How to automate a custom password dictionary for your pen test
During a penetration test, security professionals regularly have to deal with words specific to the engagement, many of which are not found in common wordlists. A second problem is that the popular wordlist tools are often hard to customize.
The OWASP Basic Expression & Lexicon Variation Algorithms Project (pyOwaspBELVA) is a custom dictionary builder that lets the user import data from proxies such as ZAP and Burp, substitute letters, numbers and special characters, apply policies to select and remove words, and write plugins for extensibility. The app also lets the pen tester generate custom usernames based on a policy.
“While some basic wordlists are supplied with the tool, you can use any pre-existing wordlist, and the tool can handle large wordlists such as Rockyou. At 14.34 million passwords, it’s best to first run the app to select the Rockyou passwords that meet the criteria needed rather than generating variations against such a large list. We found that there were less than 70,000 words that were between 6 and 15 in length, contained a capital letter, a number and a special character. That’s less than half of a percent that were strong passwords, and met most US corporate standards,” Kenneth F. Belva, author of pyOwaspBELVA (dedicated to his father), told Help Net Security.
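The two-pass approach described above, filtering a large list against a policy first and only then generating variations of the engagement-specific words, as an added example in Python. This is illustrative code written for this page, not pyOwaspBELVA's own implementation or plugin API; the sample wordlist, the policy (6 to 15 characters with an uppercase letter, a digit and a special character, mirroring the criteria in the quote), the substitution table and the suffix list are all constructed here and are assumptions.

```python
import itertools
import re

# Constructed sample standing in for a few lines of a large leaked list
# such as RockYou (not the real file).
SAMPLE_WORDLIST = [
    "password", "Password1!", "summer2019", "Summer2019!", "qwerty",
    "Welcome@123", "acme", "Acme#2020", "abcdefghijklmnopqrstuvwxyz", "P@ssw0rd",
]

# Policy modelled on the criteria quoted above: 6-15 characters with at least
# one uppercase letter, one digit and one special character (assumed thresholds).
POLICY = {
    "min_len": 6,
    "max_len": 15,
    "required": [re.compile(r"[A-Z]"), re.compile(r"[0-9]"), re.compile(r"[^A-Za-z0-9]")],
}

def meets_policy(word, policy=POLICY):
    """True if word satisfies the length bounds and every required character class."""
    if not policy["min_len"] <= len(word) <= policy["max_len"]:
        return False
    return all(rx.search(word) for rx in policy["required"])

def select(wordlist, policy=POLICY):
    """First pass: keep only entries of the big list that already meet the policy."""
    return [w for w in wordlist if meets_policy(w, policy)]

# Hypothetical substitution table and suffixes for mangling engagement-specific words.
SUBSTITUTIONS = {"a": ["@", "4"], "e": ["3"], "i": ["1", "!"], "o": ["0"], "s": ["$", "5"]}
SUFFIXES = ["", "1", "!", "123", "2020", "2020!"]

def substitute(word, table=SUBSTITUTIONS, max_variants=256):
    """Every combination of keeping or replacing each substitutable character.
    The product grows as (1 + number of substitutes) per character, so it is capped."""
    choices = [[ch] + table.get(ch.lower(), []) for ch in word]
    out = []
    for combo in itertools.product(*choices):
        out.append("".join(combo))
        if len(out) >= max_variants:
            break
    return out

def case_variants(word):
    return {word, word.lower(), word.upper(), word.capitalize()}

def variations(word, policy=POLICY):
    """Second pass: all policy-compliant candidates derived from one base word."""
    seen = set()
    for base in case_variants(word):
        for sub in substitute(base):
            for suffix in SUFFIXES:
                cand = sub + suffix
                if meets_policy(cand, policy):
                    seen.add(cand)
    return sorted(seen)

def build_dictionary(wordlist, extra_words, policy=POLICY):
    """Selected list entries plus mangled task-specific words, deduplicated, order kept."""
    out, seen = [], set()
    candidates = select(wordlist, policy) + [v for e in extra_words for v in variations(e, policy)]
    for w in candidates:
        if w not in seen:
            seen.add(w)
            out.append(w)
    return out

if __name__ == "__main__":
    d = build_dictionary(SAMPLE_WORDLIST, ["acme"])
    print(len(d), "candidates; first few:", d[:8])
```

Running the policy filter before the mangler is what keeps the output manageable: the variation step multiplies each base word by the product of its substitution choices, case forms and suffixes, which is affordable for a few dozen engagement-specific words but not for millions of list entries.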
What sets the tool apart is that the word-transformation rules are intuitive and highly customizable; even basic Python knowledge is enough to write custom plugins.
“Organizations may want to run password audits against the hashes in their domain controller. This is an easy way to create a specialized dictionary for that purpose,” Belva added.
pyOwaspBELVA can also be used beyond passwords to generate custom usernames from a list of first and last names. Future plans include plugins to generate other essential lists, such as email addresses.
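Username generation from a list of first and last names, as an added example in Python (illustrative code written for this page, not pyOwaspBELVA's own username policy or code). The name list, the pattern set and the 20-character cap are assumptions; the cap reflects the legacy Active Directory sAMAccountName limit, which is the usual reason derived logons get truncated.

```python
import re
import unicodedata

# Constructed sample of first/last names (not a real directory export).
SAMPLE_NAMES = [("John", "Smith"), ("María", "García-López"), ("Ann", "Lee")]

# Hypothetical pattern set. Fields: first, last, f (first initial), l (last initial).
PATTERNS = ["{first}.{last}", "{f}{last}", "{first}{l}", "{first}_{last}", "{last}{f}", "{first}"]

# Legacy Active Directory sAMAccountName is limited to 20 characters, so
# name-derived logons are commonly truncated there (assumed as the default cap).
MAX_LEN = 20

def normalize(name):
    """Fold accents to ASCII and keep only a-z, so 'García-López' -> 'garcialopez'."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", folded.lower())

def usernames(first, last, patterns=PATTERNS, max_len=MAX_LEN):
    """Candidate logons for one person, in pattern order, without duplicates."""
    f, l = normalize(first), normalize(last)
    if not f or not l:
        return []
    fields = {"first": f, "last": l, "f": f[0], "l": l[0]}
    out = []
    for p in patterns:
        u = p.format(**fields)[:max_len]
        if u not in out:
            out.append(u)
    return out

def username_list(names, patterns=PATTERNS, max_len=MAX_LEN):
    """Deduplicated candidate list for a whole roster, order preserved."""
    seen, out = set(), []
    for first, last in names:
        for u in usernames(first, last, patterns, max_len):
            if u not in seen:
                seen.add(u)
                out.append(u)
    return out

if __name__ == "__main__":
    for u in username_list(SAMPLE_NAMES):
        print(u)
```

Normalizing names before applying patterns matters more than the patterns themselves: accented characters and hyphens produce candidates that never match how the directory actually spells the account, and a list full of such misses wastes attempts against any lockout threshold.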