In today’s blog, we are going to take a look at how to make a better wordlist. When performing password attacks, whether online or offline, wordlists are a much better approach than a traditional brute force. Even with an offline password attack using a machine designed to crack passwords efficiently, a brute force of just 8 characters takes over a day to complete. Wordlists on the other hand can be completed in a matter of minutes, oftentimes.
There are a number of different use cases for creating wordlists. Maybe you’re a penetration tester running an online password attack in an attempt to compromise a specific organizational application. Or maybe you’re an IT administrator trying to assess your organization’s password security in Active Directory to try and eliminate weak passwords. Whatever the case may be, creating custom password lists is a useful skill to help gauge risk from the perspective of a real attacker.
A Better Wordlist has to be Customized
A quick Google search will tell you that there are thousands of pre-built wordlists. These cover everything from the most common passwords, to sports teams, to words in different languages, etc. Here is a collection to get you started. These are great and most of them are probably more suited to be used in offline password attacks. However, to build a better wordlist we need to customize it to the organization we are trying to attack. It all comes down to efficiency. If we are limited to an online password attack, even a password list with the top 10,000 passwords can take hours or longer to complete, which we may not have.
Tools for a Better Wordlist
Here are some tools that are out there that can help you come up with a customized wordlist:
CeWL is a ruby program that can crawl a website and generate a wordlist of all words on the site that meet your length requirements. If you are testing an organization, or your own organization, CeWL can be used to ensure you capture all of the words that are specific to your organization. This tool will grab all sorts of information that employees may build their passwords off of, such as company name, names of products, addresses of offices, mission statements/sayings, etc. Once you run CeWL on a website, make sure you go back through and curate your list, removing words you don’t want to make your list as short and efficient as possible.
Combinator and Combinator3 can be used to combine words in a wordlist. For example, if you had the words cat, dog, and duck in a wordlist, this tool will create combinations like catdog, dogcat, and duckdog. Many employees combine simple words to make their password stronger, but as you will see, these tools make it easy for an attacker to overcome that obstacle. Combinator3 builds on the success of combinator, by allowing you to combine up to 3 files of individual words.
Crunch is a tool that can combine wordlists with mask attacks. For example, you can make Crunch start with the 4 character word ACME and then add 3 digits to the end, or three digits and a symbol to the end, or do the same to the beginning. Crunch is also a good tool if you have uncovered some passwords that all follow the same pattern. For example, if you know that the pattern used is uppercase, lowercase, lowercase, lowercase, digit, digit, symbol, Crunch can be used to brute force based on those specifications. This tool takes a little getting used to, but spend some time in the man pages and you’ll see that it is very powerful.
One of the best things to do when creating a wordlist is to run it through a set of transformation rules to get variants. This will do things like change the a’s to @ symbols, change S to either 5 of $, add three digits to the end, make it all caps, or reverse the capitalization. One of the best rules available is the d3ad0ne ruleset. John is an open source tool that is readily available and can take care of this for us. Here is a decent tutorial on how to do that.
Sometimes it is necessary to create a custom script to further manipulate your wordlist beyond the standard rules John provides. For example, I was recently on an engagement and knew the password was based off the word “Password” but had some symbols or letters involved. In this situation, I knew the first character would be either P or p, the second would be either A, a, @, or 4, etc. Using this information, I created a custom script that nested loops and created every possible combination of the characters specified for each position. All this to say, don’t be afraid to generate a custom script if you need to in a specific situation.
Hopefully this was a helpful guide on building a better wordlist. Using these tools, you can get away from the generic provided lists and hopefully generate smaller wordlists that don’t take as long, but have a much higher chance of success. As a next step, check out our blog on how a hacker guesses passwords to help you go beyond wordlists. As always, reach out with comments or thoughts on how you are using these.