Password Profiling and Wordlist

Wordlists play a crucial role for professionals like, Penetration testers and cybersecurity experts, especially when it comes to activities related to passwords. These include Dictionary Attacks, Password Cracking, Brute-Force Attacks, Security Assessments, and Testing.

In essence, Wordlists are known to be the collection of words, phrases, or character combinations that are systematically used for various purposes within the field of cybersecurity.

Most importantly, when it comes to password-related activities, wordlists are the heart of the operation. They provide the potential password options necessary for effective testing. Imagine wordlists as a foundation upon which the entire process of penetration testing is built. 

If you're interested in delving into wordlists and learning the basics of password cracking, there's a resource linked below for you to explore.

Password Cracking: Methods and Tools

This article provides an in-depth exploration of various password cracking methods and tools used by cybersecurity professionals to assess and enhance password security. Understanding these techniques is crucial for effective security practices.

Wordlists come in two primary forms:

  1. Self-Generated Wordlist: This involves crafting your own collection of potential passwords using tools like crunch, cupp, and more. These tools allow you to tailor the wordlist to your specific needs.
  2. Pre-Built Wordlist: These wordlists are carefully assembled based on common and real-life passwords. They're ready to use and can save valuable time during testing.

Let's take a closer look at their applications within Kali Linux environment:

Pre-built WordLists

Pre-built wordlists come ready-made with a wide collection of potential passwords based on real-life scenarios. These wordlists are easily accessible in Kali Linux, and you can also manually download them from different websites.

The one commonly I use is "rockyou.txt" as well as the "CrackStation's Password Cracking Dictionary." But, CrackStation's Password Cracking Dictionary requires a lot of internet data for downloading, so I prefer "rockyou.txt" due to its accessibility.

You can conveniently locate various wordlist path, including "rockyou.txt," through a pre-installed application on your Kali Linux system. Simply access the main menu, under "Password Attack," section, you will notice the "Wordlists" application.

On click, you'll come across an array of directories and file locations housing the wordlists on terminal.

> wordlists ~ Contains the rockyou wordlist

├── amass -> /usr/share/amass/wordlists
├── dirb -> /usr/share/dirb/wordlists
├── dirbuster -> /usr/share/dirbuster/wordlists
├── fasttrack.txt -> /usr/share/set/src/fasttrack/wordlist.txt
├── fern-wifi -> /usr/share/fern-wifi-cracker/extras/wordlists
├── john.lst -> /usr/share/john/password.lst
├── metasploit -> /usr/share/metasploit-framework/data/wordlists
├── nmap.lst -> /usr/share/nmap/nselib/data/passwords.lst
├── rockyou.txt
├── sqlmap.txt -> /usr/share/sqlmap/data/txt/wordlist.txt
├── wfuzz -> /usr/share/wfuzz/wordlist
└── wifite.txt -> /usr/share/dict/wordlist-probable.txt

In particular, I've highlighted the "rockyou.txt," which resides within the /usr/share/wordlists directory.

If you wish to swiftly view the available wordlists within any directory, you can use the "ls -l" command followed by the specific path.

└─$ ls -l /usr/share/amass/wordlists
total 9624
-rw-r--r-- 1 root root 4576030 May  9 10:33 all.txt
-rw-r--r-- 1 root root 1426217 May  9 10:33 bitquark_subdomains_top100K.txt
-rw-r--r-- 1 root root    3384 May  9 10:33 deepmagic.com_top500prefixes.txt
-rw-r--r-- 1 root root  605754 May  9 10:33 deepmagic.com_top50kprefixes.txt
-rw-r--r-- 1 root root   14683 May  9 10:33 fierce_hostlist.txt
-rw-r--r-- 1 root root  921601 May  9 10:33 jhaddix_all.txt
-rw-r--r-- 1 root root  925145 May  9 10:33 sorted_knock_dnsrecon_fierce_recon-ng.txt
-rw-r--r-- 1 root root   58452 May  9 10:33 subdomains.lst
-rw-r--r-- 1 root root 1117832 May  9 10:33 subdomains-top1mil-110000.txt
-rw-r--r-- 1 root root  149229 May  9 10:33 subdomains-top1mil-20000.txt
-rw-r--r-- 1 root root   33771 May  9 10:33 subdomains-top1mil-5000.txt                                                                                                                                  

If you're interested in exploring the practical applications of these wordlists, the "John the Ripper" article is an excellent resource to dive into. 

John the Ripper and Johnny: Usage and Examples

This guide provides usage instructions and examples for John the Ripper and Johnny, two popular password cracking tools. These tools are widely used by cybersecurity professionals to assess and strengthen password security.

It provides insights into the usage and effectiveness of these tools for password-related tasks.

Generate a Wordlist

When pre-built wordlists failed to crack a password, self-generated wordlists step in, to improve our chances of success. These customized lists focus on the unique characteristics of the target, making password cracking more effective.

You can find various Password Profiling tools in the Password Attack sub-menu, such as, CeWL and crunch. But mostly, I use cupp password profile wordlist generator.

Let's explore these tool and learn the way to generate a wordlist.

CeWL: Custom Wordlist Generator

CeWL is a ruby app that spiders a given URL to a specified depth, optionally following external links, and returns a list of words that can then be used for password cracker.

To learn how to use it, either click on "Cewl" application, or run "cewl -h" command to access the help documentation.

└─$ cewl -h
CeWL 5.4.8 (Inclusion) Robin Wood ( (
Usage: cewl [OPTIONS] ... <url>

-h, --help: Show help.
-k, --keep: Keep the downloaded file.
-d <x>,--depth <x>: Depth to spider to, default 2.
-m, --min_word_length: Minimum word length, default 3.
-o, --offsite: Let the spider visit other sites.
--exclude: A file containing a list of paths to exclude
--allowed: A regex pattern that path must match to be followed
-w, --write: Write the output to the file.
-u, --ua <agent>: User agent to send.
-n, --no-words: Don't output the wordlist.
--lowercase: Lowercase all parsed words
--with-numbers: Accept words with numbers in as well as just letters
--convert-umlauts: Convert common ISO-8859-1 (Latin-1) umlauts (ä-ae, ö-oe, ü-ue, ß-ss)
-a, --meta: include meta data.
--meta_file file: Output file for meta data.
-e, --email: Include email addresses.
--email_file <file>: Output file for email addresses.
--meta-temp-dir <dir>: The temporary directory used by exiftool when parsing files, default /tmp.
-c, --count: Show the count for each word found.
-v, --verbose: Verbose.
--debug: Extra debug information.

--auth_type: Digest or basic.
--auth_user: Authentication username.
--auth_pass: Authentication password.

Proxy Support
--proxy_host: Proxy host.
--proxy_port: Proxy port, default 8080.
--proxy_username: Username for proxy, if required.
--proxy_password: Password for proxy, if required.

--header, -H: In format name:value - can pass multiple.

    <url>: The site to spider.

For this demonstration, let's generate a wordlist using CeWL

Our target will be

Open a terminal and start by entering following format: 

cewl <Target Host/URL> -w <custom-wordlist>


  • -w: Save the output string to a text file.

└─$ cewl -w cewl-wordlist.lst
CeWL 5.5.2 (Grouping) Robin Wood ( (

Afterward, you can use the "ls" command to list files and directories. You'll find the generated file there.Afterward, you can use the "ls" command to list files and directories. You'll find the generated file there.

└─$ ls

To take a look, open the file using a text editor like Nano. 

└─$ nano cewl-wordlist.lst

And there you have it!

Let’s try with an another parameter:


  • - C: show the count for each word found. Let’s see how. Here you see the count number on the right side of a word.
└─$ cewl -c
CeWL 5.5.2 (Grouping) Robin Wood ( (
Acunetix, 9
learn, 6
more, 6
the, 6
http, 5
vulnweb, 5       
com, 5
Review, 5
scanner, 5

Crunch: Generate Wordlists from Character set

Kali Linux offers a convenient solution for crafting your own dictionary, thanks to the tool known as Crunch.

To get started, first locate "Crunch" from application menu and click on it. 

This action will display it’s basic usage instructions on your terminal screen.

$ crunch
crunch version 3.6

Crunch can create a wordlist based on criteria you specify.  The output from crunch can be sent to the screen, file, or to another program.

Usage: crunch <min> <max> [options]
where min and max are numbers

Please refer to the man page for instructions and examples on how to use crunch.

But, if you want detailed information and it’s various examples, then access the manual page for Crunch by typing "man crunch."

└─$ man crunch 

Now, Let's generate a wordlist using Crunch:

Open a terminal and begin by following these command:

crunch <min-range><max-range>[<specify-desigered-string>] -o <output-file>

Now, run following command on terminal:

└─$ crunch 3 4 tech@12 -o crunch_test.txt
Crunch will now generate the following amount of data: 13377 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 2744 

crunch: 100% completed generating output

Upon execution, you can see the resulting wordlist. you can open it using any text-editor.

Crunch also allows you to create wordlists with specific word limits, letters, and even special characters – simply provide the relevant specifications.

CUPP - Common User Passwords Profiler

The most common way to authenticate a form is the combination of a username or password or passphrase. If both match values stored within a locally stored table, the user is authenticated for a connection.

Password strength is a measure of the difficulty involved in guessing or breaking the password through cryptographic techniques or library-based automated testing of alternate values.

  • A weak password might be very short or only use alphanumeric characters, making decryption simple. 
  • A weak password can also be one that is easily guessed by someone profiling the user, such as a birthday, nickname, address, name of a pet or relative, or a common word such as God, love, money, or password.

That is why CUPP comes in place, and it can be used in situations like legal penetration tests or forensic crime investigations.

Steps to Install & Usage

Cupp not come pre-installed with Kali Linux and so, we have to install it manually. Before installing CUPP on Kali Linux, update the repositories.

└─$ sudo apt update

To Install CUPP use the following commands:

└─$ sudo apt install cupp

4. After installation, execute the tool using the following command to access its help documentation. 

└─$ cupp --help                          
usage: cupp [-h] [-i | -w FILENAME | -l | -a | -v] [-q]

Common User Passwords Profiler

  -h, --help         show this help message and exit
  -i, --interactive  Interactive questions for user password profiling
  -w FILENAME        Use this option to improve existing dictionary, or output to make some pwnsauce
  -l                 Download huge wordlists from repository
  -a                 Parse default usernames and passwords directly from Alecto DB. Project Alecto uses purified databases of
                     Phenoelit and CIRT which were merged and enhanced
  -v, --version      Show the version of this program.
  -q, --quiet        Quiet mode (don't print banner)

Let's generate a wordlist using CUPP:

1. To Create a Wordlist using CUPP then run cupp in interactive mode:

└─$ cupp -i
[+] Insert the information about the victim to make a directory
[+] If you don't know all the info, just hit enter when asked! ;)

> First Name:
> Surname:
> Nickname:
> Birthdate (DDMMYYYY):

> Partners) name:
Partners) nickname: 
> Partners) birthdate (DDMMYYYY):

> Child's name:
> Child's nickname: 
> Child's birthdate (DDMMYYYY):

> Pet's name:
> Company name:

Do you want to add some keywords about the victim? n

2. In the end, it will presented with a wordlist. 

[+] Now making a dictionary...
[+] Sorting list and removing duplicates...
[+] Saving dictionary to wordlist.txt, counting 7324 words.
[+] Now load your pistolero with wordlist.txt and shoot! Good luck!

Post a Comment

If you have any doubts or any queries you can specify here.

Previous Post Next Post