Scraping Potential Passwords from a Target’s Website using CeWL


Welcome back, my novice hackers!

In my series on cracking passwords, I began by showing off some basic password-cracking principles; developed an efficient password-cracking strategy; demonstrated how to use Hashcat, one of the most powerful password-cracking programs; and showed how to create a custom wordlist using Crunch. In this tutorial, I will show you how to create a custom wordlist based upon the industry, business or personal interests of the target using CeWL.

Most password-cracking programs are only as good as the wordlist that you provide them. Brute-force password cracking is very tedious and time consuming, but if you can find an appropriate and well-designed wordlist that is specific to the user whose password you are trying to crack, you can save yourself hours—maybe even days—of password cracking.

Crunch is great at creating wordlists based upon a set of rules such as the number of characters, the character set, etc., but it doesn’t enable us to build a wordlist that is particular to a business, industry or set of interests. We humans are not always very creative and often fall back on the familiar, especially when generating passwords. Understanding that helps us find potential passwords and generate a relevant password list.

For instance, employees at a construction company are more likely to use words for passwords that are used in their industry, such as lumber, girder, build, soffit, eave, etc. People in the drug industry are more likely to have passwords such as prescription, drug, narcotic, barbiturate, etc. You get the idea.

It’s simply human nature that words that we use in our everyday experience will first pop into our heads when we are considering passwords. That’s why so many people use their pet’s name, spouse’s names, children’s names, birthdates, street address, anniversaries, etc. They aren’t very creative and use words and numbers that first come to mind.

We can use this lack of creativity to develop a specific wordlist for a specific company, industry or person. That’s what CeWL can do for us. It’s designed to grab words from the company’s or person’s website to create a wordlist specific to that company or person in order to crack passwords of the users at that business.

Let’s get started.

Step #1 Fire Up Kali & CeWL Help

First, fire up Kali and open a terminal. Next, let’s type the “cewl” command and get its help screen.

  • kali > cewl --help

Note the depth (-d) and the min_word_length (-m) switches. The -d switch determines how deep (the default is 2) into the website CeWL will crawl grabbing words, and the -m switch determines the minimum length of words it will grab. Since most firms have a minimum password length, there’s no need to grab short words. In this case, I will be setting the minimum to 7 letters.

Step #2 Build a Custom List with CeWL

Now, to build a custom wordlist, we set CeWL to scraping words from the website of our friends at SANS Institute. We can do this by typing:

  • kali > cewl -w customwordlist.txt -d 5 -m 7 www.sans.org

Let’s break that down.

  • -w customwordlist.txt: the -w means write to the file name that follows.

  • -d 5: the depth (in this case, 5) to which CeWL will crawl the website.

  • -m 7: the minimum word length; in this case it will grab words of 7 characters minimum.

  • www.sans.org: the website we are crawling.

This command will then crawl the sans.org website to a link depth of 5, grabbing words at least 7 letters long. After several hours of crawling through the website, CeWL places all of the words it found into the file customwordlist.txt. We can then open it with any text editor; in this case, we will use Leafpad.

  • kali > leafpad customwordlist.txt

This will open the file of scraped words.

Note that these words are a reflection of the industry that SANS Institute is in—information security.

Step #3 Combine This List with a List Generated by Crunch

Now, combine this wordlist with another wordlist, or one generated by Crunch. Place these words first, as they are specific to this user or company and are more likely to be correct.

Of course, we can use CeWL to create custom wordlists for password-cracking targets other than employees at a particular company. For instance, if we know the individual who is our target is a soccer fan, we can use CeWL to crawl a soccer site to grab soccer-related words. That is, we can use CeWL to create specific password lists based upon just about any subject area by simply crawling a website to grab potential keywords.
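
Because passwords built on an organization's own vocabulary are the ones a site-derived list finds first, the same kind of list can be used to screen new passwords before they are accepted. The following is an added example, not part of the original tutorial or of CeWL: the function names are hypothetical, the sample words are constructed, and it assumes the one-word-per-line file that -w writes.

```python
import re

# Constructed sample standing in for a CeWL output file (one word per line).
SAMPLE_WORDLIST = """Security
Training
Certification
Forensics
Penetration
Cyber
"""

# Common character substitutions; "1" and "!" are ambiguous, so try both readings.
_BASE = {"0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
_TABLES = [
    str.maketrans({**_BASE, "1": "i", "!": "i"}),
    str.maketrans({**_BASE, "1": "l", "!": "l"}),
]

def load_words(text, min_len=7):
    """Return lower-cased words of at least min_len characters (mirrors -m 7)."""
    stripped = (line.strip() for line in text.splitlines())
    return {w.lower() for w in stripped if len(w) >= min_len}

def _letters(s):
    """Keep only a-z so appended digits and symbols do not hide the base word."""
    return re.sub(r"[^a-z]", "", s)

def site_word_in_password(password, words):
    """Return the site-derived word a password is built on, or None."""
    lowered = password.lower()
    # First candidate drops digits/symbols; the others undo substitutions first.
    candidates = [_letters(lowered)] + [_letters(lowered.translate(t)) for t in _TABLES]
    # Longest word first so the most specific match is reported.
    for word in sorted(words, key=lambda w: (-len(w), w)):
        if any(word in cand for cand in candidates):
            return word
    return None

if __name__ == "__main__":
    banned = load_words(SAMPLE_WORDLIST)
    for pw in ["Forensics2024!", "P3n3tr@t10n", "correct-horse-battery-staple"]:
        hit = site_word_in_password(pw, banned)
        print(f"{pw!r}: {'reject, contains ' + hit if hit else 'ok'}")
```

A password-change hook can call site_word_in_password and refuse any password for which it returns a word.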

Stay tuned: we will continue to explore new and better ways to crack passwords in this series, so keep coming back, my novice hackers!