You're reading from  Password Cracking with Kali Linux

Product type: Book
Published in: Feb 2024
Publisher: Packt
ISBN-13: 9781835888544
Edition: 1st Edition
Author (1)
Daniel W. Dieterle

Daniel W. Dieterle, with over 20 years in IT, has evolved from a system and network support role to a dedicated Computer Security Researcher and Author. His expertise, honed in diverse environments like corporate data centers and Ivy League schools, is reflected in his Kali Linux-based books, widely used globally for security training in universities, government, and private sectors. He has contributed to numerous technical books, articles, and security training classes, and is passionate about mentoring newcomers in the field.
Chapter 3
Wordlists
You see those “Top Passwords for Year 20XX” lists every year, and honestly, in my opinion they are just not really true anymore. Basic password requirements for servers mostly prevent the use of many of the passwords listed. In actively cracking public dump lists, the top passwords I have seen for the last several years are a combination of a person’s name (or names), numbers and possibly a symbol. People are creatures of habit and patterns, and this is especially true when they create passwords. Names, important dates or numbers are easy to remember, so these are usually what is used when creating a password. Many passwords also start with a capital letter and end with a symbol. It is hard to overcome years of proper language classes.
I personally use Kali Linux for processing my wordlists, but I do most of my password cracking on a Windows 11 box. The most efficient cracking is done on a system with a very strong and fast GPU. In my...
Password Risks and Attacks
In today's digital age, where data and personal information are increasingly stored and transmitted online, the importance of using strong, complex passwords cannot be overstated. Weak passwords remain one of the most significant vulnerabilities that can expose individuals and organizations to a wide range of cyber threats. But first, let’s look at the risks associated with weak passwords, underlining the critical role that strong passwords play in safeguarding digital assets.
Cybersecurity Attacks and Weak Passwords
  1. Brute Force Attacks: Attackers use automated tools to guess passwords systematically until they find the correct one. Weak passwords, such as "123456" or "password," are easily cracked through these methods.
  2. Dictionary Attacks: These attacks involve trying commonly used words or phrases as passwords. Weak passwords that include dictionary words are vulnerable to this method.
  3. Credential Stuffing: Attackers employ previously...
Wordlists
You are a Pentester or a Red Team member in an active security assessment. You have recovered password hashes, but can’t pass them or use them as-is to gain further access. What are you to do? Crack them! Wordlists are very important when trying to crack passwords. Cracking programs can take a text file filled with words, also known as a wordlist or dictionary file, and use it to crack passwords. They literally take a word from the wordlist, hash it, and compare the result with the recovered password hash. If it doesn’t match, they move on to the next word. Most cracking programs use the wordlist directly word for word, while more advanced ones can also use the wordlist (or multiple wordlists) and manipulate them to create many new combinations of passwords to try. For example, some can take all the words in the wordlist and attach letters or numbers to the beginning or end of the word, or take two or more wordlist files and combine the words from both to make a...
Commonly Used Wordlists
     Ignis - https://github.com/ignis-sec/Pwdb-Public/tree/master/wordlists
     Packet Storm - https://packetstormsecurity.com/Crackers/wordlists/
     Weakpass - https://weakpass.com/wordlist
     Hashkiller - https://hashkiller.co.uk/
     Probable Wordlists - https://github.com/berzerk0/Probable-Wordlists
     G0tmi1k - https://download.g0tmi1k.com/wordlists/large/
     SecLists - https://github.com/danielmiessler/SecLists
     Clem9669 - https://github.com/clem9669/wordlists
     Hashmob - https://hashmob.net
All links were active websites at the time of this writing, but may change over time. Some are single wordlists; some pages have numerous wordlists. Of these, the Ignis, Clem9669, and the Hashmob lists are my favorites. I feel these three are...
Wordlists for Directory Path or Server Brute Forcing
Of course, password cracking isn’t the only use for wordlists. Many security tools use wordlists for web or directory path enumeration. These tools aren’t cracking passwords, but use wordlists to automatically search for directories or files on servers. These lists contain things like common control panel & configuration file names and webserver data paths. 
     https://github.com/danielmiessler/SecLists
     https://gist.github.com/jhaddix
     https://wordlists.assetnote.io/
When you download wordlists, there are usually a lot of words that are duplicates or the wordlist can contain a lot of useless information. The following is a tool to clean up wordlists from useless or random junk:
      https://github.com/BonJarber/SecUtils - Clean Wordlist (I do disagree with classifying some symbols as “Noise...
Wordlists Included with Kali
Kali comes with several wordlists that you can use; the problem is just finding them. Most are in the directory of the main program that uses them. On the newer releases of Kali, shortcut links to the other wordlists are stored in the “/usr/share/wordlists” directory. You can also use the Kali Linux menu selection “05 – password Attacks > Wordlists” as a shortcut to this directory.
Rock You Wordlist
One of the most popular wordlists used in cracking is the “Rock You” wordlist. This is a large collection of millions of passwords that were actually used and pulled from a database dump.
      The file is located in the Kali Linux “/usr/share/wordlists/” directory as seen below:
Notice that the Rockyou wordlist is zipped. The latest version of Kali offers to unzip it for you, or you can do it manually:
You can use the “cat” command to view the...
Wordlist Generator Tools
Downloading existing wordlists is not your only option. Several tools in Kali let you make your own personalized wordlists. CeWL is pretty useful as it lets you create passwords by grabbing information from a target website. Crunch is nice too as it allows you to create your own custom wordlists from scratch. Let’s take a closer look at how to use these tools.
CeWL
Tool Author: Robin Wood
CeWL is a great tool for creating company related or theme-based wordlists. Many times, a user will create a password using words that relate to where they work or what they do. CeWL crawls a target website and builds a custom wordlist file using words found on the site.
     CeWL is no longer installed by default, but just type “cewl” to install.
To use CeWL, provide the options that you want and the target URL. For example, if we wanted to spider the website “cyberarms.wordpress.com” to a depth of 1 layer (-d 1), pull any words six characters or longer (-m 6), and save it as “cyberarms.txt”, we would use the following command:
     cewl -w cyberarms.txt -d 1 -m 6 https://cyberarms.wordpress.com/
CeWL crawls the target website and creates a wordlist with the terms that meet our criteria. The resultant text file might...
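From the defender's side, the same observation supports a context-specific deny-list at password-change time. The following is an added example, not code from the book or from CeWL; the sample site text, the substitution table and the function names are assumptions made for illustration.

```python
import re

# Assumed substitution table for undoing common character swaps.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
AFFIXES = re.compile(r"^[\W\d_]+|[\W\d_]+$")  # leading/trailing digits, symbols

# Constructed sample of text as it might appear on an organisation's site.
SAMPLE_PAGE_TEXT = ("CyberArms Computer Security: Kali Linux tutorials "
                    "and penetration testing news")


def site_terms(text, min_len=6):
    """Lower-cased words of min_len or more letters (mirrors cewl -m 6)."""
    return {w.lower() for w in re.findall(r"[A-Za-z]{%d,}" % min_len, text)}


def normalised_forms(password):
    """Two views of the password with affixes stripped and swaps undone."""
    stripped_first = AFFIXES.sub("", password).translate(LEET)
    swapped_first = AFFIXES.sub("", password.translate(LEET))
    return {stripped_first.lower(), swapped_first.lower()}


def rejected_terms(password, terms):
    """Site terms found inside the password; an empty list means accept."""
    forms = normalised_forms(password)
    return sorted(t for t in terms if any(t in f for f in forms))


if __name__ == "__main__":
    terms = site_terms(SAMPLE_PAGE_TEXT)
    for pw in ["Cyb3rarms2024!", "$ecurity1", "mV9#tq2Lw!xR"]:  # constructed
        print(pw, rejected_terms(pw, terms))
```

The term list should be built from the organisation's own public pages, product names and locations, and the check run wherever passwords are set or changed.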
Crunch
Tool Authors: Mimayin, Bofh28
Crunch is a great program that allows you to create your own custom password lists. Simply tell Crunch what you want, the length and complexity, and Crunch makes it for you.
The Crunch manual page (in a Kali terminal, enter “man crunch”) contains complete instructions and examples on how to use the tool. Basically, all we need to tell crunch is the minimum and maximum length of the words, what type of characters to use, and Crunch does the rest. Crunch makes heavy use of the charset.lst file that is located in its install directory, “/usr/share/crunch”. So, you will need to either run crunch from that directory or point to the directory with the “-f” switch when using the more advanced character sets (shown below).
Alright, let’s start with an easy one:
     At a terminal prompt, type, “crunch 1 3 ...
Crunch - Using the Charset.lst File
Crunch’s Charset.lst file contains a list of keywords that are pre-defined as alphanumeric or symbol strings. We can use these keywords so we don’t have to manually type in the characters that we want to use. The file is located in the “/usr/share/crunch” directory. If we view the file, we can see what keyword sets are available:
     cd /usr/share/crunch
     cat charset.lst
We can use any of the defined sets, for example:
     sudo crunch 2 4 -f charset.lst mixalpha-numeric-all -o mixedall.txt
This command creates a wordlist that cycles through two-to-four-character words that contain all letters, numbers and symbols. Most websites require new accounts to use at least letter and number combinations, so having wordlists with these combinations is a good start.
It is also very common to have strings of numbers in passwords. I have seen them...
Crunch: Creating Unicode Wordlists
Many languages include Extended or Unicode characters. We can make a wordlist using “Unicode” characters with Crunch. The “mixalpha-space-sv” character set contains some of them.
As seen below:
mixalpha-space-sv = [abcdefghijklmnopqrstuvwxyzåäöABCDEFGHIJKLMNOPQRSTUVWXYZÅÄÖ ]
We can use this character set to build a wordlist.
     sudo crunch 3 5 -f charset.lst mixalpha-space-sv -o mixedall.txt
We now have a mixed character list for password cracking. We could take this and combine it with the previous “1 to 5 number” list for a pretty useful combination. Or we could use it in a hybrid attack having Hashcat add the numbers.
As seen below:
      hashcat --remove -m 0 uncracked.txt -o cracked.txt -i -a6 mixedall.txt ?d?d?d?d -O
We will cover Hashcat in depth in a later chapter. For now, just know that the command above would take...
Crunch - Creating More Advanced Wordlists
We can use multiple character sets when creating words in crunch. Humans are creatures of habit and patterns, so you will find patterns when you crack passwords. You can create a custom wordlist with crunch using any pattern.
Simply list each character set that you want to use, then use the “@,%^” characters to create a mask, just like you would with Hashcat. The “@” symbol represents characters from the first character set, “,” the second, “%” the third, etc. You then use the “-t” pattern switch to build your pattern.
WARNING: This can Fill a Hard Drive Fast – Ye Have Been Warned
Confusing right? Let’s see an example:
      sudo crunch 10 10 -f charset.lst mixalpha-space-sv symbols14-space ualpha -o mixedsymupper.txt -t @@@,,,,%%%
Don’t let this run for more than a couple seconds! It could generate a HUGE file. Hit “Ctrl-c” and look for the “START” file.
You should see words like this:
aaa!!!#VVR
baa!!$#WUS
aba!*!#KTT
cab&!!)SSU
You should see the pattern we built:
     3 letters from the mixalpha-space-sv character set (@@@)
     4 symbols from the symbols14-space character set (,,,,)
     3 from the Upper Alpha character set (%%%)
Many times, you will find a word that is used over and over in password hashes, like a company name. Let’s say we find a string of passwords that have the fictitious company initials “WOW”, followed...
Hashcat - Creating Wordlists with Hashcat
A lot of Hashcat users don’t know that you can actually use the Hashcat tool itself to create wordlists. You can use any of the standard Hashcat “-a” attack commands to produce a wordlist. We will cover several of the Hashcat attack modes in a later chapter, so instead of walking through these step by step, I created a chart that shows some common uses:
Again, you can use any of the “-a” attack modes that you wish, just make sure you use the “--stdout” switch. You can then specify an output file with “-o” or just use the “>” file redirect command. 
Hashcat Utils
Not too many in the security world know about the Hashcat Utilities. The utilities are a separate download from Hashcat and are a great set of resource tools for password cracking, and creating wordlists. You can download the Hashcat utilities from the tool website, then install by following the instructions provided on the site. For example, for a Windows install, you just unzip the latest release download and run the .exe you need.
Prepare Your Source Wordlists
Gather the wordlists you intend to combine. These can be standard dictionaries, common phrases, leaked passwords, or any other relevant sources. 
WARNING: Use very small wordlists, as this COULD fill your hard drive fast! The generated output file is exponentially bigger than the input files.
Using the Combinator Command:
The combinator command is used to generate wordlist combinations from...
Hashcat Keymap Walking Password Wordlists
Hashcat’s keymap walking tool, “KwProcessor”, quickly and easily generates password lists based on keymap walking techniques. Many users use keymap walk style passwords. In this section, we will take a quick look at how to use this tool.
Introduction
Keymap walking passwords are popular amongst many organizations, especially government entities. They are pretty easy to use and remember. Basically, you start with a specific key on the keyboard and then pick a direction (or multiple directions) and start hitting keys. Your password is entered as you “walk” across the keyboard.
You can create a complex password in this manner by using the shift key and including numbers in the pattern, as seen below:
Starting with the letter “z”, we move North West, hitting the “a”, “q”, and “1” keys. We then move East a row, hitting the number “2”, and then move South East back down the keyboard hitting the “w” key and stopping on “s”. This would create the password, “zaq12ws”. If we alternately used the shift key, we would get the password, “ZaQ1@wS” which is a little more complex.
What makes keymap...
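A password policy can screen for the walks described above before they are ever set. This added example (not from the book or the kwprocessor project) assumes a US QWERTY layout; the function names and the minimum run length of 5 are illustrative choices.

```python
# Added example: detect keyboard-walk passwords (US QWERTY layout assumed).
ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
SHIFTED = ["!@#$%^&*()_+", "QWERTYUIOP{}", 'ASDFGHJKL:"', "ZXCVBNM<>?"]

# Map every character, shifted or not, to its physical key as (row, column).
KEY_POS = {}
for row, (plain, shifted) in enumerate(zip(ROWS, SHIFTED)):
    for col, (p, s) in enumerate(zip(plain, shifted)):
        KEY_POS[p] = KEY_POS[s] = (row, col)


def adjacent(a, b):
    """True if a and b are neighbouring keys on the staggered layout."""
    if a not in KEY_POS or b not in KEY_POS:
        return False
    (r1, c1), (r2, c2) = KEY_POS[a], KEY_POS[b]
    dr, dc = r2 - r1, c2 - c1
    if dr == 0:
        return abs(dc) == 1          # left or right on the same row
    if dr == -1:
        return dc in (0, 1)          # up: North West or North East
    if dr == 1:
        return dc in (-1, 0)         # down: South West or South East
    return False


def longest_walk(password):
    """Length in characters of the longest run of neighbouring keys."""
    best = run = 1 if password else 0
    for a, b in zip(password, password[1:]):
        run = run + 1 if adjacent(a, b) else 1
        best = max(best, run)
    return best


def is_keyboard_walk(password, min_run=5):
    """Policy check; min_run=5 is an assumed threshold, tune it locally."""
    return longest_walk(password) >= min_run


if __name__ == "__main__":
    for pw in ["zaq12ws", "ZaQ1@wS", "correct horse battery"]:  # constructed
        print(pw, longest_walk(pw), is_keyboard_walk(pw))
```

Because shifted and unshifted characters map to the same physical key, the alternating-shift variant scores the same as the plain walk.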
Installing KwProcessor (kwp)
Like the Hashcat utils, kwp is an optional download from hashcat. Just download the latest release or you can make it from source. Downloading the latest release is the best option as it hasn’t been updated in a few years.
     Download the latest release - https://github.com/hashcat/kwprocessor/releases
     Extract the file
     Use “./kwp” to run the program
Keymaps and Routes
To crack keymap walking passwords you will need two things, a layout of the keyboard keys and a list of routes to take to create the wordlists. In the kwp program directory you will find the “keymaps” and “routes” folders:
The Keymaps folder contains the keyboard layout for multiple languages:
The routes folder has 7 preconfigured keymap walks or routes that can be used to generate passwords:
We can use these preconfigured routes or create our own using command line switches.
Type, “./kwp --help” to see the available options:
Creating a KWP Wordlist
To create a simple kwp wordlist, we will use the English keymap and the “2-10 max 3 directional changes” route file, as seen below:
     ./kwp basechars/full.base keymaps/en.keymap routes/2-to-10-max-3-direction-changes.route
This causes kwp to create multiple keymap walk combinations, of 2-11 characters with a maximum of 3 direction changes:
The output of the command is sent directly to the screen, so to create an output file you need to redirect the output to a text file:
     ./kwp basechars/full.base keymaps/en.keymap routes/2-to-10-max-3-direction-changes.route > basickwp.txt
You can then use the resultant text file as a wordlist in Hashcat.
To create a more complex wordlist, use one of the larger route files:
     ./kwp basechars/full.base keymaps/en.keymap routes/2-to-16-max-3-direction-changes.route > largekwp.txt
Foreign Language Keywalks
If you need to crack foreign language keywalks, just use one of the foreign language keymap files.
So, to create a Russian keywalk wordlist:
     ./kwp basechars/full.base keymaps/ru.keymap routes/2-to-16-max-3-direction-changes.route > rukwp.txt
And the resultant file:
If we have a password hash list that contains any of the words that were generated, it will crack them.
The Hashcat KWP tool is great for quickly creating keymap walking wordlists. It’s also easy to change the keymap language, which can come in handy if you are cracking international passwords. If you want to learn more about KWP, check out the Hashcat GitHub page - https://github.com/hashcat/kwprocessor
Wordlist Wrap-up
In this chapter we covered wordlists, how to find them, and how to create your own. Wordlists are a major part of password cracking, so it is good to master using them. Most modern passwords that you will run into are normally a combination of a name, numbers and symbol(s). I heavily use the Ignis lists when cracking passwords. I use the Hashcat Combinator tool to combine the smaller Ignis lists. The other wordlists I use extensively are the Facebook First and Last name lists. These are wordlists of usernames from a Facebook dump. Both of these are rather large for using the Combinator tool with, but combining them with the smaller Ignis lists or with a numbers list is also highly effective.
Before we move on to using our wordlists with cracking tools to crack hashes, it’s important to understand what a hash is and what different types of hashes exist. We will cover this in the next chapter!