First step in brute force attack is generating username and password list and a strong and limited password list is very important for brute force attack or any password attack. Many tools in kali Linux are used for this purpose. In my book I will discuss two tools of kali Linux to generate a list for usernames or password.
a) CEWL:
It is very important too of kali Linux that is used to generate a password list related to our target. It is mostly used to generate a password list for brute force attack on a website for its username and password. As we provide link of our target website to cewl takes words used in this website that we can save in file.
But there is a question that why we save all the word used in a website? Answer is that mostly the username and password are words that are used in (description) or (programming) of website. So, we save the word of a website in our password list. In this case chances of username and password cracking during brute force attack increase.
So, cewl is very best tool and we must learn it completely for website hacking by brute force attack. Now we will different commands of cewl to generate different types of password list.
TO SEE ALLL OPTIONS OF CEWL:
(cewl -h)
TO GENRATE A SIMPLE PASSWORD LIST:
(cewl + link of website -w + filename) e.g.
(cewl http://www.facebook.com/ -w facebook.txt)
Password list from target
TO GENERATE A LIST SMALL LETTERS WORDS:
(cewl + link of website --lowercase -w + filename) e.g.
(cewl http://vulnweb.com –lowercase -w vulnweb.txt)
TO COLLECT MORE WORDS FROM MORE DEPTH OF WEBSITE:
(cewl + link of website -d + depth -w + filename) e.g.
(cewl http://www.google.com/ -d 4 -w google.txt)
TO SEE DETAILS DURING GENERATING A PASSWORD LIST:
(cewl + link of website -v -w + filename) e.g.
(cewl http://example.com/ -v -w example.txt)
TO CHECK THE OCCURANCE OF A WORD OR ITS REPEAT NUMBERS IN WEBSITE:
(cewl + link of web -c | more) e.g.
(cewl http://example.com/ -c |more)
TO SET MINIMUM LENGTH OF WORDS IN PASSWORD LIST:
(cewl + link of website -m + no. -w + filename) e.g.
(cewl http://alibaba.com/ -m 5 -w ali.txt)
This command will provide you the minimum length of password 5 and up to five.
TO GENERATE A LIST WITH NUMBER AND WORD COMBINATIONS:
(cewl + link of website --with-number -w + filename) e.g.
(cewl https://www.sans.org/ --with-numbers --w sans.txt)
TO GENERATE A LIST CONSISTING OF EMAIL ADDRESSES:
(cewl + link of website -n -e -w + filename) e.g.
(cewl https://www.sans.org/ -n -e -w email.txt)
TO BYPASS THE FIREWALL DURING GENERATING LIST OPEN THE BURP SUITE AND RUN THE FOLLOWING COMMAND IN TERMINAL:
(cewl + link of website --proxy_host 127.0.0.1 --proxy_port 8080 -w + filename)
Then change your user agent in burp suit. You must use proxy host and port as you used in burp suit.
Word list with emails of target
These were some main commands of cewl. You can use other options also. You must use mixture of options during generating strong password list. Cewl will help you very much during brute force attack so good luck for cewl.
b) CRUNCH:
It is very powerful password list generating tool of kali Linux. We can generate password list of any type with crunch. It is very small tool and easy to use. Mostly pre install in new versions of kali Linux if not then you can install it using following command.
(apt-get install crunch -y)
Crunch has only one command to generate a password list, that is;
(crunch + minimum length of password + maximum length of password + type of words which you want to include your list -o + filename to save) e.g.
(Crunch 4 8 1234567890abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ%@&^ -o password.txt)
As a result crunch will provide you a list consisting of different combinations of words provided by you in command. This list can be used in brute force attack. So, you must use crunch. Best of luck for crunch.