Penetration Testing mailing list archives

Re: [PEN-TEST] (Web-Derived Custom Dictionary Creation Tools)


From: Mike Ahern <mc_ahern () YAHOO COM>
Date: Thu, 21 Sep 2000 07:34:07 -0700

I think an excellent set of tools for sucking down the
contents of entire web sites and converting them to
text files (or one large text file) are two products
from Tennyson Maxwell. "Teleport Pro" does an
excellent job of sucking down a web site's file
contents, and can do so to a single directory if you
like. "HTML2TEXT" converts the web content to text
files - or to a single text file (removing all HTML
tags). All that needs to be done to create a
dictionary is to replace spaces and punctuation with
CR-LF's, and then sort. You can go to the extra
trouble of then removing duplicate words easily with
std UNIX tools/scripts.

The great thing is that you get a dictionary of
company or industry specific names/words/acronyms. The
downside is many times two or sometimes three
names/words have special significance together (i.e.,
"Tiger Woods", as opposed to "Tiger" and "Woods"; or
"Los Angeles" as opposed to "Los" and "Angeles"). It is
harder to pull these associations from an automated
process (without getting a lot of word associations
that don't make sense together in with the ones that
do).


- mch





On Wed, 20 Sep 2000, Loschiavo, Dave wrote:
With checking out the website being a first step...
Does anyone know if there is a tool that will comb
through a website to pull nouns down into a dictionary
file that you use for a customized dictionary attack
specific to that company?

I've been doing this, creating custom attack dictionaries for each
penetration test, for several years.  Nothing complex - just spidering all
html and sorting all found strings (sans html markup, although those
strings are already in my base dictionary).  I use proprietary tools, but
you could just as well use wget|find|strings|sort...
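
The procedure described in this message (strip the markup, split on spaces and punctuation, sort, drop duplicates), together with one way to handle the multi-word names problem, as an added example that is not part of the original post. The sample HTML, the function names and the "keep a capitalized pair only if it appears at least twice" threshold are assumptions made for illustration.

```python
import re
from collections import Counter
from html.parser import HTMLParser

# Constructed sample page, standing in for mirrored site content.
SAMPLE_HTML = """<html><head><title>Acme Golf</title><script>var x = 1;</script></head>
<body><h1>Acme Golf sponsors Tiger Woods</h1>
<p>Tiger Woods visits our Los Angeles office. The Los Angeles team
builds the ProSwing 3000 putter.</p></body></html>"""

class TextOnly(HTMLParser):
    """Collect text nodes, skipping <script> and <style> bodies."""
    def __init__(self):
        super().__init__()
        self.chunks, self._skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)

def html_to_text(html):
    parser = TextOnly()
    parser.feed(html)
    parser.close()
    return "\n".join(parser.chunks)

def build_wordlist(text, min_len=3, min_pair_count=2):
    """Return (sorted unique words, capitalized pairs seen >= min_pair_count times)."""
    words, pairs = set(), Counter()
    # Split on sentence punctuation and newlines so a pair never spans a boundary.
    for segment in re.split(r"[.!?;:\n]+", text):
        tokens = re.findall(r"[A-Za-z0-9]+", segment)
        words.update(t for t in tokens if len(t) >= min_len)
        # Adjacent capitalized tokens are candidate names ("Tiger Woods").
        for a, b in zip(tokens, tokens[1:]):
            if a[0].isupper() and b[0].isupper():
                pairs[f"{a} {b}"] += 1
    # One-off pairs such as "The Los" are dropped as noise.
    kept = sorted(p for p, n in pairs.items() if n >= min_pair_count)
    return sorted(words), kept
```

The same site-derived list can be loaded into a password deny-list or used when auditing existing password hashes for organization-specific terms.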

