How to Create Your Own Wordlist & Use it For Password Cracking

Say, for example, you are contracted to conduct a pentest on an organization, and parts of your contract involve cracking passwords for access to one area or another of the organization’s network. This is one reason you may need to come up with a wordlist to work with. Creating a wordlist tailored to the target saves stress when you begin the cracking process.

In many attempts at password cracking, we often need to use a wordlist that will essentially attempt thousands of potential passwords per second. This is often referred to as a dictionary attack, even though we need not rely solely on dictionary words. These wordlists may have any combination of characters and words in an attempt to crack a complex password offline.

Sometimes we may have indications of the target’s choice of password or password components, which may come from our knowledge of the target, e.g. girlfriend, neighbor, friend, etc. It could be their name, children’s names, a pet’s name, birthday, or job. We may also know the organization’s password policy (e.g. minimum 8 characters, uppercase and lowercase, etc.). Instances like this enable us to generate a custom wordlist that reflects our knowledge of the target or the organization’s password policy.

Kali Linux, our ever-reliable pentesting OS, has a tool called “crunch” that enables us to create a custom password-cracking wordlist that we can use with various tools like aircrack-ng, John the Ripper, Cain and Abel, etc. These wordlists can save us hours or days in password cracking if we craft them properly.

 

Step 1: Start Up Kali and Open Crunch

Click Applications at the top left, go to the password attack category, and open Crunch.

You can also just enter the command “crunch” in a terminal to start this tool.

This will open the crunch screen like that below.


 

Step 2: Crunch Syntax

The basic syntax for crunch looks like this:

kali > crunch <min> <max> <character set> -t <pattern> -o <output filename>

Here is what each part of the syntax means:

min = The minimum password length.

max = The maximum password length.

character set = The character set to be used in generating the passwords.

-t <pattern> = The specified pattern of the generated passwords. For instance, if you knew that the target’s birthday was 0128 (Jan 28th) and you suspected they used their birthday in their password (people often do), you could generate a password list that ended with 0128 by giving crunch the pattern @@@@@@@0128. This would generate passwords up to 11 characters (7 variable and 4 fixed) long that all end with 0128.

-o <outputfile> = This is the file you want your wordlist written to.

 

Step 3: Crunch Manual

Let’s go to the man pages for crunch by entering:

kali > man crunch

This should open the manual pages for crunch like that below. The developers of crunch have packed these pages with a lot of info on how to get the most out of crunch.

If we page down a bit in these man pages, we will come to this page.

 

At the top we see the -f switch. This switch allows us to choose the character set we want to use to generate our wordlist. The syntax is:

-f /path/to/charset.lst <charactersetname>

Here we tell crunch where the charset.lst is with the full path and then select a particular character set from that list. In Kali, the charset.lst is at:

/usr/share/crunch/charset.lst

 

 

Step 4: Create a Few Simple Wordlists

Now we will generate some simple wordlists for password cracking. If we are aware that the company has passwords between 4 and 8 characters, we can generate all the possibilities in crunch by typing:

kali > crunch 4 8

 

Where the first number (4) is the shortest word length and the second (8) is the longest word length.

When we execute this statement, crunch estimates how large the file will be (1812 GB) and then begins to generate the list. In this case, the file size is probably larger than we want to work with.

What if we knew that the target always used numeric passwords between 6 and 8 characters? We could generate a complete list of password possibilities meeting these criteria and send them to a file named numericwordlist.txt by entering:

kali > crunch 6 8 1234567890 -o numericwordlist.txt

 

What if we knew that the target’s birthday was Jan 07 and that they likely used that date (people often use their birth dates in their passwords to make them easier to remember) at the end of a ten-character password? We could generate all the possibilities of ten-character passwords that end with 0107 (Jan 07) and send the output to a file named birthdaywordlist.txt by typing:

kali > crunch 10 10 -t @@@@@@0107 -o birthdaywordlist.txt


 

The @ sign is used to represent a wildcard of all possibilities, while the literal “0107” represents the fixed values.

 

Step 5: Complex Wordlists with Crunch

With crunch we have the ability to select a specific character set or create our own character set for generating our password list. If we know the likely character set the target is using for their password, we can select the character set to generate our password list. We can find the choice of character sets at:

/usr/share/crunch/charset.lst

 

Now, if we know that our target is using an eight character password with only alphabetic characters, we can generate a list of all the possibilities in crunch with the command:

kali > crunch 8 8 -f /usr/share/crunch/charset.lst mixalpha -o alphawordlist.txt

 

This will generate all the 8-character passwords using only alphabetic characters (no numbers or special characters) and store them in a file named alphawordlist.txt.
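Before running any of the commands from Steps 4 and 5, it helps to know how large the result will be. The following is an added example, not part of the original tutorial or of crunch itself: it computes the number of candidates and the file size for the four commands above, reproduces the 1812 GB estimate for “crunch 4 8” (counting 1 GB as 1024^3 bytes), and shows how much a known birthday suffix or an all-digits habit shrinks the search space. The function names are hypothetical, and it assumes @ draws from the supplied character set (26 lowercase letters by default).

```python
# Added example: size a crunch job before running it.
GIB = 1024 ** 3

# Sizes for crunch's -t placeholders. Only '@', ',' and '%' are modelled
# here; every other character in a pattern is treated as a fixed literal.
DEFAULT_PLACEHOLDERS = {"@": 26, ",": 26, "%": 10}


def keyspace(min_len, max_len, charset_size=26, pattern=None):
    """Return (candidates, bytes) for a crunch-style job.

    Each candidate is written on its own line, so it costs len + 1 bytes.
    """
    if pattern is not None:
        # This example only handles fixed-length patterns.
        if not (min_len == max_len == len(pattern)):
            raise ValueError("example expects min == max == len(pattern)")
        sizes = dict(DEFAULT_PLACEHOLDERS)
        sizes["@"] = charset_size  # assumption: '@' uses the supplied set
        count = 1
        for ch in pattern:
            count *= sizes.get(ch, 1)  # literals contribute one choice
        return count, count * (len(pattern) + 1)
    count = total_bytes = 0
    for length in range(min_len, max_len + 1):
        n = charset_size ** length
        count += n
        total_bytes += n * (length + 1)
    return count, total_bytes


def report():
    """Candidates and whole GiB for the commands used in Steps 4 and 5."""
    jobs = {
        "crunch 4 8": keyspace(4, 8),
        "crunch 6 8 1234567890": keyspace(6, 8, charset_size=10),
        "crunch 10 10 -t @@@@@@0107": keyspace(10, 10, pattern="@@@@@@0107"),
        "crunch 8 8 mixalpha": keyspace(8, 8, charset_size=52),
    }
    return {cmd: (count, size // GIB) for cmd, (count, size) in jobs.items()}


if __name__ == "__main__":
    for cmd, (count, gib) in report().items():
        print(f"{cmd:28} {count:>20,} candidates  ~{gib:,} GiB")
```

The same numbers read from the other side explain the advice in the summary: a ten-character password whose last four characters are a known date has only 26^6 possibilities left, 26^4 times fewer than ten unknown lowercase letters.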

 

Summary

When cracking unknown passwords, there are multiple methods available. These include dictionary, rainbow table, brute force and others. If we know the parameters of the password or know something about the target and their possible passwords (birthday, pet names, spouse, etc.), crunch can be a very useful tool for generating specific wordlists to be used in a dictionary-like attack.

As a word of advice, when setting up a password for your account, it is best to always use a random, out-of-the-box password that relates in no way to you. That way it would be hard for a black hat hacker to create a password list made up of words associated with you.

This is a common act with hotels, as they tend to set Wi-Fi passwords with names that are related to the name of the hotel, the address of the hotel, the location of the hotel + hotel name, etc. In the course of my job as a Penetration Tester, I have come across the weirdest of passwords used by corporate organizations, so nobody is above mistakes.
