Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] (Web-Derived Custom Dictionary Creation Tools)
From: "Bobby, Paul" <paul.bobby () LMCO COM>
Date: Fri, 22 Sep 2000 08:56:50 -0400

Yeah it's all to do with the dictionary rules employed by your password
cracker.

I wrote a paper on this for my giac level1.....
http://www.sans.org/infosecFAQ/cracking.htm


-----Original Message-----
From: Mike Ahern [mailto:mc_ahern () YAHOO COM]
Sent: Thursday, September 21, 2000 10:34 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] (Web-Derived Custom Dictionary Creation Tools)


I think an excellent set of tools for sucking down the
contents of entire web sites and converting them to
text files (or one large text file) are two products
from Tennyson Maxwell. "Teleport Pro" does an
excellent job of sucking down a web sites file
contents, and can do so to a single directory if you
like. "HTML2TEXT" converts the web content to text
files - or to a single text file (removing all HTML
tags). All that needs to be done to create a
dictionary is to replace spaces and punctuation with
CR-LF's, and then sort. You can go to the extra
trouble of then removing duplicate words easily with
std UNIX tools/scripts.

The great thing is that you get a dictionary of
company or industry specific names/words/acronyms. The
downside is many times two or sometimes three
names/words have special significance together (i.e.,
"Tiger Woods", as opposed to "Tiger" and "Woods"; or
"Los Angeles" as opposed to "Los" and "Angeles". It is
harder to pull these associations from an automated
process (without getting alot of word associations
that don't make sense together in with the ones that
do).


- mch





On Wed, 20 Sep 2000, Loschiavo, Dave wrote:
With checking out the website being a first step...
Does anyone know if there is a tool that will comb
through a website to pull nouns down into a dictionary
file that you use for a customized dictionary attack
specific to that company?

I've been doing this, creating custom attack
dictionaries for each
penetration test, for several years.  Nothing complex
- just spidering all
html and sorting all found strings (sans html markup,
although those
strings are already in my base dictionary).  I use
proprietary tools, but
you could just as well use wget|find|strings|sort...


__________________________________________________
Do You Yahoo!?
Send instant messages & get email alerts with Yahoo! Messenger.
http://im.yahoo.com/



  By Date           By Thread  

Current thread:
  • Re: [PEN-TEST] (Web-Derived Custom Dictionary Creation Tools) Bobby, Paul (Nov 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]