loftrat Posted February 9, 2010 Share Posted February 9, 2010 Evening All :) I'm soon to be doing a bit of web app testing on one of our internal sites. It's only very small, and there's not a lot of dynamic content, so I'm not expecting there to be very many 'interesting' issues ;) One thing that I'm almost positive that I'm going to see is either 1) basic auth, or 2) a brute-forceable login page (with no lockouts, and no tarpitting). I'd like to really go to town on the authentication, because I think that's going to be the only place that there's really going to be a problem. For this though I'm going to need a seriously comprehensive password list to run through Burp (or similar). Ideally I'd be looking for something that contains masses of dictionary words, or (probably better still) a list of all the possible combinations of letters numbers up to a reasonable length password (say 14 characters). This would then automatically include a whole host of 'real' words, but would cover other bases as well. Anybody know of, or have, such a list - or (if necessary) have a tool that would allow me to create one? I don't need any hashes or anything, just plain text passwords. Cheers all :) Quote Link to comment Share on other sites More sharing options...
digip Posted February 9, 2010 Share Posted February 9, 2010 Backtrack always has a password list in each distro. I forget the path to the folder, but its under /pentesting. Quote Link to comment Share on other sites More sharing options...
loftrat Posted February 9, 2010 Author Share Posted February 9, 2010 Did consider that (thanks :) ), but I don't think it's a particularly large list. It should suffice if they've chosen something blindingly obvious, but I think it's more likely to be something a bit more esoteric or maybe random. Quote Link to comment Share on other sites More sharing options...
pizzaguy Posted February 10, 2010 Share Posted February 10, 2010 Just saying, for the wordlist you talked about, assuming my calculations are correct, there are approximately 1.496x10^26 combinations of strings for every character on a normal keyboard (I count 74) with a length of 1 to 14. if one does only the 36 letters and numbers that goes down to 6.316x10^21 That could translate to a file of: 176498198800000002031616 bytes or 172361522265625001984 kilobytes or 168321799087524416 megabytes or 164376756921410.56 gigabytes or 160524176681.065002 terabytes or 156761891.2901025 petabytes or 153087.78446299 exabytes sorry about the useless reply, I couldn't help it Quote Link to comment Share on other sites More sharing options...
digininja Posted February 10, 2010 Share Posted February 10, 2010 Don't know how long it will be till I get things posted but I just did a rainbow table and password list swapshop at Shmoocon so I've now got a large collection of both. Some time in the next week I'll try to go through them all and get them listed and available for download. I'll try to remember to post to here when I do but I'll definitely be posting it to my twitter list, @digininja Quote Link to comment Share on other sites More sharing options...
loftrat Posted February 10, 2010 Author Share Posted February 10, 2010 @pizzaguy: Think I'm gonna need a bigger hard drive :D :D @digininja: Thanks, if you could that would be useful :) Quote Link to comment Share on other sites More sharing options...
operat0r_001 Posted February 19, 2010 Share Posted February 19, 2010 My personal wordlist :) ADDED 2.3GIG wordlist * theargonlistver2_wordlist.zip (83meg) > .rar(154meg) > .lst ( plan text 1.9gigs) * ran john on it and sort and uniq * results in 2.3G wordlist no dupes * DOWNLOAD: <a href="http://rapidshare.com/files/165513464/word.lst.s.u.john.s.u.200.part01.rar">word.lst.s.u.john.s.u.200.part01.rar</a><br> <a href="http://rapidshare.com/files/165518143/word.lst.s.u.john.s.u.200.part02.rar">word.lst.s.u.john.s.u.200.part02.rar</a><br> <a href="http://rapidshare.com/files/165498510/word.lst.s.u.john.s.u.200.part03.rar">word.lst.s.u.john.s.u.200.part03.rar</a> http://trac.kismac-ng.org/wiki/wordlists Quote Link to comment Share on other sites More sharing options...
mubix Posted February 21, 2010 Share Posted February 21, 2010 <snip> http://trac.kismac-ng.org/wiki/wordlists Thats an awesome source of lists. Thanks! Quote Link to comment Share on other sites More sharing options...
Infiltrator Posted April 3, 2010 Share Posted April 3, 2010 (edited) My personal wordlist :) ADDED 2.3GIG wordlist * theargonlistver2_wordlist.zip (83meg) > .rar(154meg) > .lst ( plan text 1.9gigs) * ran john on it and sort and uniq * results in 2.3G wordlist no dupes * DOWNLOAD: <a href="http://rapidshare.com/files/165513464/word.lst.s.u.john.s.u.200.part01.rar">word.lst.s.u.john.s.u.200.part01.rar</a><br> <a href="http://rapidshare.com/files/165518143/word.lst.s.u.john.s.u.200.part02.rar">word.lst.s.u.john.s.u.200.part02.rar</a><br> <a href="http://rapidshare.com/files/165498510/word.lst.s.u.john.s.u.200.part03.rar">word.lst.s.u.john.s.u.200.part03.rar</a> http://trac.kismac-ng.org/wiki/wordlists That's what I've been looking for. Thanks for posting that up. Edited April 3, 2010 by Infiltrator Quote Link to comment Share on other sites More sharing options...
Burning Aces Posted April 3, 2010 Share Posted April 3, 2010 i have a 25 or something gb word list if you are still needing one Quote Link to comment Share on other sites More sharing options...
Infiltrator Posted April 4, 2010 Share Posted April 4, 2010 i have a 25 or something gb word list if you are still needing one Hell yeah, if you could that will be much appreciated. Quote Link to comment Share on other sites More sharing options...
Burning Aces Posted April 4, 2010 Share Posted April 4, 2010 Hell yeah, if you could that will be much appreciated. alright, total size is 80mb so will take a while as my upload speed is horrible, ill pm you if you wish and post it in this topic when its done also size=26.7gb when looking at the compressed file in archive, and 28gb it is titled, also total size of rar is 74.4mb is rapidshare good? Quote Link to comment Share on other sites More sharing options...
Infiltrator Posted April 4, 2010 Share Posted April 4, 2010 alright, total size is 80mb so will take a while as my upload speed is horrible, ill pm you if you wish and post it in this topic when its done also size=26.7gb when looking at the compressed file in archive, and 28gb it is titled, also total size of rar is 74.4mb is rapidshare good? As long as I can download it, it's good enough for me. Again, thank you very much. Quote Link to comment Share on other sites More sharing options...
Burning Aces Posted April 4, 2010 Share Posted April 4, 2010 As long as I can download it, it's good enough for me. Again, thank you very much. alright, uploading now Quote Link to comment Share on other sites More sharing options...
digininja Posted April 4, 2010 Share Posted April 4, 2010 That isn't the one that is just the equivalent of a brute force list starting at a and ending at zzzzzz is it? A friend came to me with an amazing huge word list around the same size and it turned out to be just that and so was pretty useless in the end. Quote Link to comment Share on other sites More sharing options...
Burning Aces Posted April 4, 2010 Share Posted April 4, 2010 That isn't the one that is just the equivalent of a brute force list starting at a and ending at zzzzzz is it? A friend came to me with an amazing huge word list around the same size and it turned out to be just that and so was pretty useless in the end. err tbh im actually not sure, as the only time i unrar'ed it was on windows and i was unable to open the file through standard notepad, and ive never needed to use it as i have smaller files that i update with any new passwords i find or use Quote Link to comment Share on other sites More sharing options...
Infiltrator Posted April 4, 2010 Share Posted April 4, 2010 That isn't the one that is just the equivalent of a brute force list starting at a and ending at zzzzzz is it? A friend came to me with an amazing huge word list around the same size and it turned out to be just that and so was pretty useless in the end. Dictionary attacks are not as efficient as brute force attack is, in the end no matter how large the password list is it will never be that efficient. But yes you are right. Quote Link to comment Share on other sites More sharing options...
digininja Posted April 4, 2010 Share Posted April 4, 2010 If you want to check it unrar it in linux then use head to check the start and tail to check the end, if it looks like sequential chars then you've got the brute force dictionary Quote Link to comment Share on other sites More sharing options...
Burning Aces Posted April 4, 2010 Share Posted April 4, 2010 If you want to check it unrar it in linux then use head to check the start and tail to check the end, if it looks like sequential chars then you've got the brute force dictionary ugh ill leave it extracting over night, and post here tommorow Quote Link to comment Share on other sites More sharing options...
Infiltrator Posted April 6, 2010 Share Posted April 6, 2010 alright, uploading now So how are you doing with that large password list? Finished uploading it yet or gave up. Quote Link to comment Share on other sites More sharing options...
Burning Aces Posted April 6, 2010 Share Posted April 6, 2010 So how are you doing with that large password list? Finished uploading it yet or gave up. shit i fell asleep and laptop went to standby. will do tommorow at work Quote Link to comment Share on other sites More sharing options...
Infiltrator Posted April 7, 2010 Share Posted April 7, 2010 shit i fell asleep and laptop went to standby. will do tommorow at work No dramas. Whenever you can. Quote Link to comment Share on other sites More sharing options...
wqevwevqwevqwrevwfd Posted April 10, 2010 Share Posted April 10, 2010 lol @burningaces I am also intrestted in this file ;) Quote Link to comment Share on other sites More sharing options...
Infiltrator Posted April 11, 2010 Share Posted April 11, 2010 lol @burningaces I am also intrestted in this file ;) That's not just a file, it could be multiple large files. But it should make my password cracking job easy. Quote Link to comment Share on other sites More sharing options...
Burning Aces Posted April 11, 2010 Share Posted April 11, 2010 That's not just a file, it could be multiple large files. But it should make my password cracking job easy. its one really large file, uploading to my rapidshare account tommorow..lol Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.