Penetration Testing mailing list archives

Re: Password lists

From: "Michael Wood" <mike () itnetsec com>
Date: Tue, 23 Aug 2005 18:09:44 -0400 (EDT)

Here is another site that contains a large variety of wordlists:
http://theargon.com/archives/wordlists/

Here are some pretty good word lists:
http://www.packetstormsecurity.org/Crackers/wordlists/

Also, I know that programs exist out there that are able to generate
password lists, even though I'm skeptical of the usefulness of such a
program... just keep looking!

On 04/08/05, Andrew Meyers <AMeyers () msolgroup com> wrote:

Here is a link (its cached from google) that a trainer from Foundstone
showed me (his website) of the 51 most common passwords that worked 80%
of the time to penetrate a network

http://66.102.7.104/search?q=cache:N60gEe8eS8UJ:hig.beesecure.org/r005_password_guessing_works.html+51+common+passwords+beesecure&hl=en&client=firefox-a


if the link doesn't work here is the article itself:



There are many  "Default Password Lists" on the internet that are fairly
comprehensive. Many of them are too big. Over the past few years, I've
compiled a personal list of passwords that I've run across. When doing
internal assessments against NT environments, one of these 51 passwords
get me in 80% of the time. I'm interested in adding to this list. Please
send me any common passwords (for Domain Admin's) you may have run into.

Begin list:

123456
1234567
12345678
123asdf
Admin
admin
administrator
asdf123
backup
backupexec
changeme
clustadm
cluster
compaq
default
dell
dmz
domino
exchadm
exchange
ftp
gateway
guest
lotus
money
notes
office
oracle
pass
password
password!
password1
print
qwerty
replicate
seagate
secret
sql
sqlexec
temp
temp!
temp123
test
test!
test123
tivoli
veritas
virus
web
www
KKKKKKK

End List.

When I brutre force, I use username:username first, then this list. Do
*not* forget to include a blank line in the above password list. Many
accounts have blank passwords. That's it.

--Aaron Higbee, CISSP aaron () beesecure org

Andy Meyers
Systems Engineer
Managed Solution
ameyers () mssandiego com

-----Original Message-----
From: dareios [mailto:dareios () gmx at]
Sent: Thursday, August 04, 2005 2:53 AM
To: pen-test () securityfocus com
Subject: Password lists

Hi!

I am searching for "good" lists of common passwords. The definiton of
good
in this context is that the passwords in the list are different from the
"aaaaa aaaab ... zzzzz" approach and contain also special characters (eg
not
only words from a dictionary).
I want to use them with bruteforcers like "hydra". Does anybody know
some
pointers where to find (or generate?) such lists?

Several pentesting live-distros like Auditor contain such lists. How
useful
are they?

-dareios

--
5 GB Mailbox, 50 FreeSMS http://www.gmx.net/de/go/promail
+++ GMX - die erste Adresse für Mail, Message, More +++

------------------------------------------------------------------------------
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You
Don't

Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:

http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
-------------------------------------------------------------------------------


------------------------------------------------------------------------------
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You
Don't

Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:

http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
-------------------------------------------------------------------------------

Current thread:

RE: Password lists, (continued)
- RE: Password lists Prashant Meswani (Aug 04)
- Re: Password lists Illuminatus Master (Aug 04)
- Re: Password lists J. Theriault (Aug 04)
- Re: Password lists Isaias Calderon (Aug 04)
- Re: Password lists A. Ramos (Aug 05)
- Re: Password lists xyberpix (Aug 06)
- Fwd: RE: Password lists Greg (Aug 10)
- RE: Password lists Andrew Meyers (Aug 22)
  - Re: Password lists Jeffrey Denton (Aug 23)
  - Re: Password lists James Leighe (Aug 23)
    - Re: Password lists Michael Wood (Aug 23)