-[ Password profiling using wyd.pl ]-
-[ Exemplary usage 1: Penetration testing on a public internet server ]-
-[ Preface ]-
During a penetration test on a public internet server, a POP3
service and a web server could be identified. It was possible to
gather some information about possible usernames, but no password
could be guessed.
After testing the default wordlist available in the tester's toolset,
none of the accounts could be successfully cracked.
-[ Usage of the password profiling technique ]-
Because the tester has access to the company's website, he has a good
resource of possible passwords. Product names, locations, slang or
specific jargon words are often used as user passwords. Loyalty to
the company/product might be one reason, lack of creativity and
simplicity another.
-[ Gathering the website ]-
Using any website mirroring tool the whole website can be
retrieved. "wget -r" does a great job at that. Let's give it a
shot:
mkdir ~/target-website
cd ~/target-website
wget -r http://www.target-website.com
After a while, wget has fetched the whole website content into the
local directory. The authors suggest getting as much data as possible.
See "man wget" for more detailed usage of wget.
-[ Profiling - Round one ]-
To generate a customized list of potential passwords, use
"wyd.pl":
wyd.pl -o ~/possible-passwords.txt ~/target-website
That's it. After a few minutes, depending on the amount of data from
the website, wyd.pl has finished and you will have a file with
potential passwords (~/possible-passwords.txt).
-[ Profiling - Round two ]-
A lot of people don't have a common word as a password. They often
use a word like "London" and add something like "123" so they
get "London123". Those are permutations of common words.
At first sight this seems difficult to guess, but the
de facto standard password cracker "John the cracker" has a lot
of preconfigured permutation / mangling rules. To further enhance
our first results, we use "john" to permute our gathered info
and get a more complete possible-password list with modifications.
There are two ways of doing this: either use UNIX pipes to
combine wyd.pl and john, or use the existing
~/possible-passwords.txt file as input to john. The authors
suggest the latter, because it allows more control.
./john --rules --wordlist=~/possible-passwords.txt --stdout
If you like, you can add ">> ~/possible-passwords-mangled.txt" to
that command to write the output to a file instead of the console.
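The two profiling rounds above, as an added example that is not part of the original how-to and is neither wyd.pl nor john: a small shell stand-in that extracts candidate words from a mirrored directory with standard tools (round one) and applies a few hand-written mangling rules of the kind john's default --rules would apply (round two). The sample website, its product names and the mangling rules are constructed for illustration, so the script runs offline.

```shell
# Added example (not part of the original how-to, and not wyd.pl or john):
# a minimal stand-in for the "wyd.pl -> john --rules" pipeline described
# above, built from standard tools so it runs offline. The sample site,
# its product names and the mangling rules are constructed for illustration.

# make_sample_site DIR: write a tiny constructed "mirror" of a website.
make_sample_site() {
  dir="$1"
  mkdir -p "$dir/products"
  cat > "$dir/index.html" <<'EOF'
<html><body><h1>Acme Widgets</h1>
<p>Welcome to Acme. Our flagship product WidgetPro ships from Springfield.</p>
</body></html>
EOF
  cat > "$dir/products/list.txt" <<'EOF'
WidgetPro WidgetLite Springfield Acme acme
EOF
}

# profile_words DIR [MINLEN]: the "round one" step. Strips HTML tags,
# splits every file under DIR into alphanumeric tokens, keeps tokens of
# at least MINLEN characters (default 4) and prints each unique token
# once, most frequent first (frequency is a cheap proxy for "jargon the
# staff see every day").
profile_words() {
  dir="$1"; minlen="${2:-4}"
  find "$dir" -type f -exec cat {} + \
    | sed 's/<[^>]*>//g' \
    | tr -cs '[:alnum:]' '\n' \
    | grep -E "^.{${minlen},}$" \
    | sort | uniq -c | sort -rn \
    | awk '{print $2}'
}

# mangle: the "round two" step. Reads one word per line and emits the
# word plus a handful of variants in the spirit of john's default rules
# (case changes and common suffixes such as "123"), without duplicates.
# Real john rules are far richer; this only shows the idea.
mangle() {
  awk '{
    w = $0
    lw = tolower(w)
    cw = toupper(substr(lw, 1, 1)) substr(lw, 2)
    print w; print lw; print cw
    print w "1"; print w "123"; print w "!"; print cw "123"
  }' | awk '!seen[$0]++'
}

# build_wordlist DIR OUT: run both rounds and write the result to OUT.
build_wordlist() {
  profile_words "$1" | mangle > "$2"
}

# demo: run the whole pipeline on the constructed site and show the list.
demo() {
  site=$(mktemp -d)
  make_sample_site "$site"
  build_wordlist "$site" "$site/possible-passwords-mangled.txt"
  cat "$site/possible-passwords-mangled.txt"
  rm -rf "$site"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as "sh profile.sh demo" to see the list; on the constructed site "Acme" comes out first because it occurs most often, and "Acme123" appears in the mangled output. For a password audit the same list, pointed at the real mirror directory, is what you would feed to john or to the brute-forcer of your choice in place of the default wordlist.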
-[ The Attack ]-
It's not part of this how-to. Most often it's a simple dictionary
attack using commonly known brute-forcer tools and your custom
profiled dictionary.
-[ ------------------------------------------------------------------ ]-
-[ Exemplary usage 2: Crime investigation - Password protected file ]-
-[ Preface ]-
During a crime investigation some computer systems were
acquired as further evidence. After analyzing the acquired disk
images, possibly relevant files could be identified. Fraud.rar,
Planing.rar and Accounts.rar were password protected rar archives.
The rest of the files on the disks seemed to be regular data like
.mp3 files, Word files etc.
After testing the default wordlist available in the investigator's toolset,
none of the protected files could be extracted due to not
having the right password.
-[ Usage of the password profiling technique ]-
A disk image holds a complete copy of the data on the original hard
disk it was acquired from. Quite often, the passwords in use are stored
somewhere on a person's computer system or are related to them.
This may sound weird at first, but how many people you know
use the title of their favourite song as their password?
PDFs, presentations, documents and plain-text data are very likely
to hold at least part of the password of their user. By profiling the
accessible directories and files on the hard disk the investigators
may find the password in a short amount of time.
-[ Prepare the data ]-
Depending on the available system and disk space, the acquired image
can either be mounted or the accessible data can be copied to a
specific folder. This document does not contain details on how to
do this, but "losetup" or "mount -o loop" can help you here a lot.
For the rest of this document we assume that the relevant data is
stored on "/mnt/evidences".
-[ Continuation ]-
See the use case explanation from above.
-[ ------------------------------------------------------------------ ]-
-[ Additional information ]-
-[ Strings / Binary file inclusion ]-
wyd.pl has an additional option "-s", which takes a number as its
argument. When you have a lot of unsupported file formats, which are
not ASCII based, you can use this option to make wyd.pl parse all files
using the UNIX command "strings". The number defines the minimum number
of consecutive printable characters that must occur within a file
before "wyd.pl" will treat them as a word. The problem with strings is
that it detects a lot of useless "false positives". If you don't get
any success without the "-s" option, you can give wyd.pl another shot
with it.
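What the "-s" option does in effect, as an added example that is not wyd.pl's own code: wyd.pl hands unsupported files to strings(1), and the minimum length decides how much of the binary junk survives. The function below performs the same printable-run extraction with tr and grep so that it runs without binutils; the sample binary blob and the text embedded in it are constructed for illustration.

```shell
# Added example (not part of the original how-to, and not wyd.pl's own
# code): the effect of the "-s" option. wyd.pl hands unsupported files to
# strings(1); here the same printable-run extraction is done with tr and
# grep so the example runs without binutils. The sample binary file and
# its embedded text are constructed for illustration.

# printable_runs FILE MINLEN: print every run of at least MINLEN
# printable characters found in FILE, one per line. Every non-printable
# byte ends a run, just as "strings -n MINLEN" splits a file.
printable_runs() {
  file="$1"; minlen="$2"
  LC_ALL=C tr -c '[:print:]' '\n' < "$file" | grep -E "^.{${minlen},}$"
}

# make_sample_binary FILE: write a small constructed binary blob that
# mixes one long, meaningful run ("Springfield2024") with short junk runs
# of the kind that produce the false positives mentioned above.
make_sample_binary() {
  printf '\001\002hi\000\003Springfield2024\000\377\376x1\000abc\000' > "$1"
}

# demo: show how raising the minimum length trims the junk.
demo() {
  f=$(mktemp)
  make_sample_binary "$f"
  echo "minimum length 2:"; printable_runs "$f" 2
  echo "minimum length 4:"; printable_runs "$f" 4
  rm -f "$f"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

With a minimum length of 2 the blob yields four "words" (hi, Springfield2024, x1, abc), three of them noise; with 4 only Springfield2024 remains. That is the trade-off behind the number given to "-s": a low value makes the wordlist large and slow to try, a high value can drop a short but genuine password fragment.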