Using the CUPP Tool to Generate Powerful Password Lists

July 21, 2016 | Views: 10980

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

 

Welcome, CYBRARIES!
We’re going to look at a very nice tool called CUPP (The Common User Password Profiler).

step 1

 

What is CUPP, exactly?

CUPP is powerful tool that creates a wordlist, specifically for a person. CUPP is cross platform and written in Python. CUPP asks you questions about the target (name, wife’s name, pet’s name, phone number…) and then creates a password based on the keywords you entered.

But, how exactly does CUPP work?

Humans, no matter how much we think we’re unique, show the same patterns when it comes to passwords. We usually pick passwords that are easy to remember, so we include personal things into our passwords. For example, someone could easily remember a password that contains his birthday and the name of his wife. If they have a wife named Lucy and who was born on 05/07/1978, they could have password like “Lucy05071978”.

CUPP uses these “algorithms,” which are hardwired in humans and exploits them, to generate a very effective wordlist.

 

STEP 1:  Fire Up Kali and Git CUPP

Out first step is, of course, is to fire up Kali, our beloved hacking system. Once we have Kali up and running, we need to make a directory to store our CUPP files in our home directory. Enter this command:

mkdir CUPP

Then, navigate to that directory

cd CUPP

Once inside the CUPP directory, go ahead and enter the following line into your terminal:

git clone https://github.com/Mebus/cupp.git

If git doesn’t work, you probably don’t have it installed. if so, enter this command:

apt-get update && apt-get install git

 

If everything goes alright, you should receive an output like this:s<img src=Step 4:

 

STEP 2:  The Configuration File

Like a lot of hacking tools, CUPP also has a configuration file. Let’s explore and manipulate it’s options.

When we use the ls command after gitting CUPP, we can see that a new folder named “cupp” is created. When we navigate in that folder, we see the following items:

cupp.py
cupp.cfg
docs which is a directory
README.md (you can read this if you’re bored).

Let’s open the configuration with leafpad:

leafpad cupp.cfg

You will see a screen with many options. For now, we want to focus on the “1337 mode” and special chars settings.

What 1337 mode does is simply go through all the passwords CUPP generated and will replace, for example, “a” with 4 in that password, and add the new password to the wordlist. This mode makes your wordlist larger, but it increases your chances of success BY TONS. However, we want a to be equal to “@” as well. To that, simply add this line under “leet”.

a=@

Special characters will also be added randomly at the end of the passwords generated by CUPP. I will not edit these, but if you want to, you can simply add a character to it. The other settings are quite self explanatory.

 

STEP 3 : Using CUPP

We’ll finally begin using CUPP. Start CUPP in interactive mode by invoking this command:

python cupp.py -i

You’ll need to enter all the info of your target. You can get this info by “doxing” your target. But, as an example, my “target” will be John Smith:

  • He’s an electrician
  • He was born on 05/10/1987
  • He goes by the nickname “Tirrian”
  • He has a wife named Barbara, but we don’t know her nickname.
  • We know know his wife is born on 14/07/1989.
  • He also has a son named Alex, we also don’t know his nickname, but we know his son was born on 19/03/2005.
  • We also know he has a dog named Laika
  • He owns a company named ElectricFab. (no copyright infringement intended, if this fictional company actually exists.)
  • We know he’s a huge soccer fan and supporter of Real Madrid

John had to remember his password easily, so he made his password barbara, but replaced the a’s with @’s to make it more secure. He also added the birthday of his wife, which is 14/07, but without the dashes. so his password is:

B@rb@r@1407

Note: This password contains at least one capital letter, is 8 characters long, has a number in it, and has a special character, which are the minimum norms for passwords on most sites.

(ALSO, take note that JOHN SMITH IS NOT A REAL PERSON! Well,,ok, maybe there is a John Smith, but this one is completely out of my imagination and doesn’t exist in real life!)

When checking if CUPP can guess it, we CUPP generated a dictionary of 37 thousand possible passwords of John, called John.txt. Let’s see if we can find his password in the text file.

 

STEP 4: Search John.txt for the Password

Simply, open john.txt

leafpad john.txt

Once it’s, click “search” and click on “find”. Then, enter John’s password.

Guess what? CUPP successfully guessed John’s password!

 

How can I protect myself?

Simple don’t use a password associated with you or your life. I personally make difficult passwords using “password” sentences. They’re extremely difficult to crack, but really easy for you to remember.

Try it: Take a random sentence you can remember. For example: “My girlfriend is ten times more attractive than my Religion teacher!” can be translated to “Mgi10XmatmRt!”. That there, is a really good password. if you ask me.

 


Finally! I found this information useful, so I shared this with you. I hope you enjoyed this article. And, I’m sorry if I missed something. It’s my first time typing an article.

Share with Friends
FacebookTwitterLinkedInEmail
Use Cybytes and
Tip the Author!
Join
Share with Friends
FacebookTwitterLinkedInEmail
Ready to share your knowledge and expertise?
21 Comments
  1. Very nice man!

    Thanks

  2. Good info. Thanx

Page 4 of 4«1234
Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play
 

Support Cybrary

Donate Here to Get This Month's Donor Badge

 
Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?

Continue
Cancel