Wordlists For Penetration Testing


A wordlist is a file (usually a text file, but not necessarily) that contains a set of values an attacker needs to supply when testing a mechanism. Whenever an attacker is faced with an authentication mechanism, they can try to work around it, but if that is not possible they have to try well-known credentials against the authentication mechanism and guess. This list of well-known credentials is a wordlist. Instead of entering the values manually one by one, the attacker uses a tool or script to automate the process. Similarly, in the case of cracking hash values, the tool takes the wordlist entries, hashes each of them with the same algorithm, and then uses a string comparison to match the hashes. If a match is found, the hash is deemed cracked.
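As an added illustration of the hash-matching step just described (example code, not from the article): every wordlist entry is hashed with the algorithm the stored hash was made with and the digests are compared; the same table, read the other way, is a password blocklist check. The wordlist entries and the SHA-1 blocklist are constructed for the demo, and the length-based algorithm guess is a simplifying assumption.

```python
import hashlib
from typing import Iterable, Optional, Set

# Constructed stand-in for a handful of rockyou-style entries; a real run
# would read the decompressed /usr/share/wordlists/rockyou.txt line by line.
WORDLIST = ["123456", "password", "iloveyou", "princess", "rockyou"]

# Assumption for the demo: pick the algorithm from the hex digest length.
HASH_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}


def hash_entry(word: str, algorithm: str) -> str:
    """Hash one entry the same way the stored hash was produced.

    Matching is only this cheap because the hash is fast and unsalted;
    a salted, slow hash (bcrypt, scrypt, Argon2) defeats a single pass.
    """
    return hashlib.new(algorithm, word.encode("utf-8")).hexdigest()


def guess_algorithm(stored_hash: str) -> str:
    """Infer the hash algorithm from the digest length (md5/sha1/sha256)."""
    algorithm = HASH_BY_LENGTH.get(len(stored_hash))
    if algorithm is None:
        raise ValueError(f"unrecognised digest length {len(stored_hash)}")
    return algorithm


def match_hash(stored_hash: str, words: Iterable[str]) -> Optional[str]:
    """Return the wordlist entry whose hash equals stored_hash, or None.

    This is the hash-then-string-compare loop the article describes.
    """
    target = stored_hash.strip().lower()
    algorithm = guess_algorithm(target)
    for word in words:
        if hash_entry(word, algorithm) == target:
            return word
    return None


# Defender side: breached-password lists are often shipped as SHA-1 digests,
# so a login form can refuse any password that such a list would recover.
BLOCKLIST_SHA1: Set[str] = {hash_entry(w, "sha1") for w in WORDLIST}


def password_allowed(candidate: str, blocklist: Set[str] = BLOCKLIST_SHA1) -> bool:
    """True if the candidate's SHA-1 digest is absent from the blocklist."""
    return hash_entry(candidate, "sha1") not in blocklist
```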

Cracking passwords is really an art form that is required on just about every type of penetration test. Wordlists are one type of tool that penetration testers and other cybersecurity professionals need to make their jobs easier and more efficient. Anyone who needs to discover or recover passwords should learn to use wordlists with their password cracking software.


Wordlists in Kali Linux

Since Kali Linux was specially crafted for penetration testing, it ships with many kinds of wordlists, because the various tools in Kali Linux perform brute-force attacks on logins, directories, etc. In this section, we will go through some of the wordlists from the huge arsenal that Kali Linux contains.


Wordlists are located inside the following directory


/usr/share/wordlists


Here, we have the dirb directory for the wordlists used by the dirb tool to perform directory brute-forcing. Then we have dirbuster, a similar tool that also performs directory brute-forcing but with some additional options. Then we have a fern-wifi directory, which helps break Wi-Fi authentication. Then we have Metasploit, which uses wordlists for almost everything. Then there is an nmap wordlist that can be used while scanning some specific services. Then we have the rockstar of wordlists: rockyou. This is compressed by default and you will have to extract it before using it. It is very large, with 14,442,062 values that could be passwords for a lot of user accounts on the internet. At last, we have the wfuzz directory, which has the wordlists that can be used together with wfuzz.


Dirb Wordlists

To view the wordlists inside the dirb directory, navigate to the following directory


/usr/share/wordlists/dirb


Type the following command to list all the wordlists contained

tree


Rockyou wordlist

Rockyou.txt is a set of compromised passwords from the social-media application developer RockYou, which developed widgets for the Myspace application. In December 2009, the company experienced a data breach resulting in the exposure of more than 32 million user accounts. It was mainly because of the company’s policy of storing the passwords in cleartext.


Simply navigate to the following directory.


/usr/share/wordlists


When Kali Linux is first booted, rockyou.txt is compressed as a gz file. To unzip it, run the following command. It will decompress the file and leave it ready for use in any kind of attack you want.


gzip -d /usr/share/wordlists/rockyou.txt.gz
ls -la


Wfuzz Wordlists

The Wfuzz tool was developed to perform brute-forcing attacks on web applications. It can also be used to enumerate web applications: directories, files, scripts, etc. It can change the request from GET to POST as well, which is helpful in a bunch of scenarios such as checking for SQL injections. It comes with a set of predefined wordlists. These wordlists are designed to be used with wfuzz, but they can be used anywhere you desire. The wordlists are divided into categories such as general, Injections, stress, vulns, web services, and others.


To view the wordlists, navigate to the following directory and type the tree command


/usr/share/wordlists/wfuzz
tree


Looking into the Injections directory, we see that we have All_attack.txt, a pretty generic wordlist for testing injections. Then we have specific ones for SQL, directory traversal, XML and XSS injections. Moving on to the general directory, we see big.txt, which we discussed in the Dirb section. We have common.txt, which is also the default wordlist in many tools due to its small size. Then we have extensions_common.txt, which contains around 25 extensions that might be enumerated against files that can be considered low-hanging fruit. Then we have the http_methods.txt wordlist. It contains HTTP methods such as POST, GET, PUT, etc. They can be used to test whether the target application has any misconfigured methods enabled, or whether they were forgotten and left enabled at the application and server level. mutations_common.txt also contains a bunch of uncommon extensions that could lead to the enumeration of rare artifacts.


Then we have the spanish.txt wordlist for Spanish words/names/passwords. The others directory contains common passwords and names that can be used to extract usernames or passwords at a forgotten-password form whose responses reveal whether a user exists or not. Let’s move on to the stress directory. It contains wordlists designed to stress-test a mechanism: wordlists of alphabet letters, numbers or special characters, and the hex codes for the same. Then we have the vulns directory, which contains wordlists specially made for testing a particular vulnerability. We have the apache wordlist, CGI wordlist, directory wordlist, iis wordlist, oracle9 wordlist, SharePoint wordlist, tomcat wordlist, and many more. Use these wordlists in a specific scenario where the framework and version information is confirmed, to target a particular entry point.


Online Wordlists

We learned about the huge collection that Kali Linux contains. But sometimes these lists are not as up to date as we require. This can happen when a new 0-day has been discovered: there will be no entry for it in those dictionaries. This is where we can go searching on the internet, but it is vast and takes more time.


Github Wordlists

This is where we can look on GitHub, as many people create such dictionaries. So, searching GitHub might give you those new and fresh dictionaries, or it can help you find the specific dictionary that you require to fuzz a specific framework.


A list of GitHub wordlists can be found at the following URL


https://github.com/search?q=wordlists&ref=simplesearch


Seclists

SecLists is a collection of multiple types of wordlists that can be used during penetration testing or vulnerability assessment, all collected in one place. These wordlists can contain usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, etc.


It is available on GitHub at the following URL


https://github.com/danielmiessler/SecLists


To install on Kali Linux, we will use the apt command as given below


apt install seclists


The installation will create a directory by the name of seclists inside the following location.


/usr/share


Going through we can see the different categories of wordlists such as Discovery, Fuzzing, IOCs, Misc, Passwords, Pattern Matching, Payloads, Usernames, and Web-Shells.


cd /usr/share/seclists
cd Passwords
tree


Assetnote Wordlist

Assetnote Wordlists releases specially curated wordlists for a wide range of areas such as subdomain discovery or the discovery of special artifacts. The best part is that they get updated on the 28th of each month, as per their website. This is the next best thing released since SecLists.


It is available at the following URL


https://wordlists.assetnote.io/


To download all wordlists at once, you can use the following wget command


wget -r --no-parent -R "index.html*" https://wordlists-cdn.assetnote.io/ -nH


Packetstorm Wordlists

Packet Storm Security is an information security website that offers current and historical computer security tools, exploits, and security advisories. It is operated by a group of security enthusiasts who publish new security information and offer tools for educational and testing purposes. But much to our surprise, it also publishes wordlists. Any user who has crafted a specialized wordlist can submit it on their website. So, if you are looking for a unique wordlist, be sure to check it out.


It is available at the following URL:


https://packetstormsecurity.com/crackers/wordlists


Cleaning Wordlists

Till now we have seen multiple wordlists that contain thousands and thousands of entries. During penetration testing on your own vulnerable server or in a CTF this is fine, as those are designed to handle this kind of brute force, but in a real-life scenario things get a little complicated. In real life, no development team or owner is going to permit you to run a brute-force with thousands upon thousands of wordlist entries, since this can hamper the quality of service for other customers. So, we should reduce the number of wordlist entries. This might sound counterproductive, but it is not. The wordlists might contain payloads that exceed 100 characters or that are too specific to extract anything directly. Then there are payloads so similar to each other that swapping one for the other leaves the result unchanged. Jon Barber created a script that removes noisy characters such as ! ( , % and otherwise tidies the wordlist so that it is more effective.


The script is available on GitHub at the following URL.


https://github.com/BonJarber/SecUtils/tree/master/clean_wordlist


Usage:

Specify your wordlist and the script will output you a new version with the suffix "_cleaned"


./clean_wordlist.sh <wordlist>


To view the changes you can do:


diff original.txt_cleaned <(sort original.txt) | more
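The cleaning described in this section, as an added Python example (not BonJarber's clean_wordlist.sh): trim whitespace, drop over-long entries, strip the noisy characters, and collapse entries that become identical once normalised. The sample lines and the 100-character cut-off are taken from the text's description; the noise set is an assumption matching the characters it lists.

```python
import sys
from typing import Iterable, List

NOISE_CHARS = "!(),%"   # the characters the article calls noisy
MAX_LEN = 100           # the article's cut-off for over-long payloads


def normalise(entry: str, noise: str = NOISE_CHARS) -> str:
    """Trim whitespace and strip the noisy characters from one entry.

    Note: stripping '%' would wreck URL-encoded payloads, so apply this
    to credential lists (usernames/passwords), not to injection lists.
    """
    return entry.strip().translate(str.maketrans("", "", noise))


def clean_wordlist(lines: Iterable[str], max_len: int = MAX_LEN,
                   noise: str = NOISE_CHARS) -> List[str]:
    """Return the tidied entries in first-seen order.

    Entries that are blank after cleaning or longer than max_len are
    dropped; entries that collapse to the same value once normalised
    (the article's 'too similar' case) are kept only once.
    """
    seen = set()
    cleaned = []
    for raw in lines:
        entry = normalise(raw, noise)
        if not entry or len(entry) > max_len or entry in seen:
            continue
        seen.add(entry)
        cleaned.append(entry)
    return cleaned


def clean_file(src: str) -> str:
    """Write <src>_cleaned, mirroring the suffix the article's script uses."""
    dst = src + "_cleaned"
    with open(src, encoding="utf-8", errors="replace") as fh:
        cleaned = clean_wordlist(fh)
    with open(dst, "w", encoding="utf-8") as out:
        out.write("\n".join(cleaned) + "\n")
    return dst


# Constructed sample: two near-duplicates, a blank, and one over-long payload.
SAMPLE_LINES = ["admin\n", "admin!\n", "  (admin)\n", "\n", "A" * 101 + "\n", "login%,\n"]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("wrote", clean_file(sys.argv[1]))
    else:
        print("\n".join(clean_wordlist(SAMPLE_LINES)))
```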


Crafting Wordlists

In this section, we will discuss some utilities that aid a penetration tester in crafting their own wordlists.


Cewl

CeWL is a Ruby application that spiders a given URL to a specified depth, optionally following external links, and returns a list of words that can then be used with password crackers such as John the Ripper. CeWL also has an associated command-line app, FAB (Files Already Bagged), which uses the same metadata extraction techniques to create author/creator lists from already downloaded files. It is available on GitHub at the following URL:


https://github.com/digininja/CeWL


Here we are running CeWL against the target URL and saving the output into a wordlist by the name of list.txt


cewl <target_URL> -w list.txt
head list.txt


Crunch

Crunch is a wordlist generator where you can specify a standard character set. It comes by default in Kali. Crunch can generate all possible combinations and permutations. Here, we use crunch to craft a wordlist with a minimum of 3 and a maximum of 10 characters and write the output to a wordlist by the name of list.txt.


crunch 3 10 <criteria_string> -o list.txt
head list.txt


Common User Passwords Profiler (CUPP)

A weak password might be very short or use only alphanumeric characters, making it simple to crack. A weak password can also be easily guessed by someone profiling the user: a birthday, nickname, address, name of a pet or relative, or a common word such as God, love, money, or password. This is where CUPP comes into use, as it can be used in situations like legal penetration tests or forensic crime investigations. It is available on GitHub at the following URL:


https://github.com/Mebus/cupp


To use the tool, enter the following command:


cupp -i


Enter the details of the target user that will be required and upon submission, you have a wordlist that is generated especially for the user.


Pydictor

Pydictor is one of those tools that both novices and pros can appreciate. It is a dictionary-building tool that is great to have in your arsenal when dealing with password strength tests. The tool offers a plethora of features that can be used to create that perfect dictionary for pretty much any kind of testing situation. It is available on GitHub at the following URL:


https://github.com/LandGrey/pydictor


Here, we define the base as digits and the length as 5, and then create a wordlist. The wordlist contains numeric values of up to 5 digits.


python pydictor.py --len 5 5 -base d -o list.txt


Bopscrk

Bopscrk (Before Outset PaSsword CRacKing) is a tool to generate smart and powerful wordlists for targeted attacks. It takes personal information related to the target, combines every word, and transforms the results into possible passwords. It also contains a lyricpass module, which allows it to search for lyrics related to the target’s favourite artist and include them in the wordlist. It is available on GitHub at the following URL:


https://github.com/R3nt0n/bopscrk


BEWGor

BEWGor is designed to help ensure password security. It is a Python script that prompts the user for biographical data about a person, referred to as the Subject. This data is then used to create likely passwords for that Subject. BEWGor is heavily based on CUPP, but they differ in some ways: it presents vastly increased information detail on the main Subject, it supports an arbitrary number of family members and pets, and users can use permutations to generate possible passwords. Also, BEWGor can generate huge numbers of passwords, create upper/lower/reverse variations of input values, save raw input values to a Terms file before variations are generated, set upper and lower limits on output line length, and check that an input birthday is valid. Birthdays must not be in the future, a false leap day, June 32nd, etc. It is available on GitHub at the following URL:


https://github.com/berzerk0/BEWGor


DyMerge

DyMerge is a simple yet powerful tool, written purely in Python, that takes given wordlists and merges them into one dynamic dictionary that can then be used as ammunition for a dictionary-based (or brute-force) attack. It is available on GitHub at the URL given below:


https://github.com/k4m4/dymerge


An example usage is given below:


./dymerge.py ~/a.txt ~/b.txt -o output.txt


Running DyMerge, we provide output.txt as the wordlist to be created by merging a.txt and b.txt.


Mentalist

Mentalist is a GUI tool for crafting custom wordlists. It uses common human paradigms for creating password-based wordlists. It can craft the full wordlist of passwords, but it can also create rules compatible with Hashcat and John the Ripper. It generates words by joining nodes, which together take the shape of a chain. The initial node in the chain is called the Base Words node. Each base word is then passed to the next node in the chain as it is processed. That’s how the words get modified throughout the wordlist. After working through the chain, it finally writes the result into the specified file or converts it into rules, as the user requests.


For offline cracking, there are times where the full wordlist is too large to output as a whole. In this case, it makes sense to output to rules so that Hashcat or John can programmatically generate the full wordlist. Download the release from GitHub.


https://github.com/sc0tfree/mentalist/releases/tag/v1.0
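The node-chain model described above, as an added Python illustration (not Mentalist's own code): each node is a function that takes one word and yields derived words, and the chain feeds every output of one node into the next, starting from the Base Words node. The base words, the two node types and the fan-out calculation are constructed for the demo.

```python
from typing import Callable, Iterable, Iterator, List

# A node takes one word and yields zero or more words derived from it.
Node = Callable[[str], Iterator[str]]


def case_node(word: str) -> Iterator[str]:
    """Emit the word unchanged plus its capitalised and upper-case forms."""
    yield word
    yield word.capitalize()
    yield word.upper()


def append_node(suffixes: Iterable[str]) -> Node:
    """Build a node that emits the word alone and with each suffix appended."""
    suffixes = list(suffixes)

    def node(word: str) -> Iterator[str]:
        yield word
        for suffix in suffixes:
            yield word + suffix
    return node


def _apply(node: Node, stream: Iterable[str]) -> Iterator[str]:
    """Feed every word from the previous node through this node."""
    for word in stream:
        yield from node(word)


def run_chain(base_words: Iterable[str], nodes: Iterable[Node]) -> List[str]:
    """Run the Base Words node's output through each node in turn,
    dropping duplicates while keeping first-seen order."""
    stream: Iterable[str] = iter(base_words)
    for node in nodes:
        stream = _apply(node, stream)   # helper avoids late-binding of `node`
    seen, out = set(), []
    for word in stream:
        if word not in seen:
            seen.add(word)
            out.append(word)
    return out


def chain_upper_bound(base_count: int, fanouts: Iterable[int]) -> int:
    """Maximum list size before de-duplication: base words times each node's
    fan-out. This growth is why the article suggests emitting rules instead."""
    total = base_count
    for fanout in fanouts:
        total *= fanout
    return total


BASE_WORDS = ["rockyou", "kali"]            # constructed Base Words node input
CHAIN = [case_node, append_node(["1", "!"])]  # 3-way, then 3-way fan-out
```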


Conclusion

The point that we are trying to convey through this article is that a wordlist is one of the most important assets a penetration tester can have. There are multiple resources from which to get a wordlist and multiple tools to craft a wordlist of your own. We wanted this article to serve as your go-to guide whenever you are trying to learn or use a wordlist or any of the tools to craft one.

