Most people build their passwords from commonly used words. Studies show that even when people try to select random passwords, there is very little randomness in the words they choose. Furthermore, as more large sites have their users’ passwords leaked, attackers are learning the common password obfuscation techniques people use and writing their exploits around those techniques. Think you are being clever by replacing the letter “O” with a “0” (zero), or the letter “E” with the number “3”? Attackers know this and are now incorporating it into their password cracking programs.
The website How Secure is Your Password (https://howsecureismypassword.net/) estimates how long a computer would take to brute force your password. However, when you add in parallel processors, multi-tasking, and advances in processing power, you can assume this number will decrease exponentially. Using these techniques and the knowledge attackers have gained from recent password attacks, we know the time a password attack takes can now be reduced from years to just days.
One common technique used by attackers is to create custom dictionary files that target an organization or individual, built from specific sources such as the organization's website, blog, LinkedIn profiles, Twitter, or Facebook.
CeWL is a tool that is built into Kali Linux and other Linux-based distributions. It can also be installed on most systems that do not have it. CeWL stands for Custom Word List generator. It is a Ruby app that spiders a given URL to a specified depth, optionally following external links, and returns a list of words which can then be used with password crackers such as John the Ripper.
To use CeWL, open up a command prompt in Kali Linux (or your favorite Linux distribution). We prefer Kali Linux because CeWL works right out of the box.
To use CeWL, you simply type the command, the target URL, and the name of the output file.
cewl www.drchaos.com -w drchaospasswords.txt
This will generate a word list from our target URL (use a URL you have permission to scrape). By default, CeWL sticks to just the site you have specified and will go to a depth of 2 links; this behavior can be changed by passing arguments.
Be careful when setting a large depth and allowing it to go offsite: you could end up drifting onto a lot of other domains that you do not have permission to scrape.
By default, CeWL will scrape all words of 3 characters or more and output the results to the screen. This length can be increased, and the words can be written to a file rather than the screen so the app can be automated. CeWL by default will not go further than two links down in a domain. This depth can also be changed if needed by using the -d option.
We may also want to set the minimum word length. For example, we may want to target words with 8 or more characters. We can do this by using the -m switch.
In the following example we will limit our site search to a depth of 1 and limit our words to those with 8 or more characters. We issue the following command:
You can now use this wordlist in popular programs such as John the Ripper and other security tools to audit the password strength of your organization.
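One way to put such a wordlist to defensive use is to screen new passwords against it at password-change time. The following is an added example, not code from the original article or from CeWL: it assumes the wordlist holds one word per line, and the function names, the 0.4 threshold, the sample words, and every substitution pair beyond 0/O and 3/E are assumptions made for illustration.

```python
# Added example (not from the article): screen new passwords against a
# site-derived wordlist, such as the file written by `cewl ... -w`.

# Undo look-alike substitutions. "0"->"o" and "3"->"e" are the ones the
# article names; the remaining pairs are assumptions added for illustration.
SUBSTITUTIONS = str.maketrans({"0": "o", "3": "e", "4": "a", "@": "a",
                               "5": "s", "$": "s", "7": "t"})

# Constructed sample standing in for a generated wordlist (one word per line).
SAMPLE_WORDLIST = ["Security", "Chaos", "Networks", "Forensics", "the", ""]


def normalize(text):
    """Lowercase the text and reverse common character substitutions."""
    return text.lower().translate(SUBSTITUTIONS)


def load_wordlist(lines, min_len=3):
    """Return the set of normalized words that are at least min_len long."""
    words = set()
    for line in lines:
        word = normalize(line.strip())
        if len(word) >= min_len:
            words.add(word)
    return words


def find_site_words(password, words):
    """List site words contained in the password, longest first."""
    candidate = normalize(password)
    hits = [w for w in words if w in candidate]
    return sorted(hits, key=lambda w: (-len(w), w))


def is_acceptable(password, words, min_fraction=0.4):
    """Reject a password when one site word covers min_fraction of it or more."""
    hits = find_site_words(password, words)
    if not hits:
        return True
    return len(hits[0]) / len(password) < min_fraction


if __name__ == "__main__":
    site_words = load_wordlist(SAMPLE_WORDLIST)
    for pw in ["Ch40s2024!", "S3curity#1", "plum-Gather-tunnel-93"]:
        print(pw, find_site_words(pw, site_words), is_acceptable(pw, site_words))
```

The coverage threshold keeps short scraped words such as "the" from rejecting long passphrases that merely contain them, while still rejecting passwords that are mostly a site word plus a few digits.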