Crackstation wordlist is one of the most (if not the most) comprehensive wordlist which can be used for the purpose of dictionary -attack on passwords.
The wordlist comes in two flavors:
- Full wordlist (GZIP-compressed (level 9). 4.2 GiB compressed. 15 GiB uncompressed)
- Human-password only wordlist (GZIP-compressed. 247 MiB compressed. 684 MiB uncompressed)
Personally, I’ve already downloaded the full wordlist via torrent, and tested it against few PDF files (using pdfcrack) and UNIX password cracking (using John), all my test cases were successful. In my opinion, the wordlist is comprehensive for my need.
Since it looked like it took a significant effort to compile this wordlist, I rather advocate those who are interested to donate/buy the wordlist from: https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm
I’ve come across an PDF which was sent to my email from an automated banking system. Unfortunately, the PDF file is encrypted and I’ve no way of knowing the password (or actually I’ve forgotten the password).
Fortunately, my Ubuntu box comes with application which allows me to crack the PDF file within a reasonable time.
Using ‘pdfcrack’ to crack PDF file
You need to install pdfcrack to crack pdf file. In Ubuntu/Debian system, you simply need to run
sudo apt-get -y install pdfcrack
Then for actual cracking, you can run
pdfcrack -n5 -m10 encrypted.pdf
Where -n [minimum length] to brute-force, and -m [maximum length] to brute-force.
pdfcrack can also accept a file input containing list of words (dictionary attack). For dictionary-attack just run
pdfcrack --wordlist=dictionary.txt encrypted.pdf
For those into stealing SSH passwords and username: http://pentestmonkey.net/blog/sshd-snooping
Secured Shell or SSH is a service to enable users to access remote system securely. However, SSH servers depending on password-based authentication might be vulnerable to dictionary-based (or brute-force) attacks by crackers.
Luckily iptables can be used with ‘–limit-burst‘ and ‘–limit’ option to reduce the number of attempts and connection that a cracking tool can make in a period of time.
For example, in order to limit an IP address to making only 5 connections per minute in burst of 2 connections, you can use this iptables rules:
iptables -A INPUT -p tcp --dport ssh -m limit --limit 5/minute --limit-burst 2 -j ACCEPT
This will result in the iptables will only allow up to 5 connections per minute with 2 maximum initial number of connections, which will make any brute-force or dictionary-based attack uneconomical/unfeasible for the server.
Read more about iptables –limit and –limit-burst in Linux Iptables Limit the number of incoming tcp connection / syn-flood attacks