Saturday, December 29, 2012

Gamja : Web vulnerability scanner



Gamja will find XSS (Cross-site scripting) & SQL Injection weak points, and also URL parameter validation errors. Who knows which parameter is the weak one? Gamja will be helpful for finding vulnerabilities [XSS, Validation Error, SQL Injection].

Supported platform:
Windows, Linux, Mac

download:

http://sourceforge.net/projects/gamja/
credit: DeCrew

CK Hash Cracker



CK_HASH_CRACKER VERSION 3.0 Download Link: Click Here

__Change Log__
Hash Identifier Modified
Online Database Checker Bug Fixed And Works Faster
Offline Database Search Engine Modified
Rainbow Table Algorithm Added

How to add an additional database release? After installation with the default settings, a folder named CK_Hash_Cracker Version 3.0 will be created in the root directory/Program Files, which is usually the C: drive, so the path will be C:\Program Files\CK_Hash_Cracker-Version 3.0. Under this folder there are two folders named "Brute" and "DatabaseConnector".

Files under the "Brute" folder are used for brute-forcing. If you place an additional wordlist, make sure you do not have duplicate words, otherwise it will just increase the time. You can place files with any name under this folder and it will work fine, as long as the files are in a readable format.

Files under "DatabaseConnector" are the offline database, so for any database release, after downloading the databases, put the files under the "DatabaseConnector" folder and that's it: the tool will automatically upgrade the database.

It has a self-installer, so to install, just run the setup file. To uninstall, you can remove it from the Control Panel or use the self-uninstaller.

If you get an error at run-time, you probably do not have the Microsoft Visual C++ 2008 run-time installed. The application doesn't need Python to run, but it needs the run-time components. You can get the download packages from here:

For Windows 32-bit: Click Here

For Windows 64-bit: Click Here

And then try running the application.


credit: binhduong-ug

Tuesday, December 25, 2012

Best SQL Injection Tools


Havij SQL Injection

Havij is an automated SQL Injection tool that helps penetration testers find and exploit SQL Injection vulnerabilities on a web page. The power of Havij that makes it different from similar tools is its injection methods. The success rate is more than 95% at injecting vulnerable targets using Havij. The user-friendly GUI (Graphical User Interface) of Havij and its automated settings and detections make it easy to use for everyone, even amateur users.


Pangolin – Automated SQL Injection Test Tool

Pangolin is a penetration testing SQL Injection test tool for database security. It finds SQL Injection vulnerabilities. Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications.


The Mole

The Mole is an automatic SQL Injection exploitation tool. Only by providing a vulnerable URL and a valid string on the site it can detect the injection and exploit it, either by using the union technique or a boolean query based technique.


SQLNinja

Sqlninja’s goal is to exploit SQL injection vulnerabilities on web applications that use Microsoft SQL Server as back end. There are a lot of other SQL injection tools out there but sqlninja, instead of extracting the data, focuses on getting an interactive shell on the remote DB server and using it as a foothold in the target network.


Safe3SI

Safe3SI is one of the most powerful and easy-to-use penetration tools that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a kick-ass detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.


BSQL Hacker

BSQL (Blind SQL) Hacker is an automated SQL Injection Framework / Tool designed to exploit SQL injection vulnerabilities virtually in any database.


FatCat Automatic SQL Injection: http://code.google.com/p/fatcat-sql-injector/
SQL Map: http://sqlmap.sourceforge.net/
SQL Poizon: http://www.4shared.com/rar/kUtKKQxy/sql_poizon_v11_-_the_exploit_s.html?
Sqlsus: http://sqlsus.sourceforge.net/download.html
Dark Jumper: http://mac.softpedia.com/get/Security/Darkjumper.shtml
source : http://www.hackingarticles.in

Monday, December 24, 2012

IRC BOT SOURCE CODES (Written in C++, C# & PYTHON)


Lately I have found myself with a lot of free time on my hands. My mom always said “THE DEVIL FINDS WORK FOR IDLE HANDS”, so I decided to use this time to refresh my programming skills, mainly C++ and Python. During this time someone asked me if I knew of any good IRC bots; my answer was “not really”, because they all get detected by antivirus software.
That's when I got the idea to try and build a good IRC bot, which I did; I actually built three in three different languages. The one written in C++ got detected by most antivirus software (33 out of 40); the one written in C# doesn't get detected if I remove the keylogger module, which is still fairly good because it still has video recording, audio recording and screenshot capability. The one written in Python is my “PICASO”: it only got detected by one antivirus (Kaspersky), and it wasn't detected as a virus, it was detected for having a low reputation (WS.Reputation.1), which means it wasn't well known as legit software by the AV company. Kaspersky antivirus still allowed it to be installed, so that really wasn't a problem.

http://darksidegeeks.com/irc-bot-source…des-c-c-python/
The only negative thing about writing an IRC bot in Python is the file size. Due to the fact that Python is not a compiled language like C++ or C, even if the source code is only a few kilobytes the finished product will be a few megabytes, because the interpreter is packaged as a dependency with the exe file. This could also be a good thing, since most people are very suspicious of very small files. This also kills the need for an exe packer.
DOWNLOAD C# SOURCE CODE: you only need to configure the “config.cs” file.
DOWNLOAD PYTHON SOURCE CODE: you only need to configure the “config.py” file.
NB: if you want a compiled version of the Python IRC bot it's only $20, but the source code is completely free.
To see the Python IRC bot in action please watch the videos below.
http://www.youtube.com/watch?v=KwoV_d56uj4
http://www.youtube.com/watch?v=WOEa7RSA60s
source: http://darksidegeeks.com

Sunday, December 23, 2012

Finding Admin page [90% guarantee]

Hey everyone. There are so many people wondering how to find an admin page. I myself, when I was just beginning web-hacking, started with SQL Injection, as many of you would've done as well. The problem is, you can barely ever find the proper admin page. Either you can't find it, or it won't work.

First of all, I'd like to get this through EVERYONE's head. There is a difference between a CPANEL login and an ADMIN login. The cPanel login is to manage EVERYTHING on the site; you have access to FTP and everything. Unless the admin is VERY VERY VERY stupid (which is probably likely, but still this is rare) you will not have the same credentials as the CPanel. So don't even bother trying that login.
In a website, the webmaster will usually create a standard admin page, for the admins to manage everything easier.
Now. Let's start listing our possibilities.
 
GUESSING
This is by far the most popular way of finding an admin page. A lot of people just guess what the admin page is. Most of the time, there will either be a directory OR a file. Here is an example of a directory, and then a file:

Directory:
http://www.site.com/admin/

File:
http://www.site.com/admin.php

A directory can contain other files, but a file is just one thing.
A lot of the time, the admin page is simply just "Admin". So you can try adding /admin to the end of the site's URL. If you get a 404 Error (which usually means the file does not exist) then that's not right. After I try "admin", I usually try a different method. This one is probably my favorite.
 
ROBOTS.TXT
What is Robots.txt? Robots.txt is a file that makes sure scanners will not be able to scan certain pages. Usually, if they don't want a scanner to find something, it's for a certain reason, right? Obviously it's an important file. So sometimes they will have the admin page listed in there. This is what a Robots.txt page looks like:
 
Code:
User-Agent: *
Disallow: /moderation.php
Disallow: /ratethread.php
Disallow: /report.php
Disallow: /reputation.php
Disallow: /sendthread.php
Disallow: /usercp.php
Disallow: /usercp2.php
Disallow: /newreply.php
Disallow: /newthread.php
Disallow: /editpost.php
Disallow: /private.php
Disallow: /search.php
Disallow: /refer.php
Disallow: /myawards.php
Disallow: /stats.php
Disallow: /member.php
Disallow: /memberlist.php
Disallow: /showteam.php
Disallow: /upgrade.php
Disallow: /showratings.php

User-agent: dotbot
Disallow: /

User-agent: 008
Disallow: /

Even if it says "Disallow" we can usually still access the files. So go ahead and add /robots.txt to your target, and see what you find!
 
WEB-CRAWLER
Web crawlers are, and always will be, a hacker's best friend. A web-crawler will crawl a website, and list certain directories and files. I DEFINITELY recommend Acunetix. Acunetix is definitely one of the best web-crawlers out there, don't even bother trying to say different.
Even Robots.txt won't stop Acunetix's web-crawler (Which is very important if we actually want to get at useful files).
 
SUBDOMAINS
If the webmaster is smart, they will sometimes use sub-domains to hide certain admin-pages, or even files. You can tell what they may, or may not have open if you scan the ports with Nmap. Nmap will list the open ports of the website. If it has an SMTP port open, that may mean you can access an email login. Which may or may not contain valuable information.
Again, you can use Acunetix to check for subdomains. I don't have any cracks for acunetix (That I've posted) but I have seen some here on HF. I might (at some point) post a crack, and an easy one so you don't have to replace files and shit.
 
FTP
What is FTP? FTP stands for "File Transfer Protocol". If you have access to FTP, you can do absolutely anything you want. Unfortunately, you will not have permissions unless you supply a username and password. But sometimes the FTP will be WIDE open for you to see. Sometimes they'll list the admin page in there. To gain access to the FTP, you can either do:
Code:
ftp.site.com
or
Code:
http://www.site.com:21

Why did I just add a ":21" to the end of the site? Because 21 is the port for FTP. If I do :21, it'll connect to the port I have put after the ":". This is a very useful method, and I definitely recommend it.
 
SCANNER
Scanners are programs that will connect to the internet, and test certain pages of your website.
If you're looking for another program that will scan, and you're looking for a very simple to use one, you can check out "Havij". I do not support the SQL Injection methods with it, because it's pretty "nooby". But using it to find Admin Pages is completely acceptable.
 
GOOGLE DORKS
Google dorks are keywords you can use to search for exact things. Like this:
Code:
inurl:admin.php
That will look for any site that has admin.php in it. I usually use these dorks if I'm looking for an admin page.
 
Code:
site:site.com inurl:admin
site:site.com intext:login
site:site.com intext:admin
site:site.com intitle:login
site:site.com intitle:admin
Those should help! Well, that's pretty much it. Thanks for reading the tutorial, and I hope this helps you out! These methods are extremely useful; I find admin pages A LOT with these methods, so don't doubt them until you try them. Thanks!
 
credit:Zer0Pwn

Wednesday, December 19, 2012

SynScan


A fast half-open portscanner. This tool will send TCP packets with the SYN flag set at the destination address. SynScan will send traffic as fast as the host network interface can support.
Based on SynScan version 1.6 by psychoid/tCl (http://www.psychoid.lam3rz.de) with the following changes:
  • Fixes for several format string overflows and other bugs
  • Split into multiple programs for sending and receiving of SYN packets
  • Added a separate "sslog" tool which only logs open ports and doesn't perform further checks
  • Support for identifying samba servers in synscand
  • Support for querying the Server: header on HTTP servers
  • Support for Open X11 server scanning
  • Ported to Solaris and IRIX operating systems
  • Adjusted scan timing to provide for much faster network scanning
  • Added support for IPv6 (currently in beta)
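As an added example (not SynScan's code or part of the original post), the following Python sketch shows what the half-open pattern described above looks like from the defender's side: one SYN per port, a SYN/ACK from open ports, and a RST from the scanner in place of the ACK that would complete the handshake. The packet records, the RFC 5737 addresses and the thresholds are constructed for this illustration.

```python
# Added example, not SynScan's code: a defender-side detector for the
# half-open pattern described above. A SYN scanner sends one SYN per port,
# gets SYN/ACK from open ports and answers RST instead of the ACK that would
# complete the handshake; closed ports answer the SYN with RST/ACK. The
# capture, addresses (RFC 5737 ranges) and thresholds are constructed here.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # TCP flags as letters: S=SYN, A=ACK, R=RST, F=FIN


def half_open_summary(packets):
    """Per client IP: (server, port) pairs probed with a bare SYN, pairs whose
    handshake the client completed, and pairs where the server sent SYN/ACK
    but the client replied RST (the half-open scanner signature)."""
    probed = defaultdict(set)
    completed = defaultdict(set)
    aborted = defaultdict(set)
    synack = set()  # (client, server, port) triples the server answered SYN/ACK on
    for p in sorted(packets, key=lambda x: x.ts):
        if p.flags == "S":
            probed[p.src].add((p.dst, p.dport))
        elif p.flags == "SA":
            synack.add((p.dst, p.src, p.sport))      # server -> client reply
        elif (p.src, p.dst, p.dport) in synack:      # client's third packet
            bucket = aborted if "R" in p.flags else completed
            bucket[p.src].add((p.dst, p.dport))
    return {
        c: {"probed": len(probed[c]), "completed": len(completed[c]),
            "rst_after_synack": len(aborted[c])}
        for c in probed
    }


def detect_scanners(packets, min_ports=5, max_completion=0.1):
    """Flag clients that probed at least min_ports distinct (server, port)
    pairs and completed at most max_completion of those handshakes."""
    flagged = []
    for client, s in half_open_summary(packets).items():
        if s["probed"] >= min_ports and s["completed"] / s["probed"] <= max_completion:
            flagged.append(client)
    return sorted(flagged)


def constructed_capture():
    """Constructed sample: a six-port half-open scan (three ports open, three
    closed) and one legitimate, fully completed HTTPS connection."""
    scanner, client, server = "203.0.113.5", "198.51.100.7", "192.0.2.10"
    pkts, t = [], 0.0
    for port, is_open in [(21, False), (22, True), (25, False),
                          (80, True), (443, True), (8080, False)]:
        sport = 40000 + port
        pkts.append(Pkt(t, scanner, server, sport, port, "S"))
        if is_open:
            pkts.append(Pkt(t + 0.001, server, scanner, port, sport, "SA"))
            pkts.append(Pkt(t + 0.002, scanner, server, sport, port, "R"))   # no ACK
        else:
            pkts.append(Pkt(t + 0.001, server, scanner, port, sport, "RA"))  # closed
        t += 0.01
    pkts += [Pkt(t, client, server, 51515, 443, "S"),
             Pkt(t + 0.02, server, client, 443, 51515, "SA"),
             Pkt(t + 0.04, client, server, 51515, 443, "A")]
    return pkts


if __name__ == "__main__":
    cap = constructed_capture()
    for ip, s in half_open_summary(cap).items():
        print(ip, s)
    print("half-open scanners:", detect_scanners(cap))  # ['203.0.113.5']
```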

Versions

SynScan 3.1

This is the current stable version, and should compile on modern versions of Linux, Solaris and IRIX. This is the currently recommended version.

SynScan 3.9

SynScan 3.9 is an early development version of the forthcoming SynScan 4.0. It is currently able to scan IPv6 networks and detect open ports, however there are many limitations in the current beta version. As far as I know, SynScan 3.9 is the first IPv6 half-open scanning tool.
  • No support for IPv4 (future versions will let you switch between v4/v6)
  • No support for synscand (only sslog is functional so far)
  • Tested on Linux and MacOS

SynScan 3.9b3

  • The sslog tool now supports IPv4 and IPv6 in the same binary
  • Minor bugfixes and updates, mostly in the sslog tool

SynScan 3.9b4

  • Now includes separate synscan and synscan6 binaries for IPv4/IPv6 respectively
This version should be fully functional, supporting everything supported by the previous 3.1 version, while also allowing IPv6 port scanning. It has only been tested on Linux.

SynScan 3.9b5

  • Now includes a port to MacOSX, supporting both IPv4 and IPv6 and has been tested on OSX 10.4.x (Tiger) on PPC
  • Fixed a divide by zero error when scanning a small number of hosts/ports such that the scan took less than 1 second.

SynScan 3.9b6

  • Fixed two minor bugs, ipv6 output wasn't being written to the output file, and ipv4 output wasn't being flushed to the output file (and so would only be written periodically)

SynScan 3.9b7

  • Now correctly working on MacOSX/Intel


source: http://www.bindshell.net/

Friday, December 14, 2012

Dictionaries & Wordlists


In general, it's said that using a GOOD 'dictionary' or 'wordlist' (as far as I know, they're the same!) is 'key'. But what makes them GOOD? Most people will say 'the bigger, the better'; however, this isn't always the case... (for the record this isn't my opinion on the matter - more on this later). 


Other than a mass of download links, it contains pretty pictures and confusing numbers which show the breakdown of statistics regarding 17 wordlists. These wordlists, whose original source(s) can be found online, have been 'analysed', 'cleaned' and then 'sorted', for example:

  • Merged each 'collection' into one file (minus the 'readme' files)
  • Removed leading & trailing spaces & tabs
  • Converted all 'new lines' to 'Unix' format
  • Removed non-printable characters
  • Removed HTML tags (Complete and common incomplete tags)
  • Removed (common domains) email addresses
  • Removed duplicate entries 
  • How much would be used if they were for cracking WPA (between 8-63 characters)
It may not sound a lot - but after the process, the size of most wordlists is considerably smaller!


Before getting to the results: each wordlist has been sorted differently rather than 'case sensitive A-Z'.
Each wordlist was:

  • Split into two parts - 'Single or two words' and 'multiple spaces'.
  • Sorted by the amount of times the word was duplicated - Therefore higher up the list, the more common the word is.
  • Sorted again by 'case-insensitive A-Z'.
  • Joined back together - Single or two words at the start.
The reason for splitting into two parts was that 'most' passwords are either one or two words (containing one space in them). Words which have multiple spaces are mainly due to 'mistakes' with when/how the wordlist was created. So having them lower down should increase the speed at which the password is discovered, without losing any possibility.

The justification for sorting by duplicated amount was: the more common the word is, the higher the chance the word would be used! If you don't like this method, you can sort it yourself back to case sensitive A-Z; however, it can't be sorted how it was, due to the lists not having (hopefully) any duplicates in them!

When removing HTML tags and/or email addresses, it doesn't mean that it wasn't effective. If the word contained some HTML tags and it was still unique afterwards, it wouldn't change the line numbers; it would improve the wordlist & it still could be unique. It is also worth mentioning that, due to a general rule of 'search & replace', it COULD have removed a few false positives. It is believed that the amount removed compared to the predicted estimated amount is worth it. For example, instead of having three passwords like below, it would be more worthwhile to have just the two passwords:

  •  user1@company.com:password1
  •  user2@company.com:password1
  •  user3@company.com:password2


Download links for each collection which has been 'cleaned' are in the table below, along with the results found and graphs. '17-in-1' is the combination of the results produced from each of the 17 collections. The extra addition afterwards (18-in-1) is a mixture of random wordlists (Languages (AIO), Random & WPA) which I have accumulated. You can view & download them here (along with all the others!). '18-in-1 [WPA]' is a 'smaller' version of 18-in-1, with JUST words between 8-63 characters.

Collection Name (Original Source)                                 | Lines      | Size (Extracted / Compressed) | Download         | MD5
------------------------------------------------------------------|------------|-------------------------------|------------------|---------------------------------
Collection of Wordlist v.2                                        | 374806023  | 3.9GB / 539MB                 | Part 1 - Part 3  | 5510122c3c27c97b2243208ec580cc67
HuegelCDC                                                         | 53059218   | 508MB / 64MB                  | Part 1           | 52f42b3088fcb508ddbe4427e8015be6
Naxxatoe-Dict-Total-New                                           | 4239459985 | 25GB / 1.1GB                  | Part 1 - Part 6  | e52d0651d742a7d8eafdb66283b75e12
Purehates Word list                                               | 165824917  | 1.7GB / 250MB                 | Part 1 - Part 2  | c5dd37f2b3993df0b56a0d0eba5fd948
theargonlistver1                                                  | 4865840    | 52MB / 15MB                   | Part 1           | b156e46eab541ee296d1be3206b0918d
theargonlistver2                                                  | 46428068   | 297MB / 32MB                  | Part 1           | 41227b1698770ea95e96b15fd9b7fc6a
theargonlistver2-v2 (word.lst.s.u.john.s.u.200)                   | 244752784  | 2.2GB / 219MB                 | Part 1 - Part 2  | 36f47a35dd0d995c8703199a09513259
WordList Collection                                               | 472603140  | 4.9GB / 1.4GB                 | Part 1 - Part 7  | a76e7b1d80ae47909b5a0baa4c414194
wordlist-final                                                    | 8287890    | 80MB / 19MB                   | Part 1           | db2de90185af33b017b00424aaf85f77
wordlists-sorted                                                  | 65581967   | 687MB / 168MB                 | Part 1           | 2537a72f729e660d87b4765621b8c4bc
wpalist                                                           | 37520637   | 422MB / 66MB                  | Part 1           | 9cb032c0efc41f2b377147bf53745fd5
WPA-PSK WORDLIST (40 MB)                                          | 2829412    | 32MB / 8.7MB                  | Part 1           | de45bf21e85b7175cabb6e41c509a787
WPA-PSK WORDLIST 2 (107 MB)                                       | 5062241    | 55MB / 15MB                   | Part 1           | 684c5552b307b4c9e4f6eed86208c991
WPA-PSK WORDLIST 3 Final (13 GB)                                  | 611419293  | 6.8GB / 1.4GB                 | Part 1 - Part 7  | 58747c6dea104a48016a1fbc97942c14
-=Xploitz=- Vol 1 - PASSWORD DVD                                  | 100944487  | 906MB / 109MB                 | Part 1           | 38eae1054a07cb894ca5587b279e39e4
-=Xploitz=- Vol 2 - Master Password Collection                    | 87565344   | 1.1GB / 158MB                 | Part 1           | 53f0546151fc2c74c8f19a54f9c17099
-=Xploitz Pirates=- Masters Password Collection #1! -- Optimized  | 79523622   | 937MB / 134MB                 | Part 1           | 6dd2c32321161739563d0e428f5362f4
17-in-1                                                           | 5341231112 | 37GB / 4.5GB                  | Part 1 - Part 24 | d1f8abd4cb16d2280efb34998d41f604
18-in-1                                                           | 5343814622 | 37GB / 4.5GB                  | Part 1 - Part 24 | aee6d1a230fdad3b514a02eb07a95226
18-in-1 [WPA Edition]                                             | 1130701596 | 12.6GB / 2.9GB                | Part 1 - Part 15 | 425d47c549232b62dbb0e71b8394e9d9
Table 1 - raw data
Table 2 - Calculated Differences
Table 3 - Summary
Graph 1 - Number of lines in a collection
Graph 2 - Percentage of unique words in a collection
Graph 3 - Number of lines removed during cleaning
Graph 4 - Percentage of content removed
Graph 5 - Percentage of words between 8-63 characters (WPA) *Red means it is MEANT for WPA*
A few notes about the results:
  • In the tables - 'Purehates' wordlist is corrupt and towards the end it contains 'rubbish' (non-printable characters), which is why it is highlighted red, as it isn't complete. I was unable to find the original.
  • Table 3, which summarizes the results, shows that 57% of the 17 collections are unique. Therefore 43% of it would be wasted due to duplication if it was tested - that's a large amount of extra un-needed attempts!
  • In graph 2 - only one collection was 100% 'unique', which means most of the collections' sizes have been reduced.
  • In graph 5 - which shows how effective it would be towards cracking WPA. The four wordlists which were 'meant' for WPA are in red.
In a few of the 'readme' files (which weren't included when merging), several of them claimed to have had duplicates removed. However, unless the list is sorted, the bash program 'uniq' wouldn't remove the duplicates. By piping the output of 'sort', uniq should then remove the duplicates. However, using sort takes time, and with a bit of 'awk fu', awk '!x[$0]++' [filename] removes the need to sort. For example:
Value                                      | uniq                                 | sort | uniq, or awk '!x[$0]++'
-------------------------------------------|--------------------------------------|--------------------------------
word1,word2,word2,word3                    | word1,word2,word3                    | word1,word2,word3
word1,word2,word2,word3,word1              | word1,word2,word3,word1              | word1,word2,word3
word1,word2,word1,word1,word2,word3,word1  | word1,word2,word1,word2,word3,word1  | word1,word2,word3


The commands used were:
Step By Step 

# Merging
rm -vf CREADME CHANGELOG* readme* README* stage*
echo "Number of files:" `find . -type f | wc -l`
cat * > /tmp/aio-"${PWD##*/}".lst && rm * && mv /tmp/aio-"${PWD##*/}".lst ./ && wc -l aio-"${PWD##*/}".lst
file -k aio-"${PWD##*/}".lst

# Uniq Lines
cat aio-"${PWD##*/}".lst | sort -b -f -i -T "$(pwd)/" | uniq > stage1 && wc -l stage1

# "Clean" Lines
tr '\r' '\n' < stage1 > stage2-tmp && rm stage1 && tr '\0' ' ' < stage2-tmp > stage2-tmp1 && rm stage2-tmp && tr -cd '\11\12\15\40-\176' < stage2-tmp1 > stage2-tmp && rm stage2-tmp1
# first expression collapses runs of spaces to one (the double space was lost in extraction)
cat stage2-tmp | sed "s/  */ /g;s/^[ \t]*//;s/[ \t]*$//" | sort -b -f -i -T "$(pwd)/" | uniq > stage2 && rm stage2-* && wc -l stage2

# Remove HTML Tags
htmlTags="a|b|big|blockquote|body|br|center|code|del|div|em|font|h[1-9]|head|hr|html|i|img|ins|item|li|ol|option|p|pre|s|small|span|strong|sub|sup|table|td|th|title|tr|tt|u|ul"
# (the HTML-entity names and the sort|uniq tail of this line were lost in extraction and have been reconstructed to match the e-mail step below)
cat stage2 | sed -r "s/<[^>]*>//g;s/^\w.*=\"\w.*\">//;s/^($htmlTags)>//I;s/<\/*($htmlTags)$//I;s/&amp;*/\&/gI;s/&quot;/\"/gI;s/&#39;/'/gI;s/&#039;/'/gI;s/&lt;/</gI;s/&gt;/>/gI" | sort -b -f -i -T "$(pwd)/" | uniq > stage3 && wc -l stage3 && rm stage2

# Remove Email addresses
cat stage3 | sed -r "s/\w.*\@.*\.(ac|ag|as|at|au|be|bg|bill|bm|bs|c|ca|cc|ch|cm|co|com|cs|de|dk|edu|es|fi|fm|fr|gov|gr|hr|hu|ic|ie|il|info|it|jo|jp|kr|lk|lu|lv|me|mil|mu|net|nil|nl|no|nt|org|pk|pl|pt|ru|se|si|tc|tk|to|tv|tw|uk|us|ws|yu):*//gI" | sort -b -f -i -T "$(pwd)/" | uniq > stage4 && wc -l stage4 && rm stage3

# Misc
pw-inspector -i aio-"${PWD##*/}".lst -o aio-"${PWD##*/}"-wpa.lst -m 8 -M 63 ; wc -l aio-"${PWD##*/}"-wpa.lst && rm aio-"${PWD##*/}"-wpa.lst
pw-inspector -i stage4 -o stage5 -m 8 -M 63 ; wc -l stage5
7za a -t7z -mx9 -v200m stage4.7z stage4
du -sh *

AIO + Sort

cat * > /tmp/aio-"${PWD##*/}".lst && rm * && mv /tmp/aio-"${PWD##*/}".lst ./

tr '\r' '\n' < aio-"${PWD##*/}".lst > stage1-tmp && tr '\0' ' ' < stage1-tmp > stage1-tmp1 && tr -cd '\11\12\15\40-\176' < stage1-tmp1 > stage1-tmp && mv stage1-tmp stage1 && rm stage1-*

htmlTags="a|b|big|blockquote|body|br|center|code|del|div|em|font|h[1-9]|head|hr|html|i|img|ins|item|li|ol|option|p|pre|s|small|span|strong|sub|sup|table|td|th|title|tr|tt|u|ul"
# (double space in the first expression and the HTML-entity names reconstructed as in the step-by-step version above)
cat stage1 | sed -r "s/  */ /g;s/^[ \t]*//;s/[ \t]*$//;s/<[^>]*>//g;s/^\w.*=\"\w.*\">//;s/^($htmlTags)>//I;s/<\/*($htmlTags)$//I;s/&amp;*/\&/gI;s/&quot;/\"/gI;s/&#39;/'/gI;s/&#039;/'/gI;s/&lt;/</gI;s/&gt;/>/gI" > stage2 && rm stage1

sort -b -f -i -T "$(pwd)/" stage2 > stage3 && rm stage2
grep -v " .* " stage3 > stage3.1   # single or two words: at most one space
grep " .* " stage3 > stage3.4      # multiple spaces
rm stage3
for fileIn in stage3.*; do
   cat "$fileIn" | uniq -c -d > stage3.0
   sort -b -f -i -T "$(pwd)/" -k1,1nr -k2 stage3.0 > stage3 && rm stage3.0   # numeric sort on the count field, most duplicated first
   sed 's/^ *//;s/^[0-9]* //' stage3 >> "${PWD##*/}"-clean.lst && rm stage3
   cat "$fileIn" | uniq -u >> "${PWD##*/}"-clean.lst
   rm "$fileIn"
done
rm -f stage* #aio-"${PWD##*/}".lst

wc -l "${PWD##*/}"-clean.lst
md5sum "${PWD##*/}"-clean.lst
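The same clean / dedupe / sort procedure re-implemented in Python, as an added example that is not g0tmi1k's bash above: it makes each step (line endings, non-printable bytes, HTML, e-mail prefixes, whitespace, frequency-then-alphabetical ordering, the one-or-two-word split) visible on a small input, and reports the percentage-unique figure the tables use and the 8-63 character WPA subset. The sample wordlist, the short TLD list in EMAIL_RE and the function names are constructed for this illustration.

```python
# Added example (not g0tmi1k's bash): the clean / dedupe / sort pipeline in
# Python. The TLD list in EMAIL_RE is a constructed short subset of the one in
# the bash version; SAMPLE is a constructed wordlist exercising every step.
import re
from collections import Counter

HTML_TAG_RE = re.compile(r"<[^>]*>")
# Entity spellings commonly left behind once tags are stripped
ENTITY_RE = re.compile(r"&(amp|quot|#0?39|lt|gt);", re.I)
ENTITIES = {"amp": "&", "quot": '"', "#39": "'", "#039": "'", "lt": "<", "gt": ">"}
# "user@domain.tld:" prefix of email:password dump lines (constructed TLD list)
EMAIL_RE = re.compile(r"^\S+@\S+\.(com|net|org|edu|gov|uk|de|info):?", re.I)
# Same range as tr -cd '\11\12\15\40-\176': keep tab, LF, CR and printable ASCII
NON_PRINTABLE_RE = re.compile(r"[^\t\n\r\x20-\x7e]")
WPA_MIN, WPA_MAX = 8, 63


def clean_line(raw: str) -> str:
    """Apply the per-line cleaning steps; returns "" when nothing usable is left."""
    line = raw.replace("\0", " ")                 # NUL separators become spaces
    line = NON_PRINTABLE_RE.sub("", line)         # drop control / high bytes
    line = HTML_TAG_RE.sub("", line)              # <b>word</b> -> word
    line = ENTITY_RE.sub(lambda m: ENTITIES[m.group(1).lower()], line)
    line = EMAIL_RE.sub("", line)                 # user@x.com:pass -> pass
    line = re.sub(r" {2,}", " ", line)            # collapse runs of spaces
    return line.strip(" \t")                      # leading/trailing whitespace


def clean_and_sort(raw: str) -> list[str]:
    """Dedupe, then order: one-or-two-word entries first, most duplicated first,
    then case-insensitive A-Z; multi-space entries follow, ordered the same way."""
    unix = raw.replace("\r\n", "\n").replace("\r", "\n")   # the tr '\r' '\n' step
    counts = Counter(c for c in map(clean_line, unix.split("\n")) if c)

    def key(word: str):
        multi_space = 0 if word.count(" ") <= 1 else 1
        return (multi_space, -counts[word], word.lower())

    return sorted(counts, key=key)


def stats(raw: str) -> dict:
    """Line count after cleaning, unique count, and the percentage that was unique."""
    unix = raw.replace("\r\n", "\n").replace("\r", "\n")
    total = sum(1 for c in map(clean_line, unix.split("\n")) if c)
    unique = len(clean_and_sort(raw))
    return {"lines": total, "unique": unique, "pct_unique": round(100 * unique / total, 1)}


def wpa_subset(words: list[str]) -> list[str]:
    """The 8-63 character filter that pw-inspector -m 8 -M 63 applies for WPA-PSK."""
    return [w for w in words if WPA_MIN <= len(w) <= WPA_MAX]


# Constructed sample: CRLF and LF endings, HTML, an entity, email:password
# dump lines, a NUL byte and control characters, and duplicates far apart.
SAMPLE = (
    "password1\r\npassword1\nletmein\n<b>password1</b>\n  letmein  \n"
    "user1@company.com:password1\nuser2@company.com:password1\n"
    "user3@company.com:password2\nmonkey\nQwerty123\ntrust no one\n"
    "the quick brown fox\x00jumps\n\x7fbad\x01\nAbc&amp;Def\npassword2\n"
)

if __name__ == "__main__":
    cleaned = clean_and_sort(SAMPLE)
    print(stats(SAMPLE))            # {'lines': 15, 'unique': 9, 'pct_unique': 60.0}
    print("\n".join(cleaned))
    print("WPA:", wpa_subset(cleaned))
```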


If you're wanting to try this all out for your self, you can find some more wordlists here:



As mentioned at the start, whilst having gigabytes worth of wordlists may be good and all... having a personalised/specific/targeted wordlist is great. PaulDotCom (great show by the way), did just that a while back.

As the password has to be in the wordlist, if it doesn't have the correct password you could try crunch (or L517 for Windows) to generate your own. For a few good tutorials on how to use crunch, check here and here (I highly recommend ADayWithTape's blog).

As waiting for a mass of words to be tried takes some time, it could be sped up by 'pre-hashing'. For example this WPA-PSK is vulnerable; however, WPA-PSK is 'salted' (by using the SSID as the salt). This means that each pre-hashed table is only valid for THAT salt/SSID. This isn't going to turn into another 'How to crack WPA', as it's already been done. It was just mentioned because this and this could help speed up the process.


Instead of brute forcing your way in, by 'playing it smart' it could be possible to generate/discover the password instead. This works if the algorithm has a weakness, for example here, or if the system is poor, for example here. However, finding a weakness might take longer than trying a wordlist (or three!).


When compiling all of this, I came across this. Most 'professional password guessers' know:

  • There is a 50 percent chance that a user's password will contain one or more vowels
  • If it contains a number, it will usually be a 1 or 2, and it will be at the end
  • If it contains a capital letter, it will be at the beginning, followed by a vowel
  • The average person has a working vocabulary of 50,000 to 150,000 words, and they are likely to be used in the password. 
  • Women are famous for using personal names in their passwords, and men opt for their hobbies
  • "Tigergolf" is not as unique as CEOs think. 
  • Even if you use a symbol, an attacker knows which are most likely to appear: ~!@#$%&, and ?.


When your password has to be 'at least 8 characters long and include at least one capital' it doesn't mean: 'MickeyMinniePlutoHueyLouieDeweyDonaldGoofyLondon'. And for the people that made it this far down, here is a 'riddle' on the subject of passwords.

I would like to thank 'connection' for a helping hand with the bash commands =).

credit to ~g0tmi1k (http://g0tmi1k.blogspot.com)