Sunday, October 11, 2009

Creating wordlists with JTR

(mirrored from carnal0wnage.attackresearch.com)

Nothing new, probably covered elsewhere, but useful to revisit (maybe)...at least for my notes.

We had to try to bruteforce the ColdFusion admin password on a past pentest (more on that in another post--still testing the new MSF ColdFusion modules). After trying my (short) list of popular passwords I came up with nil, so I decided to take some words from the site we were trying to break into and use john to mangle the list for some additional passwords to try.

You start with your initial list of words (you can also use CeWL http://www.digininja.org/projects/cewl.php to generate a site-specific wordlist for you).

You then throw them into John and have the rules file mangle them, piping the output through unique to drop duplicates:

yomoma@c0:~/pentest/john/run$ ./john --wordlist=/tmp/passwords-startwith.lst --rules --stdout | ./unique /tmp/passwords-mangled.lst

started with:

blah
carnal
0wnage
carnal0wnage
carnalownage

Ended up with 159 words (it dropped carnal0wnage after the upcase, not sure why) based on John's default word-mangling rules (which may or may not be that useful to you).

That's where JTR Config Maker from http://reusablesec.googlepages.com/jtrconfiggenerator can come in handy.

Specifically: "Option (3) allows you to create word mangling rules. For example, add two numbers to the end of the dictionary word, and replace ‘a’ with an ‘@’."

So I F'ed with it for a while and came up with a list that I thought was pretty good, better than the default rules. You can set pretty much any type of mangle rule you want, save the rules file, and even export your john.conf so you can generate your password list like above.
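The flip side of this for defenders: the same mangling that turns a site-specific wordlist into guesses can expand an organisation's own words into a blocklist, so passwords like "Carnal0wnage99" get rejected before they are ever set. The following is an added example, not code from the original post or from John the Ripper; it implements a small subset of JtR's rule syntax (the commands are real JtR ones, but only these few are supported here) and the seed words are the ones the post starts with.

```python
# Added example: expand seed words with JtR-style mangling rules and use the
# result as a password blocklist. Only a subset of JtR rule commands is
# implemented (assumption: these suffice for the checks shown).
import itertools

# Constructed seed list: the words the post starts with. A CeWL run against the
# organisation's own site would give a longer, site-specific list.
SEED_WORDS = ["blah", "carnal", "0wnage", "carnal0wnage", "carnalownage"]

# Supported rule commands (JtR semantics):
#   ':' no-op   'l' lowercase   'u' uppercase   'c' capitalise   'r' reverse
#   '$X' append char X   '^X' prepend char X   'sXY' replace every X with Y
def apply_rule(word, rule):
    i = 0
    while i < len(rule):
        cmd = rule[i]
        if cmd == ":":
            pass
        elif cmd == "l":
            word = word.lower()
        elif cmd == "u":
            word = word.upper()
        elif cmd == "c":
            word = word[:1].upper() + word[1:].lower()
        elif cmd == "r":
            word = word[::-1]
        elif cmd == "$":
            i += 1
            word += rule[i]
        elif cmd == "^":
            i += 1
            word = rule[i] + word
        elif cmd == "s":
            word = word.replace(rule[i + 1], rule[i + 2])
            i += 2
        else:
            raise ValueError(f"unsupported rule command {cmd!r}")
        i += 1
    return word

# Rules in the spirit of the post: case changes, 'a' -> '@', two digits appended
# (written out explicitly instead of JtR's $[0-9]$[0-9] preprocessor form).
RULES = [":", "l", "u", "c", "sa@", "csa@"]
RULES += ["$" + a + "$" + b for a, b in itertools.product("0123456789", repeat=2)]
RULES += ["c$" + a + "$" + b for a, b in itertools.product("0123456789", repeat=2)]

def expand(words, rules):
    """Set of mangled candidates, like 'john --rules --stdout | unique'."""
    return {apply_rule(w, r) for w in words for r in rules}

def is_blocked(candidate, words=SEED_WORDS, rules=RULES):
    """True if the candidate password is a simple mangling of a seed word."""
    return candidate in expand(words, rules)
```

In a real deployment you would build the blocklist once and check candidates against a hashed set rather than re-expanding per check.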

If people are interested in more detail on this process let me know via comments.

1 comment:

  1. I wouldn't mind hearing more about this. I know wordlist generation isn't exactly new or groundbreaking knowledge, but it is useful nonetheless.
