This is an extension to the blog entry I added about password cracking with NTLM; that article can be found here.
However, that relies on matching your hashes against a pre-defined wordlist, in that case the rockyou database, which is publicly available. After using CeWL you can add its output to the rockyou file for maximum results.
This article goes a little further into customisation than the generic version. It can also use hashcat, but for variety this particular guide makes use of John the Ripper, which is part of Kali.
This entry also introduces some new tools for improving your wordlist with rules and munging. The new commands for this entry are:
CeWL (Custom Word List generator)
The point of this utility is that if you know what people like, you can gather a list of "common phrases" from websites and use those phrases in your password wordlist to crack passwords, targeting the attack with known attributes about people.
The man page defines it as "a ruby app which spiders a given URL, up to a specified depth, and returns a list of words which can then be used for password crackers such as John the Ripper".
The syntax for that, if you wish to fetch it from the remote site, is as follows:
cewl https://<remote domain>
CAUTION: This may set off alerts and alarms, as it is intrusive activity, so rather than targeting a live domain it is safer to download the website HTML, start a Python instance listening on a custom port, and scan that.
Taking this into account, let's create a subdirectory now:
mkdir bears.local
cd bears.local
Now we are here, visit the website you want a custom wordlist from and save it as an HTML file. We do not need the images, only the HTML content, so we can do that with wget:
wget www.bear.local
That will download only the index.html file from the target website. Now we need a local web server (the Python built-in one is sufficient) to serve that file to Kali:
python3 -m http.server 8080
That will start a local server listening on port 8080.
All good. Start a new terminal session, as the web server is running in the current one; now we can pull content from the web server with this:
cewl http://127.0.0.1:8080
You will then get your wordlist from that website, which contains many common words and duplicates, which is not good, so I used Google Bard to remove all the common words; yes, that is the Google AI, nothing like getting AI to do all the boring work.
You are then left with a list of site-specific words to use in your cracking attempts, which is quite cool. The list above came from a load of text I grabbed from a website and produced 960 words; after Google AI did its job of removing "common words" it dropped to 460 words, to which we can then apply rules, which comes later.
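The de-duplication and common-word removal described above can be scripted rather than handed to an AI. The following is an added example, not CeWL's code and not from the original post: it strips script and style blocks from saved HTML, tokenises the visible text, and keeps only words that are at least four characters, not in a stop-word list, and not already seen. The HTML page and the stop-word list are constructed for illustration; a real audit would use a full stop-word list and the index.html saved with wget.

```python
"""Build a site-specific wordlist from saved HTML (added example, not CeWL).

Mirrors the workflow in the post: extract words from a page, then drop
duplicates and common English words so only site-specific terms remain.
"""
import re
from html.parser import HTMLParser

# Constructed sample page standing in for a saved index.html.
SAMPLE_HTML = """<html><head><title>Bears Honey Company</title>
<style>body { color: #333; }</style>
<script>var tracking = "analytics";</script></head>
<body><h1>Welcome to Bears Honey</h1>
<p>The Bears Honey team has been making honey since 1987. Our mascot Grizzly
loves the summer festival and the annual Honeycomb picnic.</p>
<p>Contact the team about wholesale honey orders and the festival.</p>
</body></html>"""

# Constructed, deliberately small stop-word list; use a full one in practice.
STOPWORDS = {
    "the", "and", "has", "been", "our", "since", "about", "with", "this",
    "that", "from", "have", "will", "they", "their", "there",
}

WORD_RE = re.compile(r"[A-Za-z][A-Za-z0-9']*")


class TextExtractor(HTMLParser):
    """Collect visible text, skipping <script> and <style> contents."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._skip = 0  # depth counter for script/style nesting

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def extract_words(html):
    """Return every word token in the visible text, in document order."""
    parser = TextExtractor()
    parser.feed(html)
    parser.close()
    return WORD_RE.findall(" ".join(parser.chunks))


def raw_word_count(html):
    """Size of the unfiltered list, the figure CeWL would report."""
    return len(extract_words(html))


def build_wordlist(html, min_len=4, stopwords=STOPWORDS):
    """Filtered list: min length, no stop words, case-insensitive de-dup.

    Order of first appearance is preserved so the output is stable.
    """
    seen = set()
    kept = []
    for word in extract_words(html):
        key = word.lower()
        if len(word) < min_len or key in stopwords or key in seen:
            continue
        seen.add(key)
        kept.append(word)
    return kept


if __name__ == "__main__":
    words = build_wordlist(SAMPLE_HTML)
    print(f"raw tokens: {raw_word_count(SAMPLE_HTML)}, kept: {len(words)}")
    print("\n".join(words))
```

Run it against the saved page with `build_wordlist(open("index.html").read())`; the printed counts play the same role as the 960-to-460 reduction described above, and the kept list can be fed to the rule or munge steps that follow.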
Rules: OneRuleToRuleThemAll.rule
You can get more from here
However, the summary from the website is as follows:
Password cracking is a staple part of pentesting and with a few exceptions, dictionary/rule based attacks are the predominant method in getting those ever-elusive plain text values. Cracking rigs have afforded pentesters and blackhats alike the ability to throw a few graphics cards at some hashes and achieve phenomenal speeds, for example, earlier this year an 8-GPU system broke 500GH/s against NTLM hashes (that’s over 500 billion hashes/second). Be afraid Windows passwords… be very afraid. Time is limited during a pentest and after acquiring a load of hashes you’ll quickly want to crack as many as you can. NotSoSecure decided to have a look at the success rates of different rules that are commonly used and @Stealthsploit has been looking at deriving a custom rule based from these tests that can better help satisfy his clear text cravings.
This sounds very promising indeed; this then takes you to the GitHub page, which can be found here.
git clone https://github.com/NotSoSecure/password_cracking_rules
For me this will be completed in the folder called /test; it may be different for you.
Munge
This converts a wordlist into "l33t"-speak passwords, which you will see in a moment, but first we need to get it, which you can do from here.
First we need to get the repo with this:
git clone https://github.com/Th3S3cr3tAg3nt/Munge
Then we need to run the Python script with version 2 of Python, not version 3:
python2 munge.py -l 9 -i /test/words -o ~/test/newlist
This will then give us a list of modified passwords which includes all the silly things people do, like turning CheeseGrater into Ch3353Grat3r and other awful variations; these can now be added to a wordlist.
Hashcat with Wordlist and Rules
Now we need to run the cracker (JTR, or John the Ripper; the commands below use hashcat) with the hash file and the rules file as shown below. You have two options for the wordlist: the original list from CeWL or the munged one, take your pick.
hashcat -m 1000 <user hashes> <password file> --force -r <rule list> --debug-mode=1
CeWL Option +Rules
hashcat -m 1000 ../Hashes.txt ../cewl-list.txt --force -r OneRuleToRuleThemAll.rule --debug-mode=1
Munge Option + Rules