Time
3 hours 55 minutes
Difficulty
Advanced
CEU/CPE
5

Video Description

In this lab, Subject Matter Expert Dean Pompilio demonstrates Cupp (Common User Passwords Profiler), an information gathering tool that you can get from GitHub.com. Enter CUPP into the site's search feature and choose MEBUS/Cupp from the results. The tool lets you generate a list of possible passwords to use in a dictionary file, and the dictionary file(s) can be expanded as more information is gathered. In this part of Module 4, SME Pompilio demonstrates using Cupp to generate password wordlists for a Cupp dictionary. You will learn to:

  • open the command shell and find the tool under /usr/share
  • work in interactive mode
  • improve an existing Dictionary
  • download a Dictionary
  • generate a password word list for a Dictionary by answering questions about the target
  • understand the various modes in Cupp
  • evaluate the password word list generated by Cupp
  • use another tool to save your output as a Rainbow Table

SME Pompilio reviews the config file and discusses the various modes, parameters, repositories, and default settings you can use.
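The description above lists what the interactive mode does with the answers it collects (names, nicknames, birthdates, pet, employer, keywords, then special characters, appended numbers and leet substitutions). The example below is added here and is not Cupp's own code or the video's: it models those derivations in a few dozen lines and, from the defender's side, turns the same derivation into a check that rejects a password built from a person's public profile. The leet table, the special-character list, the 5 to 12 character bounds and the `JIM` profile are constructed assumptions standing in for the real `cupp.cfg` values and for the answers given in the video.

```python
"""Added example (not CUPP's own code, not from the video): profile-derived
password candidates, and a defensive check built on the same derivation."""
import re

LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "g": "9", "t": "7"}  # assumed table
UNLEET = {digit: letter for letter, digit in LEET.items()}
SPECIALS = "!@#$%&*"      # assumed; cupp.cfg holds the real list
MIN_LEN, MAX_LEN = 5, 12  # the 5-12 character range the video reviews in cupp.cfg

NAME_KEYS = ("name", "surname", "nick", "partner", "partner_nick",
             "child", "child_nick", "pet", "company")
DATE_KEYS = ("birthdate", "partner_birthdate", "child_birthdate")


def date_fragments(ddmmyyyy: str) -> set[str]:
    """Fragments of a DDMMYYYY birthdate that people splice into passwords."""
    d, m, y = ddmmyyyy[0:2], ddmmyyyy[2:4], ddmmyyyy[4:8]
    return {d, m, y, y[2:], d + m, m + d, d + m + y, d + m + y[2:], y + m + d}


def profile_words(profile: dict) -> set[str]:
    """Lower-cased base tokens: every name-like answer plus date fragments."""
    words = {profile[k].lower() for k in NAME_KEYS if profile.get(k)}
    for k in DATE_KEYS:
        if profile.get(k):
            words |= date_fragments(profile[k])
    words |= {w.lower() for w in profile.get("keywords", [])}
    return words


def leet(word: str) -> str:
    return "".join(LEET.get(c, c) for c in word)


def unleet(word: str) -> str:
    return "".join(UNLEET.get(c, c) for c in word)


def generate(profile: dict) -> set[str]:
    """Candidate list in the shape the interactive mode produces: each name in
    three cases and leet spelling, alone, joined with date fragments on either
    side, or followed by a special character, kept within the length bounds."""
    base = profile_words(profile)
    names = {w for w in base if w.isalpha()}
    numbers = {w for w in base if w.isdigit()}
    out = set()
    for name in names:
        cased = {name, name.capitalize(), name.upper()}
        for v in cased | {leet(c) for c in cased}:
            out.add(v)
            out.update(v + n for n in numbers)
            out.update(n + v for n in numbers)
            out.update(v + s for s in SPECIALS)
    return {p for p in out if MIN_LEN <= len(p) <= MAX_LEN}


def _known(part: str, words: set[str]) -> bool:
    return part in words or unleet(part) in words


def is_profile_derived(password: str, profile: dict) -> bool:
    """True when the password is one profile token, two tokens joined, or a
    token followed by a short number, in any case and with leet spelling.
    Trailing special characters are ignored, as the 'special chars at the
    end of words' mode would add them."""
    words = profile_words(profile)
    core = password.lower().rstrip(SPECIALS)
    if _known(core, words):
        return True
    if any(_known(core[:i], words) and _known(core[i:], words)
           for i in range(1, len(core))):
        return True
    m = re.fullmatch(r"(.+?)(\d{1,4})", core)  # "<word><random number>" mode
    return bool(m and _known(m.group(1), words))


# Constructed profile matching the fictional "Jim" from the video (assumption)
JIM = {
    "name": "jim", "surname": "smith", "nick": "jimmy", "birthdate": "04071970",
    "partner": "sue", "partner_nick": "susie", "partner_birthdate": "25121980",
    "child": "bill", "child_nick": "billy", "child_birthdate": "01012000",
    "pet": "boomer", "company": "walmart",
    "keywords": ["cheapskate", "religious", "hunter", "poker"],
}

if __name__ == "__main__":
    print(len(generate(JIM)), "candidates from one short profile")
    for pw in ("Jimmy1970", "B00mer!", "j1m5m1th", "correct horse battery"):
        print(f"{pw!r:25} profile-derived: {is_profile_derived(pw, JIM)}")
```

Running it shows why a handful of answers produces thousands of candidates, and `is_profile_derived` is the shape of check a password-change hook or policy validator can run against the attributes an organisation already holds about a user (name, employee directory, HR dates), so that "Jimmy1970" or "B00mer!" are refused before they ever reach a wordlist.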

Video Transcription

00:05
Hello, everyone.
00:06
This is Dean Pompilio
00:09
your subject matter expert for social engineering,
00:12
and we're still doing demos.
00:14
for
00:16
information gathering tools
00:19
and in this demo we're gonna look at a tool called CUPP,
00:23
and this is a tool you can get from GitHub,
00:29
so go to github.com.
00:31
Type in cupp with two p's
00:34
and the one you want is right here: Common User Passwords Profiler.
00:42
so you can check out the Read Me file. There's also a config file.
00:47
We'll take a look at that in a moment.
00:48
And then there's the Python script.
00:53
And so what this tool does is allow you to
00:57
answer a bunch of questions to generate
01:00
a list of possible passwords to use in the dictionary file.
01:04
And you can also download
01:07
other dictionaries for different languages or different topics like religion or science
01:11
or computers
01:15
so you can expand
01:18
and improve upon those dictionaries as well.
01:21
So after some use of the tool,
01:23
you could generate quite a few large dictionaries that are
01:27
going to give you some great input files, dictionary files
01:32
to use for dictionary based password cracking
01:34
or, if you want, you can always hash those dictionary files for rainbow tables.
01:41
The rainbow attack uses a pre-hashed password file, so it's a lot faster.
01:47
Anyway. That's a topic for another video.
01:51
So the interactive mode is what we'll be looking at,
01:57
and the
01:57
-w option
02:00
helps you to improve
02:02
an existing dictionary,
02:05
and -l helps you to download those. So we'll look at the download menu
02:08
and then we'll
02:10
go ahead and run the interactive mode.
02:15
All right, so let's open up our command shell.
02:17
Like most Kali Linux tools,
02:21
they are located in /usr/share,
02:23
so we'll go ahead and run the cupp
02:27
help screen. We can see what that looks like
02:29
again. It's the Common User Passwords Profiler.
02:34
So if I run the
00:38
wordlists option, you see I have a nice menu here.
02:40
I can download the American wordlist. I'll pick number three.
02:46
downloads a zipped tar archive.
02:54
Take a couple seconds there.
03:00
Then I think I want to get the science
03:05
dictionary word list as well,
03:09
so I've got algae, bacteria, fungi,
03:13
microalgae, viruses, asteroids, and it looks like asteroids errored out. That's fine. I still have some other choices available.
03:22
Let's get the random dictionary word list.
03:28
Oh, I typed it out instead of typing the number. That's funny.
03:32
No, it doesn't like it.
03:38
I think that's supposed to be 29. Looks like a typo on the menu.
03:40
There we go.
03:45
Dogs,
03:46
drugs, junk numbers, phrases, sports.
03:50
Those are good topics there.
03:52
Okay, so now I've got some dictionary files that I can use.
03:58
But right now I'm more interested in generating a wordlist based on.
04:02
Basically, this is the rule based attack for passwords.
04:06
Rule based attack means that you are
04:10
answering questions about the target
04:13
and generating
04:14
a list of words for a dictionary file from that.
04:18
So what is the Target's first name?
04:21
We'll say it's
04:24
Jim
04:26
Uppercase and lowercase
04:29
may matter a little bit, so we'll just stay lowercase for right now.
04:31
It'll try both. Jim Smith,
04:35
his nickname, that's what we'll call him, Jimmy.
04:40
And we'll say he was born on
04:43
Fourth of July
04:46
1970.
04:49
What is Jim's partner?
04:51
Jim's partner is probably named Sue
04:57
nickname of Susie,
05:00
and she was born on Christmas
05:04
of
05:06
1980.
05:11
They have a child
05:13
named Bill,
05:15
his nickname's Billy,
05:17
and he was born on New Year's Day
05:23
2000.
05:28
All right. So does Jim have any pets? I believe he has a dog named Boomer.
05:34
And due to other social engineering reconnaissance, we know that
05:40
this target works for
05:43
Wal Mart
05:46
so we can add keywords about the victim. I'll say yes to that.
05:51
And now I can
05:53
think of some other
05:55
adjectives, basically, that describe Jim, things that he might incorporate into a password.
06:02
Uh,
06:04
so let's see. Jim
06:06
doesn't like to spend money, so we'll say one of the words is gonna be cheapskate.
06:13
However, Jim is very religious,
06:15
so we'll put that
06:23
as a word. We can also add
06:27
Hunter. Maybe he likes to hunt,
06:30
and we also know that he likes to play poker.
06:34
This is all
06:35
information discovered
06:39
during the information gathering stage, reconnaissance and footprinting type information.
06:45
All right, do we want special characters at the end of words?
06:47
We'll say yes. We get more passwords that way.
06:51
Random numbers at the end of words, we'll also say yes for this.
06:57
That's a good idea, since sometimes you try to create an account,
07:01
and maybe you can't get the one you want, so you take one that has the next number in line that could be
07:05
effective for passwords as well.
07:11
And then leet mode means that we're going to substitute letters and characters,
07:16
or numbers and characters, for
07:18
letters of the alphabet. So we'll say yes for that as well.
07:24
So based on those simple questions that I answered over the course of about two minutes, I just generated
07:30
78,000 words.
07:32
That's pretty impressive.
07:34
So now let's just have a peek at these.
07:43
A lot of these are going to be passwords that are date based, of course, because we gave some birthdates.
07:47
Sometimes people use these for passwords. It's a terrible idea, but it happens.
07:53
Now we've got some
07:55
random combinations of certain special characters. It looks like
08:03
more passwords, and you get the basic idea
08:09
so we can scroll through and see if it gets a little bit more interesting.
08:15
So there's some that relate to his dog. I saw Boomer go by
08:18
there. There go some Boomer variations,
08:24
so this is very easy to use, very simple, to generate a huge list,
08:33
and
08:35
another thing to consider here is
08:39
saving
08:39
all this output as a
08:41
rainbow table. So you have to use a different tool
08:46
in order to convert that.
08:58
Okay, so we've looked at some of the passwords.
09:01
Now, let's have a quick review of the config file.
09:07
In a shell, just
09:09
display it like this.
09:13
So for leet mode,
09:15
we can see the character substitution is here.
09:18
Number 4 for letter a, 0 for o, 9 for g. And of course, you can add alternate ones
09:26
if you wish.
09:28
The special characters are listed here so we can control that list.
09:33
There are random years you can set.
09:39
And then lastly, we have some parameters
09:41
for the range of random numbers.
09:43
So if you're gonna use random numbers,
09:46
those will be generated from this range of numbers
09:52
and then we also have the length.
09:54
So from a 5 to 12 character
09:58
password
10:03
and then lastly, there's a threshold
10:07
for how many words you want to parse from an existing wordlist.
10:11
If you have a lot of memory on your system, you can make this number a little bit higher if you wish.
10:16
And lastly, we have the repositories where you can get those dictionary files so you can specify new ones if you wish.
10:26
Okay, so the default settings for CUPP are fine, just as they are. As you could see, I only answered
10:33
seven or eight questions, and I got 78,000 words to work with
10:37
to
10:39
do some social engineering on this particular target.
10:43
All right. I hope you enjoyed the demo.
10:45
Good luck on your password
10:46
wordlist generation.
10:48
Thank you.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor