Create Custom Wordlists for Password Cracking Using the Mentalist

Beginners learning brute-forcing attacks against WPA handshakes are often let down by the limitations of default wordlists like RockYou based on stolen passwords. The science of brute-forcing goes beyond using these default lists, allowing us to be more efficient by making customized wordlists. Using the Mentalist, we can generate millions of likely passwords based on details about the target.

Password cracking is a long-established art, relying on a combination of brute-force processing power and the ability to refine your list down to likely options based on what you know about a target. Many security protocols are vulnerable to brute-forcing attacks, which at its core relies on a few key principals.

First, you must be allowed to try different passwords many times very quickly. Second, you need to be able to determine the difference between a password success and failure. Third, you need a list of passwords to automatically try very quickly. And finally, the password must be present in the list in order for the attack to succeed. As password lists get bigger, CPU and GPU performance becomes more important as the rate at which passwords can be attempted is sped up.

Brute-Forcing WPA, SSH, FTP & Other Passwords

Most wireless networks are secured by WPA or WPA2 encryption, which is able to be cracked by capturing a network handshake and using your computer's CPU to brute-force the password. Beside WPA, protocols like SSH and FTP are also vulnerable to brute-forcing, although the methods of brute-forcing can be differentiated between online and offline type attacks.

In an online attack, we connect directly to a service and send password attempts in a way that can be logged. An example of this would be Reaver or SSHtrix, which need to be connected to the network the host is on in order to send password guesses. In these attacks, the limiting factor is often how many incoming connections the FTP or SSH server can accept and the amount of time you must spend connected to the host while cracking.

In an offline attack, the major limiting factor is your CPU or GPU's ability to try different passwords quickly. Examples of this can be brute-forcing a WPA handshake, a WPS-Pixie dust attack after collecting the necessary information, or cracking password hashes from a stolen database. In general, this is the only time you need to be worried about your GPU or CPU performance while brute-forcing.

Options to Start With — Default Lists

Rather than simply start with a dictionary-style attack, a smart attacker will often first look for lists that contain real passwords. These lists are generally regarded as the starting point for these sorts of techniques, as they will work against anyone with a truly awful or common password. In the wild, you can expect success rates of around 15% for these sorts of password audits. Obviously, if you are targeting a specific account or network, this is a pretty small chance of success.

That being said, you can still use these lists as a seed for a more refined attack based on information you know about the target. The reason these lists are effective is that you can think of them as a statistical survey of the most common passwords people use in the wild. Since the average user will reuse these passwords in multiple accounts, we can use the most common passwords as a seed to change small things, like adding or removing numbers, in a program called a word mangler.