<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-tAJa4MDz_Co/YUuoLt01PoI/AAAAAAAAvSU/CkAAccSSGBI6r6apc9d3cLcmRkAjTTyCgCNcBGAsYHQ/s702/some_words.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="408" data-original-width="702" height="373" src="https://1.bp.blogspot.com/-tAJa4MDz_Co/YUuoLt01PoI/AAAAAAAAvSU/CkAAccSSGBI6r6apc9d3cLcmRkAjTTyCgCNcBGAsYHQ/w640-h373/some_words.png" width="640" /></a></div> Turns any junk text into a usable wordlist for brute-forcing.<a name='more'></a><div> </div>Installation <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="go install github.com/hakluke/haklistgen@latest "><pre><code>go install github.com/hakluke/haklistgen@latest </code></pre></div> Usage Examples Scrape all words out of an HTTP response to build a directory <a href="https://www.kitploit.com/search/label/Bruteforce" target="_blank" title="bruteforce">bruteforce</a> wordlist: <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="curl https://wikipedia.org | haklistgen "><pre><code>curl https://wikipedia.org | haklistgen </code></pre></div> Pipe a list of <a href="https://www.kitploit.com/search/label/Subdomains" target="_blank" title="subdomains">subdomains</a> to it to generate a wordlist for <a href="https://www.kitploit.com/search/label/Bruteforcing" target="_blank" title="bruteforcing">bruteforcing</a> more subdomains: <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="subfinder -silent -d example.com | haklistgen "><pre><code>subfinder -silent -d example.com | haklistgen </code></pre></div> Piping in a custom JavaScript file could yield some interesting results: <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="curl https://example.com/app.js | haklistgen "><pre><code>curl https://example.com/app.js | haklistgen </code></pre></div> You could create a great <a href="https://www.kitploit.com/search/label/Custom%20Wordlist" target="_blank" title="custom wordlist">custom wordlist</a> for a large-scope target doing something like this: <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="subfinder -silent -d hakluke.com | anew subdomains.txt | httpx -silent | anew urls.txt | &lt;a title=" hakrawler="" href="https://www.kitploit.com/search/label/Hakrawler">hakrawler | anew endpoints.txt | while read url; do curl $url --insecure | haklistgen | anew wordlist.txt; done cat subdomains.txt urls.txt endpoints.txt | haklistgen | anew wordlist.txt; "&gt;<pre><code>subfinder -silent -d hakluke.com | anew subdomains.txt | httpx -silent | anew urls.txt | hakrawler | anew endpoints.txt | while read url; do curl $url --insecure | haklistgen | anew wordlist.txt; done cat subdomains.txt urls.txt endpoints.txt | haklistgen | anew wordlist.txt; </code></pre></div> This would save subdomains to <code>subdomains.txt</code>, then save httpx output to <code>urls.txt</code>, then crawl each url and save the hakrawler output to <code>endpoints.txt</code>, then fetch every URL in <code>endpoints.txt</code> and make a wordlist out of it, concatenating all of the wordlists to <code>wordlist.txt</code>. Then it takes all of the subdomains and urls, and adds words out of the words in those too. <div style="text-align: center;"><a class="kiploit-download" href="https://github.com/hakluke/haklistgen" rel="nofollow" target="_blank" title="Download Haklistgen">Download Haklistgen</a></div>

Haklistgen - Turns Any Junk Text Into A Usable Wordlist For Brute-Forcing

<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-h0VI37sR9_k/YUqNP3yhHHI/AAAAAAAAvRY/YEfOeO7sMlEHVNzTe5DeRVQ8dm0DnEf6ACNcBGAsYHQ/s1851/weakpass_1_sample.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="939" data-original-width="1851" height="324" src="https://1.bp.blogspot.com/-h0VI37sR9_k/YUqNP3yhHHI/AAAAAAAAvRY/YEfOeO7sMlEHVNzTe5DeRVQ8dm0DnEf6ACNcBGAsYHQ/w640-h324/weakpass_1_sample.png" width="640" /></a></div> The tool generates a <a href="https://www.kitploit.com/search/label/Wordlist" target="_blank" title="wordlist">wordlist</a> based on a set of words entered by the user.<a name='more'></a> For example, during penetration testing, you need to gain access to some service, device, account, or Wi-Fi network that is password protected. For example, let it be the Wi-Fi network of EvilCorp. Sometimes, a password is a combination of device/network/organization name with some date, special character, etc. Therefore, it is simpler and easier to test some combinations before launching more complex and time-consuming checks. For example, <a href="https://www.kitploit.com/search/label/Cracking" target="_blank" title="cracking">cracking</a> a Wi-Fi password with a wordlist can take several hours and can fail, even if you choose a <a href="https://weakpass.com/wordlist/1950" rel="nofollow" target="_blank" title="great wordlist">great wordlist</a> because there was no such password in it like Evilcorp2019.Therefore, using the generated wordlist, it is possible to organize a targeted and effective online password check.Link: <a href="https://zzzteph.github.io/weakpass/" rel="nofollow" target="_blank" title="https://zzzteph.github.io/weakpass/">https://zzzteph.github.io/weakpass/</a>Secondary: <a href="https://weakpass.com/generate" rel="nofollow" target="_blank" title="https://weakpass.com/generate">https://weakpass.com/generate</a> Features The <a href="https://www.kitploit.com/search/label/Hashcat" target="_blank" title="hashcat">hashcat</a> rule syntax is used to generate the wordlist. By default, the <a href="https://www.kitploit.com/search/label/Generator" target="_blank" title="generator">generator</a> uses a set of rules "online.rule", which performs the following mutations:<ol><li>Adding special characters and popular endings to the end of the word - !,!@, !@#, 123! etc. evilcorp!, evilcorp!123</li><li>Adding digits from 1 to 31, from 01 to 12 - evilcorp01, evilcorp12.</li><li>Adding the date 2018-2023 - evilcorp2018, evilcorp2019</li><li>Various combinations of 1-3 - evilcorp2018!</li><li>Capitalize the first letter and lower the rest, apply 1-4. Evilcorp!2021</li></ol>As a result, for the word evilcorp, the following <a href="https://www.kitploit.com/search/label/Passwords" target="_blank" title="passwords">passwords</a> will be generated (216 in total):<ul><li>evilcorp</li><li>Evilcorp</li><li>EVILCORP</li><li>evilcorp123456</li><li>evilcorp2018</li><li>Evilcorp!2021</li><li>Evilcorp!2022</li><li>Evilcorp2018!@#</li></ul>You can use your own hashcat rules, just click "Show rules" and put in the "Rules" textarea them with the list of rules you like best. Rules that are supported (source <a href="https://hashcat.net/wiki/doku.php?id=rule_based_attack" rel="nofollow" target="_blank" title="https://hashcat.net/wiki/doku.php?id=rule_based_attack">https://hashcat.net/wiki/doku.php?id=rule_based_attack</a>):<table><tr><th>Name</th><th>Function</th><th>Description</th><th>Example Rule</th><th>Input Word</th><th>Output Word</th></tr><tr><td>Nothing</td><td>:</td><td>Do nothing (passthrough)</td><td>:</td><td>p@ssW0rd</td><td>p@ssW0rd</td></tr><tr><td>Lowercase</td><td>l</td><td>Lowercase all letters</td><td>l</td><td>p@ssW0rd</td><td>p@ssw0rd</td></tr><tr><td>Uppercase</td><td>u</td><td>Uppercase all letters</td><td>u</td><td>p@ssW0rd</td><td>P@SSW0RD</td></tr><tr><td>Capitalize</td><td>c</td><td>Capitalize the first letter and lower the rest</td><td>c</td><td>p@ssW0rd</td><td>P@ssw0rd</td></tr><tr><td>Invert Capitalize</td><td>C</td><td>Lowercase first found character, uppercase the rest</td><td>C</td><td>p@ssW0rd</td><td>p@SSW0RD</td></tr><tr><td>Toggle Case</td><td>t</td><td>Toggle the case of all characters in word.</td><td>t</td><td>p@ssW0rd</td><td>P@SSw0RD</td></tr><tr><td>Toggle @</td><td>TN</td><td>Toggle the case of characters at position N</td><td>T3</td><td>p@ssW0rd</td><td>p@sSW0rd</td></tr><tr><td>Reverse</td><td>r</td><td>Reverse the entire word</td><td>r</td><td>p@ssW0rd</td><td>dr0Wss@p</td></tr><tr><td>Duplicate</td><td>d</td><td>Duplicate entire word</td><td>d</td><td>p@ssW0rd</td><td>p@ssW0rdp@ssW0rd</td></tr><tr><td>Duplicate N</td><td>pN</td><td>Append duplicated word N times</td><td>p2</td><td>p@ssW0rd</td><td>p@ssW0rdp@ssW0rdp@ssW0rd</td></tr><tr><td>Reflect</td><td>f</td><td>Duplicate word reversed</td><td>f</td><td>p@ssW0rd</td><td>p@ssW0rddr0Wss@p</td></tr><tr><td>Rotate Left</td><td>{</td><td>Rotate the word left.</td><td>{</td><td>p@ssW0rd</td><td>@ssW0rdp</td></tr><tr><td>Rotate Right</td><td>}</td><td>Rotate the word right</td><td>}</td><td>p@ssW0rd</td><td>dp@ssW0r</td></tr><tr><td>Append Character</td><td>$X</td><td>Append character X to end</td><td>$1</td><td>p@ssW0rd</td><td>p@ssW0rd1</td></tr><tr><td>Prepend Character</td><td>^X</td><td>Prepend character X to front</td><td>^1</td><td>p@ssW0rd</td><td>1p@ssW0rd</td></tr><tr><td>Truncate left</td><td>[</td><td>Delete first character</td><td>[</td><td>p@ssW0rd</td><td>@ssW0rd</td></tr><tr><td>Trucate right</td><td>]</td><td>Delete last character</td><td>]</td><td>p@ssW0rd</td><td>p@assW0r</td></tr><tr><td>Delete @ N</td><td>DN</td><td>Delete character at position N</td><td>D3</td><td>p@ssW0rd</td><td>p@sW0rd</td></tr><tr><td>Extract range</td><td>xNM</td><td>Extract M characters, starting at position N</td><td>x04</td><td>p@ssW0rd</td><td>p@ss</td></tr><tr><td>Omit range</td><td>ONM</td><td>Delete M characters, starting at position N</td><td>O12</td><td>p@ssW0rd</td><td>psW0rd</td></tr><tr><td>Insert @ N</td><td>iNX</td><td>Insert character X at position N</td><td>i4!</td><td>p@ssW0rd</td><td>p@ss!W0rd</td></tr><tr><td>Overwrite @ N</td><td>oNX</td><td>Overwrite character at position N with X</td><td>o3$</td><td>p@ssW0rd</td><td>p@s$W0rd</td></tr><tr><td>Truncate @ N</td><td>'N</td><td>Truncate word at position N</td><td>'6</td><td>p@ssW0rd</td><td>p@ssW0</td></tr><tr><td>Replace</td><td>sXY</td><td>Replace all instances of X with Y</td><td>ss$</td><td>p@ssW0rd</td><td>p@$$W0rd</td></tr><tr><td>Purge</td><td>@X</td><td>Purge all instances of X</td><td>@s</td><td>p@ssW0rd</td><td>p@W0rd</td></tr><tr><td>Duplicate first N</td><td>zN</td><td>Duplicate first character N times</td><td>z2</td><td>p@ssW0rd</td><td>ppp@ssW0rd</td></tr><tr><td>Duplicate last N</td><td>ZN</td><td>Duplicate last character N times</td><td>Z2</td><td>p@ssW0rd</td><td>p@ssW0rddd</td></tr><tr><td>Duplicate all</td><td>q</td><td>Duplicate every character</td><td>q</td><td>p@ssW0rd</td><td>pp@@ssssWW00rrdd</td></tr></table>The generator automatically removes duplicate passwords.By pressing the Wi-Fi, all passwords less than 8 characters long will be automatically deleted.All data is generated using Javascript so that you can use the generator without internet access. How-to <div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-w9y2vqXLp8A/YUqNb3lBxWI/AAAAAAAAvRc/r_B4UpLWJecsL3g9LifEwJBvOf3qrGMQgCNcBGAsYHQ/s334/weakpass_2_howto.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="306" data-original-width="334" src="https://1.bp.blogspot.com/-w9y2vqXLp8A/YUqNb3lBxWI/AAAAAAAAvRc/r_B4UpLWJecsL3g9LifEwJBvOf3qrGMQgCNcBGAsYHQ/s16000/weakpass_2_howto.gif" /></a></div> <ol><li>To generate a wordlist, enter in the Words field, words that can be used as part of the password.</li><li>Click on the Generate button</li><li>Copy the received content or click on the Copy to clipboard button for automatic copying.</li><li>...</li><li>Profit!</li></ol> <div style="text-align: center;"><a class="kiploit-download" href="https://github.com/zzzteph/weakpass" rel="nofollow" target="_blank" title="Download Weakpass">Download Weakpass</a></div>

Weakpass - Rule-Based Online Generator To Create A Wordlist Based On A Set Of Words

<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-4w-yAJHKJ4Q/YUOMKJAmDwI/AAAAAAAAuuY/2Tqomqypu58DXaQApHuQiwhXEcC7q17ZgCNcBGAsYHQ/s800/graphql.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="280" data-original-width="800" height="224" src="https://1.bp.blogspot.com/-4w-yAJHKJ4Q/YUOMKJAmDwI/AAAAAAAAuuY/2Tqomqypu58DXaQApHuQiwhXEcC7q17ZgCNcBGAsYHQ/w640-h224/graphql.png" width="640" /></a></div> BatchQL is a GraphQL security <a href="https://www.kitploit.com/search/label/Auditing" target="_blank" title="auditing">auditing</a> script with a focus on performing batch GraphQL queries and mutations. This script is not complex, and we welcome improvements. When exploring the problem space of GraphQL batching attacks, we found that there were a few blog posts on the internet, however no tool to perform GraphQL batching attacks. GraphQL batching attacks can be quite serious depending on the functionalities implemented. For example, imagine a password reset functionality which expects a 4 digit pin that was sent to your email. With this tool, you could attempt all 10k pin attempts in a single GraphQL query. This may bypass any rate limiting or account lockouts depending on the implementation details of the password reset flow.<a name='more'></a><div> </div>Detections This tool is capable of detecting the following: <ul> <li>Introspection query support</li> <li>Schema suggestions detection</li> <li>Potential CSRF detection</li> <li>Query name based batching</li> <li>Query JSON list based batching</li> </ul> Attacks Currently, this tool only supports sending JSON list based queries for batching attacks. It supports scenarios where the variables are <a href="https://www.kitploit.com/search/label/Embedded" target="_blank" title="embedded">embedded</a> in the query, or where they are provided in the JSON input. Usage Enumeration <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="❯ python batch.py -e http://re.local:5000/graphiql -p localhost:8080 Schema suggestions enabled. Use Clairvoyance to recover schema: https://github.com/nikitastupin/clairvoyance CSRF GET based successful. Please confirm that this is a valid issue. CSRF POST based successful. Please confirm that this is a valid issue. Query name based batching: GraphQL batching is possible... preflight request was successful. Query JSON list based batching: GraphQL batching is possible... preflight request was successful. Most provide query, wordlist, and size to perform batching attack. "><pre><code>❯ python batch.py -e http://re.local:5000/graphiql -p localhost:8080 Schema suggestions enabled. Use Clairvoyance to recover schema: https://github.com/nikitastupin/clairvoyance CSRF GET based successful. Please confirm that this is a valid issue. CSRF POST based successful. Please confirm that this is a valid issue. Query name based batching: GraphQL batching is possible... preflight request was successful. Query JSON list based batching: GraphQL batching is possible... preflight request was successful. Most provide query, wordlist, and size to perform batching attack. </code></pre></div> Batching Attacks <ol> <li>Save a file that contains your GraphQL query i.e. <code>acc-login.txt</code>:</li> </ol> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="mutation emailLoginRemembered($loginInput: InputRememberedEmailLogin!) { emailLoginRemembered(loginInput: $loginInput) { authToken { accessToken __typename } userSessionResponse { userToken userIdentity { userId identityType verified onboardingStatus registrationReferralCode userReferralInfo { referralCode { code valid __typename } __typename } __typename } __typename } __typename } } "><pre><code>mutation emailLoginRemembered($loginInput: InputRememberedEmailLogin!) { emailLoginRemembered(loginInput: $loginInput) { authToken { accessToken __typename } userSessionResponse { userToken userIdentity { userId identityType verified onboardingStatus registrationReferralCode userReferralInfo { referralCode { code valid __typename } __typename } __typename } __typename } __typename } } </code></pre></div> <ol start="2"> <li>Run the following command to run a GraphQL batching attack:</li> </ol> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="❯ python batch.py --query acc-login.txt --wordlist passwords.txt -v '{&quot;loginInput&quot;:{&quot;email&quot;:&quot;admin@example.com&quot;,&quot;password&quot;:&quot;#VARIABLE#&quot;,&quot;rememberMe&quot;:false}}' --size 100 -e http://re.local:5000/graphiql -p localhost:8080 "><pre><code>❯ python batch.py --query acc-login.txt --wordlist passwords.txt -v '{"loginInput":{"email":"admin@example.com","password":"#VARIABLE#","rememberMe":false}}' --size 100 -e http://re.local:5000/graphiql -p localhost:8080 </code></pre></div> The above command does the following: <ul> <li>Specifies a query from a local file <code>--query acc-login.txt</code>.</li> <li>Specifies a <a href="https://www.kitploit.com/search/label/Wordlist" target="_blank" title="wordlist">wordlist</a> <code>--wordlist passwords.txt</code></li> <li>Specifies the variable input with the replacement <a href="https://www.kitploit.com/search/label/Identifier" target="_blank" title="identifier">identifier</a> <code>-v {"loginInput":{"email":"admin@example.com","password":"#VARIABLE#","rememberMe":false}}</code></li> <li>Specifies the batch size <code>--size 100</code></li> <li>Specifies the endpoint <code>-e http://re.local:5000/graphiql</code></li> <li>Specifies a proxy <code>-p localhost:8080</code></li> </ul> References <ul> <li><a href="https://blog.assetnote.io/2021/08/29/exploiting-graphql/" rel="nofollow" target="_blank" title="Exploiting GraphQL">Exploiting GraphQL</a></li> <li><a href="https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application" rel="nofollow" target="_blank" title="Damn">Damn </a><a href="https://www.kitploit.com/search/label/Vulnerable" target="_blank" title="Vulnerable">Vulnerable</a> GraphQL Application</li> <li><a href="https://lab.wallarm.com/graphql-batching-attack/" rel="nofollow" target="_blank" title="GraphQL Batching Attack - Wallarm">GraphQL Batching Attack - Wallarm</a></li> <li><a href="https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html#mitigating-batching-attacks" rel="nofollow" target="_blank" title="Mitigating Batching Attacks">Mitigating Batching Attacks</a></li> </ul> <div style="text-align: center;"><a class="kiploit-download" href="https://github.com/assetnote/batchql" rel="nofollow" target="_blank" title="Download Batchql">Download Batchql</a></div>

Tag

#Wordlist