Creating Password Lists
From the OSINT searches, we have learned a great deal about SUCK and their organization. The next step is to find more targeted information about the company, the people, the location, and their customers by developing more customized password lists. We have all used large password lists in the past and specifically in THP1, but we are looking to crack that 70%+ rate. To achieve this, we need to create custom and smart word lists based on our victim companies and related industries.
In the last book, we used the Crackstation list, which we will definitely use again, but once you have a good password base, you also need to build a list of custom passwords.
Wordhound
(https://bitbucket.org/mattinfosec/wordhound.git) (Kali Linux)
Wordhound is a tool that creates word lists and dictionaries based on Twitter searches, PDF documents, and even Reddit sub-reddits. So to target our victim company, we can grab all the results from their tweets and even words that might be associated with the company.
Wordhound didn’t run right off the bat in Kali Linux at the time of writing this book, so I had to do a few modifications:
● git clone https://bitbucket.org/mattinfosec/wordhound.git /opt/wordhound/
● apt-get install python-setuptools
● cd /opt/wordhound && python setup.py install && ./setup.sh
I had some issues with tweepy, so I had to manually git clone it and re-download it:
● manually install tweepy
○ pip install -U pip
○ git clone https://github.com/tweepy/tweepy.git /opt/tweepy/
○ cd /opt/tweepy
○ python ./setup.py install
○ /usr/local/bin/pip install requests[security]
○ service ntp restart
Once you get everything working, we need to edit the configuration file:
● cd /opt/wordhound && gedit wordhound.conf.dist
● Input the relevant information such as your twitter API key if you want to use twitter.
If you don’t currently have a Twitter API key, you can get one from here:
https://apps.twitter.com/app/new. Once you get your key, write down your:
○ Consumer Key (API Key)
○ Consumer Secret (API Secret)
○ Access Token
○ Access Token Secret
● After adding these to your wordhound.conf.dist file, save or move that copy to wordhound.conf:
○ cp wordhound.conf.dist wordhound.conf
That is really the only initial configuration you will need to get this all working. For our first run, we are going to first generate a dictionary from a website. This will scrape the webpage and make a unique list of words to use for our password list.
To start Wordhound:
● cd /opt/wordhound
● python Main.py
● 1. Generate Dictionary
● 3. Create new industry
○ Enter industry: SUCK
● 1. Generate Dictionary
● 1. SUCK
● 1. Create new client
○ SUCK
● 1. Generate Dictionary from website.
○ http://www.securepla.net
● How many levels: 3
● gedit "data/industries/Hacker Playbook/Hacker Playbook/WebsiteDictionary.txt"
Now, with a good list from websites, we need other sources of data to append to that list. One great source of valuable data is Twitter. Twitter usually includes very relevant data based on specific searching. We can use Wordhound to go through Twitter on a specific word or words and grab all the unique words from it. Let’s run this by choosing:
● 4. Generate Dictionary from twitter search term.
○ Search Term: hacking
● gedit "data/industries/Hacker Playbook/Hacker Playbook/TwitterSearchTermDictionary.txt"
Another favorite source of data is from Reddit. This is where you get creative. You need to find the right sub-reddits that represent your company or industry. You can try a multitude of different sub-reddits to find out which best suit your engagement.
Since our target in this case is a security company, we can parse one of my favorite sub-reddits: /r/netsec. Let’s see what types of unique words we can identify:
● 5. Generate Dictionary from Reddit
○ netsec
We can see from /r/netsec that we have a lot of new words to add to our potential password list that we might not have caught with the other lists. Target industries from different sub-reddits: maybe the city they belong to, the company, the industry, etc.
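The three Wordhound runs above (website scrape, Twitter search, Reddit) all do the same thing underneath: pull text from a source, split it into words, and merge the unique words into one dictionary. The script below is an added example of that pipeline, not Wordhound's code and not from the book; the HTML page, tweets and /r/netsec titles it consumes are constructed sample data embedded inline so it runs offline. It strips `<script>`/`<style>` content (tracking snippets are noise, not candidate passwords), keeps words of a plausible password length, and orders the merged list by how often a word appeared across sources, which is the order you would want when auditing your own users' passwords against company-specific terms.

```python
import re
from collections import Counter
from html.parser import HTMLParser


class TextExtractor(HTMLParser):
    """Collect visible text from an HTML document, skipping <script> and <style> bodies."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.parts.append(data)


def html_to_text(html):
    """Return the visible text of an HTML page as one whitespace-joined string."""
    parser = TextExtractor()
    parser.feed(html)
    parser.close()
    return " ".join(parser.parts)


# A word starts with a letter and continues with letters/digits; "#infosec" -> "infosec",
# "info@securepla.net" -> "info", "securepla", "net".
WORD_RE = re.compile(r"[A-Za-z][A-Za-z0-9]{2,}")


def extract_words(text, min_len=4, max_len=20):
    """Count candidate words in text, keeping case as seen (Secure and secure are distinct)."""
    counts = Counter()
    for word in WORD_RE.findall(text):
        if min_len <= len(word) <= max_len:
            counts[word] += 1
    return counts


def build_dictionary(sources, min_len=4, max_len=20):
    """Merge word counts from every source into one unique list.

    sources maps a source name to (kind, content); kind is "html" or "text".
    The result is sorted by frequency (most common first), then alphabetically,
    so the output is deterministic and the most company-specific terms come first.
    """
    total = Counter()
    for _name, (kind, content) in sources.items():
        text = html_to_text(content) if kind == "html" else content
        total.update(extract_words(text, min_len, max_len))
    return [w for w, _ in sorted(total.items(), key=lambda kv: (-kv[1], kv[0].lower()))]


# Constructed sample inputs (not real scrape results) standing in for the three Wordhound sources.
SAMPLE_HTML = """<html><head><title>Secure Planet - Security Consulting</title>
<style>body{color:#333}</style></head>
<body><h1>Secure Planet</h1>
<p>Penetration testing and red team services for enterprise clients since 2009.</p>
<script>var tracking = "ignoreme";</script>
<p>Contact: info@securepla.net</p></body></html>"""

SAMPLE_TWEETS = [
    "Excited to present our new hacking research at the conference this spring #infosec",
    "Secure Planet is hiring penetration testers! Remote friendly.",
]

SAMPLE_REDDIT_TITLES = [
    "Analysis of a new phishing campaign targeting enterprise SSO portals",
    "Conference talk slides on kernel hardening now available",
]

SAMPLE_SOURCES = {
    "website": ("html", SAMPLE_HTML),
    "twitter": ("text", "\n".join(SAMPLE_TWEETS)),
    "reddit": ("text", "\n".join(SAMPLE_REDDIT_TITLES)),
}


if __name__ == "__main__":
    # Print the merged dictionary one word per line, the format crackers expect for a wordlist.
    for word in build_dictionary(SAMPLE_SOURCES):
        print(word)
```

Feeding the output into a rule-based cracker (case toggles, digit suffixes) is the usual next step; the base words are what this script produces, and keeping case as seen in the sources preserves the exact spellings people tend to reuse.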