t worry though. Crunch has a feature to overcome this problem using the “b” option. The “b” option can be used to set the size you want for the wordlist.

Once the size of the file reaches this limit, it saves the output to a new file with the same size. Let me show you practically. For example, here we create a wordlist and is size in 2620200 bytes as shown below.

Now, let’s create the wordlist size of just IMB as shown. While using the ‘-b’ option, ‘-o’ option and “START” are compulsory.

When we do this, instead of creating a single wordlist, crunch will create three wordlists as shown below.

Add up the size of the first three files and that should add up to the size of the “wordlist.txt” dictionary. Also note that while we use the “-b” option, the name of the wordlist is the first and last string in the wordlist.

Crunch can also create a wordlist with a specified number of lines. For example, the wordlist we created here has 3,75,922 lines.

Now, if you want your wordlist to have just 100 lines, you can use the ‘-c’ option to achieve this as shown below.

Let’s check the number of lines in each wordlist.

Remove duplication (d)

Using the ‘-d’ option, we can remove the duplicate characters from the values in the wordlist.

In the above wordlist, you can see duplicate characters like aa, bbb, ccc etc. Let’s say you want to limit the duplicate characters to two alphabets. This can be done by setting ‘2@’ value to -d option.

You can see that “bbb” and “ccc” are gone from the wordlist. The format to give value to the “-d” option is the number and the symbol. In ‘2@’, 2 is the maximum number of consecutive characters to be allowed and @ in the symbol of the characters we want to limit. The symbol for different character sets for crunch are given below.

Exit after a specific study is created (e)

You just don’t have to wait for the entire wordlist to be created with crunch. You can exit wordlist generation after a specific string is generated. Let’s see an example.

Now, you want to exit crunch after creation of string ‘ab’ in the above wordlist, you can do so as shown below.

Invert the strings (i)

Using this option (-i), we can insert the strings generated in Crunch. In the above wordlist, instead of aa, ab, ac, ba, it will be aa, ba, ca, ab.

Start with a specific string (s)

While creating a wordlist, you may have a feeling to try a specific string as password but not sure. But you want to try it first in your wordlist. You can set a starting string to the wordlist you are creating using the ‘-s’ option.

Don’t you want repeating characters (p)

Crunch can generate words that don’t have repeating characters using the ‘-p” option. Setting this option will generate factorial of characters in charset. For example, if there are 3 character in charset, setting this option will generate 3x2x1=6 words. While by default, crunch generates a wordlist the size of “characters in charset” to the power of maximum length specifically.

This option cannot be used along with ‘-s’ option and must be the last option to be specified. Also, this option ignores the maximum and minimum length specified but still needs two numbers to the specified.

You want to specify a pattern (t)

This option helps you to specify a pattern. The character set can be specified using symbol as shown below.

What if you want symbols to be treated literally (l)

Setting a specific pattern is very helpful while creating wordlists but what if we have to include @, % ^ character in the string. Don’t worry. Crunch has that option too. Using -l option asks crunch to treat the specified characters as literals instead of symbols pointed to other characters.

Save the wordlist as archive: (z)

Sometimes, need arises to save the generated wordlist as a compressed archive. With the “-z” option you can save generated wordlist as gzip, bzip, lzma and 7zip archives.

Resume whenever you want (r)

You may face some unexpected interruption while generating wordlists with crunch. This may be power cut or unexpected shutdown or some other problem which forces crunch to abort generating wordlists. Don’t you worry. Crunch has the resume (-r) option to restart from where it stopped or got aborted.

Disabling print percentage thread (u)

Its very nice to see crunch displaying the print percentage thread at the bottom while generating wordlist. But it you don’t like it, you can just disable this print percentage thread with the -u option.

That’s all about Crunch wordlist generator. Leave comments below.

Posted on

Brutus Password Cracker: Complete guide

Hello aspiring Ethical Hackers. In our previous blogpost, you learnt what is password cracking and various techniques of cracking passwords. In this blogpost, you will learn about Brutus password cracker, one of the popular tools that is used for cracking passwords.

Brutus is a password cracking tool that was actually designed to test for default credentials for routers . It was made public way back in October 1998 but it is still popular in present time. It is a portable password cracking tool and there is no need of installing it. It can be downloaded from here. It works only on Windows and supports cracking passwords of various protocols. They are,

  • HTTP (Basic authentication)
  • HTTP (HTML form/CGI)
  • POP3
  • FTP
  • SMB
  • Telnet

After downloading, we just need to extract the contents of the archive.

To run Brutus, click on the BrutusA2 application file.

It has three modes of operation. They are, wordlist, brute force and combo list where credentials are given as username/password pairs.

Brutus password cracker

For the purpose of demonstration, let’s try to crack FTP password of Metasploitable 2. I will be using the wordlist mode of attack for this. This wordlist was created while performing SMB enumeration of the target. Wordlists can also be generated using tools like Crunch, Cewl etc. After specifying the wordlist, I just need to click on “Start” to begin cracking passwords.

As the tool continues to crack credentials, any positive authentication results will be displayed as soon as they are found. In our current example, Brutus successfully extracted three credentials. They are,

  • user:user
  • postgres:postgres
  • msfadmin:masfadmin

Let’s use them to login into our target.

Successful. Similarly Brutus password cracker can be used to brute force credentials too.

Posted on

Password cracking for beginners

Hello aspiring Ethical hackers. In this article, you will learn what is password cracking and various types of password cracking. In Ethical hacking, password cracking is recovering passwords from data that has been stored in or transmitted by a computer system. Hackers use password cracking to grab credentials which can be helpful in further exploiting of the system. There are various password cracking techniques. They are,

1. Shoulder Surfing
2. Password Guessing
3. Dictionary Attack
4. Brute Force Attack
5. Rainbow Table Attack
6. Phishing
7. Sniffing
8. Malware

Let’s learn in detail of each attack.

1. Shoulder Surfing

Shoulder Surfing is one of the easiest password cracking techniques that doesn’t require use of any technology. In shoulder surfing, the hacker stands behind (or sits behind, position is not really important) the victim when he is entering his credentials and captures the credentials by simple observation. As you can see, this is the easiest way to capture credentials of the target.

2. Password Guessing

Another password cracking technique that doesn’t require any technology. In this technique, hacker tries to guess the password of the victim using his own mind. You may be surprised but this technique yielded me results at least 20% of the total attempts made.

3. Dictionary Attack

In a dictionary attack, a hacker uses a dictionary to crack passwords. A dictionary or wordlist has a huge list of words (possible passwords), each one of which is tried as a password. In Kali Linux, the dictionary or wordlists are present in /usr/share/dirb/wordlists directory.

4. Brute Force Attack

In a brute force attack, hackers use every possible criteria or password to crack the credentials. A brute force attack may be slow but it will eventually crack the password. A brute force attack works by calculating the hash function of every password string it has and compares it with one on the target system or victim.

5. Rainbow Table Attack

To understand Rainbow Table Attack, you need to first understand what is a Rainbow Table. A Rainbow Table is a database that contains huge list of plaintext passwords and their precompiled hashes. Unlike a Brute Force attack, Rainbow table attack bypasses calculation of a hash for every password string as it already has a pre compiled list of hashes.

6. Phishing

Phishing is one of the easiest methods to crack passwords. You have already learnt about phishing in our previous blogposts.

7. Sniffing

Sniffing or Man In The Middle (MITM) attack can also be used to crack passwords while they are on transit in a network. Learn more about sniffing here.

8. Malware

Malware is another way hackers capture credentials of their victims. Once hackers gain initial access to a system, they install malware which allows hackers to not only perform further malicious actions but also capture user credentials from the target system.