Here are some pretty good word lists:
http://www.packetstormsecurity.org/Crackers/wordlists/
Also, I know that programs exist out there that are able to generate
password lists, even though I'm skeptical of the usefulness of such a
program... just keep looking!
On 04/08/05, Andrew Meyers <AMeyers@msolgroup.com> wrote:
Here is a link (its cached from google) that a trainer from Foundstone showed
me (his website) of the 51 most common passwords that worked 80% of the time
to penetrate a network
http://66.102.7.104/search?q=cache:N60gEe8eS8UJ:hig.beesecure.org/r005_password_guessing_works.html+51+common+passwords+beesecure&hl=en&client=firefox-a
if the link doesn't work here is the article itself:
There are many "Default Password Lists" on the internet that are fairly
comprehensive. Many of them are too big. Over the past few years, I've
compiled a personal list of passwords that I've run across. When doing
internal assessments against NT environments, one of these 51 passwords get
me in 80% of the time. I'm interested in adding to this list. Please send me
any common passwords (for Domain Admin's) you may have run into.
Begin list:
123456
1234567
12345678
123asdf
Admin
admin
administrator
asdf123
backup
backupexec
changeme
clustadm
cluster
compaq
default
dell
dmz
domino
exchadm
exchange
ftp
gateway
guest
lotus
money
notes
office
oracle
pass
password
password!
password1
print
qwerty
replicate
seagate
secret
sql
sqlexec
temp
temp!
temp123
test
test!
test123
tivoli
veritas
virus
web
www
KKKKKKK
End List.
When I brutre force, I use username:username first, then this list. Do *not*
forget to include a blank line in the above password list. Many accounts have
blank passwords. That's it.
--Aaron Higbee, CISSP aaron@beesecure.org
Andy Meyers
Systems Engineer
Managed Solution
ameyers@mssandiego.com
-----Original Message-----
From: dareios [mailto:dareios@gmx.at]
Sent: Thursday, August 04, 2005 2:53 AM
To: pen-test@securityfocus.com
Subject: Password lists
Hi!
I am searching for "good" lists of common passwords. The definiton of good
in this context is that the passwords in the list are different from the
"aaaaa aaaab ... zzzzz" approach and contain also special characters (eg not
only words from a dictionary).
I want to use them with bruteforcers like "hydra". Does anybody know some
pointers where to find (or generate?) such lists?
Several pentesting live-distros like Auditor contain such lists. How useful
are they?
-dareios
--
5 GB Mailbox, 50 FreeSMS http://www.gmx.net/de/go/promail
+++ GMX - die erste Adresse für Mail, Message, More +++
------------------------------------------------------------------------------
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't
Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:
http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
-------------------------------------------------------------------------------
------------------------------------------------------------------------------
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't
Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:
http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
-------------------------------------------------------------------------------
