Wordlists for when you’re at a loss for words
Before we jump right into it, I want to take a second to define what wordlists are, just to make sure everyone is on the same page. A wordlist (also known as a word list), as described by the Cambridge Dictionary, is “a list of words, especially when these words are collected for a particular purpose, for example words that someone has to learn, or words explained in a dictionary”. For hackers, a wordlist is less about learning something and more about testing something. Wordlists are normally a text file with one “word” per line that gets fed into an automated tool, which tries each entry in turn in order to break, crack, or circumvent a control. The most common uses are some form of enumeration (usernames, directories, subdomains, parameters) and password cracking.
Why Do We Need Wordlists?
Alright, so why all the hype about wordlists? Think of wordlists as the Swiss Army knife in a pentester’s toolkit. These nifty collections of words, phrases, and passwords are crucial for a few key reasons:
Cracking Passwords Like a Pro
First up, wordlists are essential for cracking passwords. When you’re trying to break into a system (legally, of course!), one of the most common methods is a guessing attack. A pure brute force attack systematically tries every possible combination of characters, which becomes infeasible very quickly as passwords get longer; a dictionary attack instead tries only the candidates a human is likely to have picked. Either way, typing “123456” or “password” over and over by hand is a drag. That’s where wordlists come in: they supply the candidates and let a tool automate the guessing, making it faster and far more efficient.
Finding Vulnerabilities
Next, wordlists help you uncover hidden vulnerabilities. Imagine you’re testing a web application and you need to find all the hidden directories or files. By using a wordlist, you can automate the discovery process, checking thousands of possible URLs in a fraction of the time it would take to do it manually. It’s like having a treasure map, but instead of gold, you’re finding security holes.
Speeding Up Your Workflow
Efficiency is the name of the game in pentesting. Wordlists speed up your workflow by providing a ready-made list of potential passwords, usernames, URLs, and more. Instead of spending hours brainstorming or guessing, you can dive straight into the action. It’s like having a cheat sheet for hacking (again, ethically!).
Customization and Flexibility
Another cool thing about wordlists is that you can customize them. Depending on your target, you might need specific words or phrases. For example, if you’re pentesting a company, you might include terms related to their business, products, or employees. Custom wordlists tailored to your specific target can dramatically increase your success rate.
Staying One Step Ahead
Cybersecurity is all about staying one step ahead of the bad guys. By using wordlists, you’re employing the same tactics that many attackers use. This not only helps you find vulnerabilities before they do but also prepares you to defend against similar attacks. In a nutshell, wordlists are a pentester’s best friend. They make the tedious task of guessing passwords and finding vulnerabilities much more manageable, giving you the edge you need to secure systems effectively. So next time you’re setting up a test, don’t forget to bring along your trusty wordlist!
Examples of wordlists in action
When it comes to enumerating something, not every case is as easy as an IDOR, where you simply increment or decrement the number in an API call or URL to find every object. Let’s take a real-world example of that with WordPress. In vanilla WordPress you can make an HTTP request to https://WPSiteName.com/?author=1 and the site will answer for the user with user ID 1 (with pretty permalinks enabled it redirects to that user’s author archive, so the login slug shows up in the URL). By increasing the number by one and repeating the request you can find all the users on the site. But what if you want to enumerate something that isn’t number based?
Sticking with the WordPress theme, we will tackle enumerating the plugins installed on a site. Since WordPress has a well-documented folder structure, plugins are stored under https://WPSiteName.com/wp-content/plugins but, unlike users, they aren’t numbered: you have to know (or guess) the directory name of each installed plugin. (Older or misconfigured installs with directory listing enabled will simply show you the full list when you hit the /plugins directory, but that isn’t the point of the example.) If we put plugin names into a wordlist and request https://WPSiteName.com/wp-content/plugins/<name>/ for each of them, the responses tell us which plugins are present: a 404 means the directory doesn’t exist, while a 200, 403 or redirect means it does. The “Classic Editor” plugin shown below is one such hit.
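Both techniques from this section in code: numeric enumeration of users through ?author=N and wordlist enumeration of plugin directories. This is an added example written for this article, not code from the original post or from WordPress. It assumes a hypothetical site https://wpsitename.example and includes a constructed fake_probe that stands in for the HTTP request so it runs offline; probe() is the real urllib-based version to use against a site you are authorized to test.

```python
import secrets
import urllib.error
import urllib.request

# Constructed plugin wordlist; a real run would use a much larger list such as
# SecLists' WordPress plugin list.
PLUGIN_WORDLIST = ["classic-editor", "akismet", "contact-form-7", "not-a-real-plugin"]


def probe(url):
    """GET url WITHOUT following redirects; return (status, Location header or None).
    Not following redirects matters: the ?author=N trick shows up as a 301 whose
    Location header contains the user's slug."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # make urllib raise HTTPError instead of following

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def enumerate_authors(base, probe=probe, max_id=50, stop_after_misses=3):
    """Numeric enumeration: default WordPress answers /?author=N with a redirect to
    /author/<slug>/, so the slug leaks the login name. Stops after a run of misses."""
    found, misses = {}, 0
    for n in range(1, max_id + 1):
        status, location = probe(f"{base}/?author={n}")
        if status in (301, 302) and location and "/author/" in location:
            found[n] = location.rstrip("/").rsplit("/", 1)[-1]
            misses = 0
        else:
            misses += 1
            if misses >= stop_after_misses:
                break
    return found


def enumerate_plugins(base, wordlist, probe=probe):
    """Wordlist enumeration: request /wp-content/plugins/<name>/ for each candidate.
    The "absent" status is calibrated with a random name first, so a site that
    answers every unknown path with 200 (a soft 404) does not make every plugin look
    installed. Any other status (200, 403, 301...) means the directory exists."""
    absent_status, _ = probe(f"{base}/wp-content/plugins/{secrets.token_hex(8)}/")
    present = []
    for name in wordlist:
        status, _ = probe(f"{base}/wp-content/plugins/{name}/")
        if status != absent_status:
            present.append((name, status))
    return present


# Constructed stand-in for a live site so the example runs offline.
FAKE_SITE = {
    "https://wpsitename.example/?author=1": (301, "https://wpsitename.example/author/admin/"),
    "https://wpsitename.example/?author=2": (301, "https://wpsitename.example/author/jdoe/"),
    "https://wpsitename.example/wp-content/plugins/classic-editor/": (403, None),
    "https://wpsitename.example/wp-content/plugins/akismet/": (200, None),
}


def fake_probe(url):
    return FAKE_SITE.get(url, (404, None))


if __name__ == "__main__":
    base = "https://wpsitename.example"
    print("users:", enumerate_authors(base, probe=fake_probe))
    print("plugins:", enumerate_plugins(base, PLUGIN_WORDLIST, probe=fake_probe))
```

The calibration request in enumerate_plugins is the step people skip and then regret: without it, a site with a catch-all 200 page reports every name in the wordlist as installed.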
Wordlists by Tool Examples
Alright, now that we’ve got a handle on what wordlists are and why they’re super important, let’s dive into some hands-on action. Here, we’ll walk through a basic example of using a wordlist in a penetration test. Don’t worry, we’ll keep it simple and fun!
Step-by-Step: Cracking a Password with Hydra
Set Up Your Environment: Make sure you have Hydra installed. If you don’t have it yet, you can easily grab it with a quick command. Open up your terminal and type:
sudo apt-get install hydra
Choose Your Target: For this example, let’s say we’re trying to crack into an FTP server. We’ll need the target IP address and the username. For simplicity, let’s use:
- IP address: 192.168.1.100
- Username: admin
Grab a Wordlist: We’ll use the famous rockyou.txt wordlist. If you don’t already have it, you can find it online or in your Kali Linux distro, where it ships compressed at /usr/share/wordlists/rockyou.txt.gz (run sudo gunzip on it first). This wordlist contains millions of real passwords leaked in the 2009 RockYou breach.
Run Hydra: Now, let’s put it all together. Fire up Hydra with the following command:
hydra -l admin -P /path/to/rockyou.txt ftp://192.168.1.100
Here’s what’s happening:
- -l admin specifies the username.
- -P /path/to/rockyou.txt points to our wordlist.
- ftp://192.168.1.100 is the target service and IP.
Watch the Magic Happen: Hydra will start running, trying each password from the wordlist until it finds the right one or exhausts the list. Keep an eye on the terminal; once it hits the correct password, it’ll let you know. Two practical caveats: this is an online attack, so every guess is a real login attempt the target can log, rate-limit or lock out, and a list the size of rockyou.txt can take a very long time over the network. Hydra’s -t option limits the number of parallel connections (the default is 16), and -f tells it to stop as soon as a valid login is found.
Step-by-Step: Cracking a Password with John the Ripper
Set Up Your Environment: Make sure you have John the Ripper installed. You can install it with:
sudo apt-get install john
Get a Password Hash: Suppose you have a hashed password stored in a file called password.hash (one hash per line, optionally as user:hash). John auto-detects most hash types; if it guesses wrong or the format is ambiguous, tell it explicitly with --format=, for example --format=raw-md5 for unsalted MD5.
Prepare Your Wordlist: Again, we’ll use rockyou.txt for this example.
Run John the Ripper: Execute the following command to start cracking:
john --wordlist=/path/to/rockyou.txt password.hash
Here’s the breakdown:
- --wordlist=/path/to/rockyou.txt specifies the wordlist.
- password.hash is the file containing the password hash.
Check the Results: John will run through the wordlist and try to match the hash. Cracked passwords are saved to John’s pot file (~/.john/john.pot by default), so you can view them at any time with:
john --show password.hash
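To make concrete what john --wordlist is doing under the hood, here is a minimal dictionary cracker. This is an added example written for this article, not John the Ripper’s code; the hash file is constructed inside the block from known passwords so it runs offline, and the “$sha256$salt$hex” salted format is a made-up encoding for illustration (real formats like md5crypt or sha512crypt are structured differently, but the workflow is the same). The point it shows beyond the text: unsalted hashes let one candidate hash be compared against every user at once, while each distinct salt forces its own pass over the wordlist.

```python
import hashlib


def digest(algo, salt, candidate):
    """Hash a candidate the way the target format does (here: hex(algo(salt + pw)))."""
    return hashlib.new(algo, (salt + candidate).encode()).hexdigest()


def make_hash_line(user, algo, salt, password):
    """Build one sample 'user:hash' line. Used only to construct the demo file."""
    d = digest(algo, salt, password)
    return f"{user}:$sha256${salt}${d}" if salt else f"{user}:{d}"


def parse_hash_line(line):
    """'user:hash' -> (user, algo, salt, hexdigest). Raw MD5 is 32 hex chars, raw
    SHA-256 is 64, and the constructed salted form is '$sha256$<salt>$<hex>'.
    An unknown format raises, which is the moment you would reach for --format."""
    user, _, h = line.strip().partition(":")
    if h.startswith("$sha256$"):
        _, _, salt, d = h.split("$")
        return user, "sha256", salt, d
    if len(h) == 32:
        return user, "md5", "", h
    if len(h) == 64:
        return user, "sha256", "", h
    raise ValueError(f"unrecognised hash format for {user!r}: {h!r}")


def crack(hash_lines, wordlist):
    """Dictionary attack. Targets are grouped by (algo, salt): all unsalted users of
    one algorithm are checked with a single hash per candidate, while every distinct
    salt needs its own pass. Returns ({user: password}, number_of_hash_operations)."""
    groups = {}
    for line in hash_lines:
        if not line.strip():
            continue
        user, algo, salt, d = parse_hash_line(line)
        groups.setdefault((algo, salt), {}).setdefault(d, []).append(user)

    cracked, hash_ops = {}, 0
    for (algo, salt), targets in groups.items():
        for candidate in wordlist:
            if not targets:
                break  # everything in this group is already cracked
            hash_ops += 1
            users = targets.pop(digest(algo, salt, candidate), None)
            if users:
                for user in users:
                    cracked[user] = candidate
    return cracked, hash_ops


# Constructed sample: two unsalted MD5 users, and two salted SHA-256 users who
# chose the same password but got different salts.
SAMPLE_HASH_LINES = [
    make_hash_line("alice", "md5", "", "password"),
    make_hash_line("bob", "md5", "", "letmein"),
    make_hash_line("carol", "sha256", "a1b2", "summer2024"),
    make_hash_line("dave", "sha256", "c3d4", "summer2024"),
]
SAMPLE_WORDLIST = ["123456", "password", "letmein", "summer2024", "qwerty"]

if __name__ == "__main__":
    found, ops = crack(SAMPLE_HASH_LINES, SAMPLE_WORDLIST)
    print(found, "hash operations:", ops)
```

With the sample data the MD5 group is finished in three hash operations for two users, while carol and dave cost four operations each despite sharing a password: that gap is exactly why salted hashes are worth having on the defensive side.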
Building Your Own Wordlist
Alright, so you’ve got the basics down, and now you’re ready to get your hands dirty and create your own wordlist. It’s like crafting a secret weapon tailor-made for your target. Here’s how you can get started:
Why Bother with Custom Wordlists?
You might be wondering, why not just use the pre-made ones? Well, custom wordlists can be a game-changer. They let you focus on specific targets, making your attacks more efficient and effective. Plus, it’s a lot of fun to see your custom list crack a tough nut.
Getting the Right Ingredients
Think of building a wordlist like cooking up a recipe. You need the right ingredients, and in this case, it’s all about collecting relevant words. Here are a few places to start:
Social Media Profiles: People love to share bits of their lives online. Check out their Facebook, Twitter, LinkedIn, and Instagram for potential keywords.
Company Websites: If you’re targeting a specific company, browse their official site. Look at employee bios, press releases, and blogs for potential words.
Forums and Communities: Dive into forums, Reddit threads, or community boards related to your target. People often use common jargon and phrases that can be gold for your list.
Scraping Tools: Use tools like CeWL (Custom Word List generator) to automate the process. CeWL spiders a website and generates a list of the words it finds; for example, cewl -d 2 -m 5 -w words.txt https://target.example crawls two links deep, keeps words of at least five characters, and writes them to words.txt.
Crafting Your Masterpiece
Once you’ve gathered your words, it’s time to put them together. Here’s a simple process:
Organize Your Words: Keep things tidy. Group your words based on categories like names, places, common phrases, etc.
Use Wordlist Generators: Tools like Crunch can generate a list from parameters such as minimum and maximum length and a character set, for example crunch 4 6 0123456789 for every 4- to 6-digit numeric string. Be careful: the size of a generated list grows exponentially with length and character set, so keep the parameters tight or pipe the output straight into your cracking tool instead of writing it to disk.
Combine and Conquer: Mix and match your words. Combine names with dates, common phrases with variations, etc. For instance, if you have the word “Summer” and the year “2024,” you can create combinations like “Summer2024,” “2024Summer,” and so on.
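The two steps that are easiest to get wrong by hand are the scraping described under Scraping Tools and the mixing described under Combine and Conquer, so here they are together in code. This is an added example written for this article, not CeWL’s or Crunch’s code; the HTML page is constructed inline so it runs offline, and the mangling rules (case variants, year prefixes and suffixes, a couple of common suffixes) are a small illustrative set rather than any tool’s rule file.

```python
import re
from html.parser import HTMLParser


class _TextExtractor(HTMLParser):
    """Collect visible page text; skip <script> and <style> bodies like a crawler would."""
    def __init__(self):
        super().__init__()
        self.parts, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def extract_words(html, min_len=4):
    """CeWL-style: words of at least min_len characters from the page text,
    lower-cased, returned as (word, count) pairs with the most frequent first."""
    parser = _TextExtractor()
    parser.feed(html)
    counts = {}
    for word in re.findall(r"[A-Za-z][A-Za-z0-9]+", " ".join(parser.parts)):
        if len(word) >= min_len:
            counts[word.lower()] = counts.get(word.lower(), 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def mangle(base_words, years=("2023", "2024"), suffixes=("!", "123")):
    """Combine-and-conquer: case variants, years before and after, common suffixes,
    and year+suffix combinations, de-duplicated while keeping base-word order."""
    out, seen = [], set()

    def add(candidate):
        if candidate not in seen:
            seen.add(candidate)
            out.append(candidate)

    for word in base_words:
        for form in (word.lower(), word.capitalize(), word.upper()):
            add(form)
            for year in years:
                add(form + year)
                add(year + form)
            for suffix in suffixes:
                add(form + suffix)
                for year in years:
                    add(form + year + suffix)
    return out


def build_wordlist(html, top_n=5, min_len=4):
    """Scrape the page, keep the top_n most frequent words, and mangle them."""
    base = [word for word, _ in extract_words(html, min_len)[:top_n]]
    return mangle(base)


# Constructed sample page standing in for a crawled company website.
SAMPLE_HTML = """<html><head><title>Acme Widgets - Home</title>
<style>.hero { color: red; }</style></head>
<body><h1>Welcome to Acme Widgets</h1>
<p>Acme builds the Falcon and Osprey widget lines in Springfield.</p>
<script>var ignored = "Spurious";</script>
<p>Contact support@acme.example about Falcon support.</p>
</body></html>"""

if __name__ == "__main__":
    for word, count in extract_words(SAMPLE_HTML)[:5]:
        print(f"{count:3d} {word}")
    candidates = build_wordlist(SAMPLE_HTML)
    print(len(candidates), "candidates, e.g.", candidates[:6])
```

The frequency ordering is what makes scraping useful: product names and the company name float to the top, and those are the words that end up in staff passwords. Each base word expands to 33 candidates under these rules, which is a reminder of why mangling belongs on a short, targeted list rather than on rockyou.txt.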
Testing and Tweaking
Now, you’ve got your shiny new wordlist. But the job isn’t done yet. It’s crucial to test it and make adjustments. Here’s how:
Run a Test Attack: Use a tool like Hydra or John the Ripper with your wordlist to see how it performs. Start with an easy target to get a feel for its effectiveness.
Analyze and Adjust: If the list isn’t hitting the mark, go back and tweak it. Add new words, remove irrelevant ones, and refine your combinations.
Stay Updated: Keep your wordlist fresh. As new information comes in, update your list. This keeps you prepared for future tests.
A Few Tips to Keep in Mind
Optimize Your Wordlist: Sometimes, smaller, more targeted wordlists can be more effective than huge ones. Tailor your wordlist to your specific target if possible.
Use Multiple Tools: Different tools have different strengths. Hydra is great for online attacks against a live service, where you are limited by network round trips and lockout policies, while John the Ripper excels at offline password cracking, where you already have the hashes and are limited only by how fast you can compute them.
Stay Patient: Cracking passwords can take time, especially with complex passwords. Be patient and let the tools do their work.
Have Fun with It: Building a wordlist can be as creative as you want it to be. It’s about thinking outside the box and using your detective skills to gather the best possible words. So go ahead, experiment, and see what works best for you.
Further Reading
Alright, you’ve made it this far—awesome! Now let’s dive into some great resources to help you level up your wordlist game and pentesting skills.
Websites and Blogs:
- Kali Linux Official Documentation: The go-to place for everything related to Kali Linux, including how to use its pentesting tools effectively.
- OWASP (Open Web Application Security Project): A fantastic resource for learning about web security, including numerous guides and tools.
- Hack The Box: An online platform to test and improve your hacking skills in a controlled, legal environment.
- Pentestmonkey: Great scripts, cheat sheets, and tutorials for pentesters.
Popular Wordlists:
- SecLists: A collection of multiple types of lists used during security assessments.
- Rockyou.txt: One of the most famous wordlists in the pentesting world, built from real passwords leaked in the 2009 RockYou breach. Great as a first pass in dictionary attacks.
- Weakpass: A comprehensive collection of wordlists designed for password cracking.
- Awesome Wordlists: A curated list of wordlists for bruteforcing and fuzzing.
- Wordlists by Krypton: A collection of wordlists for many different usages. They are sorted by their content.
Tools:
- Crunch: A wordlist generator where you can specify a standard character set or a custom one.
- CeWL: A custom wordlist generator that spiders a URL to create a wordlist of words that appear on the site.
- John the Ripper: A fast password cracker with a large community and many wordlist options.
Books:
- “The Web Application Hacker’s Handbook” by Dafydd Stuttard and Marcus Pinto: A must-read for anyone serious about web application security.
- “Metasploit: The Penetration Tester’s Guide” by David Kennedy, Jim O’Gorman, Devon Kearns, and Mati Aharoni: Learn how to use Metasploit for real-world pentesting.
- “Hacking: The Art of Exploitation” by Jon Erickson: Great for understanding the fundamentals of hacking and exploitation.
Communities and Forums:
- Reddit: r/HowToHack: A friendly community for beginners and experts alike, sharing knowledge and experiences.