Wednesday, September 28, 2016

A Pretty Cewl Post

Hello everyone,

I have been MIA for quite awhile so as a welcome back post, let's talk about a CEWL tool. Cewl is a custom wordlist generator that comes standard with Kali. The idea is to use this tool to create a wordlist from a website that could be used for cracking passwords. In addition, this tool can also grab email addresses to be used as usernames. So, let's walk through this tool!

Before we start, this post is for educational purposes only and I, as the author, do not condone the usage of this tool for any malicious purposes. In addition, this post does not reflect the views of any of the author's past, present, or future employers. 

The basic usage of Cewl looks like this:
Just from typing in www.google.com, cewl produced a list of interesting words that could be used as passwords. So what else can we do? We could rank the most commonly found words.
Let's see what cewl can really do...let's see the counts of words, let's write the results to a file, let's find any emails lying around, and let's parse any metadata for www.sans.org (Google didn't return any interesting results...lame).
As you can see I had to try a couple times to get a good example to show you guys but, from this information we can see some keywords usable for passwords (although not very good in my opinion but, there are better ones further down in the list). We also got some emails; we can use these to seed reconnaissance searches, or use as 'from' addresses for a phishing campaign. Lastly, we know someone named 'Lynn' worked with some of the documents Cewl was able to find.

Reconnaissance is not a sexy part of hacking but, the more information we can gather the better campaign we will have. When gathering information make sure you are professional; some information when gathered and put together can be quite sensitive to people, companies, or other concerned parties.