Using CeWL in a CTF

Tools Used – Kali, Cewl, hashcat, Combinator (a hashcat util)

I recently did a CTF that was nice enough to give me the constraints of some user passwords.

We have obtained password dumps storing hacker passwords. They appear to be default passwords to IoT devices. We know these default passwords follow a pattern: a color + a noun + 2 digits and have found a list of nouns used. Can you figure the passwords out?

I was also provided a generated list of nouns to help with the time it takes to crack, since the CTF was only 2 days. We know we need colors, a noun list, and numbers; armed with this we can approach it with a combinator attack. So let's go through the steps I took to make this happen.

For those that want to try this at home here is the nouns list we were provided.

Here are the hashes for the users in question –

Nan – 9b4f53e8aeb97b107cb38c7bc19aa3ed

Jenny – 2136a29faa2ff47ffde92198ba020c12

Elyse – 401321a0fa3cc45c6602cdc0a2ddc9dd

So let's start with the reason we are here, CeWL. We know that we want colors, so I looked for a site that had a decent text-based color list. I ended up here – https://www.colorhexa.com/color-names

Not the best list, since some color names contain spaces, but it is extensive and could have what we need.

We now scrape this site to make a word list, for which we use the following command –

root@kali:~# cewl -d 0 -m 3 -w colors2.txt https://www.colorhexa.com/color-names

And in less than a second I had a wordlist 767 words long containing a whole host of colors. Let's talk about the arguments on the command line. -d means depth: how many links deep CeWL should follow. In this case we only want the list of colors on the page, not everything it links to, so we set it to 0 (zero). -m is the minimum word length to collect. I figured there are no 1- or 2-letter words that are colors; I know 3 is red, so I set it to 3. This helps eliminate the non-color words and makes the list more targeted.

Now that we have the list of colors and the list of nouns, we have to combine them. Luckily hashcat ships with utility tools. Combinator is a tool that takes two word lists and produces every possible pairing of a word from one with a word from the other.
Example (right from the hashcat tool page linked above) –

pass
12345
omg
Test

Becomes

passpass
pass12345
passomg
passTest
12345pass
1234512345
12345omg
12345Test
omgpass
omg12345
omgomg
omgTest
Testpass
Test12345
Testomg
TestTest

Since I am running a VM and do not have access to a GPU for the built-in combinator attack, I have to use the tool to create a wordlist instead. This action is performed by taking the two lists and outputting that variation to a file –

root@kali:~# /usr/share/hashcat-utils/combinator.bin colors2.txt nouns.txt > nouncolorwordlist.txt

So now we have all the combinations we need to run hashcat against our password hashes and see what we get –

root@kali:~# hashcat --status -m 0 -a 6 colorhash.txt nouncolorwordlist.txt ?d?d

In a matter of seconds we get the output –

Host memory required for this attack: 65 MB

Dictionary cache hit:

* Filename..: nouncolorwordlist.txt
* Passwords.: 59059
* Bytes.....: 852462
* Keyspace..: 5905900

9b4f53e8aeb97b107cb38c7bc19aa3ed:greenmixture44
2136a29faa2ff47ffde92198ba020c12:indigodifference22
Approaching final keyspace - workload adjusted.

Look at that, 2 passwords, but we had 3 hashes; what happened? Let's break down the success first, before we look at the missing hash. Hashcat requires you to define your hash type, that is the -m argument; 0 is MD5, and a list of them is here. The second one is -a, which is the attack mode. In this case we chose 6, which is wordlist + mask. The wordlist is nouncolorwordlist.txt and the mask is ?d?d. This means take each word in the wordlist and append every 2-digit number (00 through 99) to the end. So now let's address the missing password. A quick look at the password file and we see there are a whole bunch of words with some capitalization. So maybe that last password has a capital letter somewhere. So now we need to use a different attack mode and maybe apply some rules. Unfortunately we cannot easily mix a dictionary attack, a mask and rules in one hashcat run. So first, let's make all the numbers from 00 to 99.

root@kali:~# seq 00 99 > numbers.txt

This creates a list 1 – 99, so we need to edit it real quick: remove the single digits and add a 00 to numbers.txt. Now we need to combine the numbers and the words. There is a downside to this, though hashcat is fast enough that it does not hurt: we will get ##wordword as well as wordword##, when we know we only need the latter.

root@kali:~# /usr/share/hashcat-utils/combinator.bin nouncolorwordlist.txt numbers.txt > fullwordlist.txt

Now we have a full word list, but we need to toggle characters. Luckily hashcat has a solution for us: toggle rules. There are 5 prebuilt ones, toggling anywhere from 1 to 5 letters per guess. The more toggles, the longer the guessing takes. You can see the rules here. The one we will be using is toggles1.rule, but look at all of them, they may have some future use. We will grab the rule –

root@kali:~# wget https://raw.githubusercontent.com/hashcat/hashcat/master/rules/toggles1.rule

We then use a different attack mode and the rule modifier on our hashcat command-

root@kali:~# hashcat --status -m 0 -a 0 colorhash.txt fullwordlist.txt -r toggles1.rule

The only major change was -a 6 changed to the straight attack mode 0, and the -r which invokes toggles1.rule. And 6 seconds later we have our answer –

Host memory required for this attack: 65 MB

Dictionary cache hit:

* Filename..: fullwordlist.txt
* Passwords.: 5905900
* Bytes.....: 96467410
* Keyspace..: 88588500

9b4f53e8aeb97b107cb38c7bc19aa3ed:greenmixture44
2136a29faa2ff47ffde92198ba020c12:indigodifference22
401321a0fa3cc45c6602cdc0a2ddc9dd:pumpkinoffice99
Session..........: hashcat
Status...........: Cracked
Hash.Name........: MD5

I did clear out my potfile before I started, which is why it cracked the 2 other passwords again, but it made quick work of the variations in case.
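To make the three runs concrete, here is an added Python model of what combinator.bin, the ?d?d mask and toggles1.rule each do, checked against the three MD5 hashes quoted in this write-up; it is not code from the post or from hashcat. The tiny colour and noun lists are constructed stand-ins for colors2.txt and nouns.txt (with one colour present in both cases, as a CeWL scrape can produce), and the model assumes toggles1.rule is the 15 single-position rules T0 through TE, which is what the keyspace ratio 88588500 / 5905900 = 15 in the output above reflects.

```python
import hashlib
from itertools import product

# Constructed stand-ins for colors2.txt and nouns.txt (the real lists held 767 and
# 77 words). CeWL keeps the case it scraped, so a colour can show up both ways.
COLORS = ["green", "indigo", "Indigo", "Pumpkin"]
NOUNS = ["mixture", "difference", "office"]
DIGITS = [f"{n:02d}" for n in range(100)]   # what the ?d?d mask enumerates, 00..99

# The three MD5 hashes quoted in the write-up (hashcat -m 0).
TARGETS = {"9b4f53e8aeb97b107cb38c7bc19aa3ed",
           "2136a29faa2ff47ffde92198ba020c12",
           "401321a0fa3cc45c6602cdc0a2ddc9dd"}

def combinator(left, right):
    """Like combinator.bin: every left word followed by every right word, in order."""
    return [a + b for a, b in product(left, right)]

def toggle_at(word, pos):
    """hashcat rule T<pos>: flip the case of one character; unchanged past the end."""
    if pos >= len(word):
        return word
    return word[:pos] + word[pos].swapcase() + word[pos + 1:]

def toggles1(word):
    """Assumed toggles1.rule: T0 .. TE, one toggle at each of the first 15 positions."""
    return [toggle_at(word, p) for p in range(15)]

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def crack(hashes, candidates, rule=None):
    """Hash each candidate (after the rule, if any) and map hash -> cracked guess."""
    found = {}
    for cand in candidates:
        for guess in (rule(cand) if rule else [cand]):
            digest = md5_hex(guess)
            if digest in hashes and digest not in found:
                found[digest] = guess
    return found

def run_attacks():
    """Run 1 mirrors -a 6 (wordlist + ?d?d); run 2 mirrors -a 0 with toggles1.rule.
    greenmixture44 survives run 2 because toggles on its digits or past its end are
    no-ops; the 18-char indigodifference22 is re-cracked only via T0 on 'Indigo'."""
    fullwordlist = combinator(combinator(COLORS, NOUNS), DIGITS)  # 4*3*100 lines
    return crack(TARGETS, fullwordlist), crack(TARGETS, fullwordlist, rule=toggles1)
```

Scaling the constructed lists to the real sizes reproduces the page's counts: 767 x 77 = 59059 words, x 100 digits = 5905900 lines, x 15 rules = 88588500 guesses.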

After going back, I could have just run any number of commands to convert the password file to lowercase; however, I thought the exercise of going through and breaking down each of the steps would make me stronger at learning different extensions of the tool. I will note that I did try toggles5.rule on the file first and it took 20 minutes to run all the variations; I chose toggles1.rule here to save some time and still demonstrate the pivot you have to make. I am sure there are rules that can be written to handle most of this in one pass; however, I worked with the knowledge and time constraints I had. Most of the time that is what hacking is: get to work, build out that toolset, and use those tools first in the future; it may cut out steps and save some time.