Jump to content

Web Application Testing: Password Lists


loftrat
 Share

Recommended Posts

Evening All :)

I'm soon to be doing a bit of web app testing on one of our internal sites. It's only very small, and there's not a lot of dynamic content, so I'm not expecting there to be very many 'interesting' issues ;)

One thing that I'm almost positive that I'm going to see is either 1) basic auth, or 2) a brute-forceable login page (with no lockouts, and no tarpitting). I'd like to really go to town on the authentication, because I think that's going to be the only place that there's really going to be a problem.

For this though I'm going to need a seriously comprehensive password list to run through Burp (or similar). Ideally I'd be looking for something that contains masses of dictionary words, or (probably better still) a list of all the possible combinations of letters numbers up to a reasonable length password (say 14 characters). This would then automatically include a whole host of 'real' words, but would cover other bases as well.

Anybody know of, or have, such a list - or (if necessary) have a tool that would allow me to create one?

I don't need any hashes or anything, just plain text passwords.

Cheers all :)

Link to comment
Share on other sites

Backtrack always has a password list in each distro. I forget the path to the folder, but its under /pentesting.

Link to comment
Share on other sites

Did consider that (thanks :) ), but I don't think it's a particularly large list.

It should suffice if they've chosen something blindingly obvious, but I think it's more likely to be something a bit more esoteric or maybe random.

Link to comment
Share on other sites

Just saying, for the wordlist you talked about, assuming my calculations are correct, there are approximately 1.496x10^26 combinations of strings for every character on a normal keyboard (I count 74) with a length of 1 to 14. if one does only the 36 letters and numbers that goes down to 6.316x10^21

That could translate to a file of:

176498198800000002031616 bytes or

172361522265625001984 kilobytes or

168321799087524416 megabytes or

164376756921410.56 gigabytes or

160524176681.065002 terabytes or

156761891.2901025 petabytes or

153087.78446299 exabytes

sorry about the useless reply, I couldn't help it

Link to comment
Share on other sites

Don't know how long it will be till I get things posted but I just did a rainbow table and password list swapshop at Shmoocon so I've now got a large collection of both. Some time in the next week I'll try to go through them all and get them listed and available for download.

I'll try to remember to post to here when I do but I'll definitely be posting it to my twitter list, @digininja

Link to comment
Share on other sites

  • 2 weeks later...
Link to comment
Share on other sites

  • 1 month later...

That's what I've been looking for. Thanks for posting that up.

Edited by Infiltrator
Link to comment
Share on other sites

i have a 25 or something gb word list if you are still needing one

Hell yeah, if you could that will be much appreciated.

Link to comment
Share on other sites

Hell yeah, if you could that will be much appreciated.

alright, total size is 80mb so will take a while as my upload speed is horrible, ill pm you if you wish and post it in this topic when its done

also size=26.7gb when looking at the compressed file in archive, and 28gb it is titled, also total size of rar is 74.4mb

is rapidshare good?

Link to comment
Share on other sites

alright, total size is 80mb so will take a while as my upload speed is horrible, ill pm you if you wish and post it in this topic when its done

also size=26.7gb when looking at the compressed file in archive, and 28gb it is titled, also total size of rar is 74.4mb

is rapidshare good?

As long as I can download it, it's good enough for me. Again, thank you very much.

Link to comment
Share on other sites

That isn't the one that is just the equivalent of a brute force list starting at a and ending at zzzzzz is it? A friend came to me with an amazing huge word list around the same size and it turned out to be just that and so was pretty useless in the end.

Link to comment
Share on other sites

That isn't the one that is just the equivalent of a brute force list starting at a and ending at zzzzzz is it? A friend came to me with an amazing huge word list around the same size and it turned out to be just that and so was pretty useless in the end.

err tbh im actually not sure, as the only time i unrar'ed it was on windows and i was unable to open the file through standard notepad, and ive never needed to use it as i have smaller files that i update with any new passwords i find or use

Link to comment
Share on other sites

That isn't the one that is just the equivalent of a brute force list starting at a and ending at zzzzzz is it? A friend came to me with an amazing huge word list around the same size and it turned out to be just that and so was pretty useless in the end.

Dictionary attacks are not as efficient as brute force attack is, in the end no matter how large the password list is it will never be that efficient.

But yes you are right.

Link to comment
Share on other sites

alright, uploading now

So how are you doing with that large password list? Finished uploading it yet or gave up.

Link to comment
Share on other sites

shit i fell asleep and laptop went to standby. will do tommorow at work

No dramas. Whenever you can.

Link to comment
Share on other sites

lol @burningaces

I am also intrestted in this file ;)

That's not just a file, it could be multiple large files. But it should make my password cracking job easy.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...