Topic: [Tut] Create a wordlist generator (i.e. for bruteforcing)

Deque
[Tut] Create a wordlist generator (i.e. for bruteforcing)
« on: November 01, 2012, 02:08:05 pm »
Hello EZ.

This is a little guide for making a wordlist generator. It will give you some programming practice as well as some understanding of combinatorics. I will use Java, but the way should be understandable for coders who don't know Java. But I take as a given that you understand numeral systems (at least the binary one).

The wordlist generator shall be fast and generate all possible words for a given alphabet and a wordlength. So we can begin with defining them. We keep it simple, so we can easily prove the results later. We generate words with a length of 3 and the alphabet will contain only 0 and 1. It is important to prepare it in a way that we can change these later without any problems.

The skeleton of our generator with the first local variables defined looks like this:

Code: (Java)
public class WordListGen {

    public static void main(String[] args) {
        generate();
    }

    private static void generate() {
        int wordlength = 3;
        char[] alphabet = { '1', '0' };
    }
}

Before we really start with programming let's make sure you understand what the result has to be in the end.
A wordlength of three means we have three positions for a word to fill with characters: _ _ _
The alphabet says which characters can fill the positions. Doing this manually we have the following possibilities to arrange the characters:

000
001
010
011
100
101
110
111

Those are eight possible words. As I said you should have an understanding of numeral systems. If so, you can easily see that the results are the numbers from 0 to 7 (decimal) in the binary system. Getting all results for this particular generation just needs us to count from 0 to 7 and translate this to binary.

But we want to make the generator flexible so the alphabet can be easily changed. So we need a solution that works for everything.
How do we get the number of results?
Now we dive into combinatorics. We can compare this situation to an urn that contains the characters '1' and '0'. We have three turns and every single turn we take a character, write it on a paper and put it back to the urn. The order of the results is important, because "001" is another word than "100". That means our case is a variation with repetition (<- because we put the characters back every turn). We can get the number of results by using the formula for variation with repetition: N^k

k is the number of positions or the wordlength.
N is the number of characters in the alphabet.

Applied to our current situation we have characters^wordlength = 2^3 = 8 results and that is correct.
Let's compute this number in our program. For Java there is Math.pow to do exponentiation.

Code: (Java)
final long MAX_WORDS = (long) Math.pow(alphabet.length,
                wordlength);

What we do next is just counting from 0 to (MAX_WORDS - 1) which is 0 to 7. This produces our words as decimal numbers:

Code: (Java)
for (long i = 0; i < MAX_WORDS; i++) {
}

But we don't want the decimals. We want the numbers in our numeral system. The radix of the numeral system is the number of characters, in our case 2, which is the binary system. We compute the radix like that:

Code: (Java)
final int RADIX = alphabet.length;

Most languages provide out-of-the-box functions to translate numbers to a given numeral system. However, we only need integer representations and no letters. I.e. the hexadecimal system (radix 16) uses 0-9 and the letters A-F. We use 0-15 instead for this example. This way we make sure that we can use every radix and thus large alphabets that may contain more than 35 characters. Also making our own method for that is much more efficient.

Code: (Java)
private static int[] convertToRadix(int radix, long number, int wordlength) {
    int[] result = new int[wordlength];
    for (int i = wordlength - 1; i >= 0; i--) {
        if (number > 0) {
            int rest = (int) (number % radix);
            number /= radix;
            result[i] = rest;
        } else {
            result[i] = 0;
        }

    }
    return result;
}

To explain how this conversion method works I use an example: number = 5, radix = 2, wordlength = 3
First we create our array of the length 3. So we provide three places to put numbers in: _ _ _
We run through this array backwards. Our number is not 0, so we divide the number by the radix. We put the rest of this operation (computed via the modulo operator %) into the array:
number / radix = 5 / 2 = 2 rest 1
Our array: _ _ 1
The new number is the result of the division = 2

Now we repeat that:
number / radix = 2 / 2 = 1 rest 0
Our array: _ 0 1
The new number is the result of the division = 1

Last turn:
number / radix = 1 / 2 = 0 rest 1
Our array: 1 0 1

And this is the correct result for our decimal to binary conversion.

The whole code by now:

Code: (Java)
private static void generate() {
    int wordlength = 3;
    char[] alphabet = { '0', '1' };
    final long MAX_WORDS = (long) Math.pow(alphabet.length, wordlength);
    final int RADIX = alphabet.length;

    for (long i = 0; i < MAX_WORDS; i++) {
        int[] indices = convertToRadix(RADIX, i, wordlength);
        for(int index : indices){
            System.out.print(index);
        }
        System.out.println();
    }
}

Our output looks promising:
000
001
010
011
100
101
110
111

Now let's alter the alphabet. We choose the characters a and b:

Code: (Java)
char[] alphabet = { 'a', 'b' };

If you have understood the code you will know that the output remains the same (the binaries above). The characters of the alphabet are never used. What we print out are the indices of the characters. We can easily change that by getting the characters of the alphabet and saving them into a char-array named word:

Code: (Java)
char[] word = new char[wordlength];
for (int k = 0; k < wordlength; k++) {
    word[k] = alphabet[indices[k]];
}
System.out.println(word);

This is the whole program:

Code: (Java)
public class WordListGen {

    public static void main(String[] args) {
        generate();
    }

    private static void generate() {
        int wordlength = 3;
        char[] alphabet = { 'a', 'b' };
        final long MAX_WORDS = (long) Math.pow(alphabet.length, wordlength);
        final int RADIX = alphabet.length;
   
        for (long i = 0; i < MAX_WORDS; i++) {
            int[] indices = convertToRadix(RADIX, i, wordlength);
            char[] word = new char[wordlength];
            for (int k = 0; k < wordlength; k++) {
                word[k] = alphabet[indices[k]];
            }
            System.out.println(word);
        }
    }

    private static int[] convertToRadix(int radix, long number, int wordlength) {
        int[] indices = new int[wordlength];
        for (int i = wordlength - 1; i >= 0; i--) {
            if (number > 0) {
                int rest = (int) (number % radix);
                number /= radix;
                indices[i] = rest;
            } else {
                indices[i] = 0;
            }
   
        }
        return indices;
    }
}

And this is our output:
aaa
aab
aba
abb
baa
bab
bba
bbb

That is it. You may test this further with other wordlengths and alphabets. Whatever you do: Happy coding.

Deque
« Last Edit: November 02, 2012, 08:37:12 pm by Deque »
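
The N^k word count from the tutorial above, computed exactly, as an added example that is not part of the original post: `(long) Math.pow(...)` goes through a double, so the loop bound is off once the result passes 2^53 and silently saturates at Long.MAX_VALUE instead of failing. The class and method names, the 62-character policy and the guess rate are assumptions made for illustration.

```java
import java.math.BigInteger;

// Added example (not from the thread): exact keyspace size for N^k.
public class KeyspaceCheck {

    // Exact N^k; BigInteger neither rounds nor overflows.
    static BigInteger keyspace(int alphabetSize, int wordLength) {
        return BigInteger.valueOf(alphabetSize).pow(wordLength);
    }

    // N^k as a loop bound; throws ArithmeticException if it exceeds a long.
    static long keyspaceAsLong(int alphabetSize, int wordLength) {
        return keyspace(alphabetSize, wordLength).longValueExact();
    }

    // Total words over every length from minLen to maxLen inclusive.
    static BigInteger keyspaceUpTo(int alphabetSize, int minLen, int maxLen) {
        BigInteger total = BigInteger.ZERO;
        for (int k = minLen; k <= maxLen; k++) {
            total = total.add(keyspace(alphabetSize, k));
        }
        return total;
    }

    // Whole days needed to try every word at an assumed guess rate.
    static BigInteger daysToExhaust(BigInteger words, long guessesPerSecond) {
        return words.divide(BigInteger.valueOf(guessesPerSecond))
                    .divide(BigInteger.valueOf(86_400));
    }

    public static void main(String[] args) {
        // Tutorial case: 2 characters, wordlength 3.
        System.out.println("2^3   = " + keyspaceAsLong(2, 3));
        // 3^34 is odd and above 2^53, so no double can represent it exactly.
        System.out.println("3^34  exact = " + keyspace(3, 34));
        System.out.println("3^34  pow   = " + (long) Math.pow(3, 34));
        // 62^11 exceeds Long.MAX_VALUE: the cast saturates, longValueExact throws.
        System.out.println("62^11 pow   = " + (long) Math.pow(62, 11));
        try {
            keyspaceAsLong(62, 11);
        } catch (ArithmeticException e) {
            System.out.println("62^11 does not fit in a long");
        }
        // Constructed policy: a-z, A-Z, 0-9, lengths 8 to 10, assumed 1e9 guesses/s.
        BigInteger words = keyspaceUpTo(62, 8, 10);
        System.out.println(words + " words, "
                + daysToExhaust(words, 1_000_000_000L) + " days at 1e9/s");
    }
}
```

The same count is what a password policy review needs: it is the number of guesses an exhaustive search over that alphabet and length range has to make.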

th3g00n
Re: [Tut] Create a wordlist generator (i.e. for bruteforcing)
« Reply #1 on: November 02, 2012, 12:47:04 am »
You mind removing the text colors? My eye hurts when I look at 'em. Nice tutorial btw. +1

proxx
Re: [Tut] Create a wordlist generator (i.e. for bruteforcing)
« Reply #2 on: November 02, 2012, 10:14:41 am »
Nice tutorial.

Just for the heck of it I thought about doing the same with an 8 character wordlist.
It flooded my memory :P

My java skills are nonexistent.

But would nesting a bunch of for loops not be faster?

like;

alfa = ["a", "b", "c"]

# one nested loop per position of the word
for letter1 in alfa:
    for letter2 in alfa:
        for letter3 in alfa:
            print(letter1 + letter2 + letter3)

(I understand this is less dynamic)

silenthunder
Re: [Tut] Create a wordlist generator (i.e. for bruteforcing)
« Reply #3 on: November 02, 2012, 04:16:48 pm »
Don't have enough time to really dig into it right now, but it looks like a good tutorial..I'll bookmark it for later



Deque
Re: [Tut] Create a wordlist generator (i.e. for bruteforcing)
« Reply #4 on: November 02, 2012, 08:46:26 pm »
Quote from: th3g00n
You mind removing the text colors? My eye hurts when I look at 'em. Nice tutorial btw. +1

Done. Thanks.

Quote from: proxx
But would nesting a bunch of for loops not be faster?

Probably, but nesting 8 loops is a pain and imho not worth the little time advantage you get from it.
Also, how do you bruteforce, if you need different wordlengths? You would have to create a method for each length or something like that.

iTpHo3NiX
Re: [Tut] Create a wordlist generator (i.e. for bruteforcing)
« Reply #5 on: November 03, 2012, 02:30:11 am »
http://evilzone.org/tutorials/wpa-cracking-with-backtrack-5/msg32730/#msg32730

Quote from: TRAiN3R
In this example I was attacking a 2WIREXXX network that in most cases uses a default 10 digit passcode. You can run this command to create a wordlist file for you in backtrack (for that specific wordlist)

Code:
/pentest/passwords/crunch/./crunch 10 10 0123456789 -o /pentest/passwords/wordlists/2wirewl.txt

IF YOU RUN THAT CRUNCH COMMAND, BE PREPARED, IT'S A 35.7GB FILE!
After that, it's your choice with what you want to do. You can either continue cracking it on backtrack, you can use pyrit, aircrack-ng, cowpatty, etc. You can even use Windows with an application like Elcomsoft Wireless Security Auditor. For aircrack-ng run the following command:

Code:
aircrack-ng {CAPTUREFILE}-01.cap -w /pentest/passwords/wordlists/2wirewl.txt

Creates wordlists with tons of options, letters, numbers, special chars, etc. You can build templates and split the output files, etc. Check it out ;)
« Last Edit: November 03, 2012, 02:30:57 am by skidiot.h »

Deque
Re: [Tut] Create a wordlist generator (i.e. for bruteforcing)
« Reply #6 on: November 04, 2012, 10:44:43 am »
Quote from: iTpHo3NiX
http://evilzone.org/tutorials/wpa-cracking-with-backtrack-5/msg32730/#msg32730

Creates wordlists with tons of options, letters, numbers, special chars, etc. You can build templates and split the output files, etc. Check it out ;)

Why do people save wordlists that can be generated so easily? If you want to bruteforce by using every possible combination of a given alphabet, just generate it when you need it.

proxx
Re: [Tut] Create a wordlist generator (i.e. for bruteforcing)
« Reply #7 on: November 04, 2012, 11:25:37 am »
Yes and no.
I don't know if you're a Linux user but you can just pipe the results from say crunch or any other tools to the input of a cracker.

Even though coding your own is way cooler, these tools have their use as they can be applied on the fly.
« Last Edit: November 04, 2012, 11:27:27 am by proxx »

iTpHo3NiX
Re: [Tut] Create a wordlist generator (i.e. for bruteforcing)
« Reply #8 on: November 04, 2012, 07:32:54 pm »
Quote from: proxx
Yes and no.
I don't know if you're a Linux user but you can just pipe the results from say crunch or any other tools to the input of a cracker.

Even though coding your own is way cooler, these tools have their use as they can be applied on the fly.

I was about to mention that. With crunch you can pipe it through aircrack-ng, pyrit, etc.

Daemon
Re: [Tut] Create a wordlist generator (i.e. for bruteforcing)
« Reply #9 on: November 04, 2012, 07:59:12 pm »
Guys, just wanna say let's let the man be. Yes, there may be easier ways of doing things, but if there ever comes a day when you need to make a bruteforce wordlist generator then you now have something to reference. Not to mention he broke it down and explained the logic behind it as well, which is kind of a neat look for those who are new to the computer world. We may know all this, but nevertheless it's a good tutorial IMO

Thank you for making this Deque :)

iTpHo3NiX
Re: [Tut] Create a wordlist generator (i.e. for bruteforcing)
« Reply #10 on: November 04, 2012, 08:16:41 pm »
Oh don't get me wrong, I'm not discouraging him. I'm just stating there are other alternatives. I think it's great! I just don't see this as a tutorial, instead more of a breakdown of a Java wordlist generator. The good thing this offers over crunch is the fact that it's Java and it can become a jar and be used on any system with JRE installed (nix, mac, win)

Deque
Re: [Tut] Create a wordlist generator (i.e. for bruteforcing)
« Reply #11 on: November 05, 2012, 12:10:08 pm »
I asked, because I indeed know people who save gigabytes of generated words.
I don't feel discouraged or something. Alternatives are always nice to know.

r23k
Re: [Tut] Create a wordlist generator (i.e. for bruteforcing)
« Reply #12 on: September 05, 2013, 02:34:46 am »
I built a simple php


Code: (PHP)
<?php
#####################################################
# Wordlist simple php
# r23k
#####################################################

// The getRandomWord $len = 7 is the number of characters

function getRandomWord($len = 7) {

    // array_merge = in this case it will be a combination of a-z and A-Z

    $word = array_merge(range('a', 'z'), range('A', 'Z'));
    shuffle($word);
    return substr(implode($word), 0, $len);
}

// 1000 = in this case the number of repetitions; here we have to do some combinatorics calculations so as not to repeat combinations. E.g. you put $len = 2 and 'a', 'c'; the number of repetitions is equal to "6" = ab, ba, ca, ac, cb, bc or 2 * 3 = 6

for ($i = 0; $i < 1000; $i++) {
    echo getRandomWord() . "<p>";
}

?>


Deque
Re: [Tut] Create a wordlist generator (i.e. for bruteforcing)
« Reply #13 on: September 05, 2013, 02:50:28 pm »
Alright, but that's not a generator. You couldn't really get i.e. a list of all possible words for a 3 digit word in range a-z.
Giving randomized words like you do serves a different purpose (i.e. create a new random password) and can definitely not be used for bruteforcing.

So: wrong thread for your snippet.
« Last Edit: September 05, 2013, 02:52:00 pm by Deque »