Time
3 hours 55 minutes
Difficulty
Advanced
CEU/CPE
5

Video Description

In this lab, Subject Matter Expert Dean Pompilio demonstrates Cewl, a simple and useful tool for generating word lists for use with a password cracking tool. Cewl is built into Kali, or it can be downloaded and run from other UNIX systems. SME Pompilio gives an example of how a Social Engineer would use Cewl's spidering process to generate a word list for password cracking and how the output is evaluated. You will learn to

  • run the program
  • examine the Help function
  • understand the various options in Cewl
  • specify the spidering depth
  • specify word length
  • specify an output file
  • specify a proxy
  • determine whether to use the offsite parameter
  • search for metadata and save to a file
  • search for email addresses and save to a file

The large number of words (13,325) and email addresses (82) discovered by the process run in the example can be used with a password cracking tool, and those results will be used in your Social Engineering audit.
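To make the options in the list above concrete, here is an added Ruby illustration (Cewl itself is a Ruby script, but this is not Cewl's source and not code from the video). It crawls a small constructed in-memory "site" instead of a live host, so it runs offline, and it mirrors the knobs the demo walks through: spidering depth, minimum word length, the offsite decision, email harvesting, and the difference between a plain one-word-per-line list and a counted "word,N" list. The hostnames, page contents and email addresses are made up for the example.

```ruby
# Added illustration, not Cewl's own source: a miniature spider/word-list
# builder that mirrors the options the video walks through. It works over a
# constructed in-memory "site" (no network) so it runs offline.
require 'set'
require 'uri'

# Constructed sample site: two pages on example.test plus one offsite link.
SITE = {
  "https://example.test/" => <<~HTML,
    <html><body>
      <h1>Example Tools</h1>
      <p>Wireshark is a network protocol analyser. Contact: gerald@example.test</p>
      <a href="/tools/nmap">nmap page</a>
      <a href="https://other.test/mirror">mirror</a>
    </body></html>
  HTML
  "https://example.test/tools/nmap" => <<~HTML,
    <html><body>
      <p>Nmap scans networks. Maintainer: fyodor@example.test. Wireshark integration.</p>
    </body></html>
  HTML
}

EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/

# Replace tags with spaces so adjacent words do not run together.
def strip_tags(html)
  html.gsub(/<[^>]+>/, ' ')
end

# Alphanumeric runs of at least min_len characters (Cewl's -m; default 3).
def words_in(text, min_len)
  text.scan(/[[:alnum:]]+/).select { |w| w.length >= min_len }
end

# Breadth-first crawl up to `depth` link hops from `start` (Cewl's -d; default 2).
# Links whose host differs from the start host are skipped unless offsite is
# true, which is the "Offsite link, not following" behaviour seen in the demo.
def spider(start, depth: 2, min_len: 3, offsite: false, pages: SITE)
  start_host = URI(start).host
  seen, counts, emails, skipped = Set.new, Hash.new(0), Set.new, []
  queue = [[start, 0]]
  until queue.empty?
    url, hops = queue.shift
    next if seen.include?(url) || !pages.key?(url)   # visited, or not fetchable
    seen << url
    html = pages[url]
    text = strip_tags(html)
    words_in(text, min_len).each { |w| counts[w] += 1 }
    text.scan(EMAIL_RE).each { |e| emails << e }
    next if hops >= depth
    html.scan(/href="([^"]+)"/).flatten.each do |href|
      link = URI.join(url, href).to_s
      if !offsite && URI(link).host != start_host
        skipped << link
      else
        queue << [link, hops + 1]
      end
    end
  end
  { counts: counts, emails: emails.to_a.sort, skipped: skipped }
end

# Output format. Plain mode is one word per line, which is what John the
# Ripper and similar tools expect. with_count mimics Cewl's -c and produces
# "word,N" lines; a cracker fed that file would try the literal "Wireshark,2".
def wordlist(counts, with_count: false)
  words = counts.keys.sort
  with_count ? words.map { |w| "#{w},#{counts[w]}" } : words
end

if __FILE__ == $PROGRAM_NAME
  result = spider("https://example.test/")
  puts wordlist(result[:counts])          # dictionary-ready list
  puts "emails: #{result[:emails].join(', ')}"
  result[:skipped].each { |l| puts "Offsite link, not following: #{l}" }
end
```

For the real tool the same knobs are command-line flags: -d for depth, -m for minimum word length, -o for offsite, -w for the output file, -e with --email_file for addresses, --meta with --meta_file for metadata, -c for counts, -v for verbose, and --proxy_host/--proxy_port plus the --auth_type/--auth_user/--auth_pass options for proxies and authentication. Assuming those standard flag names, the run in the video is roughly cewl -v -w outfile.txt -e --email_file email.txt followed by the tools.kali.org URL. A quick sanity check on any list you hand to a cracker is that no line contains a comma, which is exactly what the counted variant above breaks.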

Video Transcription

00:05
Hello, everyone. This is Dean Pompilio,
00:09
and in this demo we're going to be looking at a tool called Cewl.
00:15
Cewl is very useful.
00:17
What you can do with this tool is actually
00:21
generate word lists for
00:24
possible usage with a password cracking tool.
00:29
So on the tools.kali.org website, you can go ahead and find this
00:35
tool called Cewl.
00:38
It's built into Kali already. But of course, you can download it and run it from other,
00:43
uh,
00:45
UNIX systems.
00:49
We've got an example here of a sample command.
00:54
But instead of looking at this,
00:57
why don't we actually look at the help
00:59
display from the command line?
01:02
So I'll go ahead and run Cewl.
01:11
Sorry, I have to specify the
01:12
extension. All right. There again,
01:19
you can specify the depth for the spidering. This defaults to two layers.
01:25
Also a minimum word length.
01:29
This defaults to three.
01:30
You may want to choose something a little bit larger in order to make the process run faster.
01:38
So it will, uh,
01:40
be a little bit quicker if you choose larger words, and those larger words are more likely to be
01:46
used as a password anyway, so it makes sense to do that.
01:51
We can also
01:53
specify this offsite parameter.
01:56
If you don't use the --offsite,
02:00
then the spidering will stay within the URL that you designate.
02:07
So, depending on your goals during your pen test audit,
02:10
that may be something you want to explore.
02:14
If you do allow the offsite
02:16
command to be used, obviously the spidering will take much longer
02:22
because of the visiting of other websites and, you know, foreign links, basically.
02:29
We can specify an output file
02:31
to save this information that gets generated.
02:37
We can also search for metadata and save that to an output file.
02:42
And the metadata may be useful for password clues. There could be some comments or some other
02:50
information in the metadata that is useful, but
02:53
for the example, we're just going to
02:55
explore the regular content of the website.
03:00
We can also search for email addresses
03:04
and then specify an output file for saving those.
03:10
Other options that might be useful: you may want to count
03:14
the number of instances of a given word that gets discovered on a website.
03:19
Keep in mind, though,
03:20
if you specify the count option on the command line, when you look at your output file,
03:27
you'll see the word that was discovered and then a comma and then the number of instances,
03:34
so that might be useful for certain reasons. But if you're going to take the output
03:38
from a spidering of a website and use it as a dictionary file, you don't want that comma and the number of words discovered,
03:50
because that would confuse tools like John the Ripper or L0phtCrack,
03:54
or Cain and Abel, for instance.
03:58
There are also some options to use authentication
04:01
for user names and passwords. Depending on the kind of environment that you're functioning in, you may need to specify
04:09
some of this data.
04:11
Also, you can specify a proxy if that's needed.
04:15
We will use the verbose option because that gives a nice
04:19
output to follow as the process is running.
04:26
So I'm going to use the default depth. I won't have to specify that.
04:36
I'm going to tell it that I want to use an output file,
04:43
so I'll use the write option.
04:46
I'll call this outfile.txt.
04:51
I'm not going to use metadata, uh,
04:55
for this example, but I am interested in email addresses, so I will specify the email option.
05:00
I will also specify
05:02
the email file,
05:04
so I'll call that email.txt.
05:09
And I'm not going to use the,
05:14
uh,
05:15
count option either, because the output from this process
05:18
will just produce a simple list of words, one word per line, a simple text file,
05:28
the perfect kind of format to use as an input for a dictionary attack.
05:35
And for the website,
05:38
I'm gonna pick a website that I know
05:43
should have
05:45
a lot of
05:46
content as well as a lot of
05:48
email addresses.
05:50
So we're gonna go ahead and specify tools.kali.org.
06:00
Each of the tools has some content related to that tool and also has the email address of the developer.
06:05
So this is a great website to use as an example.
06:11
Oops, I forgot to specify verbose.
06:15
Let's do that real quick.
06:16
Otherwise it just runs and we have to wait for that to finish.
06:20
So when it's verbose, we can see all of the content as it's being crawled.
06:26
Occasionally we'll see
06:28
information here: "Offsite link, not following." So it found some links,
06:31
as we can tell,
06:32
but they're not being followed because we didn't use that offsite option.
06:36
It's also finding some email addresses. We can see those scrolling up on the screen, related to Wireshark, it looks like.
06:46
So for a website such as tools.kali.org, this process
06:50
could take 15 to 20 minutes or more.
06:55
It's not very fast
06:58
for sites that have a lot of content.
07:01
So I'm gonna go ahead and pause the video, and then we will resume when it's completed and look at the output.
07:12
Okay, the spidering process has completed,
07:16
and as we can tell from looking at the output, there's quite a bit of information here
07:21
that gets generated during the process. But what we're most interested in is the actual
07:29
output files that we generated. So
07:32
what I'm gonna first look at is the outfile.txt,
07:38
and this is going to show me all of the words that were at least three characters, because I did not modify the minimum size.
07:46
And these are all words that are in the content of the website.
07:49
Any one of these could be possible clues for a password
07:54
to use, again, for tools like John the Ripper, L0phtCrack, Cain and Abel and such
08:00
for your dictionary attacks.
08:03
A social engineer may need
08:05
to get into a website
08:07
of their target and be able to impersonate them
08:11
for various reasons.
08:13
So if we look through this list,
08:16
you can see quite a bit of information.
08:20
It's a really long list of words. In fact,
08:24
let's do this really quick. We'll do a wc -l
08:28
and see how many words were actually found. So 13,325 words
08:33
were generated from tools.kali.org.
08:37
Now we'll have a look at the email
08:41
addresses that were discovered.
08:46
So that's about half of them right there,
08:48
and then there's the other half,
08:52
so it looks like we discovered 82 email addresses.
08:56
This is
08:58
a really useful tool. It's a simple Ruby script,
09:01
and, as you can tell, depending on the target website and the parameters that you choose, you can generate
09:07
some really interesting word lists for your password cracking.
09:13
And then, uh, you know, take that as part of your
09:18
penetration testing,
09:20
social engineering audit for your next possible steps.
09:24
All right. Hope you enjoyed the demo.
09:26
See you next time.
09:28
Thank you.


Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor