
Password profiling with CeWL

In every penetration test, reconnaissance must include a profiling phase in which we analyze the application, department or process names, and other words used by the target organization. This helps us determine the combinations that personnel are more likely to use when they need to set a user name or password.

In this recipe, we will use CeWL to retrieve a list of words used by an application and save it for when we try to brute-force the login page.

How to do it...

  1. As the first step, we will look at CeWL's help to have a better idea of what it can do. In the terminal, type:
    cewl --help
    
  2. We will use CeWL to get the words on the WackoPicko application from vulnerable_vm. We want words with a minimum length of five characters (-m 5), the word count shown (-c), and the results saved to cewl_WackoPicko.txt (-w):
    cewl -w cewl_WackoPicko.txt -c -m 5 http://192.168.56.102/WackoPicko/
    
  3. Now, we open the file that CeWL just created and see a list of "word count" pairs. This list still needs some filtering in order to discard words that have a high count but are not very likely to be used as passwords; for example, "Services", "Content", or "information".
  4. Let's delete some words to have a first version of our word list. Our word list, after having removed some words and the count, should look similar to the following example:
    WackoPicko
    Users
    person
    unauthorized
    Login
    Guestbook
    Admin
    access
    password
    Upload
    agree
    Member
    posted
    personal
    responsible
    account
    illegal
    applications
    Membership
    profile
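
The filtering in steps 3 and 4 can also feed a defensive check: the same site-derived words make a deny-list for screening new passwords. The following is an added example, not code from the book or from CeWL; the "word, count" line layout, the sample data, and all function names are assumptions made for illustration.

```python
import re

# Constructed sample of a CeWL -c output file; the "word, count" layout is assumed.
SAMPLE = """\
WackoPicko, 32
Services, 20
Users, 14
Content, 12
Admin, 9
information, 8
Guestbook, 6
"""

# High-count words the recipe names as unlikely passwords (step 3).
GENERIC = {"services", "content", "information"}

# Common character substitutions folded back to letters before matching.
LEET = str.maketrans("4@310$57", "aaeiosst")


def load_profile(text, min_len=5, generic=GENERIC):
    """Parse 'word, count' lines, drop the counts and the generic words."""
    words = set()
    for line in text.splitlines():
        word, sep, count = line.rpartition(",")
        if not sep or not count.strip().isdigit():
            continue  # skip blank or malformed lines
        word = word.strip().lower()
        if len(word) >= min_len and word not in generic:
            words.add(word)
    return words


def normalize(password):
    """Lower-case, undo simple substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))


def matches_profile(password, profile):
    """Return the profile words contained in the normalized password."""
    core = normalize(password)
    return sorted(w for w in profile if w in core)


if __name__ == "__main__":
    profile = load_profile(SAMPLE)
    for candidate in ("W4ck0P1cko2016!", "correct horse battery"):
        print(candidate, "->", matches_profile(candidate, profile) or "ok")
```

A password-change handler could reject any candidate for which matches_profile returns a non-empty list.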

How it works...

CeWL is a tool in Kali Linux that crawls a website and extracts a list of individual words; it can also provide the number of repetitions for each word, save the results to a file, use the page's metadata, and so on.

See also

There are other tools for similar purposes; some of them generate word lists based on rules or other word lists and some crawl a website looking for the most used words:

  • Crunch: This is a generator based on a character set provided by the user. It uses this set to generate all the possible combinations. Crunch is included in Kali Linux.
  • Wordlist Maker (WLM): WLM has the feature of generating a word list based on the character sets and it can also extract words from text files and web pages (http://www.pentestplus.co.uk/wlm.htm).
  • Common User Password Profiler (CUPP): This tool can use a word list to profile the possible passwords for common user names and download word lists and default passwords from a database (https://github.com/Mebus/cupp).