This is an extension of the blog entry I wrote about password cracking with NTLM; that article can be found here:
NTDS Password Hash Dumping
Warning: please get the relevant approval before analyzing live data; this usually needs to come from security and HR.
However, that relied on matching your hashes against a pre-defined wordlist, in that case the rockyou database, which is publicly available. After using CeWL you can add its output to the rockyou file for better results.
This article goes into a little more customization than the generic version; while this can also be done with hashcat, this particular guide, for variety, makes use of John the Ripper, which is part of Kali.
This entry also introduces some new tools for improving your wordlist with rules and munging; the new commands (for this entry) are:
CeWL (Custom Word List generator)
The point of this utility is that if you know people's favourite things, you can get a list of "common phrases" from websites and use those phrases in your password wordlist to crack passwords, so the attack is targeted using known attributes of the people.
On the man page it is defined as "a ruby app which spiders a given URL, up to a specified depth, and returns a list of words which can then be used for password crackers such as John the Ripper".
The syntax for that would be as follows, if you wish to get it from the remote site:
cewl https://<remote domain>
CAUTION: this may set off alerts and alarms, as it is an intrusion activity, so rather than target a live domain it is safer to download the website HTML, start a python instance listening on a custom port and scan that.
Taking this into account, let's create a subdirectory now:
mkdir bears.local
cd bears.local
Now we are here, visit the website you want a custom wordlist from and save it as an HTML file. We do not care about the images, only the HTML content, so we can do that with wget:
wget www.bear.local
That will download only the index.html file from the target website. Now we need a web server to serve that file to CeWL on Kali; python's built-in server will do (the port is given explicitly so it matches the URL used below):
python3 -m http.server 8080
That will start a local server listening on port 8080.
All good, start a new terminal session (the web server is running in the current one) and get the content from the web server with this (plain http, since python's server does not do TLS):
cewl http://127.0.0.1:8080
You will then get your wordlist from that website, which will include common words and duplicates, which is not good, so I used Google Bard to remove all the common words; yes, that is the Google AI, nothing like getting AI to do the boring work.
You then get a list of common words to use in your cracking attempts, which is quite cool.
The list above came from text I grabbed from a website; it made a list 960 words long, but when Google AI did its job of removing "common words" it dropped to 460 words, which we can then apply rules to; that comes later.
Rules: One Rule to Rule Them All
You can get more from here. However, the summary from the website is as follows:
Password cracking is a staple part of pentesting and with a few exceptions, dictionary/rule based attacks are the predominant method in getting those ever-elusive plain text values. Cracking rigs have afforded pentesters and blackhats alike the ability to throw a few graphics cards at some hashes and achieve phenomenal speeds, for example, earlier this year an 8-GPU system broke 500GH/s against NTLM hashes (that’s over 500 billion hashes/second). Be afraid Windows passwords… be very afraid.
Time is limited during a pentest and after acquiring a load of hashes you’ll quickly want to crack as many as you can. NotSoSecure decided to have a look at the success rates of different rules that are commonly used and @Stealthsploit has been looking at deriving a custom rule based from these tests that can better help satisfy his clear text cravings.
This sounds very promising indeed; this then takes you to the GitHub page, which can be found
here
Let’s clone that GitHub page to get the file with this:
git clone https://github.com/NotSoSecure/password_cracking_rules
For me this will be placed in the folder called /test; it may be different for you.
Munge
This converts a wordlist into "l33t"-speak passwords, as you will see in a moment, but first we need to get it, which you can do from here
Or in the words from the website "A dirty little python script to munge dictionary words into possible passwords"
First we need to get the repo with this:
git clone https://github.com/Th3S3cr3tAg3nt/Munge
Then we need to run the python script with v2, not v3, of python:
python2 munge.py -l 9 -i /test/words -o ~/test/newlist
This will then give us a list of modified passwords like this, which includes all the silly things people do, like turning CheeseGrater into Ch3353Grat3r and similar awful stuff; that can now be added to a wordlist.
Hashcat with Wordlist and Rules
Now we need to run the cracker (hashcat in the commands below; the same can be done with John the Ripper) with the hash file and the rules file, as you can see below. You have two options, the original words from CeWL and the munged ones; take your pick.
Generic Syntax
hashcat -m 1000 <user hashes> <password file> --force -r <rule list> --debug-mode=1
CeWL Option + Rules
hashcat -m 1000 ../Hashes.txt ../cewl-list.txt --force -r OneRuleToRuleThemAll.rule --debug-mode=1
Munge Option + Rules
hashcat -m 1000 ../Hashes.txt ../munge-list.txt --force -r OneRuleToRuleThemAll.rule --debug-mode=1
Pass the Hash - really simple
Once you have the hashed password value, even if you don't successfully crack it back to plaintext, you can use that hash to log in remotely as that user; this is called pass the hash.
Careful: many security products will detect pass-the-hash activity and will probably notify your security team that it's been going on. Again, I stress this is for education and learning.
You have two options if you wish to try this: you could use "evil-winrm" to get a remote shell as that user, or, if it's a remote desktop session, you could use the utility "xfreerdp" to open a remote desktop session as that user.
evil-winrm
If you know the hash of the user you wish to gain remote access as (which you do), the command is this:
evil-winrm -i <ip address> -u <username> -H <hash>
IP is the address of the host where the victim is logged in; the username needs to be fully qualified, so for a workgroup it's just the username and for a domain it's domain\user; the -H must be a capital H.
xfreerdp
This will connect a remote desktop session using the command below; obviously for this you will need the GUI on Kali, as you will not be able to emulate this via a shell.
xfreerdp /v:<ip address> /u:<username> /pth:<hash>
Password Advice 🐻
While the advice has always been to have a secure password, or better yet to use a password manager to remember all your passwords, many people still don't get the message.
If you are in the habit of taking your favourite football club, putting special characters at the end and making certain letters numbers, and you consider this very secure: it's not.
Then there is the advice about three or more words, but that advice gets lost in translation as well; humans being human will pick words clearly in the dictionary, and many will pick words that don't mean anything to them, for example:
KingfisherCloudGecko12@
While that is technically secure, it doesn't mean anything to you, and it's also three dictionary words with numbers at the end, which, as this article pretty much shows, rule lists and Munge can be told to generate from a wordlist.
The other problem is password reuse: many people use the same password on multiple websites with some magical hieroglyphics at the end to fool the human brain into thinking it's secure. The problem arises when one of those websites leaks data and exposes your username and password; if you're using the same password on multiple websites you are instantly compromised, taking your password from eight quadrillion years to crack down to a couple of minutes or hours.
Password managers are key to success in the fight against compromised accounts: a password manager requires one master password that you need to remember, and all your other passwords are remembered for you by that one account, which now includes MFA. However, I would spread your MFA tokens across different applications like Authy, Microsoft Authenticator and Google Authenticator; don't put all your eggs in one so-called philosophical basket.
Then, if you've never heard of MFA or 2FA, you have a problem; where a service offers it, it almost certainly needs to be enabled, as it is another line of defense against threat actors. These secondary authentication prompts are not foolproof though: MFA exhaustion is where you continually get an MFA prompt until you tap approve because it's irritating your human brain 🧠, so even with secondary authentication you still need to remain vigilant about the authentications you approve.
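The two ideas above (cleaning a CeWL dump into a custom wordlist, and the fact that munged or "three words plus digits" passwords are just dictionary words in disguise) can be turned into a defensive check. The example below is added here and is not from the original post or from the CeWL/Munge projects; the raw CeWL output, the stopword set and the reverse-munge map are constructed assumptions. It normalises a candidate password (strips a trailing digit/symbol suffix, undoes common l33t substitutions) and reports whether it decomposes entirely into words from the custom list, which is what a password-policy filter would reject.

```python
import re
from typing import List, Optional

# Constructed sample of raw CeWL output: one word per line, with the
# duplicates and common words the post says need removing.
RAW_CEWL = """the
Bears
honey
the
and
Cheese
grater
Kingfisher
cloud
gecko
with
Honey
"""

# Assumed stopword set (the post had Google Bard do this step).
STOPWORDS = {"the", "and", "with", "for", "from", "that", "this"}

# Reverse of the substitutions munge applies (CheeseGrater -> Ch3353Grat3r).
DEMUNGE = str.maketrans({"3": "e", "5": "s", "4": "a", "0": "o", "1": "i",
                         "7": "t", "@": "a", "$": "s"})

def clean_wordlist(raw: str, min_len: int = 4) -> List[str]:
    """Lowercase, dedupe and drop stopwords/short words, keeping first-seen order."""
    words: List[str] = []
    for w in raw.split():
        w = w.lower()
        if len(w) >= min_len and w not in STOPWORDS and w not in words:
            words.append(w)
    return words

def normalise(password: str) -> str:
    """Undo typical munging: strip a trailing digit/symbol suffix, reverse l33t, lowercase."""
    core = re.sub(r"[\d\W_]+$", "", password)
    return core.translate(DEMUNGE).lower()

def decompose(text: str, words: set) -> Optional[List[str]]:
    """Backtracking split of text into dictionary words; None if no exact cover exists."""
    if not text:
        return []
    for i in range(len(text), 0, -1):
        if text[:i] in words:
            rest = decompose(text[i:], words)
            if rest is not None:
                return [text[:i]] + rest
    return None

def is_guessable(password: str, wordlist: List[str]) -> bool:
    """True when the password is only wordlist words plus a munge/suffix, i.e. rule-crackable."""
    core = normalise(password)
    return bool(core) and decompose(core, set(wordlist)) is not None
```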
Passkeys - Drop Password
The future is to get rid of the password, so there's nothing to crack, and to move with the ever evolving landscape of keeping things secure; that is already happening and it's called a passkey. A passkey does not require a password; all you need is your username and a token on your device, which is stored securely so it can't be breached.
This is also the case for all my Kali Linux servers: I don't connect to them with a username and password, I connect with my passkey, which happens to be securely stored in 1Password (no, this is not a sales pitch).
Login ID/Username
This is the final point about keeping yourself secure: your email address is public, and there is nothing you can do about that; it's the one bit of information you need to give a stranger if you wish to receive emails.
However, this does not need to be the same as all your usernames or login IDs. At work, Active Directory illustrates this beautifully: the attribute "mail" is your public mail address, which for many companies follows the format "FirstName.Surname@Company.Extension"; this is pretty standard in many organizations. However, the login ID, which in Windows is called your UPN or user principal name, does not have to be the same as your email address; in many companies it is, because for supportability it makes more sense.
Keeping these values the same not only gives threat actors your email address publicly, it also gives them your internal login ID, whether that is the UPN or the NetBIOS name (the pre-Windows 2000 login ID, limited to eight characters).
As an example, take my local domain, which is non-routable so please don't try anything stupid; that domain is bears.local, and this is how one of my accounts is set up:
My email address is lee@diepiggydiedie.com
Login ID is ubergeekbear@bears.local
In this example my public email address is not the same as my actual internal login, so if someone exposes my email address, which is quite common if you use it as your username, my internal login ID is not made public at the same time.
Username mixup
Internally that is very easy to accomplish because it's an update to an attribute in Active Directory; externally it's not that simple, unless you own your own domain or use an email anonymizing service.
This is an actual example for me: unfortunately hair grows, which means you need to get it cut, and this is handled by an application called Booksy. I don't trust applications like this, so I'm not about to expose my actual email address to those services, because when you do, the free service usually sells your email to every bulk mailing company on the planet, so for using that apparently free service you end up with an inbox full of crap.
Protect yourself with services like "Hide My Email"; then you have the option to delete the email alias or prevent forwarding to your actual email. Your move, spammers.