
How to Crack Passwords, Part-2 (making wordlist)



As we saw in the previous part, to hack any password we should make a good wordlist. For that we can use social engineering or any guessing method, but of course guessing works in very few cases, and even when it works it can take weeks or months to get the password. So here we will see how to make a wordlist to crack passwords.

Many of our password cracking methods need a wordlist, from which the cracking tool will essentially attempt thousands of potential passwords per second. This is often referred to as a dictionary attack.

Despite the fact that it is slow, you have to learn the brute-force attack if you want to be a hacker, as it will help you a lot at many stages, and for that you need a good wordlist.

Using Pre-built Dictionary

The good thing about Kali Linux is that it gives you some pre-built wordlists which can help you at tough times. One of the main ones is rockyou.txt; you can find this wordlist with cd /usr/share/wordlists/ .

Rockyou.txt is a wordlist that consists of real-life passwords taken from accounts that were compromised at some point in time. So it contains words that people actually use. You can see the passwords inside this wordlist with nano rockyou.txt.

But always keep in mind that it contains a large number of passwords, so in real life it can take you a lot of time to work through it. You also have less chance of success, as passwords depend on your victim and rockyou contains only some general passwords. So the next 2 methods will be more useful for you.

Crunch

Crunch is a pre-built tool inside Kali Linux and it is easy to use. You can open it by typing crunch inside your terminal.

To see the usage of crunch you can type man crunch inside your terminal (man means manual), which will show you how to use crunch effectively.

Let’s see how to make a wordlist with crunch.

In the command crunch 2 5 -o wordlist.txt , 2 is the minimum length and 5 is the maximum length. Here -o is used to save the output in a file so that we can use it further for brute-forcing.

Similarly we can use crunch 4 6 1234567 -o wordlist.txt , where 1234567 indicates that our wordlist will contain only these digits. So yes, crunch is a good tool, mainly if you social engineer your target or collect his/her information from social media, which will help you to create a good wordlist.

Cupp

This is my favourite tool for making wordlists. You can download it from GitHub by searching for cupp github in your browser, then copying the GitHub link into your terminal as git clone <url>.git , which will download the tool.

It is a very easy tool to use: just go inside your cupp directory and type ./cupp.py -i .

The best thing about cupp is that it asks for many pieces of personal information about the victim and makes a wordlist according to that. If you don’t want to give a specific piece of information, just press enter. Again, for collecting information you can use various social media.

So yes, I suggest you use cupp, as it will make a more specific wordlist according to the victim. You can also use ./cupp.py -h to see some more options.
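Seen from the defender's side, the same profile-based guessing can be run at password-set time to reject passwords built from a user's own details or found in a breached list. This is an added example, not code from the original post or from cupp; the profile fields, the small sample list and the substitution table are assumptions made for illustration.

```python
import re

# Constructed stand-in for a breached-password list such as rockyou.txt.
COMMON = {"123456", "password", "iloveyou", "qwerty", "princess"}
# Undo common character substitutions before comparing (assumed set, not cupp's rules).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def profile_tokens(profile):
    """Split profile fields into name-like words (plus reversals) and digit fragments."""
    words, digits = set(), set()
    for value in profile.values():
        for part in re.findall(r"[A-Za-z]+|\d+", value):
            if part.isdigit():
                digits.add(part)
                if len(part) == 4:            # a year: also catch its two-digit form
                    digits.add(part[2:])
            elif len(part) >= 3:
                words.update({part.lower(), part.lower()[::-1]})
        joined = "".join(re.findall(r"\d", value))
        if len(joined) >= 4:                  # e.g. a date typed without separators
            digits.add(joined)
    return words, digits


def check_password(password, profile):
    """Return the reasons a password is guessable; an empty list means it passed."""
    reasons = []
    lowered = password.lower()
    normalized = lowered.translate(LEET)
    if lowered in COMMON or normalized in COMMON:
        reasons.append("appears in breached-password list")
    words, digits = profile_tokens(profile)
    word_hits = sorted(w for w in words if w in lowered or w in normalized)
    if word_hits:
        reasons.append("contains profile word: " + ", ".join(word_hits))
    digit_hits = sorted(set(re.findall(r"\d+", password)) & digits)
    if digit_hits:
        reasons.append("contains profile number: " + ", ".join(digit_hits))
    return reasons


# Constructed sample profile and candidate passwords.
PROFILE = {"first_name": "Alice", "surname": "Moreau", "pet": "Rex",
           "birthdate": "1990-07-14"}

if __name__ == "__main__":
    for candidate in ["R3x1990!", "P@ssw0rd", "ecilA#quartz-lamp", "violet-harbor-canoe-62"]:
        print(candidate, "->", check_password(candidate, PROFILE) or "ok")
```

In a real deployment the COMMON set would be loaded from a full breached-password file, and the check would run before the password is hashed and stored.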

So I hope this helps you in making wordlists. Practice making wordlists on your own, as it will give you more confidence. And never try to brute force any machine/website/application that you do not own, as it will cause you trouble. You can try these attacks on machines like OWASP, Metasploitable, etc., as these are made for that purpose only.

In my post how to hack facebook you can see the easier method, phishing, which can give you passwords much more easily but also requires good social engineering. But of course brute-forcing is equally important.

 
