1. Using LLMs to Help Create Custom Wordlists
2. Web App Enumeration Lists
2.1. What Makes an Effective Web App Wordlist?
2.2. Challenges with Using LLMs
2.3. Experiment: Solo GPT 3.5
2.4. Experiment: CeWL + GPT4 = ???
2.5. Experiment: Microsoft Copilot
3.1. Experiment: Generate Password List with GPT4
3.2. Future Password Experiments
Wordlists are vital tools for penetration testers and other security professionals. They can be used in a variety of situations, in both attacking and defending. In this module, we will consider how AI systems can help us generate augmented wordlists, and how this might improve on traditional methods of wordlist creation.
The success of a wordlist depends mainly on how relevant and customized it is for the specific application or environment where it will be used. If we try using a wordlist designed for ASP.NET applications against an Apache server, we probably won't have much success. Likewise, attempting to use the contents of a wordlist built for an entirely different purpose against a potential SQL injection point will most likely not yield any useful or exploitable results.
Choosing an effective wordlist goes beyond just the technologies or potential mechanics of a hypothetical exploitation. The decisions related to naming custom endpoints in an application often rely on the programmer's native language and the specific industry where an organization operates. For instance, using a wordlist that includes terms specific to the pizza industry is more likely to yield success when targeting a pizza chain's website compared to a car dealership's website. Wordlists that consider the contextual information surrounding an application can significantly enhance their overall effectiveness.
This applies to passwords as well. People usually create passwords. They create them consciously, with all the biases that come with human thinking. There's a chance that one of the pizza chain employees will have a pizza-related password. Unless, of course, they are all using randomly generated passwords and password manager client applications.
Enter Large Language Models (LLMs). LLMs are artificial intelligence (AI) systems trained on vast amounts of text data. They make associations between words, and sometimes can make contextual associations that resemble human intelligence. This offers an opportunity for experimentation. The basic premise of this Module, then, is to figure out whether we can use this extensive "linguistic association making machine" to improve the development of personalized wordlists and password lists.
The theory suggests that Large Language Models can detect and generate patterns that humans might overlook or that would require much more time for compilation. Because of this, we can leverage LLMs to make associations on a large scale and do this in a broader and less biased manner than a human would.
Practical experimentation is essential in this case. We have gathered anecdotal evidence and personal experiences "in the field" suggesting that leveraging LLMs in this manner holds significant potential. However, LLMs represent a relatively new technology. We still lack a comprehensive understanding of how to practically implement this approach or the value of the results this approach might yield.
In the following sections, we'll use OpenAI's API, alongside some of their recent GPT models, to get a sense of what we can expect from LLMs. Since the landscape is constantly changing, it is important to note that as time progresses, the baseline will likely change again. As such, the kinds of output one can expect from experiments like this are liable to change, and likely to improve. But the only constant in the world of AI at this moment in time is that change is likely, and often chaotic.
We can use directory brute-forcing tools to systematically explore web applications and discover accessible directories, files, or parameters that may not be easily found through regular application use or through static inspection. However, the effectiveness of these tools depends on the quality of the wordlists they utilize. The selection of the wordlist is often determined by the individual at the keyboard.
This is the juncture at which LLM capabilities could be utilized to create more advanced and precise wordlists. The person responsible for choosing which wordlists to use is no longer making this decision alone. They can improve their choices by using a Language Model trained on a variety of texts to assist in decision-making. This can be done within the application itself. By examining the language and layout of web applications, LLMs may predict potential file names, directory structures, or parameters that elude typical enumeration techniques, simplifying the penetration testing process.
As previously discussed, we should not just observe, but we should use the contextual information available in an application to identify additional directories, files, or parameters. This could involve terms that might not typically be included in a default list but are indicated by the application's context.
One important aspect to keep in mind about web application enumeration is that it is not a one-time task. Finding information at any stage of the assessment could reveal new opportunities that would not have been uncovered through brute-force methods alone. It is important to remember to keep enumerating!
In the following sections, we'll explore various methods of using LLMs to create personalized wordlists. Two experiments involve utilizing the OpenAI API, which is currently a paid service.
If you want to follow along with the code in these sections, you will need access to the OpenAI API and an API token.
In an additional experiment, we'll explore Microsoft Copilot, which is currently available for free. Microsoft, a major supporter of OpenAI, powers Copilot with OpenAI's GPT-4. In addition to this, Copilot incorporates extra features such as web browsing, which are not provided by the API-accessible GPT models and the browser-based ChatGPT.
For these experiments we'll use the OpenAI Python library, with a focus on the official OpenAI API documentation. The OpenAI API is able to access several different GPT models. However, it does not have session or context "memory" in the same way that an application like ChatGPT has. This means that the API won't "remember" previous requests, and all information we want the GPT model to respond to has to be contained inside a single request.
We'll begin by authenticating to the Python library with our API token, which we can create on the OpenAI platform website by logging in with a valid user account. To prevent disclosing the API key here, we'll retrieve it from the OPENAI_API_KEY environment variable.
from openai import OpenAI
import os
# Read the key from the environment rather than hard-coding it in the script
client = OpenAI(api_key=os.environ["OPENAI_API_KEY"])
Now that we have connected to the OpenAI client, we'll specify the model we want to use, provide it with some prompts, and see what kind of results we receive.
First, we'll ask a GPT model to extract unique words from the raw HTML contents of a web page. We can use the Python requests library to read the page itself. The raw contents of the page are contained in the text property of the object that requests.get() returns.
To use ChatGPT instead of the OpenAI API, create a simple Python script or use a command-line HTTP tool to extract the HTML content of a webpage. Then, paste this content into the ChatGPT message box along with a relevant prompt.
We'll use the gpt-3.5-turbo model for the natural language processing. This is a relatively new and fast model which OpenAI recommends for most purposes.
Next, we'll need a prompt that clearly conveys our intentions. The main prompt will serve as the system prompt, and we'll supply the contents of the page as the user prompt. We'll create this prompt with this division in mind.
This is our initial prompt:
Let's incorporate this prompt into our script. Here's our script so far:
from openai import OpenAI
After executing this, we receive a list of words as a response from the API.
This is quite promising, but it's not really what we asked for. We find that the terms HTML, CSS and JavaScript are returned even though we asked for them to be removed. This means that our prompt could probably benefit from some tweaking to better communicate our intentions to the gpt-3.5-turbo model.
Note that by default, the output from the OpenAI API is not deterministic. Sending the same prompt multiple times to the same model may not always result in the same response. Let's send the same request again.
We sent the same request, but received a different response. This time, the API only returned HTML-related keywords, although this time it's presented in a Python list format. Multiple requests return even more varied responses.
We can adjust this behavior with a seed parameter. The seed parameter establishes the initial point for the randomness, which improves the predictability of the output. By incorporating both the seed parameter and the prompt, we can generate a more deterministic output. Let's add the seed parameter to the request.
...
['DOCTYPE', 'html', 'lang', 'en', 'head', 'meta', 'charset', 'utf-8', 'http-equiv', 'X-UA-Compatible', 'content', 'IE=edge', 'name', 'viewport', 'width', 'device-width', 'initial-scale', '1', 'description', 'author', 'link', 'shortcut', 'icon', 'h...irst', 'hasClass', 'active', 'removeClass', 'active', 'addClass', 'active', 'return', 'false', 'getColumnNumber', 'winWidth', 'width', 'columnNumber', 'if', 'columnNumber', 'return', 'columnNumber', 'setColumns', 'itemWidth', 'Math', 'floor', 'reLayout']
Experimenting with different integer values for seed produces different results. It just so happens that in this case, the result is formatted as a Python list. Sending the same seed does not guarantee consistent output. We could apply this seed to a different prompt and get a response that's not formatted as a Python list.
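To make the requests in this section reproducible, here is an added helper (my own code, not the module's) that wraps the call described above with the system/user split and the seed parameter, and then normalises the reply into a plain wordlist whatever shape the model chose: a comma-separated line, a Python list literal, or an explanation followed by a numbered list. The prompt wording, the stoplist and the gpt-3.5-turbo default are assumptions; the API call needs the openai package, network access and OPENAI_API_KEY, while the normaliser runs offline.

```python
import os
import re

# The module's own prompts are not reproduced on this page; this wording is an assumption.
SYSTEM_PROMPT = (
    "You will receive the raw HTML of a web page. Extract the unique words that are "
    "specific to the site's subject matter. Exclude HTML, CSS and JavaScript keywords "
    "and the names of any CSS or JavaScript libraries. Return only a comma-separated list."
)

# Small stoplist of markup terms the models kept returning; extend it as needed.
GENERIC_TERMS = {"html", "css", "javascript", "doctype", "meta", "charset", "div", "class"}


def build_messages(html: str) -> list[dict]:
    """The task goes in the system prompt, the page contents in the user prompt."""
    return [
        {"role": "system", "content": SYSTEM_PROMPT},
        {"role": "user", "content": html},
    ]


def ask_model(html: str, model: str = "gpt-3.5-turbo", seed: int = 42) -> str:
    """Send one stateless request; the API keeps no session memory, so each call is self-contained.

    The openai import is deferred so that normalise_wordlist() stays usable offline.
    """
    from openai import OpenAI  # needs the `openai` package (>= 1.0) and OPENAI_API_KEY

    client = OpenAI(api_key=os.environ["OPENAI_API_KEY"])
    response = client.chat.completions.create(
        model=model,
        messages=build_messages(html),
        seed=seed,        # fixes the starting point of the sampling; not a hard guarantee
        temperature=0,    # further reduces run-to-run variation
    )
    return response.choices[0].message.content or ""


def _is_prose(line: str) -> bool:
    """A list line is mostly single-word items separated by commas; anything else is commentary."""
    items = [item.strip(" '\"[].:") for item in line.split(",")]
    single = sum(1 for item in items if item and len(item.split()) == 1)
    return single < max(1, 0.8 * len(items))


def normalise_wordlist(reply: str, stoplist: set[str] = GENERIC_TERMS) -> list[str]:
    """Reduce any observed reply shape to one lowercase word per entry, in order, without duplicates."""
    words: list[str] = []
    for raw in reply.splitlines():
        line = re.sub(r"^\s*(\d+[.)]|[-*])\s*", "", raw).strip()  # drop "1." or "-" list markers
        if not line or _is_prose(line):
            continue
        for token in re.split(r"[,\s]+", line):
            token = token.strip("'\"[].:").lower()
            if re.fullmatch(r"[a-z][a-z0-9_-]+", token) and token not in stoplist and token not in words:
                words.append(token)
    return words


if __name__ == "__main__":
    # Usage: python llm_wordlist.py https://www.example.com  (needs network and an API key)
    import sys
    import requests  # third-party; used only in this manual entry point

    page = requests.get(sys.argv[1]).text
    print("\n".join(normalise_wordlist(ask_model(page))))
```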
The output depends on all the inputs we supply. Let's supply the same seed but pass the HTML contents of example.com as the user prompt.
...
Example, Domain, illustrative, examples, documents, literature, coordination, permission, information
Let's return to our megacorpone.com example. Where do we go from here? We can try many different seeds and see what kind of output we get. We can also try modifying the prompt, to see if we can get more useful responses. This will likely give us a decent selection of different outputs to work with.
For example, let's make the prompt less prescriptive, and more general.
...
Running this a few times without a seed gives us a pretty wide array of different responses. Some are very similar to those we got with the previous prompt:
MegaCorp, One, Nanotechnology, Future, Bootstrap, CSS, HTML, Javascript, Responsive, Navbar, Headerwrap, Service, Logos, Container, FAQ, Posts, Footer, Social, Media, Location, Portfolio, ImagesLoaded, Isotope, Resize.
Other prompts produce more comprehensive results but also include more noise:
Based on the HTML content provided, here is a list of possible candidates for directory names and filenames:
...
Let's try one final tweak, using the GPT-4 model rather than GPT-3.5, to determine if there's any substantial improvement in the quality of the response. We'll use gpt-4-1106-preview in this example, since this is the most recent publicly-accessible model we can use through the API.
We'll use the same prompt as before, changing only the model parameter.
...
Running this several times gives us varying output. What is clear is that GPT-4's output is much more verbose, and liable to take on an explanatory tone. For example, in the following sample response, the first sentences are all dedicated to explaining how the LLM arrived at its outcome.
Creating a wordlist for directory names and filenames on a web application involves parsing through the provided HTML content and extracting potential candidates while filtering out common technical terms and generic words. Here’s a process and an example wordlist derived from the provided HTML content:
1. Parse the HTML and extract all text nodes.
2. Tokenize the text into individual words.
3. Filter out common HTML tags, attributes, technical terms, and programming-related words.
4. Remove duplicates to get a list of unique words.
For your provided content, ignoring the HTML markup, JavaScript code, CSS links, and technical comments, we gather unique words that may be related to the web application's context or structure. Here are potential candidates from the given HTML:
Remember to review this list, as some words might still be too common or not suitable for your requirements; tailor it according to the specific context of the web application. This list excludes common web and programming words like "html," "css," "javascript," "script," "link," "meta," "div," "class," etc. The actual extraction and filtering require a more complex script or program which scans text and excludes common terms programmatically.
This output is much more reasoned than the previous output and it's already quite useful! It includes quite a few words derived from linguistic association. It also seems to have removed many other generic markup-related terms that the GPT-3.5 model would probably have kept when presented with the same prompt.
What is clear at this point is that the process of using an LLM for this task will require human oversight. Given the current state of LLMs and the quality of the output we receive from them, we'll generally need to tweak that output before feeding it directly into scripts or pipelines.
Based on the current state of LLM technology, the manual intervention we must provide is more burdensome than the benefits we derive from using an LLM. We can extract words from websites without an LLM. In fact, it might be more effective to revert to traditional techniques and somehow leverage an AI model in another way. We'll explore this hypothesis in the next section.
The Custom Word List generator (CeWL) is the most popular tool for spidering and scraping data from a website. It is purposefully designed to scrape a website and extract words which can be used as part of a custom wordlist.
Let's try to incorporate CeWL into our LLM-augmented wordlist generation process. The idea here is to use CeWL to extract a wordlist, manually clean this list up, and then pass it to some GPT models to make associations.
In theory, this approach should provide us with greater control over the input words the GPT is working with, ensuring less noise compared to passing raw HTML to the model. It seems that excessive noise is disrupting the model's processing. By feeding this carefully selected information to GPT-4, the experiment shifts its focus to explore the combination of traditional scraping techniques with sophisticated linguistic AI capabilities, which should make for an effective combination.
Let's run cewl against megacorpone.com from Kali, which bundles CeWL by default.
kali@kali:~$ cewl https://www.megacorpone.com -w megacorpone.txt
CeWL 6.1 (Max Length) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
CeWL found 432 unique words on megacorpone.com. This is a decently-sized wordlist.
However, the list contains common words that will decrease the effectiveness of our wordlist, including many common English words. We should try to find a way to filter these results.
One approach is to find a plaintext list of the most common words in the English language, and use some shell commands to remove these common words from our list.
We can start by using Peter Norvig's list of the 1/3 million most frequent English words, derived from Google's Web Trillion Word Corpus. We'll download the file, figure out the format, and then use it to create a list of the top 1,000 most common English words.
Since Norvig's list also contains the word counts in a second column, we'll remove those numbers with sed and remove all the trailing whitespace characters with tr.
Now that we have a cleaned-up list of the top 1000 English language words, we can pass this to grep, and use it to remove words from the list CeWL scraped.
We're arbitrarily choosing the top 1000 words. It may be more effective to choose a different number, depending on the application.
We'll use -i to tell grep to ignore case, -w to match whole words only, -v for a negative search (remove whatever it finds, rather than return it), and -f to use the file we pass as the source.
We've managed to remove almost 200 words from the CeWL list, leaving us with 250 words. This seems like a good start.
Removing common words may seem counterintuitive, since there will be cases in many applications where there are directories and files named with very generic names, using very common words. However, there are already wordlists which contain the most common words, which can be thrown at an application separately. The purpose of this particular exercise is to compile a list of words unique to this particular application, based on the scraped linguistic information.
Let's take a look at this wordlist.
Even in the first 30 lines, there are a lot of words we would consider a little too generic. Terms like navigation and copy aren't specific to megacorpone.com. As such, they don't really need to be in our megacorpone.com-specific wordlist.
Rather than spending a lot of time removing these by hand, let's just cut the list down using a longer list of generic words. We'll choose 8000 this time.
This looks much more promising. This cuts the list down to 78 words. The list still contains a few generic technical terms like Bootstrap, twrap and HEADERWRAP, but with a sub-100-line wordlist, we can easily filter out these generic words manually.
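The sed/tr/grep pipeline described above is not reproduced on this page, so here is an added Python equivalent (my own code, not the module's) that reads the two-column format of Norvig's count_1w.txt, keeps the top N entries, and removes those words from the CeWL output the way grep -iwvf does: whole word, case-insensitive, negated. Both sample inputs are constructed, and the file names in the usage line are assumptions.

```python
import re
import sys

# Constructed sample in the format of Norvig's count_1w.txt: word, tab, count, most frequent first.
# The real file is roughly a third of a million lines long.
NORVIG_SAMPLE = """the\t23135851162
of\t13151942776
and\t12997637966
navigation\t43211000
copy\t21095000
nanotechnology\t2190000
"""

# Constructed sample of what `cewl -w` writes: one scraped word per line, mixed case.
CEWL_SAMPLE = """Nanotechnology
Navigation
Copy
MegaCorp
HEADERWRAP
The
Nanomite
Bootstrap
"""


def load_common_words(norvig_text: str, top_n: int) -> set[str]:
    """Keep the first top_n words, dropping the count column (the job sed and tr did in the shell)."""
    common: set[str] = set()
    for line in norvig_text.splitlines():
        word = re.sub(r"\s+\d+\s*$", "", line).strip().lower()
        if not word:
            continue
        common.add(word)
        if len(common) >= top_n:
            break
    return common


def filter_wordlist(cewl_text: str, common: set[str]) -> list[str]:
    """Drop every CeWL word found in the common set, ignoring case and keeping the original order.

    With one word per line this is exactly `grep -i -w -v -f common.txt megacorpone.txt`.
    """
    kept: list[str] = []
    for line in cewl_text.splitlines():
        word = line.strip()
        if word and word.lower() not in common:
            kept.append(word)
    return kept


def filter_files(cewl_path: str, norvig_path: str, top_n: int = 1000) -> list[str]:
    """Same operation on files: the CeWL output and a downloaded count_1w.txt."""
    with open(norvig_path, encoding="utf-8", errors="ignore") as fh:
        common = load_common_words(fh.read(), top_n)
    with open(cewl_path, encoding="utf-8", errors="ignore") as fh:
        return filter_wordlist(fh.read(), common)


if __name__ == "__main__":
    # Usage: python filter_cewl.py megacorpone.txt count_1w.txt 8000
    top = int(sys.argv[3]) if len(sys.argv) > 3 else 1000
    print("\n".join(filter_files(sys.argv[1], sys.argv[2], top)))
```

Raising N (1000 to 8000 in the text) trims more generic words but, as the constructed sample shows once N reaches 6, can also drop a term that is specific to the target, so review what gets removed.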
Let's prepare a list to send to an LLM. We can quickly eyeball the list to pick out all the terms that seem most relevant to megacorpone.com, ignoring all the most generic terms. This should leave us with only the words that make the most sense in the context of an HTML page. Our goal is to use human judgment, leveraging what we know about the context of the web page, and the societal context of MegaCorpOne. We want to end up with a really condensed list, containing only words which are relevant to the target organization. We'll then ask the LLM to make associations, which should lead us to other words, which may be useful to add to our enumeration wordlists.
This leaves us with something like the following:
This is our "starter" wordlist. Similar to a yeast starter in bread-making, we will use this as the microbiotic foundation for a big baked loaf of web app enumeration words.
We can create a prompt similar to the following using the gpt-4-1106-preview model. As we did previously, we'll start by setting the expectations with a system prompt and then provide the raw content as the user prompt. We'll clearly describe what input the model will receive and what output we anticipate.
...
"""
This output is very comprehensive:
To generate a list of thematically related words, we can look at each term provided and think of other terms in the same domain or that are generally associated with this particular field, which in this case seems to be focused on technology, nanotechnology, and possibly a business or corporate environment:
Thematic List:
Next, we'll construct a list of potential directory and file names that might be found on the web server of a company working in these areas. Such names typically relate to the company's internal structure, products, public resources, or the technologies they use. Here is a hypothetical list:
Note that these are speculative examples based on common web server file structures and naming conventions, as well as the provided list of words and associated domains. Actual directories and file paths would depend on the web server's specific configuration and the content management practices of the company in question.
While this list is not yet ready for immediate use, it does include some valuable and potentially enlightening connections. The terms found on the site's homepage have been taken in thematic context, and other terms related to similar fields have been suggested. The suggested endpoints also look relatively sensible. Although the chances that each of the specific file URIs would be valid are extremely low, it does illustrate a certain kind of rationality. Random words have not been entirely strewn together.
Without making many adjustments to our previous prompts, let's send them to Copilot and compare the results.
For megacorpone.com:
Extract all the words from this page to make a list.
Then, remove all the words that are generic.
Remove any word that is generic HTML, JavaScript, the name of any CSS or JavaScript library.
Remove all other generic words.
Return the words that are left, after all the generic words have been removed.
Copilot returns the following:
Certainly! Let’s extract the relevant words from the MegaCorp One website and filter out any generic terms. Here’s the refined list:
Please note that I’ve excluded generic terms and focused on the specific aspects related to MegaCorp One’s nanotechnology endeavors. If you need further details or have any other requests, feel free to ask!
This list is quite extensive, and we can compare it to the original list we received from the GPT-3.5 and GPT-4 models via the API. We could also ask Copilot to either combine or separate multi-word terms. Similar to the OpenAI API, the results may vary. Here is the same prompt submitted in a different window.
I want you to generate a wordlist from this website: megacorpone.com
Extract all the words from this page to make a list.
Then, remove all the words that are generic.
Remove any word that is generic HTML, JavaScript, the name of any CSS or JavaScript library.
Remove all other generic words.
Return the words that are left, after all the generic words have been removed.
This results in the following response:
Certainly! Let’s extract the relevant words from the website MegaCorp One. Here are the steps I followed:
Extracted Words: I collected all the words from the website.
Removed Generic Words: I filtered out generic words that are commonly found on websites.
Filtered HTML, JavaScript, and Library Names: I excluded words related to HTML, JavaScript, and any CSS or JavaScript libraries.
Final Wordlist: After these steps, I compiled a list of remaining words.
Here’s the wordlist from the website:
Please note that this list includes specific terms related to MegaCorp One’s nanotechnology focus and excludes generic words. If you need further assistance or have any other requests, feel free to ask!
Next, let's ask Copilot to adjust the format. For example, we can request it to present the list in a comma-separated format.
Can you make that into a comma separated list
Certainly! Here’s the comma-separated wordlist from the website:
Nanotechnology, Future, Bleeding-edge, Technologies, Opportunities, Computer, Prototype, Regeneration, Military, Applications, Cell, Immune, Supplements, Micromachine, Cyberisation, Repair, Nanomite, Weaponry, Nanoprobe, Entity, Assimilation, Nanoprocessors, Perlin, VanHook, Chemical, Dispersal
We received the list of words as requested, given to us in a comma-separated format. This type of responsive prompting can be one of the most useful features of a chat-like interaction, using a session with a short token "memory." We can ask questions in the context of the current session. This helps simplify our prompts and will improve the results, as they are often generated with context.
Finally, we can also ask Copilot to assist us in writing a better prompt that achieves the desired goals. We can provide the wordlist we want in our preferred format and ask Copilot to suggest a consolidated prompt.
How could I have formed these questions in a more concise way to get the same results?
Copilot responds accordingly:
Certainly! To achieve the same results more concisely, you could have asked:
“Extract relevant words from the website MegaCorp One and remove generic terms.”
“Provide a comma-separated list of the remaining words.”
Feel free to use these shorter prompts in the future!
Let's put this to the test, and submit the suggested prompt.
“Extract relevant words from the website megacorpone.com and remove generic terms.”
“Provide a comma-separated list of the remaining words.”
This results in the following response:
Certainly! Here’s the comma-separated wordlist from the website:
Nanotechnology, Future, Bleeding-edge, Technologies, Opportunities, Computer, Prototype, Regeneration, Military, Applications, Cell, Immune, Supplements, Micromachine, Cyberisation, Repair, Nanomite, Weaponry, Nanoprobe, Entity, Assimilation, Nanoprocessors, Perlin, VanHook, Chemical, Dispersal
This is a great trick for generating better prompts. We may even want to take the prompt we get from Copilot, and use it in another LLM, or another service using GPT-4 as its backend.
While we won't wrap this section with a comprehensive methodology, we do have a good understanding of how valuable LLMs could be in the wordlist creation process. There is still a lot of experimentation to be done in this space. Using different prompts, models, and methods to input data into a language model will all influence the type of output we receive.
What is evident at this stage is exactly how much human oversight we need to give the LLM. While an LLM can leverage some contextual information, human intervention is really necessary to review the web application and decide on the best way to generate the wordlist. LLMs can effectively mimic reasoning, but they lack the level of contextual understanding that humans have. The output can also be chaotic, appearing quite random, and sometimes seem to ignore the prompts' original intentions. With so many moving parts and so much uncertainty, it seems more beneficial (at least for now) to restrict the use of LLMs to tasks related to word association. Asking for more than this injects more noise into the process, and might cause more difficulty than it prevents.
Finally, although we briefly reviewed the outputs in this module, we can explore further possibilities. We can adopt a recursive approach, continually expanding a "starter" wordlist throughout a testing cycle. By incorporating suggested terms from the LLMs and reintroducing them, we can broaden the list even more. It is unclear how extensive such a list can become before losing its effectiveness. There is a risk that the words produced by the LLM may become increasingly generic after multiple iterations. This type of generality is what we aim to prevent when compiling lists. There is definitely a threshold for how generic we allow such a recursively informed list to become.
Passwords are one of the most "human" problems in cybersecurity. They are often set by users, and are (almost) always kept entirely secret. When stored they are (almost) always hashed. If a password hash is compromised, an attacker must crack the password by making multiple guesses until they guess correctly. Only then will they gain access to the cleartext used to create the hash.
Our best guesses about what a cleartext password might be are based on what we know about how people set passwords. The most valuable insights security researchers have into user passwords often come from cleartext password leaks. Having access to a huge number of cleartext passwords can help us understand patterns, trends and strategies that humans may employ when setting passwords. But there have been very few mass leaks of cleartext passwords over the years. One of the most famous, rockyou.txt, resulted from the 2009 RockYou breach. Since then, there have been only a handful of other mass cleartext password breaches. Many of these have been relatively tricky to get access to without resorting to buying them on the dark web. As time passes and technologies improve, the value of lists like rockyou.txt decreases. It is now very rare to gain access to anything important by using a password found in the rockyou.txt list.
When attempting to guess a password, it's important to consider certain technical aspects. Understanding the password policy that governed the creation of the password is crucial. These policies typically require users to use characters from a specific keyspace and set minimum length requirements. Additionally, considering the context in which the password hash was discovered is essential. We may want to prioritize certain technical terminology from the industry the user is working in, use brand names, add variations of the user's company name, or variations of the application name in which the account is used. We should also consider details about the user themselves. Could we leverage social media to determine if they have a favorite activity, own a beloved pet, or even gather sensitive information such as their mother's maiden name? We can obtain many unique contextual clues about a password from a user's personal life.
With all this in mind, passwords often follow certain common criteria. A user might replace a character with a number to comply with a password complexity requirement. They might replace an "a" with a "4", or even a "ä". They could randomly include special characters, or follow a clear external logic. They may even write an entire sentence as a password.
All these contextual details can provide enough insight to help crack a password. As password cracking strategies evolve in response to increasingly stringent password policies and data protection mechanisms, the ability to predict and simulate potential password patterns has to become more sophisticated. Password cracking tools can automatically alter their password guesses using a predefined set of rules in a rule file. The rationale in play here is that there are common underlying logical principles that humans apply to generate their passwords. This means it is worth morphing the same base word in multiple ways to cover potential cases, for example, transforming the character "a" to the character "@".
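The substitution and suffix habits described above (an "a" becoming "4" or "@", a year and a symbol appended to a company name) are exactly what a rule file encodes. As an added example from the defender's side (my own code, not the module's), the following check undoes those habits and rejects any password whose stem is an organisation-specific term: the context-aware blocklist that makes such guesses fail. The context terms, the substitution table and the 12-character minimum are constructed assumptions.

```python
import re
from typing import Optional

# Constructed context list: the organisation's name and product terms, the same kind of
# "starter" list compiled earlier in the module, maintained here as a blocklist.
CONTEXT_WORDS = {
    "megacorp", "megacorpone", "nanotechnology", "nanomite",
    "nanoprobe", "cyberisation", "perlin", "vanhook",
}

# Common single-character substitutions people use to satisfy complexity rules.
LEET_MAP = str.maketrans({
    "4": "a", "@": "a", "ä": "a", "3": "e", "1": "i", "!": "i", "|": "i",
    "0": "o", "$": "s", "5": "s", "7": "t", "+": "t",
})


def normalise(candidate: str) -> str:
    """Reduce a password to the letters-only stem it was probably built from.

    Order matters: strip leading/trailing digits and symbols first ("MegaCorp2023!" -> "megacorp"),
    then undo substitutions inside the word ("M3g@C0rp" -> "megacorp"). Doing the translation
    first would turn a trailing "!" into an "i" and hide the stem.
    """
    stem = candidate.lower()
    stem = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", stem)  # \W keeps letters such as "ä" for translation
    return stem.translate(LEET_MAP)


def blocked_reason(candidate: str, context: set[str] = CONTEXT_WORDS, min_len: int = 12) -> Optional[str]:
    """Return why a candidate should be rejected, or None if it passes this check.

    Substring matching for terms of five or more letters also catches compounds
    such as "MegaCorpAdmin2024"; longer terms are tried first so the most specific one is reported.
    """
    if len(candidate) < min_len:
        return f"shorter than {min_len} characters"
    stem = normalise(candidate)
    for term in sorted(context, key=len, reverse=True):
        if stem == term or (len(term) >= 5 and term in stem):
            return f"built from organisation term '{term}'"
    return None


if __name__ == "__main__":
    for pw in ["MegaCorp2023!", "M3g@C0rp2023!", "N4nomite!2024", "correct horse battery staple"]:
        print(f"{pw!r}: {blocked_reason(pw) or 'accepted by this check'}")
```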
Considering all factors, it is difficult to approach the creation of an effective password list scientifically. Our knowledge comes from public breaches, expertise in password cracking, and anecdotal evidence. Because of this, password cracking is often described as more of an art than a science.
Intuitively, it seems that Language Models could be useful in this scenario. LLMs are trained on a vast and varied text database, most of which is authored by humans. Therefore, LLMs have deep insights into human writing and word usage. The writing style used in public contexts and the way people create passwords are likely connected thematically. Using an LLM, we might be able to generate a "sample" of possible passwords by providing enough context. The internal logic of the LLM could also suggest potential passwords or password templates that might not be immediately evident to a penetration tester.
...
"""
This generates interesting output. As usual, GPT-4 explains everything it's doing, and produces a plethora of thematically-similar words.
To generate a list of words thematically related to the provided list, we should focus on concepts from corporate culture, nanotechnology, biotechnology, cybernetics, and possibly high tech and futuristic themes, since the provided words suggest a company (MegaCorp) working in cutting-edge technology fields.
Related Thematic Word List:
Potential Password Wordlist:
When creating a list of potential passwords, we would take into account that people often include names, significant numbers (like dates), hobbies, pets, and sometimes, unfortunately, use rather straightforward passwords. They might also incorporate aspects of their work, ensuring we are adding variations with numbers and special characters typical of stronger passwords.
...
"""
Creating potential passwords that employees at a company with thematic ties to advanced technology, nanomedicine, and cyberization may use involves combining terms related to the provided keywords with numbers, special characters, or variations that individuals might incorporate to meet common password strength requirements. Here's a list of potential passwords:
Please remember that while these passwords incorporate a mix of thematic words, numbers, and special characters, true password security also depends on a variety of other factors, such as password length, avoiding common phrases or predictable patterns, and regularly updating passwords. It is also important to follow specific password guidelines provided by the relevant organization.
There are some interesting password contenders on this list. Many include the name of the company, and some include complexity modifiers, such as "MegaCorp2023!".
We can also ask GPT-4 to generate some passwords based on a complexity standard. Let's modify the prompt accordingly:
The gpt-4-1106-preview model provides us with more interesting password candidates, this time following the password policy we specified.
Sure, I'll create a list of passwords based on the provided words. Since the words revolve around nanotechnology, cybernetic enhancements, and advanced technology themes, I will expand the list and then integrate various complexities to meet the password specifications provided.
Please ensure these passwords are used in a responsible and secure manner, as they are generated based on the context given and do not necessarily conform to the best practices of security, such as complete randomness or the use of passphrases. It is also important to ensure that they adhere to the specific password policy of the company and are coupled with other security measures, like two-factor authentication.
Some of these appear promising, in theory. The LLM has generated password candidates that follow typical conventions for creating more complex passwords. It combined various terms from its extrapolated list and incorporated special characters, in a manner consistent with prevalent theories on how people devise passwords.
However, 20 passwords aren't much. Let's request more password candidates.
...
We receive the following somewhat underwhelming response:
Since I cannot browse the internet to generate a thematically related word list, I'll create the potential passwords using the provided words and ensuring they meet the specified complexity requirements (at least 16 characters, including uppercase, lowercase, numbers, and special characters).
Let's begin:
Creating all 500 unique passwords would inundate this platform and is beyond the scope of a typical use case here. Keep in mind to generate a complete set of passwords like this, it is best to use specialized software such as a password manager's generator or a custom script that can ensure the complexity, uniqueness, and security of each password. Generating them manually or via a semi-automatic method here could potentially introduce patterns or biases that reduce their security.
It appears that gpt-4-1106-preview has restricted its response length. Nonetheless, we could theoretically make multiple requests to the API and aggregate all the responses to gather a comprehensive sample of potential passwords.
Now that we have some password candidates, we could try to use them directly for cracking. We could ask GPT4 to keep generating passwords indefinitely until we compile a huge list, and then try to crack password hashes based on that list.
Another approach could be that we analyze the passwords that GPT 4 generates with some human effort. We could notice patterns within the generated passwords which we could subsequently translate into hashcat rules.
We might even be able to ask GPT 4 to make these observations itself. We could ask it indefinitely for potential passwords, compile a huge list, and then feed it back, and ask for any commonalities that it can detect in the passwords.
Essentially these approaches try to answer the same questions. Is there embedded information that we can extract from the GPT-generated passwords that is not already included in existing hashcat rulesets? Does using an LLM provide insights into how passwords are created by a wide range of people? Or does it simply prioritize and reproduce what it has learned?
We assume it is trained on public data, or data meant to be understood by others. It is not, we assume, trained on large amounts of plain text passwords. Therefore, the passwords it generates are influenced by a widely accepted notion of what a password should be, rather than the actual practices people use to create passwords. This might mean that the passwords it generates are actually not representative of the kinds of passwords that real people are currently using.
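The pattern analysis described above can be started mechanically, and doing so also answers the "is it already in our ruleset?" question directly. The script below is an added example and not code from the module: it takes a constructed set of candidates in the style of the GPT-4 output quoted earlier, together with the base words they were built from, and expresses each candidate as the hashcat rule that derives it from its base word (case functions c, u and TN, leet substitutions as sXY where every occurrence was replaced or oNX for a single position, and ^X/$X for prepended and appended characters). It then counts how often each rule occurs and compares the rules against a constructed stand-in for an existing ruleset. BASE_WORDS, CANDIDATES and KNOWN_RULES are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample data (not from the module): base words such as CeWL or
# the model's thematic list would supply, and password candidates in the
# style of the GPT-4 output quoted above.
BASE_WORDS = ["megacorp", "nanotech", "cybernetic", "nanomedicine"]
CANDIDATES = [
    "MegaCorp2023!", "Nanotech2023!", "Nanomedicine2023!", "Cybernetic!2023",
    "nanomedicine$1", "MEGACORP123", "N@notech2023!", "Cybern3tic!",
    "MegaCorp!", "xK9#qLm2",  # the last one is not built from any base word
]
# Constructed stand-in for the rules an existing ruleset already contains.
KNOWN_RULES = {"c $2 $0 $2 $3 $!", "u $1 $2 $3", "c $!"}

LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
POS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # hashcat's position encoding


def _case_rules(core):
    """Capitalisation of core relative to the all-lowercase base word, as
    hashcat functions: u (upper-case all), c (capitalise) or TN toggles."""
    if core == core.lower():
        return []
    if core == core.upper():
        return ["u"]
    if core[0].isupper() and core[1:] == core[1:].lower():
        return ["c"]
    return [f"T{POS[i]}" for i, ch in enumerate(core) if ch.isupper()]


def infer_rule(candidate, base_words=BASE_WORDS):
    """Return the hashcat rule that turns one of base_words into candidate,
    or None when the candidate does not contain any base word (with or
    without leet substitutions)."""
    for base in base_words:
        pattern = "".join(
            f"[{re.escape(ch)}{re.escape(LEET[ch])}]" if ch in LEET else re.escape(ch)
            for ch in base
        )
        m = re.search(pattern, candidate, re.IGNORECASE)
        if not m:
            continue
        core, prefix, suffix = m.group(0), candidate[:m.start()], candidate[m.end():]
        rule = []
        # sXY replaces every X, so it only fits when all occurrences of the
        # letter were substituted; otherwise overwrite single positions (oNX).
        subbed = {i for i, (b, ch) in enumerate(zip(base, core)) if ch.lower() != b}
        for letter in sorted({base[i] for i in subbed}):
            positions = [i for i, b in enumerate(base) if b == letter]
            if all(i in subbed for i in positions):
                rule.append(f"s{letter}{LEET[letter]}")
            else:
                rule += [f"o{POS[i]}{LEET[letter]}" for i in positions if i in subbed]
        rule += _case_rules(core)                      # after substitution, before affixes
        rule += [f"^{ch}" for ch in reversed(prefix)]  # ^ prepends, so reverse the order
        rule += [f"${ch}" for ch in suffix]
        return " ".join(rule) if rule else ":"         # ':' is hashcat's no-op rule
    return None


def analyse(candidates=CANDIDATES, base_words=BASE_WORDS, known_rules=KNOWN_RULES):
    """Count the inferred rules, split out those the ruleset lacks, and list
    candidates that no base word explains."""
    rules, unexplained = Counter(), []
    for cand in candidates:
        rule = infer_rule(cand, base_words)
        if rule is None:
            unexplained.append(cand)
        else:
            rules[rule] += 1
    novel = {r for r in rules if r not in known_rules}
    return rules, novel, unexplained


if __name__ == "__main__":
    rules, novel, unexplained = analyse()
    for rule, n in rules.most_common():
        print(f"{n:2d}  {'new' if rule in novel else 'known':5s}  {rule}")
    print("unexplained:", unexplained)
```

Candidates that no base word explains (the random-looking one here) are exactly the ones worth a second look: either the model invented them, or the base-word list is missing a term the model associated with the target. Substitutions are emitted before the case functions because `u` would otherwise leave no lowercase letter for `sa@` to match.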
...
This very mild prompt generates some quite reasonable candidates:
When creating passwords, it's essential to avoid using easily guessable information such as pet names, as this can be a security risk. However, if someone wants to create a password related to their dog Bobby and include uppercase letters, lowercase letters, numbers, and special characters, they can use various combinations and modifications to make the password stronger. Here are a few examples:
Remember, these are just examples for illustrative purposes. To enhance security, it's better to create a password that doesn't contain easily accessible personal information. It is also recommended to use longer passwords (often more than 12 characters) and consider utilizing a password manager to generate and store complex passwords.
These provide a reasonable start to building a candidate wordlist.
There are more experiments we could probably conduct here. One of the most obvious ways to improve an LLM is by refining it with a wide range of clear text passwords. This approach would increase our confidence that the LLM is truly trained on authentic passwords used by real people, rather than just those provided as examples in public documentation.
We could utilize the output of a more reliable, finely-tuned LLM as the foundation for creating hashcat rules. This process would entail some human effort, but the end outcome would involve extracting the patterns or hints that the LLM generates and translating them into general hashcat rules.
We could also ask a more detailed LLM to give a clear explanation of the "reasoning" behind the creation of specific passwords. However, as with all LLMs, we should exercise caution in accepting its output as truth. LLMs are adept at sounding logical, even when there is no genuine underlying "reasoning" occurring in any LLM. Reasoning is presently a human attribute.
It is also worth noting that the GPTs had no trouble generating lists of potential passwords, despite the possibility that these might be used for some malicious activity. As platforms become more cautious about these types of pseudo-malicious uses, we may need to move away from LLMs-as-a-Service and utilize private models that we can adjust and search with.
What is also very notable is how much human effort is currently needed to get high-quality output from an LLM. We can't just use a fire-and-forget strategy with the current evolution of LLMs. The quality of the result and the way it's formatted is essentially arbitrary. We can't just parse the response in a generic way. Every response requires human intervention to interpret and ultimately utilize. It's still useful to be human, which is good news.
In total, exactly how useful are LLMs in generating custom wordlists? Potentially very useful! However, right now, we don't have much empirical evidence. We haven't spent months generating wordlists and throwing them at real-world web applications, or trying to crack large password hash dumps. From the perspective of a battle-hardened security professional, the kind of output we saw from these LLMs does seem very promising.
There is also some anecdotal evidence in recent months that suggests that LLMs have been able to guide penetration testers and security researchers down paths they may not have pursued otherwise. Asking LLMs to create wordlists is another manifestation of this. This is all promising, and may mean that LLMs and other AI-related technologies become more relevant to helping push pentesting workflows in the future.
So, in the end, it's evident that Large Language Models, with adequate human guidance, can provide valuable insights in the creation of wordlists. LLMs can be a helpful assistant when working in the more "human" sub-disciplines within cybersecurity.
by: OffSec.
Using LLMs to Help Create Custom Wordlists
This module is being written in early 2024. It's part of a new, ongoing series of modules that encourage experimentation with cutting-edge developing technologies in the AI space. Since publicly available AI technologies are constantly changing, anything we write now that relies on them will likely become outdated quickly. As a result, we've written this module in a more flexible way than many of our other modules. The code and steps in this Module are not necessarily intended to be followed as you read. The APIs and applications we use may not be free, depending on when you read this. Instead, the purpose of this module is to showcase one aspect of how we approach AI technologies at this particular time. Our goal is to provide inspiration and perhaps a simple, practical framework on how AI and LLM technologies could assist an offensive and/or defensive cybersecurity practitioner. With this in mind, let's begin the module!
Wordlists are vital tools for penetration testers and other security professionals. They can be used in a variety of situations, in both attacking and defending. In this module, we will consider how AI systems can help us generate augmented wordlists, and how this might improve on traditional methods of wordlist creation.
1. Introduction
A wordlist is a file that contains a long list of words. However, each wordlist serves a different purpose. Many wordlists are created to help in various enumeration stages and are often used in direct attacks. Some wordlists are used to enumerate specific types of web applications. Wordlists can be used more aggressively to assist in credential brute-forcing attacks or even in fuzzing for vulnerabilities like SQL injection or directory traversal.
The success of a wordlist depends mainly on how relevant and customized it is for the specific application or environment where it will be used. If we try using a wordlist designed for ASP.NET applications against an Apache server, we probably won't have much success. Likewise, attempting to use the contents of [link]
Choosing an effective wordlist goes beyond just the technologies or potential mechanics of a hypothetical exploitation. The decisions related to naming custom endpoints in an application often rely on the programmer's native language and the specific industry where an organization operates. For instance, using a wordlist that includes terms specific to the pizza industry is more likely to yield success when targeting a pizza chain's website compared to a car dealership's website. Wordlists that consider the contextual information surrounding an application can significantly enhance their overall effectiveness.
This applies to passwords as well. People usually create passwords. They create them consciously, with all the biases that come with human thinking. There's a chance that one of the pizza chain employees will have a pizza-related password. Unless, of course, they are all using randomly generated passwords and [link]
Enter [link]
The theory suggests that Large Language Models can detect and generate patterns that humans might overlook or that would require much more time for compilation. Because of this, we can leverage LLMs to make associations on a large scale and do this in a broader and less biased manner than a human would.
Practical experimentation is essential in this case. We have gathered anecdotal evidence and personal experiences "in the field" suggesting that leveraging LLMs in this manner holds significant potential. However, LLMs represent a relatively new technology. We still lack a comprehensive understanding of how to practically implement this approach or the value of the results this approach might yield.
In the following sections, we'll use [link]
2. Web App Enumeration Lists
Wordlists are essential for enumerating web applications. The process of enumeration is crucial for understanding the structure of an application. This understanding helps us begin scoping for potential vulnerabilities.
We can use tools such as [link]
This is the juncture at which LLM capabilities could be utilized to create more advanced and precise wordlists. The person responsible for choosing which wordlists to use is no longer making this decision alone. They can improve their choices by using a Language Model trained on a variety of texts to assist in decision-making. This can be done within the application itself. By examining the language and layout of web applications, LLMs may predict potential file names, directory structures, or parameters that elude typical enumeration techniques, simplifying the penetration testing process.
2.1. What Makes an Effective Web App Wordlist?
As previously discussed, a successful enumeration wordlist for a web application is not simply a random assortment of directory and file names. It should be tailored to the specific application, including words that are likely to yield positive results. The enumeration process should involve multiple wordlists, each targeting a different aspect of the application. For example, if the application is hosted on Apache, we should use a wordlist consisting of common files and directories related to Apache. If a reverse proxy further directs to a different backend technology, we would include another more specific wordlist.
As previously discussed, we should not just observe, but we should use the contextual information available in an application to identify additional directories, files, or parameters. This could involve terms that might not typically be included in a default list but are indicated by the application's context.
One important aspect to keep in mind about web application enumeration is that it is not a one-time task. Finding information at any stage of the assessment could reveal new opportunities that would not have been uncovered through brute-force methods alone. It is important to remember to [link]
2.2. Challenges with Using LLMs
To emphasize, this Module differs from many other OffSec Modules because it is not intended to provide a step-by-step guide on how pentesters can or should use LLMs. The content of this Module is not meant to be strictly followed. Rather, it offers a preview of potential developments in pentesting. We show how we are leveraging LLMs to improve our processes, and by sharing our experiments, our goal is to inspire you to expand on our ideas.
In the following sections, we'll explore various methods of using LLMs to create personalized wordlists. Two experiments involve utilizing the [link]
If you want to follow along with the code in these sections, you will need access to the OpenAI API, and an API token.
In an additional experiment, we'll explore Microsoft Copilot ([link]
2.3. Experiment: Solo GPT 3.5
Let's begin by exploring the [link]. We'll begin by authenticating to the Python library with our API token, which we can create on the [link]
Code:
from openai import OpenAI
import os

client = OpenAI(api_key=os.environ.get("OPENAI_API_KEY"))
Listing 1 - The initial OpenAI API setup in a Python script.
Now that we have connected to the OpenAI client, we'll specify the model we want to use, provide it with some prompts, and see what kind of results we receive.
First, we'll ask a GPT model to extract unique words from the raw HTML contents of a web page. We can use the Python requests library to read the page itself. The raw contents of the page are contained in the text property of the object that requests.get() returns.
To use ChatGPT instead of the OpenAI API, create a simple Python script or use a command-line tool like [link]
We'll use the gpt-3.5-turbo model for the natural language processing. This is a relatively new and fast model which OpenAI recommends for most purposes.
Next, we'll need a prompt that clearly conveys our intentions. The main prompt will serve as the system prompt, and we'll supply the contents of the page as the user prompt. We'll create this prompt with this division in mind.
This is our initial prompt:
A user will provide the HTML content of a website.
Extract all the words from this page to make a list.
Then, remove all the words that are generic.
Remove any word that is generic HTML, JavaScript, the name of any CSS or JavaScript library.
Remove all other generic words.
Return the words that are left, after all the generic words have been removed.
Listing 2 - Wordlist Prompt
Let's incorporate this prompt into our script. Here's our script so far:
Code:
import requests
import os
from openai import OpenAI

r = requests.get('https://www.megacorpone.com')
client = OpenAI(api_key=os.environ.get("OPENAI_API_KEY"))
response = client.chat.completions.create(
    model="gpt-3.5-turbo",
    messages=[
        {"role": "system", "content":
            "A user will provide the HTML content of a website. "
            "Extract all the words from this page to make a list. "
            "Then, remove all the words that are generic. "
            "Remove any word that is generic HTML, JavaScript, the name of any CSS or JavaScript library. "
            "Remove all other generic words. "
            "Return the words that are left, after all the generic words have been removed."},
        {"role": "user", "content": r.text}
    ]
)
wordlist = response.choices[0].message.content.strip()
print(wordlist)
Listing 3 - Web App Wordlist with OpenAI GPT-3.5 Turbo
After executing this, we receive a list of words as a response from the API.
MegaCorp, Nanotechnology, Future, Bootstrap, HTML, CSS, JavaScript, jQuery, MegaCorp One, Home, About, Contact, Support, Careers, Log In, Envisioning, Society, Create, Opportunities, Feasible, Bleeding-edge, Technologies, Concept, Computer, Prototype, Future, Service, Logos, Rocket, Create, bleeding-edge, opportunities, feasible, Cybersation, nanomedicines, protonide, enity, nanomachines, nanoproccessors, Chemical, Dispersal, FAQs, Ethics, Regulated, Government, Environmental, Concerns, Nanoprocessors, Posts, Funding, Nobel, Prize, Footer, Social Media, Location
Listing 4 - Generated GPT-3.5 Wordlist
This is quite promising, but it's not really what we asked for. We find that the terms HTML, CSS and JavaScript are returned even though we asked that they be removed. This means that our prompt could probably benefit from some tweaking to better communicate our intentions to the gpt-3.5-turbo model.
Note that by default, the output from the OpenAI API is not deterministic. Sending the same prompt multiple times to the same model may not always result in the same response. Let's send the same request again.
Code:
['Example', 'Domain', 'title', 'html', 'charset', 'Content-type', 'http-equiv', 'viewport', 'width', 'device-width', 'initial-scale', 'style', 'body', 'background-color', 'margin', 'padding', 'font-family', 'url', 'link', 'visited', 'color', 'text...', 'textarea', 'input', 'form', 'li', 'ol', 'ul', 'dl', 'dd', 'dt', 'table', 'tr', 'td', 'th', 'abbr', 'acronym', 'code', 'fieldset', 'figure', 'figcaption', 'div', 'span', 'header', 'footer', 'section', 'article', 'nav', 'aside', 'h1', 'You', 'may']
Listing 5 - Generated GPT-3.5 Wordlist Rerun
We sent the same request, but received a different response. This time, the API only returned HTML-related keywords, although this time it's presented in a Python list format. Multiple requests return even more varied responses.
We can adjust this behavior with a seed parameter. The seed parameter establishes the initial point for the randomness, which improves the predictability of the output. By incorporating both the seed parameter and the prompt, we can generate a more deterministic output. Let's add the seed parameter to the request.
...
Code:
response = client.chat.completions.create(
    model="gpt-3.5-turbo",
    messages=[
        {"role": "system",
         "content":
            "A user will provide the HTML content of a website. "
            "Extract all the words from this page to make a list. "
            "Then, remove all the words that are generic. "
            "Remove any word that is generic HTML, JavaScript, the name of any CSS or JavaScript library. "
            "Remove all other generic words. "
            "Return the words that are left, after all the generic words have been removed."},
        {"role": "user", "content": r.text}
    ],
    seed=2
)
wordlist = response.choices[0].message.content.strip()
print(wordlist)
Listing 6 - Generated GPT-3.5 Wordlist Code With Seed
When the request includes the seed, the response is the same every time.
['DOCTYPE', 'html', 'lang', 'en', 'head', 'meta', 'charset', 'utf-8', 'http-equiv', 'X-UA-Compatible', 'content', 'IE=edge', 'name', 'viewport', 'width', 'device-width', 'initial-scale', '1', 'description', 'author', 'link', 'shortcut', 'icon', 'h...irst', 'hasClass', 'active', 'removeClass', 'active', 'addClass', 'active', 'return', 'false', 'getColumnNumber', 'winWidth', 'width', 'columnNumber', 'if', 'columnNumber', 'return', 'columnNumber', 'setColumns', 'itemWidth', 'Math', 'floor', 'reLayout']
Listing 7 - Generated GPT-3.5 Wordlist With Seed
Experimenting with different integer values for seed gives different results. It just so happens that in this case, the result is formatted as a Python list. Sending the same seed does not guarantee consistent output. We could apply this seed to a different prompt and get a response that's not formatted as a Python list.
The output depends on all the inputs we supply. Let's supply the same seed but pass the HTML contents of [link]
...
Code:
r = requests.get('https://www.example.com')
response = client.chat.completions.create(
    model="gpt-3.5-turbo",
    messages=[
        {"role": "system",
         "content":
            "A user will provide the HTML content of a website. "
            "Extract all the words from this page to make a list. "
            "Then, remove all the words that are generic. "
            "Remove any word that is generic HTML, JavaScript, the name of any CSS or JavaScript library. "
            "Remove all other generic words. "
            "Return the words that are left, after all the generic words have been removed."},
        {"role": "user", "content": r.text}
    ],
    seed=2
)
wordlist = response.choices[0].message.content.strip()
print(wordlist)
Listing 8 - Generated GPT-3.5 Wordlist Code With Changed Seed
In this case, the results are returned as a plain-text list.
Example, Domain, illustrative, examples, documents, literature, coordination, permission, information
Listing 9 - Generated GPT-3.5 Wordlist With Changed Seed
We cannot leverage the seed to compel the model to interpret our prompt in a specific manner. The most valuable application of the seed is to ensure reproducibility once we've nailed down a prompt and receive a response we like.
Let's return to our megacorpone.com example. Where do we go from here? We can try many different seeds and see what kind of output we get. We can also try modifying the prompt, to see if we can get more useful responses. This will likely give us a decent selection of different outputs to work with.
For example, let's make the prompt less prescriptive, and more general.
...
Code:
response = client.chat.completions.create(
    model="gpt-3.5-turbo",
    messages=[
        {"role": "system",
         "content":
            "A user will provide the HTML content of a website. "
            "We want to create a wordlist of unique words which are possible candidates for directory names and filenames on the web application . "
            "This list of words should only include words which are not generic technical terms. "},
        {"role": "user", "content": r.text}
    ]
)
wordlist = response.choices[0].message.content.strip()
print(wordlist)
Listing 10 - Generated GPT-3.5 Wordlist Code With General Prompt
Running this a few times without a seed gives us a pretty wide array of different responses. Some are very similar to those we got with the previous prompt:
MegaCorp, One, Nanotechnology, Future, Bootstrap, CSS, HTML, Javascript, Responsive, Navbar, Headerwrap, Service, Logos, Container, FAQ, Posts, Footer, Social, Media, Location, Portfolio, ImagesLoaded, Isotope, Resize.
Listing 11 - Generated GPT-3.5 Wordlist General Sample 1
Other prompts produce more comprehensive results but also include more noise:
Based on the HTML content provided, here is a list of possible candidates for directory names and filenames:
1. assets
2. ico
3. css
4. bootstrap
5. style
6. font-awesome
7. js
8. ie8-responsive-file-warning
9. html5shiv
10. respond
11. myFadeIn
12. navbar
13. navbar-default
14. navbar-fixed-top
15. container
16. navbar-header
17. navbar-toggle
18. collapse
19. navbar-collapse
20. navbar-right
21. nav
22. navabar-nav
23. active
24. centered
25. col-lg-8
26. col-lg-offset-2
27. col-lg-4
28. himg
29. fa
30. fa-cog
31. headerwrap
32. old-bd
33. row
34. col-md-6
35. fa-rocket
36. fa-fw
37. h4
38. hline
39. ul
40. margin-left
41. cell-regeneration
Listing 12 - Generated GPT-3.5 Wordlist General Sample 2
Let's try one final tweak, using the GPT4 model rather than GPT 3.5, to determine if there's any substantial improvement in the quality of the response. We'll use gpt-4-1106-preview in this example, since this is the most recent publicly-accessible model we can use through the API.
We'll use the same prompt as before, changing only the model parameter.
...
Code:
response = client.chat.completions.create(
    model="gpt-4-1106-preview",
    messages=[
        {"role": "system",
         "content":
            "A user will provide the HTML content of a website. "
            "We want to create a wordlist of unique words which are possible candidates for directory names and filenames on the web application . "
            "This list of words should only include words which are not generic technical terms. "},
        {"role": "user", "content": r.text}
    ]
)
wordlist = response.choices[0].message.content.strip()
print(wordlist)
Listing 13 - Generated GPT-4 Wordlist General Sample 1
Running this several times gives us varying output. What is clear is that GPT4's output is much more verbose, and liable to take on an explanatory tone. For example, in the following sample response, the first sentences are all dedicated to explaining how the LLM arrived at its outcome.
Creating a wordlist for directory names and filenames on a web application involves parsing through the provided HTML content and extracting potential candidates while filtering out common technical terms and generic words. Here’s a process and an example wordlist derived from the provided HTML content:
1. Parse the HTML and extract all text nodes.
2. Tokenize the text into individual words.
3. Filter out common HTML tags, attributes, technical terms, and programming-related words.
4. Remove duplicates to get a list of unique words.
For your provided content, ignoring the HTML markup, JavaScript code, CSS links, and technical comments, we gather unique words that may be related to the web application's context or structure. Here are potential candidates from the given HTML:
-
- MegaCorp
- Nanotechnology
- Future
- Nanobar
- Home
- About
- Contact
- Support
- Careers
- Log
- In
- Envisioning
- Society
- Redefined
- Create
- Bleeding-edge
- Opportunities
- Do
- Ground-breaking
- Prototype
- Leading
- Future
- Work
- Advanced
- Engineered
- Cutting
- Edge
- Nanomedicines
- Cell
- Regeneration
- Military
- Smart
- Weapons
- Service
- Logos
- We
- Rocket
- Flask
- Micromachine
- Cyberisation
- Repair
- Nanomite
- Weaponry
- Systems
- Nanoprobe
- Entity
- Assimilation
- Nanoprocessors
- Perlin
- VanHook
- Chemical
- Dispersal
- FAQ
- Ethics
- Regulated
- Goverment
- Buy
- Products
- Environmental
- Concerns
- Suggest
- Uses
- Explore
- Specs
- Posts
- Acquires
- Funding
- Lawsuit
- Plaintiffs
- Missing
- CEO
- Joe
- Sheer
- Nominated
- Nobel
- Physics
- Medicine
- Literature
- Prizes
- Footer
- Rights
- Reserved
- Fictitious
- Company
- Security
- Location
Remember to review this list, as some words might still be too common or not suitable for your requirements; tailor it according to the specific context of the web application. This list excludes common web and programming words like "html," "css," "javascript," "script," "link," "meta," "div," "class," etc. The actual extraction and filtering require a more complex script or program which scans text and excludes common terms programmatically.
Listing 14 - Generated GPT-4 Wordlist General Sample 2
This output is much more reasoned than the previous output and it's already quite useful! It includes quite a few words derived from linguistic association. It also seems to have removed many other generic markup-related terms that the GPT-3.5 model would probably have kept when presented with the same prompt.
What is clear at this point is that the process of using an LLM for this task will require human oversight. Given the current state of LLMs and the quality of the output we receive from them, we'll generally need to tweak that output before feeding it directly into scripts or pipelines.
Based on the current state of LLM technology, the manual intervention we must provide is more burdensome than the benefits we derive from using an LLM. We can extract words from websites without an LLM. In fact, it might be more effective to revert to traditional techniques and somehow leverage an AI model in another way. We'll explore this hypothesis in the next section.
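Part of that manual step is just coping with layout: across this section the same prompt came back as a comma-separated line, a Python list literal, a numbered list with a lead-in sentence, and Markdown bullets wrapped in explanatory prose. The following is an added example, not code from the module, of a normaliser that handles each of those layouts, de-duplicates case-insensitively, strips a stoplist of generic web terms and merges several responses (different seeds, prompts or models) into one list. The four sample responses and the GENERIC stoplist are constructed to mirror the kinds of output shown above.

```python
import ast
import re

# Constructed sample responses (not the module's own output) in the layouts
# the GPT-3.5 and GPT-4 runs above produced.
SAMPLE_COMMA = ("MegaCorp, Nanotechnology, Future, Bootstrap, HTML, CSS, JavaScript, "
                "jQuery, MegaCorp One, Home, About, Careers, Log In, Bleeding-edge, nanomachines")
SAMPLE_PYLIST = "['Example', 'Domain', 'html', 'charset', 'viewport', 'Nanoprocessors']"
SAMPLE_NUMBERED = """Based on the HTML content provided, here is a list of possible candidates for directory names and filenames:
1. assets
2. css
3. bootstrap
4. font-awesome
5. cell-regeneration
6. navbar-collapse"""
SAMPLE_BULLETS = """Creating a wordlist for directory names involves parsing the provided HTML content and filtering out generic words. Here's a process:
1. Parse the HTML and extract all text nodes.
2. Filter out common HTML tags and attributes.
Here are potential candidates from the given HTML:
-
- MegaCorp
- Nanotechnology
- Cell
- Regeneration
- Nanoprobe
- VanHook
- Footer
Remember to review this list, as some words might still be too common or not suitable for your requirements."""

# Constructed, deliberately small stoplist of generic web terms.
GENERIC = {"html", "css", "javascript", "jquery", "bootstrap", "assets", "div",
           "span", "class", "script", "link", "meta", "header", "footer",
           "navbar", "container", "charset", "viewport", "example", "domain"}

BULLET = re.compile(r"^\s*(?:[-*\u2022]|\d+[.)])\s*")   # "- ", "* ", "1. ", "1) "
TOKEN = re.compile(r"^[A-Za-z][A-Za-z0-9_-]*$")


def _items(text):
    """Pull list items out of a response regardless of its layout."""
    try:                                   # a Python list literal parses directly
        parsed = ast.literal_eval(text.strip())
        if isinstance(parsed, list) and all(isinstance(x, str) for x in parsed):
            return parsed
    except (ValueError, SyntaxError, TypeError):
        pass
    items = []
    for line in text.splitlines():
        line = BULLET.sub("", line).strip()
        if not line or line.endswith(":"):   # empty bullet, or a "here is..." lead-in
            continue
        parts = [p.strip(" .\"'`") for p in line.split(",")]
        if any(len(p.split()) >= 5 for p in parts):
            continue                         # explanatory prose, not list content
        items.extend(p for p in parts if p)
    return items


def extract_words(text, min_len=2):
    """Normalise one response into an ordered, case-insensitively
    de-duplicated list of single-token wordlist entries."""
    seen, words = set(), []
    for item in _items(text):
        for tok in item.split():
            tok = tok.strip("\"'`.,;")
            if len(tok) >= min_len and TOKEN.match(tok) and tok.lower() not in seen:
                seen.add(tok.lower())
                words.append(tok)
    return words


def filter_generic(words, generic=GENERIC):
    """Drop entries that are generic web/markup terms."""
    return [w for w in words if w.lower() not in generic]


def build_wordlist(responses, generic=GENERIC):
    """Merge several responses (different seeds, prompts or models) into one
    de-duplicated wordlist with generic terms removed."""
    seen, merged = set(), []
    for response in responses:
        for w in filter_generic(extract_words(response), generic):
            if w.lower() not in seen:
                seen.add(w.lower())
                merged.append(w)
    return merged


if __name__ == "__main__":
    for w in build_wordlist([SAMPLE_COMMA, SAMPLE_PYLIST, SAMPLE_NUMBERED, SAMPLE_BULLETS]):
        print(w)
```

Two limits are visible in the sample output: multi-word entries such as "Log In" become the tokens "Log" and "In", so short function words survive, and hyphenated CSS class names such as "navbar-collapse" pass the stoplist even though "navbar" is on it. Both are the kind of noise that the common-word filtering in the next section addresses.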
2.4. Experiment: CeWL + GPT4 = ???
In the previous experiment, we spent quite a lot of time tweaking andfiddling, to try to get the GPT model to return something useful.Even after getting a few useful responses for a particular site, whenwe applied the same method to another site, the output qualityvaried. All this manual work took up a lot of time. As of now, GPT3.5 may not be the most effective tool for performing this type ofwork, but there may be other ways we can achieve more effectiveoutputs.The Для просмотра ссылки Войди
Let's try to incorporate CeWL into our LLM-augmented wordlistgeneration process. The idea here is to use CeWL to extract awordlist, manually clean this list up, and then pass it to some GPTmodels to make associations.
In theory, this approach should provide us with greater control overthe input words the GPT is working with, ensuring less noise comparedto passing raw HTML to the model. It seems that excessive noise isdisrupting the model's processing. By feeding this carefully selectedinformation to GPT-4, the experiment shifts its focus to explore thecombination of traditional scraping techniques with sophisticatedlinguistic AI capabilities, which should make for an effectivecombination.
Let's run cewl against megacorpone.com from Kali, which bundles CeWL by default.
Code:
kali@kali:~$ cewl [link]
CeWL 6.1 (Max Length) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
kali@kali:~$ wc -l megacorpone.txt
432 megacorpone.txt
kali@kali:~$
Listing 15 - CEWL Wordlist Generator
CeWL found 432 unique words on megacorpone.com. This is a decently-sized wordlist.
However, the list contains common words that will decrease the effectiveness of our wordlist. This includes common [link]
One approach is to find a plaintext list of the most common words in the English language, and use some shell commands to remove these common words from our list.
We can start by using Peter Norvig's list of the [link]
Since Norvig's list also contains the word counts in a 2nd column, we'll remove those numbers with sed and remove all the trailing whitespace characters with tr.
Code:
kali@kali:~$ wget http://norvig.com/ngrams/count_1w.txt
--2024-01-31 03:15:47-- http://norvig.com/ngrams/count_1w.txt
Resolving norvig.com (norvig.com)... 158.106.138.13
Connecting to norvig.com (norvig.com)|158.106.138.13|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4956241 (4.7M) [text/plain]
Saving to: ‘count_1w.txt’
count_1w.txt 100%[=============================>] 4.73M 3.50MB/s in 1.4s
2024-01-31 03:15:54 (3.50 MB/s) - ‘count_1w.txt’ saved [4956241/4956241]
kali@kali:~$ head count_1w.txt
the 23135851162
of 13151942776
and 12997637966
to 12136980858
a 9081174698
in 8469404971
for 5933321709
is 4705743816
on 3750423199
that 3400031103
kali@kali:~$ head -n 1000 count_1w.txt | sed 's/[0-9]*//g' | tr -d " \t" > 1000_top.txt
kali@kali:~$ head -n30 1000_top.txt
the
of
and
to
a
in
for
is
on
that
by
this
with
i
you
it
not
or
be
are
from
at
as
your
all
have
new
more
an
was
kali@kali:~$
Listing 16 - Generating Top 1000 English Words
Now we have a cleaned-up list of the top 1000 English language words, we can pass this to grep, and use it to remove words from the list CeWL scraped.
We're arbitrarily choosing the top 1000 words. It may be more effective to choose a different number, depending on the application.
We'll use -i to tell grep to ignore case, -w to match whole words only, -v for a negative search (remove whatever it finds, rather than return it), and -f to use the file we pass as the source.
Code:
kali@kali:~$ grep -iwvf 1000_top.txt megacorpone.txt > megacorpone_reduced.txt
kali@kali:~$ wc -l megacorpone_reduced.txt
250 megacorpone_reduced.txt
Listing 17 - Reducing CEWL's Wordlist
We've managed to remove almost 200 words from the CeWL list, leaving us with 250 words. This seems like a good start.
Removing common words may seem counterintuitive, since there will be cases in many applications where there are directories and files named with very generic names, using very common words. However, there are already wordlists which contain the most common words, which can be thrown at an application separately. The purpose of this particular exercise is to compile a list of words unique to this particular application, based on the scraped linguistic information.
Let's take a look at this wordlist.
Code:
kali@kali:~$ head -n 30 megacorpone_reduced.txt
MegaCorp
row
container
megacorpone
com
Bootstrap
core
CAREERS
nanotechnology
edge
Joe
Sheer
col
Mill
Rachel
CSS
Custom
styles
template
debugging
purposes
Don
actually
copy
Fixed
navbar
Toggle
navigation
nav
collapse
Listing 18 - Revised CEWL Wordlist
Even in the first 30 lines, there are a lot of words we would consider a little too generic. Terms like navigation and copy aren't specific to megacorpone.com. As such, they don't really need to be in our megacorpone.com-specific wordlist.
Rather than spending a lot of time removing these by hand, let's just cut the list down using a longer list of generic words. We'll choose 8000 this time.
Code:
kali@kali:~$ head -n 8000 count_1w.txt | sed 's/[0-9]*//g' | tr -d " \t" > 8000_top.txt
kali@kali:~$ grep -iwvf 8000_top.txt megacorpone.txt > megacorpone_8000_reduced.txt
kali@kali:~$ wc -l megacorpone_8000_reduced.txt
78 megacorpone_8000_reduced.txt
kali@kali:~$ head -n 30 megacorpone_8000_reduced.txt
MegaCorp
megacorpone
Bootstrap
nanotechnology
Sheer
debugging
navbar
Toggle
bleeding
FOOTER
fictitious
footerwrap
Twitter
Nanotechnology
HEADERWRAP
Envisioning
MEGACORP
Redefined
headerwrap
feasible
exhaustive
prototype
deem
engineered
nanomedicines
regeneration
twrap
Regeneration
Micromachine
Cyberisation
Listing 19 - Reducing CEWL's Wordlist Further
This looks much more promising. This cuts the list down to 78 words. The list still contains a few generic technical terms like Bootstrap, twrap and HEADERWRAP, but with a sub-100-line wordlist, we can easily filter out these generic words manually.
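The whole Norvig-based reduction from Listings 16, 17 and 19 can also be done in a few lines of Python, which is handy when the filtering has to run inside the same script that later calls the API. The block below is an added example, not code from the original module: the two sample inputs are constructed stand-ins for count_1w.txt and for CeWL's output, and the function names (`top_n_words`, `reduce_wordlist`, `reduce_file`) are this example's own. It reproduces the `sed`/`tr` count stripping and the `grep -iwvf` semantics (case-insensitive, whole word, negative match), parameterised by N so the 1000 and 8000 cut-offs are just two calls.

```python
"""Reduce a CeWL wordlist by dropping the N most common English words.

Added example (not code from the original module). Reproduces the shell
pipeline of Listings 16, 17 and 19 in Python: strip the counts from a
count_1w.txt-style listing, then remove every CeWL word that is in the
top-N set, matching case-insensitively on whole words (what grep -iwvf does
for one-word-per-line input). Both inputs below are constructed samples.
"""
from __future__ import annotations

import re

# Constructed stand-in for count_1w.txt: "<word><tab><count>", most frequent first.
SAMPLE_NORVIG = """\
the\t23135851162
of\t13151942776
and\t12997637966
copy\t312345678
navigation\t123456789
core\t99999999
"""

# Constructed stand-in for CeWL's output (one scraped word per line, casing kept).
SAMPLE_CEWL = """\
MegaCorp
nanotechnology
core
Copy
navigation
nav
NAVIGATION
Nanomite
"""


def top_n_words(norvig_text: str, n: int) -> set[str]:
    """First n words of the listing, lowercased, with counts and whitespace removed.

    Equivalent to: head -n N count_1w.txt | sed 's/[0-9]*//g' | tr -d " \\t"
    Empty entries are skipped on purpose: an empty pattern given to grep -f
    matches every line, which combined with -v would empty the whole wordlist.
    """
    words: set[str] = set()
    for line in norvig_text.splitlines()[:n]:
        word = re.sub(r"[0-9]", "", line).strip()
        if word:
            words.add(word.lower())
    return words


def reduce_wordlist(cewl_text: str, stopwords: set[str]) -> list[str]:
    """Keep only CeWL words not present in `stopwords` (case-insensitive, whole word).

    Same effect as `grep -iwvf stoplist cewl.txt`; order and original casing of
    the survivors are preserved so the result can still be eyeballed.
    """
    kept: list[str] = []
    for line in cewl_text.splitlines():
        word = line.strip()
        if word and word.lower() not in stopwords:
            kept.append(word)
    return kept


def reduce_file(cewl_path: str, norvig_path: str, n: int) -> list[str]:
    """Disk-backed variant, e.g. reduce_file("megacorpone.txt", "count_1w.txt", 8000)."""
    with open(norvig_path, encoding="utf-8") as fh:
        stop = top_n_words(fh.read(), n)
    with open(cewl_path, encoding="utf-8") as fh:
        return reduce_wordlist(fh.read(), stop)


if __name__ == "__main__":
    # Two cut-offs on the toy data, standing in for the 1000 and 8000 runs.
    print("top-3 stoplist:", reduce_wordlist(SAMPLE_CEWL, top_n_words(SAMPLE_NORVIG, 3)))
    print("top-6 stoplist:", reduce_wordlist(SAMPLE_CEWL, top_n_words(SAMPLE_NORVIG, 6)))
```

One caveat the shell pipeline hides: `grep -f` treats an empty pattern line as matching every line, so a stray blank line in the stop list would make `grep -v` discard the entire CeWL output. The Python version skips empty entries for exactly that reason, and it keeps the survivors' original casing so that `NAVIGATION` and `navigation` are recognised as the same stopword but a kept term like `MegaCorp` is not silently lowercased.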
Let's prepare a list to send to an LLM. We can quickly eyeball the list to pick out all the terms that seem most relevant to megacorpone.com, ignoring all the most generic terms. This should leave us with only the words that make the most sense in the context of an HTML page. Our goal is to use human judgment, leveraging what we know about the context of the web page, and the societal context of MegaCorpOne. We want to end up with a really condensed list, containing only words which are relevant to the target organization. We'll then ask the LLM to make associations, which should lead us to other words, which may be useful to add to our enumeration wordlists.
This leaves us with something like the following:
MegaCorp
nanotechnology
nanomedicines
Regeneration
Immune
Supplements
Micromachine
Cyberisation
Nanomite
Weaponry
Nanoprobe
Nanoprocessors
NanoTimes
blockchain
Listing 20 - Starter Wordlist To Use With OpenAI
This is our "starter" wordlist. Similar to a yeast starter in bread-making, we will use this as the microbiotic foundation for a big baked loaf of web app enumeration words.
We can create a prompt similar to the following using the gpt-4-1106-preview model. As we did previously, we'll start by setting the expectations with a system prompt and then provide the raw content as the user prompt. We'll clearly describe what input the model will receive and what output we anticipate.
Code:
...
words = """
MegaCorp
nanotechnology
nanomedicines
Regeneration
Immune
Supplements
Micromachine
Cyberisation
Nanomite
Weaponry
Nanoprobe
Nanoprocessors
NanoTimes
blockchain
"""
response = client.chat.completions.create(
    model="gpt-4-1106-preview",
    messages=[
        {"role": "system", "content":
            "A user will provide a list of words, which have been extracted from a website. "
            "Using this list of words, create a longer list of words which are thematically related to these words. "
            "Then make a wordlist of directory and filenames which have a high probability of existing on the web server this website is hosted on."},
        {"role": "user", "content": words}
    ]
)
print(response.choices[0].message.content.strip())
Listing 21 - Wordlist GPT-4 Code with Starter Wordlist
This output is very comprehensive:
To generate a list of thematically related words, we can look at each
term provided and think of other terms in the same domain or that are
generally associated with this particular field, which in this case
seems to be focused on technology, nanotechnology, and possibly a
business or corporate environment:
Thematic List:
- Microtechnology
- Biotechnology
- Robotics
- Artificial intelligence
- Neurotechnology
- Bionics
- Smart materials
- Bioinformatics
- Quantum computing
- Virtual reality
- Augmented reality
- Genetic engineering
- Synthetic biology
- Cloud computing
- Cryptography
- Data security
- Smart devices
- IoT (Internet of Things)
- Pharmaceuticals
- Precision medicine
- Biochips
- Nanofibers
- Nanoscale
- Quantum dots
- Drones
- Automation
- Lab-on-a-chip
- Smart textiles
- Wearable technology
- 3D printing
- Tissue engineering
- Stem cells
- Molecular assembler
Next, we'll construct a list of potential directory and file names
that might be found on the web server of a company working in these
areas. Such names typically relate to the company's internal
structure, products, public resources, or the technologies they use.
Here is a hypothetical list:
- /products/nanodevices.pdf
- /research/whitepapers/advanced-nanomaterials.pdf
- /investors/financials/Q1-report-2023.pdf
- /downloads/software/quantum-modeling-tool.exe
- /api/documentation/external-integrations.md
- /publications/NanoTimes-march-2023.pdf
- /careers/openings/software-developer.html
- /support/ticketing-system/
- /blog/the-future-of-nanotech.html
- /about-us/company-profile.docx
- /contact/office-locations.json
- /blockchain/implementation-case-study.pdf
- /privacy-policy/cookies-usage.html
- /investors/presentations/Annual-General-Meeting-2023.ppt
Note that these are speculative examples based on common web server file structures and naming conventions, as well as the provided list of words and associated domains. Actual directories and file paths would depend on the web server's specific configuration and the content management practices of the company in question.
Listing 22 - Starter-Initiated OpenAI Wordlist
While this list is not yet ready for immediate use, it does include some valuable and potentially enlightening connections. The terms found on the site's homepage have been taken in thematic context, and other terms related to similar fields have been suggested. The suggested endpoints also look relatively sensible; although the chance that any of the specific file URIs is valid is extremely low, the output does illustrate a certain kind of rationality. Random words have not simply been strewn together.
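Because the reply mixes explanation with two bulleted lists (and the odd empty bullet), it has to be trimmed before a fuzzer can consume it. The block below is an added example, not the module's code: it rebuilds the Listing 21 messages, parses a reply in the Listing 22 layout into thematic words and candidate paths while dropping the prose, and de-duplicates the words against the starter list so the result can serve as the next round's input. The reply text inside the block is a constructed sample modelled on Listing 22, not the actual model output; `build_messages`, `parse_reply`, `dedupe`, `merge_starter` and `ask_model` are this example's own names, and only `ask_model` needs an `openai.OpenAI()` client and network access.

```python
"""Turn a GPT-style wordlist reply into clean lists a fuzzer can consume.

Added example, not code from the original module. Builds the same system/user
messages as Listing 21 and parses the kind of reply shown in Listing 22
(explanatory prose around two "- " lists) into de-duplicated thematic words
and candidate paths. SAMPLE_REPLY is a constructed stand-in so the block runs
offline; ask_model() is the only function that talks to the API.
"""
from __future__ import annotations

import re

SYSTEM_PROMPT = (
    "A user will provide a list of words, which have been extracted from a website. "
    "Using this list of words, create a longer list of words which are thematically related to these words. "
    "Then make a wordlist of directory and filenames which have a high probability of existing on the web server this website is hosted on."
)

# A few of the curated starter words from Listing 20.
STARTER = ["MegaCorp", "nanotechnology", "nanomedicines", "Regeneration", "blockchain"]

# Constructed reply in the shape of Listing 22: prose, an empty "-" bullet,
# two lists, a closing caveat. Not real model output.
SAMPLE_REPLY = """\
To generate a list of thematically related words, we can look at each term:

Thematic List:
-
- Microtechnology
- Biotechnology
- Nanoscale
- nanotechnology

Next, a hypothetical list of directory and file names:
-
- /products/nanodevices.pdf
- /research/whitepapers/advanced-nanomaterials.pdf
- /support/ticketing-system/
- /Products/NanoDevices.pdf

Note that these are speculative examples based on common web server file structures.
"""


def build_messages(words: list[str]) -> list[dict[str, str]]:
    """Same message layout as Listing 21; the starter words become the user turn."""
    return [
        {"role": "system", "content": SYSTEM_PROMPT},
        {"role": "user", "content": "\n".join(words)},
    ]


def dedupe(items: list[str], casefold: bool = True) -> list[str]:
    """Remove repeats, keeping first-seen order and spelling.

    Thematic words are compared case-insensitively (a fuzzer applies its own
    casing rules later); paths are compared exactly, since servers may be
    case-sensitive and both spellings are worth trying.
    """
    seen: set[str] = set()
    out: list[str] = []
    for item in items:
        key = item.lower() if casefold else item
        if key not in seen:
            seen.add(key)
            out.append(item)
    return out


def parse_reply(text: str) -> dict[str, list[str]]:
    """Split "- " bullets into words and server paths; everything else is ignored."""
    words: list[str] = []
    paths: list[str] = []
    for line in text.splitlines():
        m = re.match(r"^\s*[-*]\s+(.+?)\s*$", line)  # a bare "-" does not match
        if not m:
            continue
        item = m.group(1)
        (paths if item.startswith("/") else words).append(item)
    return {"words": dedupe(words), "paths": dedupe(paths, casefold=False)}


def merge_starter(starter: list[str], suggested: list[str]) -> list[str]:
    """Grow the starter with new suggestions only; this becomes the next round's input."""
    return dedupe(list(starter) + list(suggested))


def ask_model(client, words: list[str], model: str = "gpt-4-1106-preview") -> dict[str, list[str]]:
    """Live variant: `client` is an openai.OpenAI() instance; network access required."""
    response = client.chat.completions.create(model=model, messages=build_messages(words))
    return parse_reply(response.choices[0].message.content.strip())


if __name__ == "__main__":
    parsed = parse_reply(SAMPLE_REPLY)
    print("thematic:", parsed["words"])
    print("paths:", parsed["paths"])
    print("next starter:", merge_starter(STARTER, parsed["words"]))
```

The path list is kept separate from the word list on purpose: paths go straight into a directory fuzzer, whereas the thematic words are what gets fed back into the starter for a further round of association, and keeping the round-to-round merge case-insensitive is what stops the starter from accumulating `nanotechnology` and `Nanotechnology` as two entries.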
2.5. Experiment: Microsoft Copilot
Now that we have some experience using the OpenAI API to help create a wordlist, let's jump online and experiment with [link] Without making many adjustments to our previous prompts, let's send them to Copilot and compare the results.
For [link]
Extract all the words from this page to make a list.
Then, remove all the words that are generic.
Remove any word that is generic HTML, JavaScript, the name of any CSS or JavaScript library.
Remove all other generic words.
Return the words that are left, after all the generic words have been removed.
Listing 23 - Asking Copilot to extract unique tokens from [link].
Copilot returns the following:
Certainly! Let’s extract the relevant words from the MegaCorp One website and filter out any generic terms. Here’s the refined list:
- MegaCorp
- Nanotechnology
- Future
- Society
- Create
- Experience
- Technologies
- Concept
- Computer
- Leading
- Advanced
- Nanomedicines
- Cell regeneration
- Military applications
- Services
- Immune systems
- Supplements
- Micromachine
- Cyberisation repair
- Nanomite-based weaponry systems
- Nanoprobe-based entity assimilation
- Nanoprocessors
- Perlin VanHook Chemical Dispersal
Please note that I’ve excluded generic terms and focused on the specific aspects related to MegaCorp One’s nanotechnology endeavors. If you need further details or have any other requests, feel free to ask!
Listing 24 - Copilot's response.
This list is quite extensive, and we can compare it to the original list we received from the GPT 3.5 and GPT 4 models via the API. We could also ask Copilot to either combine or separate multi-word terms. Similar to the OpenAI API, the results may vary. Here is the same prompt submitted in a different window.
I want you to generate a wordlist from this website: [link]
Extract all the words from this page to make a list.
Then, remove all the words that are generic.
Remove any word that is generic HTML, JavaScript, the name of any CSS or JavaScript library.
Remove all other generic words.
Return the words that are left, after all the generic words have been removed.
Listing 25 - A slightly modified prompt.
This results in the following response:
Certainly! Let’s extract the relevant words from the website MegaCorp One. Here are the steps I followed:
Extracted Words: I collected all the words from the website.
Removed Generic Words: I filtered out generic words that are commonly found on websites.
Filtered HTML, JavaScript, and Library Names: I excluded words related to HTML, JavaScript, and any CSS or JavaScript libraries.
Final Wordlist: After these steps, I compiled a list of remaining words.
Here’s the wordlist from the website:
Nanotechnology
Future
Bleeding-edge
Technologies
Opportunities
Computer
Prototype
Regeneration
Military
Applications
Cell
Immune
Supplements
Micromachine
Cyberisation
Repair
Nanomite
Weaponry
Nanoprobe
Entity
Assimilation
Nanoprocessors
Perlin
VanHook
Chemical
Dispersal
Please note that this list includes specific terms related to MegaCorp One’s nanotechnology focus and excludes generic words. If you need further assistance or have any other requests, feel free to ask!

Listing 26 - The response to our slightly modified prompt.
Next, let's ask Copilot to adjust the format. For example, we can request it to present the list in a comma-separated format.
Can you make that into a comma separated list
Listing 27 - Asking for the list in a certain, comma-separated format.
Certainly! Here’s the comma-separated wordlist from the website:
Nanotechnology, Future, Bleeding-edge, Technologies, Opportunities, Computer, Prototype, Regeneration, Military, Applications, Cell, Immune, Supplements, Micromachine, Cyberisation, Repair, Nanomite, Weaponry, Nanoprobe, Entity, Assimilation, Nanoprocessors, Perlin, VanHook, Chemical, Dispersal
Listing 28 - The response from Copilot.
We received the list of words as requested, given to us in a comma-separated format. This type of responsive prompting can be one of the most useful features of a chat-like interaction, using a session with a short token "memory." We can ask questions in the context of the current session. This helps simplify our prompts and will improve the results as they are often generated with context.
Finally, we can also ask Copilot to assist us in writing a better prompt that achieves the desired goals. We can provide the wordlist we want in our preferred format and ask Copilot to suggest a consolidated prompt.
How could I have formed these questions in a more concise way to get the same results?
Listing 29 - Asking Copilot for a consolidated prompt.
Copilot responds accordingly:
Certainly! To achieve the same results more concisely, you could have asked:
“Extract relevant words from the website MegaCorp One and remove generic terms.”
“Provide a comma-separated list of the remaining words.”
Feel free to use these shorter prompts in the future!

Listing 30 - Copilot's response.
Let's put this to the test, and submit the suggested prompt.
“Extract relevant words from the website [link]
“Provide a comma-separated list of the remaining words.”
Listing 31 - Using the prompt that Copilot suggested.
This results in the following response:
Certainly! Here’s the comma-separated wordlist from the website:
Nanotechnology, Future, Bleeding-edge, Technologies, Opportunities, Computer, Prototype, Regeneration, Military, Applications, Cell, Immune, Supplements, Micromachine, Cyberisation, Repair, Nanomite, Weaponry, Nanoprobe, Entity, Assimilation, Nanoprocessors, Perlin, VanHook, Chemical, Dispersal
Listing 32 - The response from the consolidated prompt.
This is a great trick for generating better prompts. We may even want to take the prompt we get from Copilot, and use it in another LLM, or another service using GPT 4 as its backend.
While we won't wrap this section with a comprehensive methodology, we do have a good understanding of how valuable LLMs could be in the wordlist creation process. There is still a lot of experimentation to be done in this space. Using different prompts, models, and methods to input data into a language model will all influence the type of output we receive.
What is evident at this stage is exactly how much human oversight we need to give the LLM. While an LLM can leverage some contextual information, human intervention is really necessary to review the web application and decide on the best way to generate the wordlist. LLMs can effectively mimic reasoning, but they lack the level of contextual understanding that humans have. The output can also be chaotic, appearing quite random, and sometimes seem to ignore the prompts' original intentions. With so many moving parts and so much uncertainty, it seems more beneficial (at least for now) to restrict the use of LLMs to tasks related to word association. Asking for more than this injects more noise to the process, and might cause more difficulty than it prevents.
Finally, although we briefly reviewed the outputs in this module, we can explore further possibilities. We can adopt a recursive approach, continually expanding a "starter" wordlist throughout a testing cycle. By incorporating suggested terms from the LLMs and reintroducing them, we can broaden the list even more. It is unclear how extensive such a list can become before losing its effectiveness. There is a risk that the words produced by the LLM may become increasingly generic after multiple iterations. This type of generality is what we aim to prevent when compiling lists. There is definitely a threshold for how generic we allow such a recursively informed list to become.
3. Password Lists
We have tested our theory that LLMs can be effective in helping us generate word associations for web application enumeration. However, we could also leverage word association to generate password lists. Passwords are one of the most "human" problems in cybersecurity. They are often set by users, and are (almost) always kept entirely secret. When stored they are (almost) always hashed. If a password hash is compromised, an attacker must [link]
Our best guesses about what a cleartext password might be are based on what we know about how people set passwords. The most valuable insights security researchers have into user passwords often come from cleartext password leaks. Having access to a huge number of cleartext passwords can help us understand patterns, trends and strategies that humans may employ when setting passwords. But there have been very few mass leaks of cleartext passwords over the years. One of the most famous, rockyou.txt, resulted from the [link]
When attempting to guess a password, it's important to consider certain technical aspects. Understanding the password policy that governed the creation of the password is crucial. These policies typically require users to use characters from a specific keyspace and set minimum length requirements. Additionally, considering the context in which the password hash was discovered is essential. We may want to prioritize certain technical terminology from the industry the user is working in, use brand names, add variations of the user's company name, or variations of the application name in which the account is used. We should also consider details about the user themselves. Could we leverage social media to determine if they have a favorite activity, own a beloved pet, or even gather sensitive information such as their mother's maiden name? We can obtain many unique contextual clues about a password from a user's personal life.
With all this in mind, passwords often follow certain common criteria. A user might replace a character with a number to comply with a password complexity requirement. They might replace an "a" with a "4", or even a "ä". They could randomly include special characters, or follow a clear external logic. They may even write an entire sentence as a password.
All these contextual details can provide enough insight to help crack a password. As password cracking strategies evolve in response to increasingly stringent password policies and data protection mechanisms, the ability to predict and simulate potential password patterns has to become more sophisticated. Password cracking tools like [link]
Considering all factors, it is difficult to approach the creation of an effective password list scientifically. Our knowledge comes from public breaches, expertise in password cracking, and anecdotal evidence. Because of this, password cracking is often described as more of an art than a science.
Intuitively, it seems that Language Models could be useful in this scenario. LLMs are trained on a vast and varied text database, most of which is authored by humans. Therefore, LLMs have deep insights into human writing and word usage. The writing style used in public contexts and the way people create passwords are likely connected thematically. Using an LLM, we might be able to generate a "sample" of possible passwords by providing enough context. The internal logic of the LLM could also suggest potential passwords or password templates that might not be immediately evident to a penetration tester.
3.1. Experiment: Generate Password List with GPT4
Let's pick up where we left off with our web app enumeration wordlist. We'll pass our small, human-curated selection of words to gpt-4-1106-preview, this time with a different prompt.
...
words = """
MegaCorp
nanotechnology
nanomedicines
Regeneration
Immune
Supplements
Micromachine
Cyberisation
Nanomite
Weaponry
Nanoprobe
Nanoprocessors
NanoTimes
blockchain
"""
response = client.chat.completions.create(
    model="gpt-4-1106-preview",
    messages=[
        {"role": "system", "content":
            "A user will provide a list of words, which have been extracted from a website. "
            "Using this list of words, create a longer list of words which are thematically related to these words. "
            "Then make a wordlist of potential passwords which employees at this company might use. "},
        {"role": "user", "content": words}
    ]
)
print(response.choices[0].message.content.strip())
Listing 33 - Revised Starter-Initiated Wordlist Code
This generates interesting output. As usual, GPT4 explains everything it's doing, and produces a plethora of thematically-similar words.
To generate a list of words thematically related to the provided list, we should focus on concepts from corporate culture, nanotechnology, biotechnology, cybernetics, and possibly high tech and futuristic themes, since the provided words suggest a company (MegaCorp) working in cutting-edge technology fields.
Related Thematic Word List:
1. Biotech
2. Artificial Intelligence
3. Robotics
4. Quantum Computing
5. Genetic Engineering
6. Cybernetics
7. Microfabrication
8. Smart Materials
9. Bionics
10. Virtual Reality
11. Augmented Reality
12. Data Encryption
13. Molecular Manufacturing
14. Synthetic Biology
15. Nanobots
16. Nanofibers
17. Biocompatibility
18. Neurotechnology
19. Biomimetics
20. Precision Medicine
21. Wearable Tech
22. Silicon Chip
23. Holography
24. Cryptography
25. Neuron Interface
26. Cloud Computing
27. Internet of Things
28. Smart Grid
29. Renewable Energy
30. Genome Sequencing
31. 3D Printing
32. Stem Cells
33. Tissue Engineering
34. Pharmaceuticals
35. Nanoengineering
36. Innovation Hub
37. Automation
38. Futurism
39. Exoskeleton
40. Space Exploration
41. Carbon Nanotubes
42. Machine Learning
43. Cybersecurity
44. Digital Wallet
45. Advanced Alloys
Potential Password Wordlist:
When creating a list of potential passwords, we would take into account that people often include names, significant numbers (like dates), hobbies, pets, and sometimes, unfortunately, use rather straightforward passwords. They might also incorporate aspects of their work, ensuring we are adding variations with numbers and special characters typical of stronger passwords.
1. MegaCorp2023!
2. NanoTech#1
3. Regenerate2023
4. ImmuneBoost3r!
5. CyberizeMe2023
6. MilliMachine2023
7. NanoMedic2023$
8. QuantumNano!
9. SmartMaterial$22
10. BioMimicry2023
11. AI4NanoTech
12. Weaponry2023!
13. VirtualNan0
14. BlockchainPower
15. NanoProbes123
16. CyberSecur1ty
17. Robotics2023$
18. MicroFabric8
19. GeneticCode2023
20. BionicFuture!
21. QuantumEncrypt!
22. NeuralInterf@ce
23. Immune2Viruses
24. MegaInnov8!
25. MaxRegeneration
26. NanoProcessor$
27. SmartNanoTimes
28. MegaCorpTech!
29. ImmuneSupple2023
30. BioTechRocks2023
31. Cyberisation2023!
32. NanoRevolution
33. SiliconNano2023
34. Cybernetic$23
35. RegenNanoTech!
36. WearableTech2023$
37. MachineLearn2023
38. MegaBlockchain
39. NanoWeapon2023
40. AdvancedAlloys!
41. FutureNanoTech
42. SpaceNano2023
43. DigitalNanoCorp
44. SecureBlock2023
45. ImmuneNanoBot
Listing 34 - Revised Starter-Initiated Wordlist
This is a significant amount of output. We can copy and store the list of passwords it generated anyway, since we want to create as large a list of possible passwords as possible. But we can also adjust the prompt slightly and ask GPT4 to provide only the list of generated passwords next time we make the request.
...
words = """
MegaCorp
nanotechnology
nanomedicines
Regeneration
Immune
Supplements
Micromachine
Cyberisation
Nanomite
Weaponry
Nanoprobe
Nanoprocessors
NanoTimes
blockchain
"""
response = client.chat.completions.create(
    model="gpt-4-1106-preview",
    messages=[
        {"role": "system", "content":
            "A user will provide a list of words, which have been extracted from a website. "
            "Using this list of words, create a longer list of words which are thematically related to these words. "
            "Then make a wordlist of potential passwords which employees at this company might use. "
            "Only return the password list! "},
        {"role": "user", "content": words}
    ]
)
print(response.choices[0].message.content.strip())
Listing 35 - Iterating The Wordlist Code (1)
This should help reduce the output, and as an added bonus, we received additional LLM-generated passwords to consider:
Creating potential passwords that employees at a company with thematic ties to advanced technology, nanomedicine, and cyberization may use involves combining terms related to the provided keywords with numbers, special characters, or variations that individuals might incorporate to meet common password strength requirements. Here's a list of potential passwords:
1. MegaCorp2023!
2. NanoTech4Life
3. NanoMed#1
4. RegenXPower99
5. ImmuNeForce$
6. SuperSupp!2023
7. MicroMach!ne
8. Cyber!zeMe
9. NanoM1teStrong
10. WeaponryTech21
11. ProbeN4no
12. ProcessNano2023
13. NanoT1mes$
14. BlockChainMaster!
15. NanoTechGuru#
16. NanoPower$2023
17. CyberSmart!
18. ImmuneBoost3r
19. RegenerationX!
20. SecureBlock88
21. SuppleMental!
22. CyberSec#1
23. MachineMicro7
24. NanoRevolution!
25. Weaponry333!
26. BlockchainSecure!
27. RegenPlusMega
28. NanoProbe2023!
29. ProcessorNano8
30. TimesOfNano#1
Please remember that while these passwords incorporate a mix of thematic words, numbers, and special characters, true password security also depends on a variety of other factors, such as password length, avoiding common phrases or predictable patterns, and regularly updating passwords. It is also important to follow specific password guidelines provided by the relevant organization.
Listing 36 - Iterating Wordlist Generation
There are some interesting password contenders on this list. Many include the name of the company, and some include complexity modifiers, such as "MegaCorp2023!".
We can also ask GPT-4 to generate some passwords based on a complexity standard. Let's modify the prompt accordingly:
words = """
MegaCorp
nanotechnology
nanomedicines
Regeneration
Immune
Supplements
Micromachine
Cyberisation
Nanomite
Weaponry
Nanoprobe
Nanoprocessors
NanoTimes
blockchain
"""
response = client.chat.completions.create(
    model="gpt-4-1106-preview",
    messages=[
        {"role": "system", "content":
            "A user will provide a list of words, which have been extracted from a website. "
            "Using this list of words, create a longer list of words which are thematically related to these words. "
            "Then make a wordlist of potential passwords which employees at this company might use. "
            "Passwords have to be at least 16 characters long, and include uppercase, lowercase, numbers and special characters. "
            "Only return the password list! "},
        {"role": "user", "content": words}
    ]
)
print(response.choices[0].message.content.strip())
Listing 37 - Iterating The Wordlist Code (2)
The gpt-4-1106-preview model provides us with more interesting password candidates, this time following the password policy we specified.
Sure, I'll create a list of passwords based on the provided words. Since the words revolve around nanotechnology, cybernetic enhancements, and advanced technology themes, I will expand the list and then integrate various complexities to meet the password specifications provided.
1. NanoTech@MegaCorp2023!
2. Suppl3m3nt$Cyb3r!zation
3. NanoMedicine$2045&Corp
4. MicroMachine$Nanomite21
5. Weap0nry&Regenerat!0n23
6. ImmuneBooster@NanoTech!
7. Cyber!sation2023@Mega
8. NanoProce$$or$4Industry
9. ReGenerat!0n&Immun1ty
10. BlockchainNan0*Security
11. Nan0probe!nvestigat!0n
12. NanoTimes%Innovation23
13. ImmuneSy$temStrength!
14. Regener8&Nanotech#2023
15. MegaCorp$NanoWeaponry!
16. Guardian!mmuneNano21!
17. Cyberisation@M3ga2023#
18. Nanoprocessor$4M3gac0rp
19. Supplemen7s&Health2023
20. Micr0machine&Techn@logy
Please ensure these passwords are used in a responsible and secure manner, as they are generated based on the context given and do not necessarily conform to the best practices of security, such as complete randomness or the use of passphrases. It is also important to ensure that they adhere to the specific password policy of the company and are coupled with other security measures, like two-factor authentication.
Listing 38 - Iterating The Wordlist (2)
Some of these appear promising, in theory. The LLM has generated password candidates that follow typical conventions for creating more complex passwords. It combined various terms from its extrapolated list and incorporated special characters, in a manner consistent with prevalent theories on how people devise passwords.
However, 20 passwords aren't much. Let's request more password candidates.
...
words = """
MegaCorp
nanotechnology
nanomedicines
Regeneration
Immune
Supplements
Micromachine
Cyberisation
Nanomite
Weaponry
Nanoprobe
Nanoprocessors
NanoTimes
blockchain
"""
response = client.chat.completions.create(
    model="gpt-4-1106-preview",
    messages=[
        {"role": "system", "content":
            "A user will provide a list of words, which have been extracted from a website. "
            "Using this list of words, create a longer list of words which are thematically related to these words. "
            "Then make a wordlist of potential passwords which employees at this company might use. "
            "Passwords have to be at least 16 characters long, and include uppercase, lowercase, numbers and special characters. "
            "Only return the password list! Give me 500 passwords."},
        {"role": "user", "content": words}
    ]
)
print(response.choices[0].message.content.strip())
Listing 39 - Iterating The Wordlist Code (3)
We receive the following somewhat underwhelming response:
Since I cannot browse the internet to generate a thematically related word list, I'll create the potential passwords using the provided words and ensuring they meet the specified complexity requirements (at least 16 characters, including uppercase, lowercase, numbers, and special characters).
Let's begin:
1. MegaCorpNanoTech2023!
2. NanoMedicines$Mega21
3. ReGener@tion2023Corp
4. Immun3Booster$Mega22
5. XSupplem3nts4Health
6. MicroM@chineCo27%$
7. CyberNation$2024!!
8. NanomitesAsWeapon23
9. WeaponryNan0$2025!
10. SecureNanoprobe#21
11. ProcessorNano%34Co
12. TimesOfNano2023@@!
13. BlockChain&Nano123
14. Reg3ner8WithNano##
15. Corpor@teNanoMeds!
16. Immune2Attack$Nano
17. MightyMicromachine!
18. Cyberisation$Tech21
19. StrengthenNanomite!
20. W3aponNanoTech2023!
21. NanoprobeSecure$01
22. Proce55orsNanoTech!
23. NanoTimesBlockchain
24. BlockNanochain2022@
25. MeGaRegeneration24!
26. ImmunityUp$Mega$22
27. MegaCorpNanoSupple2
28. Cyberisation2023###
29. NanomiteDefence$01!
30. WeaponryNanoStrength
31. AdvancedNanoprobe23
32. Nanoprocessor%2024!
33. TimesNanoRevolution
34. BlockchainInnovation
35. ImmuneBoostNan0$022
36. MegaMicroMachines01
37. Cyberize20MegaCorp!
38. NanoNanomiteWarrior!
39. CyberProtectNan0$21
40. NanoprobeTech2023!!
41. CorpNanoprocessors2
42. TimesForNano&2022##
43. MegaBlockchain2020!
44. RegenWithNano$023!
45. Immune$NanoResponse
46. Supplements4Health21
47. CyberNanoMachine23$
48. NanotechMegaWeapon!
49. AdvancedNanoprobes!
50. ProcessorsInNano#24
...and so on, until 500.
Creating all 500 unique passwords would inundate this platform and is beyond the scope of a typical use case here. Keep in mind to generate a complete set of passwords like this, it is best to use specialized software such as a password manager's generator or a custom script that can ensure the complexity, uniqueness, and security of each password. Generating them manually or via a semi-automatic method here could potentially introduce patterns or biases that reduce their security.
Listing 40 - Iterating The Wordlist (3)
It appears that gpt-4-1106-preview has restricted its response length. Nonetheless, we could theoretically make multiple requests to the API and aggregate all the responses to gather a comprehensive sample of potential passwords.
Now that we have some password candidates, we could try to use them directly for cracking. We could ask GPT-4 to keep generating passwords indefinitely until we compile a huge list, and then try to crack password hashes based on that list.
Another approach could be to analyze the passwords that GPT-4 generates with some human effort. We could notice patterns within the generated passwords which we could subsequently translate into hashcat rules.
We might even be able to ask GPT-4 to make these observations itself. We could ask it indefinitely for potential passwords, compile a huge list, then feed it back and ask for any commonalities it can detect in the passwords.
Essentially these approaches try to answer the same questions. Is there embedded information that we can extract from the GPT-generated passwords that is not already included in existing hashcat rulesets? Does using an LLM provide insights into how passwords are created by a wide range of people? Or does it simply prioritize and reproduce what it has learned?
We assume it is trained on public data, or data meant to be understood by others. It is not, we assume, trained on large amounts of plain text passwords. Therefore, the passwords it generates are influenced by a widely accepted notion of what a password should be, rather than the actual practices people use to create passwords. This might mean that the passwords it generates are actually not representative of the kinds of passwords that real people are currently using.
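The aggregation step and the pattern analysis discussed above can both be done offline once the raw replies have been captured. The following is an added example written for this page, not code from the OffSec module: it takes several model replies (two constructed sample strings shaped like Listings 38 and 40, with their preambles, "...and so on" trailers and closing remarks), keeps only the numbered candidate lines, merges and deduplicates them, checks each one against the policy the prompt asked for (at least 16 characters, all four character classes), and then counts the structural habits in the surviving set. The regular expressions and pattern names are this example's own choices.

```python
import re
from collections import Counter

# Two constructed model replies, shaped like Listings 38 and 40 above: a preamble
# sentence, a numbered list, an "...and so on" trailer and a closing remark.
# These are sample strings written for this example, not real API output.
RESPONSE_A = """Sure, here is the list of passwords.
1. NanoTech@MegaCorp2023!
2. Suppl3m3nt$Cyb3r!zation
3. ImmuneSy$temStrength!
4. NanoTimesBlockchain
...and so on, until 500.
Please ensure these passwords are used responsibly."""

RESPONSE_B = """1. NanoTech@MegaCorp2023!
2. Micr0machine&Techn@logy
3. Weap0nry&Regenerat!0n23
4. BlockChain&Nano123
"""

# A candidate line is "<number>. <token>" or "<number>) <token>" and nothing else;
# preamble sentences, trailers and stray markdown fences never match.
NUMBERED_LINE = re.compile(r"^\s*\d+[.)]\s+(\S+)\s*$")


def extract_candidates(response_text):
    """Return the bare candidates from one reply, in order, ignoring all chatter."""
    return [m.group(1) for m in map(NUMBERED_LINE.match, response_text.splitlines()) if m]


def meets_policy(pw, min_len=16):
    """The policy the prompt asked for: minimum length plus all four character classes."""
    return (len(pw) >= min_len
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def aggregate(responses, min_len=16):
    """Merge several replies, dedupe while preserving order, and split the result into
    candidates that satisfy the policy and candidates the model produced anyway."""
    seen, kept, rejected = set(), [], []
    for text in responses:
        for pw in extract_candidates(text):
            if pw in seen:
                continue
            seen.add(pw)
            (kept if meets_policy(pw, min_len) else rejected).append(pw)
    return kept, rejected


# Structural habits worth counting before deciding whether a candidate set carries
# anything a generic ruleset does not already cover.
PATTERNS = {
    "starts_uppercase": re.compile(r"^[A-Z]"),
    "contains_year": re.compile(r"(19|20)\d\d"),
    "ends_with_digits": re.compile(r"\d+$"),
    "ends_with_special": re.compile(r"[^A-Za-z0-9]$"),
    # a digit or symbol wedged between two lowercase letters: l3et-style substitution
    "leet_inside_word": re.compile(r"[a-z][0134578$@!][a-z]"),
}


def describe_patterns(passwords):
    """Count how many candidates exhibit each pattern."""
    counts = Counter()
    for pw in passwords:
        for name, rx in PATTERNS.items():
            if rx.search(pw):
                counts[name] += 1
    return counts


if __name__ == "__main__":
    kept, rejected = aggregate([RESPONSE_A, RESPONSE_B])
    print(f"{len(kept)} compliant, {len(rejected)} rejected: {rejected}")
    for name, n in describe_patterns(kept).most_common():
        print(f"{name:18} {n}/{len(kept)}")
```

Run against the two sample replies, the duplicate first entry is kept once, and two candidates are rejected because they contain no digit (one of them no special character either), which is the kind of policy slip worth checking for before trusting a generated list. The pattern counts are the raw material the text describes translating into rules by hand; they are also a quick way to see whether a batch is just capitalised words with a year and a trailing symbol, i.e. nothing an existing ruleset does not already produce.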
3.2. Future Password Experiments
There are many different ways we might want to use LLMs to help us generate ideas for potential passwords. For example, consider a spear-phishing attempt in which we know that the target owns a dog, and we know the dog's name...
response = client.chat.completions.create(
    model="gpt-4-1106-preview",
    messages=[
        {"role": "system", "content": "What are some possible passwords for a dog owner, who's dog's name is Bobby, containing uppercase, lowercase, numbers and special characters?"}
    ]
)
print(response.choices[0].message.content.strip())
Listing 41 - Targeted Prompt Wordlist Code
This very mild prompt generates some quite reasonable candidates:
When creating passwords, it's essential to avoid using easily guessable information such as pet names, as this can be a security risk. However, if someone wants to create a password related to their dog Bobby and include uppercase letters, lowercase letters, numbers, and special characters, they can use various combinations and modifications to make the password stronger. Here are a few examples:
1. Bobby@2023!
2. B0bby#Luv3r
3. IHeartB0bby!
4. B0bbyP@w$123
5. MyDogB0bby$
6. Bobby4Ever!
7. LoveMyB0bby%
8. Big@BadB0bby
9. KingB0bby#1
10. BobbyTheD0g!
Remember, these are just examples for illustrative purposes. To enhance security, it's better to create a password that doesn't contain easily accessible personal information. It is also recommended to use longer passwords (often more than 12 characters) and consider utilizing a password manager to generate and store complex passwords.
Listing 42 - Targeted Prompt Wordlist
These provide a reasonable start to building a candidate wordlist.
There are more experiments we could probably conduct here. One of the most obvious ways to improve an LLM is by refining it with a wide range of clear text passwords. This approach would increase our confidence that the LLM is truly trained on authentic passwords used by real people, rather than just those provided as examples in public documentation.
We could utilize the output of a more reliable, finely-tuned LLM as the foundation for creating hashcat rules. This process would entail some human effort, but the end outcome would involve extracting the patterns or hints that the LLM generates and translating them into general hashcat rules.
We could also ask a more detailed LLM to give a clear explanation of the "reasoning" behind the creation of specific passwords. However, as with all LLMs, we should exercise caution in accepting its output as truth. LLMs are adept at sounding logical, even when there is no genuine underlying "reasoning" occurring in any LLM. Reasoning is presently a human attribute.
4. Conclusion
The main finding of these experiments is that OpenAI's GPT-4 outperforms GPT-3.5 in the word association tasks we assigned. Since LLM development is still relatively new, these results may significantly improve in the future with the introduction of newer models.
It is also worth noting that the GPTs had no trouble generating lists of potential passwords, despite the possibility that these might be used for some malicious activity. As platforms become more cautious about these types of pseudo-malicious uses, we may need to move away from LLMs-as-a-Service and utilize private models that we can adjust and search with.
What is also very notable is how much human effort is currently needed to get high-quality output from an LLM. We can't just use a fire-and-forget strategy with the current evolution of LLMs. The quality of the result and the way it's formatted is essentially arbitrary. We can't just parse the response in a generic way. Every response requires human intervention to interpret and ultimately utilize. It's still useful to be human, which is good news.
In total, exactly how useful are LLMs in generating custom wordlists? Potentially very useful! However, right now, we don't have much empirical evidence. We haven't spent months generating wordlists and throwing them at real-world web applications, or trying to crack large password hash dumps. From the perspective of a battle-hardened security professional, the kind of output we saw from these LLMs does seem very promising.
There is also some anecdotal evidence in recent months that suggests that LLMs have been able to guide penetration testers and security researchers down paths they may not have pursued otherwise. Asking LLMs to create wordlists is another manifestation of this. This is all promising, and may mean that LLMs and other AI-related technologies become more relevant to helping push pentesting workflows in the future.
So, in the end, it's evident that Large Language Models, with adequate human guidance, can provide valuable insights in the creation of wordlists. LLMs can be a helpful assistant when working in the more "human" sub-disciplines within cybersecurity.
by: OffSec.