Using the CUPP Tool to Generate Powerful Password Lists
What is CUPP, exactly? CUPP is a powerful tool that creates a wordlist specifically for one person. CUPP is cross-platform and written in Python. It asks you questions about the target (name, wife's name, pet's name, phone number...) and then creates passwords based on the keywords you entered.
But how exactly does CUPP work?
Humans, no matter how unique we think we are, show the same patterns when it comes to passwords. We usually pick passwords that are easy to remember, so we put personal things into them. For example, someone could easily remember a password that contains his birthday and the name of his wife. If they have a wife named Lucy and were born on 05/07/1978, they could have a password like "Lucy05071978".
CUPP exploits these "algorithms," which are hardwired in humans, to generate a very effective wordlist.
STEP 1: Fire Up Kali and Git CUPP
Our first step, of course, is to fire up Kali, our beloved hacking system. Once we have Kali up and running, we need to make a directory in our home directory to store our CUPP files. Enter this command:
mkdir CUPP
Then, navigate to that directory:
cd CUPP
Once inside the CUPP directory, go ahead and enter the following line into your terminal:
git clone https://github.com/Mebus/cupp.git
If git doesn't work, you probably don't have it installed. If so, enter this command:
apt-get update && apt-get install git
If everything goes alright, you should receive an output like this:
STEP 2: The Configuration File
Like a lot of hacking tools, CUPP also has a configuration file. Let's explore and manipulate its options.
When we use the ls command after cloning CUPP, we can see that a new folder named "cupp" has been created. When we navigate into that folder, we see the following items:
- cupp.py
- cupp.cfg
- docs, which is a directory
- README.md (you can read this if you're bored).
leafpad cupp.cfg
You will see a screen with many options. For now, we want to focus on the "1337 mode" and special chars settings.
1337 mode simply goes through all the passwords CUPP generated, replaces, for example, "a" with 4 in each password, and adds the new password to the wordlist. This mode makes your wordlist larger, but it increases your chances of success BY TONS. However, we want "a" to be equal to "@" as well. To do that, simply add this line under "leet":
a=@
Special characters will also be added randomly at the end of the passwords generated by CUPP. I will not edit these, but if you want to, you can simply add a character to the list. The other settings are quite self-explanatory.
STEP 3: Using CUPP
We'll finally begin using CUPP. Start CUPP in interactive mode by invoking this command:
python cupp.py -i
You'll need to enter all the info of your target. You can get this info by "doxing" your target. But, as an example, my "target" will be John Smith:
- He's an electrician
- He was born on 05/10/1987
- He goes by the nickname "Tirrian"
- He has a wife named Barbara, but we don't know her nickname.
- We know his wife was born on 14/07/1989.
- He also has a son named Alex. We don't know his nickname either, but we know his son was born on 19/03/2005.
- We also know he has a dog named Laika
- He owns a company named ElectricFab. (no copyright infringement intended, if this fictional company actually exists.)
- We know he's a huge soccer fan and supporter of Real Madrid
Search John.txt for the Password
Simply open john.txt.
Once it's open, click "Search" and then click "Find". Then, enter John's password. Guess what? CUPP successfully guessed John's password!
How can I protect myself?
Simply don't use a password associated with you or your life. I personally make difficult passwords using "password" sentences. They're extremely difficult to crack, but really easy for you to remember.
Try it: Take a random sentence you can remember. For example: "My girlfriend is ten times more attractive than my Religion teacher!" can be translated to "Mgi10XmatmRt!". That there is a really good password, if you ask me.
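A defensive check for the advice above, as an added example that is not part of the original article or of CUPP itself: it flags a candidate password that contains the owner's personal keywords or date fragments, including leet spellings such as a=4 and a=@. The function names, the reverse-leet table and the sample profile (the fictional John Smith from this article) are assumptions.

```python
# Reverse of common leet substitutions (assumed table). It includes the
# a=4 and a=@ mappings discussed in the article. The mapping is one-to-one,
# which is a simplification: "1" could also stand for "l", for example.
UNLEET = str.maketrans({"4": "a", "@": "a", "8": "b", "3": "e", "1": "i",
                        "!": "i", "0": "o", "5": "s", "$": "s", "7": "t"})


def personal_tokens(words, dates):
    """Lowercase keywords plus date fragments (dates given as DD/MM/YYYY)."""
    tokens = {w.lower() for w in words if len(w) >= 3}
    for date in dates:
        dd, mm, yyyy = date.split("/")
        tokens |= {yyyy, dd + mm, mm + dd}
    return tokens


def find_personal_tokens(password, words, dates):
    """Return the sorted personal tokens found in the password.

    Date fragments are matched against the raw password, because undoing
    leet turns digits into letters. Keywords are also matched against the
    un-leeted form, so "L41k4" is recognised as "laika".
    """
    raw = password.lower()
    normalised = raw.translate(UNLEET)
    return sorted(t for t in personal_tokens(words, dates)
                  if t in raw or t in normalised)


# Constructed sample profile, taken from the fictional target in this article.
PROFILE_WORDS = ["John", "Smith", "Tirrian", "Barbara", "Alex", "Laika",
                 "ElectricFab", "Real", "Madrid"]
PROFILE_DATES = ["05/10/1987", "14/07/1989", "19/03/2005"]

if __name__ == "__main__":
    for candidate in ["L41k4_1987!", "B@rbara1407", "Mgi10XmatmRt!"]:
        hits = find_personal_tokens(candidate, PROFILE_WORDS, PROFILE_DATES)
        verdict = "reject, contains " + ", ".join(hits) if hits else "ok"
        print(f"{candidate}: {verdict}")
```

An empty result only means the password is not built from the listed keywords; it says nothing about its length or overall strength.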
Finally! I found this information useful, so I shared this with you. I hope you enjoyed this article. And, I'm sorry if I missed something. It's my first time typing an article.