Web Application Testing: Password Lists

[loftrat]

Evening All :)

I'm soon to be doing a bit of web app testing on one of our internal sites. It's only very small, and there's not a lot of dynamic content, so I'm not expecting there to be very many 'interesting' issues ;)

One thing that I'm almost positive that I'm going to see is either 1) basic auth, or 2) a brute-forceable login page (with no lockouts, and no tarpitting). I'd like to really go to town on the authentication, because I think that's going to be the only place that there's really going to be a problem.

For this though I'm going to need a seriously comprehensive password list to run through Burp (or similar). Ideally I'd be looking for something that contains masses of dictionary words, or (probably better still) a list of all the possible combinations of letters numbers up to a reasonable length password (say 14 characters). This would then automatically include a whole host of 'real' words, but would cover other bases as well.

Anybody know of, or have, such a list - or (if necessary) have a tool that would allow me to create one?

I don't need any hashes or anything, just plain text passwords.

Cheers all :)

[digip]

Backtrack always has a password list in each distro. I forget the path to the folder, but its under /pentesting.

[loftrat]

Did consider that (thanks :) ), but I don't think it's a particularly large list.

It should suffice if they've chosen something blindingly obvious, but I think it's more likely to be something a bit more esoteric or maybe random.

[pizzaguy]

Just saying, for the wordlist you talked about, assuming my calculations are correct, there are approximately 1.496x10^26 combinations of strings for every character on a normal keyboard (I count 74) with a length of 1 to 14. if one does only the 36 letters and numbers that goes down to 6.316x10^21

That could translate to a file of:

176498198800000002031616 bytes or

172361522265625001984 kilobytes or

168321799087524416 megabytes or

164376756921410.56 gigabytes or

160524176681.065002 terabytes or

156761891.2901025 petabytes or

153087.78446299 exabytes

sorry about the useless reply, I couldn't help it

[digininja]

Don't know how long it will be till I get things posted but I just did a rainbow table and password list swapshop at Shmoocon so I've now got a large collection of both. Some time in the next week I'll try to go through them all and get them listed and available for download.

I'll try to remember to post to here when I do but I'll definitely be posting it to my twitter list, @digininja

[loftrat]

@pizzaguy: Think I'm gonna need a bigger hard drive :D :D

@digininja: Thanks, if you could that would be useful :)

[operat0r_001]

My personal wordlist :)

ADDED 2.3GIG wordlist

* theargonlistver2_wordlist.zip (83meg) > .rar(154meg) > .lst ( plan text 1.9gigs)

* ran john on it and sort and uniq

* results in 2.3G wordlist no dupes

* DOWNLOAD:

<a href="http://rapidshare.com/files/165513464/word.lst.s.u.john.s.u.200.part01.rar">word.lst.s.u.john.s.u.200.part01.rar</a><br>

<a href="http://rapidshare.com/files/165518143/word.lst.s.u.john.s.u.200.part02.rar">word.lst.s.u.john.s.u.200.part02.rar</a><br>

<a href="http://rapidshare.com/files/165498510/word.lst.s.u.john.s.u.200.part03.rar">word.lst.s.u.john.s.u.200.part03.rar</a>

http://trac.kismac-ng.org/wiki/wordlists

[mubix]

<snip>

http://trac.kismac-ng.org/wiki/wordlists

Thats an awesome source of lists. Thanks!

[Infiltrator]

My personal wordlist :)

ADDED 2.3GIG wordlist

* theargonlistver2_wordlist.zip (83meg) > .rar(154meg) > .lst ( plan text 1.9gigs)

* ran john on it and sort and uniq

* results in 2.3G wordlist no dupes

* DOWNLOAD:

<a href="http://rapidshare.com/files/165513464/word.lst.s.u.john.s.u.200.part01.rar">word.lst.s.u.john.s.u.200.part01.rar</a><br>

<a href="http://rapidshare.com/files/165518143/word.lst.s.u.john.s.u.200.part02.rar">word.lst.s.u.john.s.u.200.part02.rar</a><br>

<a href="http://rapidshare.com/files/165498510/word.lst.s.u.john.s.u.200.part03.rar">word.lst.s.u.john.s.u.200.part03.rar</a>

http://trac.kismac-ng.org/wiki/wordlists

That's what I've been looking for. Thanks for posting that up.

Edited April 3, 2010 by Infiltrator

[Burning Aces]

i have a 25 or something gb word list if you are still needing one

[Infiltrator]

i have a 25 or something gb word list if you are still needing one

Hell yeah, if you could that will be much appreciated.

[Burning Aces]

Hell yeah, if you could that will be much appreciated.

alright, total size is 80mb so will take a while as my upload speed is horrible, ill pm you if you wish and post it in this topic when its done

also size=26.7gb when looking at the compressed file in archive, and 28gb it is titled, also total size of rar is 74.4mb

is rapidshare good?

[Infiltrator]

alright, total size is 80mb so will take a while as my upload speed is horrible, ill pm you if you wish and post it in this topic when its done

also size=26.7gb when looking at the compressed file in archive, and 28gb it is titled, also total size of rar is 74.4mb

is rapidshare good?

As long as I can download it, it's good enough for me. Again, thank you very much.

[Burning Aces]

As long as I can download it, it's good enough for me. Again, thank you very much.

alright, uploading now

[digininja]

That isn't the one that is just the equivalent of a brute force list starting at a and ending at zzzzzz is it? A friend came to me with an amazing huge word list around the same size and it turned out to be just that and so was pretty useless in the end.

[Burning Aces]

That isn't the one that is just the equivalent of a brute force list starting at a and ending at zzzzzz is it? A friend came to me with an amazing huge word list around the same size and it turned out to be just that and so was pretty useless in the end.

err tbh im actually not sure, as the only time i unrar'ed it was on windows and i was unable to open the file through standard notepad, and ive never needed to use it as i have smaller files that i update with any new passwords i find or use

[Infiltrator]

That isn't the one that is just the equivalent of a brute force list starting at a and ending at zzzzzz is it? A friend came to me with an amazing huge word list around the same size and it turned out to be just that and so was pretty useless in the end.

Dictionary attacks are not as efficient as brute force attack is, in the end no matter how large the password list is it will never be that efficient.

But yes you are right.

[digininja]

If you want to check it unrar it in linux then use head to check the start and tail to check the end, if it looks like sequential chars then you've got the brute force dictionary

[Burning Aces]

If you want to check it unrar it in linux then use head to check the start and tail to check the end, if it looks like sequential chars then you've got the brute force dictionary

ugh ill leave it extracting over night, and post here tommorow

[Infiltrator]

alright, uploading now

So how are you doing with that large password list? Finished uploading it yet or gave up.

[Burning Aces]

So how are you doing with that large password list? Finished uploading it yet or gave up.

shit i fell asleep and laptop went to standby. will do tommorow at work

[Infiltrator]

shit i fell asleep and laptop went to standby. will do tommorow at work

No dramas. Whenever you can.

[wqevwevqwevqwrevwfd]

lol @burningaces

I am also intrestted in this file ;)

[Infiltrator]

lol @burningaces

I am also intrestted in this file ;)

That's not just a file, it could be multiple large files. But it should make my password cracking job easy.

[Burning Aces]

That's not just a file, it could be multiple large files. But it should make my password cracking job easy.

its one really large file, uploading to my rapidshare account tommorow..lol