Password profiling with CeWL

With every penetration test, reconnaissance must include a profiling phase in which we analyze the application, department or process names, and other words used by the target organization. This helps us determine which combinations personnel are more likely to use when they need to set a user name or password.

In this recipe, we will use CeWL to retrieve a list of words used by an application and save it for when we try to brute-force the login page.

How to do it...

  1. As the first step, we will look at CeWL's help to have a better idea of what it can do. In the terminal, type:
    cewl --help
    
  2. We will use CeWL to get the words on the WackoPicko application from vulnerable_vm. We want words with a minimum length of five characters (-m 5), the word count shown (-c), and the results saved to cewl_WackoPicko.txt (-w):
    cewl -w cewl_WackoPicko.txt -c -m 5 http://192.168.56.102/WackoPicko/
    
  3. Now, we open the file that CeWL just created and see a list of "word count" pairs. This list still needs some filtering in order to discard words that have a high count but are not very likely to be used as passwords; for example, "Services", "Content", or "information".
  4. Let's delete some words to have a first version of our word list. Our word list, after having removed some words and the count, should look similar to the following example:
    WackoPicko
    Users
    person
    unauthorized
    Login
    Guestbook
    Admin
    access
    password
    Upload
    agree
    Member
    posted
    personal
    responsible
    account
    illegal
    applications
    Membership
    profile
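
Steps 3 and 4 can also be done with a short script. The following is an added example, not code from the book or from the CeWL project: it assumes that `cewl -c` writes one `word, count` pair per line, runs on a constructed sample, and uses hypothetical function names. Its last function shows the defensive use of the same list, which is rejecting site-derived passwords when they are set.

```python
import re

# Constructed sample of `cewl -c` output; "word, count" per line is assumed.
SAMPLE = """\
WackoPicko, 34
Services, 21
Users, 18
Content, 15
information, 12
Login, 11
users, 9
Admin, 6
"""

# Generic site vocabulary of the kind the recipe discards in step 3.
GENERIC = {"services", "content", "information"}


def parse_counts(text):
    """Return (word, count) pairs from 'word, count' or 'word count' lines."""
    pairs = []
    for line in text.splitlines():
        m = re.fullmatch(r"\s*(\S+?),?\s+(\d+)\s*", line)
        if m:
            pairs.append((m.group(1), int(m.group(2))))
    return pairs


def build_wordlist(pairs, generic=GENERIC, min_len=5):
    """Drop the counts, generic words and case-insensitive duplicates."""
    seen, words = set(), []
    for word, _count in pairs:
        key = word.lower()
        if len(word) >= min_len and key not in generic and key not in seen:
            seen.add(key)
            words.append(word)
    return words


def is_profiled(password, words):
    """True if the password is a listed word plus trailing digits/symbols."""
    stem = re.sub(r"[\d\W_]+$", "", password).lower()
    return stem in {w.lower() for w in words}


if __name__ == "__main__":
    wordlist = build_wordlist(parse_counts(SAMPLE))
    print("\n".join(wordlist))
    print(is_profiled("WackoPicko2015!", wordlist))
```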

How it works...

CeWL is a tool in Kali Linux that crawls a website and extracts a list of individual words; it can also provide the number of repetitions for each word, save the results to a file, use the page's metadata, and so on.

See also

There are other tools for similar purposes; some of them generate word lists based on rules or other word lists and some crawl a website looking for the most used words:

  • Crunch: This is a generator based on a character set provided by the user. It uses this set to generate all the possible combinations. Crunch is included in Kali Linux.
  • Wordlist Maker (WLM): WLM can generate a word list based on character sets, and it can also extract words from text files and web pages (http://www.pentestplus.co.uk/wlm.htm).
  • Common User Password Profiler (CUPP): This tool can use a word list to profile the possible passwords for common user names and download word lists and default passwords from a database (https://github.com/Mebus/cupp).