This tutorial is 100% for Education Purpose only. Any time the word “Hacking” that is used on this site shall be regarded as Ethical Hacking. Do not attempt to violate the law with anything contained here. If you planned to use the content for illegal purposes, then please leave this site immediately! We will not be responsible for any illegal actions.

Another method of creating a password list that is to be used for brute force is by using CeWL. This tool will take the words used in a site and append them into a list.

To start, type:

$ cewl -w passwords.txt -d1 -m5 target_url

–w passwords.txt will create the passwords.txt file that will consists of the list of words obtained from the site

–d1 defines the depth in which CeWL will crawl the website. 1 indicates that it will stay on this exact site and not open any links on it.

–m5 defines the minimum length of the word that will be put in the list. In this case the minimum length is 5.

Below is the passwords.txt generated

This tutorial is 100% for Education Purpose only. Any time the word “Hacking” that is used on this site shall be regarded as Ethical Hacking. Do not attempt to violate the law with anything contained here. If you planned to use the content for illegal purposes, then please leave this site immediately! We will not be responsible for any illegal actions.

As mentioned before on a previous post, to brute force an access to an account, we must gain the username and a password list. By using Common User Passwords Profiler we could create a password list by entering information we have on the target, such as their first name, last name, birthday, spouse, children, pets, etc. Using the information that we get, this tool will generate a password list out of them.

Firstly, we need to clone the repository first from github by typing:

$ git clone https://github.com/Mebus/cupp.git

After the repository is cloned, change your current directory into the cloned repository by typing:

$ cd cupp

Then, we can finally run the tool by typing:

$ python3 cupp.py -i

CUPP will then ask us to input information about the target. It will ask for first name, surname, nickname, birthdate, partner, children, pets, and company. If we do not have any knowledge about a particular information we can press “enter” to skip it.

Below shows the password list generated by CUPP

After using this tool, we should realize that the security of our password is important as easy and common passwords that includes our name and or birthday are easy to crack if we just obtain some personal information about the user.

This tutorial is 100% for Education Purpose only. Any time the word “Hacking” that is used on this site shall be regarded as Ethical Hacking. Do not attempt to violate the law with anything contained here. If you planned to use the content for illegal purposes, then please leave this site immediately! We will not be responsible for any illegal actions.

By using WPScan is one of the methods of gaining access to an account by brute force usernames and password. But in order for us to initiate the brute force method, we have to first obtain a valid username, and then brute force it with a password list. But in this post, we will focus on the enumeration of usernames.

To enumerate the users, type:

$ wpscan –url target –enumerate u

In this case, our target is https://pentest.id

After the scan is done, we could see a list of usernames that the wpscan obtained. From the result above, a valid username seems to be apietz.