Creating dictionaries based on information from OSINT


I decided to write a short guide on creating effective, personalized dictionaries for password cracking, based on data from "white intelligence" (OSINT) and on some knowledge of human nature (called social engineering ;)). I think that building dictionaries is crucial to the effectiveness of password-cracking attacks, and many people approach the topic with incorrect assumptions, which directly affects their results in practice. Using examples, I will try to show the basic assumptions behind creating such lists which, in my opinion, increase our chances and save a lot of time during the work. Although this guide will be quite theoretical, I will try to include links to sources and pages that may be useful. As usual, if I made a mistake, let me know ;) and now let's get going.

As I mentioned earlier, generating effective (as opposed to merely efficient :)) dictionaries is crucial for success in the process of breaking passwords. But simply having a huge dictionary containing all possible combinations of characters does not make us efficient at breaking a password: an attempt to crack a well-chosen, complex password is strongly limited by the capabilities of our equipment, and if we do not have a supercomputer at our disposal, such cracking can take a very long time and will sometimes be out of reach even if the huge dictionary does contain the password we are looking for. It is known that in the internet age we can use dedicated online password-cracking services (which I use as well), but they sometimes fail, even though in many cases their effectiveness is quite good. However, I have convinced myself that a well-constructed dictionary is ten times better than many powerful online services. I would compare it to a shot from a sniper rifle versus a shot from a child's slingshot; we know which one is more laughable :P

To illustrate this better, I will use the first example that comes to mind. You want to break into a Wi-Fi router, and at the very beginning you only know the network SSID. You capture a handshake and try to crack the password. You start aircrack (or hashcat, it all depends on which program you prefer) with several different dictionaries (let's say you first used a dictionary of default passwords, then a numeric dictionary (8 to 15 digits), and finally a dictionary built from passwords leaked to the internet), but unfortunately you didn't crack it. What will you do next? Launch a dictionary with all possible character combinations? How long will it take you to crack the password that way?

And this is where white intelligence techniques come to the rescue. Thanks to reconnaissance we are able to get some information about our target and try to narrow down the search space for a potential password. Returning to our example, instead of senselessly and laboriously breaking the password by brute force, it would be better, for example, to check the geolocation of our network using Wigle (an internet map of Wi-Fi networks) and find out whether the network we are dealing with belongs to a company or rather to a private person (if the network is located in a large block of flats, we can safely assume that it is a private network, and companies try to "mark" their headquarters in services such as Google to help potential customers reach them, so quickly pasting the coordinates into Google Maps will dispel your doubts :D). If it turned out that I was dealing with a company, the first place I would go is the company's website, which many times turns out to be a treasury of knowledge about its employees. Secondly, I would visit the social media of the target itself, but also of its employees (and here I point out that for me the most "valuable" employees are, of course, those from the IT department. For obvious reasons, mistakes made on their part are critical, and it is often through them that information is easiest to obtain. It is quite common that small businesses simply cannot afford to hire a company specializing in internet security that could watch over the company's security 24/7, so they burden their technical employees to such an extent that it is very easy to make a mistake. I have often witnessed situations in which, while searching Google Groups, I came across an open group of a company's employees where they exchanged information about security or posted various information that was sensitive from a business point of view.
You probably wonder what exactly this has to do with creating dictionaries? Hold on a while and I'll give you a concrete example of how I would use it). After obtaining basic information such as the names and telephone numbers of employees, working hours, the distribution of departments in the company and the like, I could try to learn a bit about the company's password policy (if it exists at all; sometimes it happens). Let social engineering help us again :) It would look something like this: I would call an IT employee on Friday at 14.45 (sounds strange, but think about it: everyone is tired after a hard week of work, and when people realize that in a few minutes their heavy drudgery ends, many of them "turn off" logical thinking while enjoying the upcoming weekend), claiming to be an employee of one of the departments and pretending to be a completely "clueless guest", and I would sell him a story like this: "Hi, this is NAME SURNAME from such and such department. I have a very serious problem. Yesterday someone broke into my private computer and stole all my bank passwords, data from various websites, etc. The worst thing is that I had the same password everywhere. I reported it to the police and they told me to change all my passwords. I wanted to do the same on my company computer, but one of my colleagues from my department told me to contact you first, because our company has some rules regarding passwords. Could you help me and tell me how to create a correct password?" I know that people who are familiar with the topic will now speak up and say that nowadays administrators will not be fooled by this kind of trick, because they can change passwords "remotely" for all domain users. Yes, it is true, and in such a case this attack will prove ineffective. But believe me or not, many small companies in Poland (where I live ^^) can be caught out by it.
I used this attack several times myself and received information about the required complexity of passwords, which was enough to generate the right dictionary and reduce the time needed to complete the task. As you can see, a set of several seemingly innocent pieces of information combined with a well "played" phone call (a social engineering attack) acts like a deadly sniper shot :P I am aware that the examples I use are trivial, but it seems to me that they clearly show the value of reconnaissance, and that every minute spent on white intelligence pays off double.
Returning to the starting point. What if the network turns out to be private? At first it may seem that reconnaissance is pointless in this case, but that is a very wrong assumption. In fact, in this situation we can consider two probable cases: either the owner changed the default password or did not. In the latter case the matter is much easier, because it is enough to check the router model (look at the network SSID; I am sure that if a person has not changed the SSID, the default password has not been changed either). Now just "Google" this equipment to learn the manufacturer's rules for generating passwords (I wrote about this in another tutorial). But let's consider the case where both the SSID and the password were changed. How can we narrow down the space of potential passwords? First of all, I would try to determine exactly who this network belongs to (a specific person). The easiest way is to visit the place (its location is determined using Wigle); then we can rely on the information on mailboxes (or intercoms if we are dealing with a block of flats, in which case we will also need a phone application capable of analyzing Wi-Fi signal strength (e.g. Wifi Analyzer); based on the signal strength we can determine which apartment the network comes from, and then just look at the name plate on the front door to find out the owner's personal details). If, however, it turns out to be impossible to determine the data this way, we can use the so-called "subscriber lists" available on the internet (a digital telephone directory). Just enter the desired address there and we learn the details of the person living at that address (provided that such a person agreed to be entered in such a directory, and I honestly have to say that in my country it is rare for people not to agree).
For the purposes of our example, however, let us assume that we have learned the owner's name. The next step would be to check the social media of such a person (Facebook, Twitter and thousands of other portals) to determine their interests, workplace, hobbies, pages and things they like, posts they publish, etc. Every such piece of information is invaluable. Why? Because each of them can be a potential password. People are very lazy beings by nature and strive for "simplifications" in every possible situation, and thus become very predictable. Only a small percentage of people follow the basic safety rules, e.g. when creating secure passwords; all the rest rely on simplifications, patterns that are easy to remember (e.g. the cat's name + the current year, or your favorite football team + your child's date of birth). In many, many cases such people unknowingly publish "hints" to their passwords in posts on social networks (let's assume that someone posts a lot about their favorite football team; try combining the team name or the name of the team's top player with the current year. I guarantee you that in 65% of cases it will be the password to their e-mail inbox, Wi-Fi or some other service. Variations of this pattern may differ; experiment and you'll see that it works :D). Based on the information we have, we are able to generate a dictionary modified with specific patterns (such as the current year, birth dates of family members, names of favorite things, etc.). There are really many such examples, and in this field you are limited only by your own imagination and the set of information you have. Of course, I would be ignorant if I said that this is a reliable method; it can always happen that it will not be possible to obtain the password this way because, for example, the password was randomly generated and is not associated with any information shared by the owner of the network.
However, I think that this technique is very effective, and not only when cracking passwords (more than once, having found a credit card, I was able to work out its PIN within 15 minutes (you do not even realize how many people set their date of birth as the PIN), and I have often caused shock and disbelief on the owner's face. All in all, it is an effective way to pick someone up XD). It is also worth mentioning another important thing, which is checking for password leaks from various websites. There are many services such as haveibeenpwned.com where you just need to enter an e-mail address and you can easily find out whether the password for that e-mail has leaked. With such a password we are able to generate thousands of other passwords based on it, which may prove effective in our attack.
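A defender-side way to put the patterns from the last two paragraphs to work is to check a chosen password or PIN against the owner's own public facts before accepting it, the way a password-policy blocklist does. The following Python is an added example written for this page, not code from the original article; the profile, the two "leaked" passwords, the suffix set and the leetspeak substitutions are constructed sample data and my own assumptions. It covers the social-media patterns (favorite team, pet or player + year, a family date of birth), the date-of-birth PIN, and the reuse of a leaked password with only its tail changed.

```python
"""Check a password or PIN against the predictable personal-information
patterns described above (added example; constructed sample data)."""
import re
from datetime import date

# Constructed sample profile: the kind of facts visible on a public social-media page.
SAMPLE_PROFILE = {
    "first_name": "Marek",
    "surname": "Kowalski",
    "pet": "Burek",
    "team": "Legia",
    "top_player": "Pekhart",
    "dob": date(1985, 3, 7),
    "children_dob": [date(2012, 5, 14)],
}

# Constructed (hypothetical) passwords that "leaked" for this person in earlier breaches.
SAMPLE_LEAKED = ["legia2019", "Burek123"]

# Assumed leetspeak substitutions to undo before comparing the word part of a password.
LEET = str.maketrans("@$013", "asoie")
TRAILING = re.compile(r"[0-9!@#$%^&*._-]+$")


def date_forms(d):
    """Digit strings people commonly derive from a date: DDMM, MMDD, YYYY, DDMMYY, DDMMYYYY."""
    return {
        f"{d.day:02d}{d.month:02d}",
        f"{d.month:02d}{d.day:02d}",
        f"{d.year}",
        f"{d.day:02d}{d.month:02d}{d.year % 100:02d}",
        f"{d.day:02d}{d.month:02d}{d.year}",
    }


def profile_words(profile):
    """Lower-cased words from the profile likely to be used as the base of a password."""
    keys = ("first_name", "surname", "pet", "team", "top_player")
    return {profile[k].lower() for k in keys if profile.get(k)}


def profile_dates(profile):
    """The owner's and family members' birth dates found in the profile."""
    dates = [profile.get("dob")] + list(profile.get("children_dob", []))
    return [d for d in dates if d]


def likely_suffixes(profile, current_year):
    """Tails people bolt onto a word: nearby years, family dates, short digit runs (assumed set)."""
    suffixes = {str(y) for y in range(current_year - 5, current_year + 2)}
    for d in profile_dates(profile):
        suffixes |= date_forms(d)
    suffixes |= {"", "1", "12", "123", "!", "1!"}
    return suffixes


def personal_pattern(password, profile, current_year):
    """Return a description of the predictable pattern the password follows, or None.

    Recognises WORD+SUFFIX and SUFFIX+WORD, where WORD is a profile word
    (case-insensitive, leetspeak undone) and SUFFIX is a year, a family date
    or a trivial tail such as "123" or "!".
    """
    lowered = password.lower()
    suffixes = likely_suffixes(profile, current_year)
    for word in profile_words(profile):
        n = len(word)
        if lowered[:n].translate(LEET) == word and lowered[n:] in suffixes:
            return f"profile word '{word}' + suffix '{lowered[n:]}'"
        if lowered[-n:].translate(LEET) == word and lowered[:-n] in suffixes:
            return f"prefix '{lowered[:-n]}' + profile word '{word}'"
    return None


def pin_is_date_derived(pin, profile):
    """True if the PIN is one of the date forms of the owner's or a family member's birthday."""
    return any(pin in date_forms(d) for d in profile_dates(profile))


def derived_from_leak(password, leaked):
    """True if the password is a leaked one with only its case or trailing digits/symbols changed."""
    stem = TRAILING.sub("", password.lower())
    return bool(stem) and stem in {TRAILING.sub("", p.lower()) for p in leaked}


def audit(secret, profile, leaked, current_year=None):
    """Collect every reason a password or PIN is predictable from the owner's public information."""
    current_year = current_year or date.today().year
    reasons = []
    pattern = personal_pattern(secret, profile, current_year)
    if pattern:
        reasons.append(pattern)
    if secret.isdigit() and pin_is_date_derived(secret, profile):
        reasons.append("PIN derived from a family date of birth")
    if derived_from_leak(secret, leaked):
        reasons.append("trivial variation of a previously leaked password")
    return reasons


if __name__ == "__main__":
    for candidate in ["Legia2024", "Pekhart14052012", "0703", "Burek2020!", "x7Rq!pL9vZ"]:
        verdict = audit(candidate, SAMPLE_PROFILE, SAMPLE_LEAKED, 2024) or ["no known pattern"]
        print(f"{candidate:>16}: " + "; ".join(verdict))
```

Run as a script it prints the audit for a few constructed candidates; the same `audit` function can be called from a signup or password-change hook with whatever profile facts the service already holds. The check is deliberately narrow: it recognises only the patterns the text names, so an empty result means the password is not one of those, not that it is strong.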


And that would be all when it comes to generating dictionaries. I am aware that what I describe is only the tip of the iceberg and one could write a lot more about it, but the idea was to cover the basics. Below are links to pages that can be useful when creating dictionaries:


WEBSITES WITH DATABASE LEAKS:


- haveibeenpwned.com
- Vigilante.pw
- https://down.tencent.pp.ua - this server contains several hundred GB of various database leaks, personal data and credit card numbers from services such as Amazon, Xiaomi and Gmail, as well as many Asian services. However, I warn you against downloading any software, scripts or similar stuff from there. This site does not belong to me and I am not responsible for the software hosted there (I downloaded several GB of various leaks from it myself and they are fine, but as I said before, do not download anything else from there!!! You have been warned :D).




About author
FaustineSpirit
Say something about yourself... hmmm... a freelancer, an internet citizen, a guy who likes to sit and look at things he shouldn't be looking at. The deeper the rabbit hole, the more there is to explore :D

Interests: computer forensics, OSINT and other reconnaissance methods, wireless network security, OPSEC and anonymization of operations, APT (Advanced Persistent Threats), social engineering, amateur research and pro-bono advising on security issues, analysis of intrusions and security incidents, implementation of effective security policies in the company.

You say enigma? ... I don't mind ...

Article information

Author
2xTheTap115