When looking through a network you may sometimes stumble upon any number of services that require usernames and passwords. If, for whatever reason, you need to get access to these services, and you don’t have access to the system administrator, you may find yourself needing to break into these services. If you’re lucky, the service is outdated, and an exploit exists that will let you breeze through the login, but you may sometimes have to resort to good old-fashioned brute force.
Now, brute-forcing a networked service could take ages, and is usually deemed so unlikely to succeed that it’s not even worth trying. What you can do instead is attempt a dictionary attack.
Any form of dictionary attack requires a good dictionary. Now, you could go looking around the Internet for an existing dictionary or wordlist, but here are three reasons why you shouldn’t:
- Where’s the fun in that?
- You’ll get better results with a customized wordlist.
- You’ll earn more geek-credit by making your own.
Also, making your own is super simple and doesn’t take much.
For this task, I’ll be working on a Dell E4300 Laptop, running Ubuntu 10.04 Lucid Lynx, but it should be the same on most Linux distributions.
First of all, we need a few tools.
Grab CUPP, the Common User Passwords Profiler, from http://www.remote-exploit.org/wp-content/uploads/2010/04/cupp-3.0.tar.gz
Next, we’ll grab some regular dictionaries available through the Linux Package Repository. Go to a terminal and type in
apt-cache search wordlist
This will show you a list of all the dictionaries available to you.
Let’s say that the network we’re on is located in Scandinavia. English is such a big part of the world’s language today (just try counting how many English terms have managed to find their way into your native tongue) that chances are an English word has been used as the password, so let’s go ahead and install all the american-english wordlists, as well as the Danish, Swedish and Norwegian ones.
apt-get install wamerican wamerican-huge wamerican-insane wamerican-large wamerican-small wdanish wswedish wnorwegian
If you type in dpkg -L wamerican-insane you’ll see where this particular dictionary was installed. Change to that directory now. Usually this will be in /usr/share/dict/
We now have all the ingredients we need in order to cook up our very own dictionary. The first step is to concatenate all the wordlists into one massive list. Start out by creating a new file, called master-wordlist.
The next step is to append the existing lists to master-wordlist. Note that the package names (wdanish, wamerican and so on) are not commands; the actual list files live in /usr/share/dict/, and dpkg -L tells you which file each package installed. The loop below lets dpkg resolve the file names for you, so you don’t have to type them by hand:
for pkg in wdanish wswedish wnorwegian wamerican wamerican-small wamerican-large wamerican-huge wamerican-insane; do
    dpkg -L "$pkg" | grep '^/usr/share/dict/' | xargs cat >> master-wordlist
done
If you type in wc -l master-wordlist you’ll get a count of how many words are in the list. Obviously, as we’ve taken several lists and combined them, there will be duplicates. Also, as most dictionary attack tools support mixing cases, we can convert all the words to lowercase. To convert to lowercase and get rid of duplicates, run this (one caveat: tr A-Z a-z only lowercases the 26 ASCII letters, so uppercase Scandinavian letters such as Æ, Ø and Å pass through unchanged and will survive as separate entries):
tr A-Z a-z < master-wordlist > master-wordlist-lowercase
sort -u master-wordlist-lowercase > master-wordlist-sorted
Count the words again; there should be significantly fewer than before.
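As an added example (not part of the original post), here is the concatenate, lowercase and sort -u step done in Python so that the Scandinavian letters tr A-Z a-z leaves untouched are lowercased too, plus a lookup that a password policy can use to reject plain dictionary words from the same list. The word lists are constructed inline and only stand in for the files under /usr/share/dict/.

```python
import bisect
import unicodedata
from typing import Iterable, List

# Constructed stand-ins for /usr/share/dict/danish, swedish and american-english.
# Real files would be read with open(path, encoding=...) matching the list's encoding.
SAMPLE_LISTS = {
    "danish": "Ærø\nærø\nSkole\nBLÅBÆR\n",
    "swedish": "Öl\nöl\nskola\nSkole\n",
    "american-english": "Password\npassword\nSchool\nschool\n",
}


def ascii_only_lower(word: str) -> str:
    """What `tr A-Z a-z` actually does: only the 26 ASCII capitals change."""
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in word)


def normalize(word: str) -> str:
    """Unicode-aware lowercase. NFC keeps a composed 'Å' and an 'A' plus
    combining ring from ending up as two different entries."""
    return unicodedata.normalize("NFC", word.strip()).lower()


def merge_wordlists(lists: Iterable[str]) -> List[str]:
    """Equivalent of cat + tr + sort -u: merge, lowercase, drop blanks, dedupe, sort."""
    seen = set()
    for text in lists:
        for line in text.splitlines():
            word = normalize(line)
            if word:
                seen.add(word)
    return sorted(seen)


def build_master(lists=SAMPLE_LISTS) -> List[str]:
    return merge_wordlists(lists.values())


def is_dictionary_word(candidate: str, master: List[str]) -> bool:
    """Defensive use of the list: binary search the sorted master list so a
    password policy can refuse candidates that are just a dictionary word."""
    word = normalize(candidate)
    i = bisect.bisect_left(master, word)
    return i < len(master) and master[i] == word
```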
We now have a pretty good wordlist for dictionary-based attacks, but there is a way to make it even better.
Unpack the cupp-3.0.tar.gz file you downloaded earlier, and run the cupp.py file by typing ./cupp.py -i (or python cupp.py -i if the file is not marked executable).
You will now be asked a series of questions about the owner of the system. Based on the answers, CUPP will generate a list of words that are likely to have been used as passwords. Now you can append those words to your master-wordlist, and you’re ready to run your dictionary attack.
P.S.: When I ran CUPP I experienced some problems when adding additional keywords about the owner, that made the script crash. The solution was to open the cupp.py file with gedit, and find the line
words = raw_input("> Please enter the words, separated by comma. [i.e. hacker, juice, black]: ").split(", ").lower()
and replace it with
words = raw_input("> Please enter the words, separated by comma. [i.e. hacker, juice, black]: ").lower().split(", ")
Have fun, and let me know if you’re successful with your new and improved wordlist.