Hey There,

As we all know, brute forcing authentication credentials is amongst the top 3 vulnerabilities on the web. In fact, it's moved up to being the second most-used attack vector in the OWASP Top 10 2013 list, from its third position in the OWASP Top 10 2010 list.

This means as security testers, we need tons of password lists with us to use. So what are the various ways in which we can collect and add more passwords to our list?

Some of the methods I use are here:

1. Burp Suite Intruder

If you are using Burp Intruder, (especially the professional version) you have access to a lot of different types of payloads. They can be listed as:

(Taken from http://portswigger.net/burp/help/intruder_payloads_types.html)

2. John The Ripper’s default password lists

This configuration itself is really excellent. However, you also need separate lists to feed your hungry-panda John The Ripper! (JTR)

The default list for JTR is available when you install JTR. To invoke JTR, type $john passwd - this file is available in the same directory as john.

OR you can specify to John the password list to use with $john <password_file_and_path>

3. So many other tools with Kali - You can check out this link to see the other tools and their tutorials on how to use them.

Now to the subject of discussion… what are some really good ways to access a huge password list:

1. This site has a collection of 10,000 passwords in zipped format along with the frequency of use  

2. Try using Athena 2.0 which is available at http://www.project2025.com/athena.php This is a real work of art. It crawls the whole web and looks for passwords and proxies - cool, ain't it! - The latest version of Athena is here: http://www.project2025.com/AthenaII.zip

3. Then there's Pastebin and also PastebinLeaks - the best way to search for passwords on pastebin.com is:

On Chrome type pastebin.com and press Tab

Then type “passwords” or “password” or “cracks” without the quotes

PastebinLeaks is an aggregator (RSS Feed website) for Pastebin and has some really cool hacks and passwords from pastebin.com

4. A Google Advanced Search can get you tons of stuff. Some of the searches can be:

inurl:passwords filetype:xls

inurl:admin intext:password

filetype:xls password OR passwords OR cracks

(username=* | username:* |) | ( ((password=* | password:*) | (passwd=* | passwd:*) | (credentials=* | credentials:*)) | ((hash=* | hash:*) | (md5:* | md5=*)) | (inurl:auth | inurl:passwd | inurl:pass) ) filetype:log

"login: *" "password= *" filetype:xls

And many many more searches can be obtained at www.exploit-db.com/ghdb/

5. Go to filestube.com and search for password files of various types (xls, txt, rtf, doc, pdf etc) - http://www.filestube.to/query.html?q=password+xls&select=All

6. Torrent sites have a ton of password files in them. You can check them out and download 

You can also check out the other techniques used for password farming

Then there’s this post about the top 500 worst passwords. Take time to read through some of the comments, they lead to setting up more password collections… 

Hope this helps in some way...

Thanks,

WTHack

Can we hack you before the hackers do?
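The frequency-ranked lists the post collects (item 1 above, "10,000 passwords in zipped format along with the frequency of use") are exactly what a registration or password-change form should reject, so that the guesses a tester would try first never get set in the first place. Below is an added example of that defensive check; it is not code from the original post or from any tool named in it. The password list is a small constructed sample packed into an in-memory zip in the same password-tab-frequency shape; the file name passwords.txt, the tab separator and the 8-character minimum are assumptions, and a real deployment would load a full list from disk.

```python
"""Weak-password check against a frequency-ranked common-password list.

Added example, not part of the original post. The list below is a constructed
sample in an assumed "password<TAB>count" layout, packed into an in-memory zip
the way the post describes such lists being distributed.
"""
import io
import zipfile
from typing import Dict, Tuple

# Constructed sample, NOT a real leaked list: password, then an observed count.
SAMPLE_LIST = """\
password\t32027
123456\t25969
12345678\t8667
qwerty\t5436
letmein\t1842
Summer2014\t920
"""


def normalise(pw: str) -> str:
    """Lower-case and trim so 'Password' matches the listed 'password'."""
    return pw.strip().lower()


def build_sample_zip() -> bytes:
    """Pack the constructed list into a zip archive held in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("passwords.txt", SAMPLE_LIST)  # assumed member name
    return buf.getvalue()


def load_denylist(zip_bytes: bytes) -> Dict[str, int]:
    """Read every member of the zip; return {normalised_password: total count}.

    Lines without a numeric count are kept with a count of 1, so plain
    one-password-per-line lists load through the same path.
    """
    denylist: Dict[str, int] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            text = zf.read(name).decode("utf-8", errors="replace")
            for raw in text.splitlines():
                parts = raw.strip().split("\t")
                if not parts or not parts[0]:
                    continue  # blank line
                count = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 1
                key = normalise(parts[0])
                denylist[key] = denylist.get(key, 0) + count
    return denylist


def check_password(candidate: str, denylist: Dict[str, int],
                   min_len: int = 8) -> Tuple[bool, str]:
    """Return (accepted, reason).

    Rejects candidates shorter than min_len (assumed policy) or present in the
    denylist after normalisation; the reason string is suitable for showing to
    the user, since it reveals nothing beyond the list itself.
    """
    if len(candidate) < min_len:
        return False, f"shorter than {min_len} characters"
    key = normalise(candidate)
    if key in denylist:
        return False, f"appears in common-password list ({denylist[key]} occurrences)"
    return True, "ok"


if __name__ == "__main__":
    deny = load_denylist(build_sample_zip())
    for pw in ("PASSWORD", "Summer2014", "short", "correct horse battery staple"):
        print(pw, "->", check_password(pw, deny))
```

The check normalises case before the lookup so that trivial variations of a listed entry are still caught; the frequency column is carried through so that a site can choose to block only entries above some count if it wants a shorter list.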


Comment by ☠☠ pɐuɹɐʞ uɐɹıʞ ☠☠ on June 11, 2014 at 6:33pm

Also if you're looking for a place to get tons of hashed passwords for any Rainbow attacks, check out this site: http://openwall.info/wiki/john/sample-hashes
