-[ Password profiling using wyd.pl ]-

-[ Example usage 1: Penetration testing on a public internet server ]-

	-[ Preface ]-
	During a penetration test on a public internet server, a POP3
	service and a web server could be identified. It was possible to
	gather some information about likely usernames, but no password
	could be guessed.
	
	After testing the default wordlists available in the tester's toolset,
	none of the accounts could be cracked.
	
	-[ Usage of the password profiling technique ]-
	Because the tester has access to the company's website, he has a good
	source of candidate passwords. Product names, locations, slang or
	company-specific jargon are often used as user passwords. Loyalty to
	the company or product may be one reason, lack of creativity and a
	preference for simplicity another.
	
	-[ Gathering the website ]-
	Using any website mirroring tool, the whole website can be
	retrieved. "wget -r" does a good job of that. Let's give it a
	shot:
	
	mkdir ~/target-website
	cd ~/target-website
	wget -r http://www.target-website.com
	
	After a while, wget has fetched the whole website content into the
	local directory. The authors suggest gathering as much data as possible.
	Note that wget's recursion stops at depth 5 by default (see "--level")
	and honours robots.txt, so parts of a site may be skipped unless you
	adjust these. See "man wget" for more detailed usage of wget.
	
	-[ Profiling - Round one ]-
	
	To generate a customized list of potential passwords from the
	mirrored data, run "wyd.pl" against the directory:
	
	wyd.pl -o ~/possible-passwords.txt ~/target-website 
	
	That's it. After a few minutes, depending on the amount of data from
	the website, wyd.pl will have finished and you will have a file of
	potential passwords (~/possible-passwords.txt).
	
	-[ Profiling - Round two ]-
	
	A lot of people don't use a plain dictionary word as a password. They
	often take a word like "London" and add something like "123" to get
	"London123". Those are permutations of common words.
	At first sight these seem difficult to guess, but the
	de facto standard password cracker "John the Ripper" ships with a lot
	of preconfigured permutation / mangling rules. To further enhance
	our first results, we use "john" to mangle the gathered words
	into a more complete list of candidate passwords with modifications.
	
	There are two ways of doing this: either by using UNIX pipes to
	combine wyd.pl and john, or by feeding the existing
	~/possible-passwords.txt file into john as its wordlist. The authors
	suggest the file-based approach, because it allows more control.
	
	./john --rules --wordlist=~/possible-passwords.txt --stdout 
	
	"--stdout" makes john print the mangled candidates instead of
	attacking any hashes. If you like you can add
	"> ~/possible-passwords-mangled.txt" (or ">>" to append to an
	existing file) to that command to write the output to a file
	instead of the console.
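
	Added example, not code from wyd.pl or John the Ripper: a bash
	stand-in for the two profiling rounds, run on a small constructed
	corpus so the pipeline can be seen end to end without a live target.
	Everything in it is an assumption made for the demo: the "Acme
	Widgets" pages, the HTML tag stripping with sed, and the handful of
	mangling rules (john's real rule set is far larger, and wyd.pl
	understands many more formats than plain text and HTML).

```bash
#!/usr/bin/env bash
# Added example (not code from wyd.pl or John the Ripper): a small
# stand-in for "wyd.pl -o list DIR" followed by "john --rules --stdout",
# run on a constructed corpus.  The corpus, the tag stripping and the
# mangling rules are all assumptions made for this demo.
set -eu
export LC_ALL=C

# Constructed stand-in for a mirrored website (~/target-website in the
# text): a few pages naming fictional products and locations.
demo_corpus() {               # usage: demo_corpus DIR
    mkdir -p "$1/products" "$1/about"
    cat > "$1/index.html" <<'EOF'
<html><body><h1>Welcome to Acme Widgets</h1>
<p>Acme Widgets builds the Turbomax and Hyperflow product lines in London.</p>
</body></html>
EOF
    cat > "$1/products/turbomax.html" <<'EOF'
<h2>Turbomax</h2><p>The Turbomax range, made in London since 1998.</p>
EOF
    cat > "$1/about/team.txt" <<'EOF'
Our London office and our Manchester office. Turbomax rules!
EOF
}

# Round one stand-in: strip HTML tags, split every file under DIR into
# words, drop words shorter than MINLEN and rank the rest by how often
# they occur (frequent site-specific terms make the best candidates).
profile_words() {             # usage: profile_words DIR MINLEN
    find "$1" -type f -exec cat {} + \
        | sed 's/<[^>]*>/ /g' \
        | tr -cs '[:alnum:]' '\n' \
        | awk -v n="$2" 'length($0) >= n' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $2 }'
}

# Round two stand-in for "john --rules --stdout": a handful of classic
# mangling rules (case changes, appended digits/years/"!", reversal,
# leetspeak) applied to each word read from stdin, duplicates removed.
mangle() {                    # reads words on stdin, writes candidates
    awk '
    function rev(s,    i, r) { r = ""; for (i = length(s); i > 0; i--) r = r substr(s, i, 1); return r }
    function emit(c)         { if (!(c in seen)) { seen[c] = 1; print c } }
    NF {
        w   = $1
        cap = toupper(substr(w, 1, 1)) substr(w, 2)
        emit(w); emit(cap); emit(tolower(w)); emit(toupper(w))
        n = split("1 123 2024 !", suf, " ")          # assumed suffix set
        for (i = 1; i <= n; i++) { emit(w suf[i]); emit(cap suf[i]) }
        emit(rev(w))
        l = w; gsub(/[aA]/, "4", l); gsub(/[eE]/, "3", l); gsub(/[oO]/, "0", l)
        emit(l)
    }'
}

# Run both rounds on the demo corpus and show the head of the result;
# the two files correspond to ~/possible-passwords.txt and
# ~/possible-passwords-mangled.txt in the text.
corpus=$(mktemp -d)
demo_corpus "$corpus"
profile_words "$corpus" 4 > "$corpus/possible-passwords.txt"
mangle < "$corpus/possible-passwords.txt" > "$corpus/possible-passwords-mangled.txt"
printf '%s profiled words -> %s candidates after mangling\n' \
    "$(wc -l < "$corpus/possible-passwords.txt" | tr -d ' ')" \
    "$(wc -l < "$corpus/possible-passwords-mangled.txt" | tr -d ' ')"
head -n 12 "$corpus/possible-passwords-mangled.txt"
rm -rf "$corpus"
```

	On the demo corpus "Turbomax" comes out on top because it is the
	most frequent site-specific term, which is exactly the kind of word
	the profiling technique is after; against a real mirror you would
	pass the wyd.pl output to john instead of the awk stand-in.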
	
	-[ The Attack ]-
	
	The attack itself is not part of this how-to. Most often it is a
	simple dictionary attack against the identified services (here POP3
	and HTTP) using well-known brute-forcing tools and your custom
	profiled dictionary; keep the target's lockout policy in mind when
	choosing how many attempts to make per account.
	 
-[ ------------------------------------------------------------------ ]-

-[ Example usage 2: Crime investigation - Password protected file ]-

	-[ Preface ]-
	During a crime investigation some computer systems were
	acquired as evidence. After analyzing the acquired disk
	images, potentially relevant files could be identified: Fraud.rar,
	Planing.rar and Accounts.rar were password-protected RAR archives.
	The rest of the files on the disks seemed to be regular data like
	.mp3 files, Word files etc.
	
	After testing the default wordlists available in the investigator's
	toolset, none of the protected files could be extracted, because
	the right password was not found.
	
	-[ Usage of the password profiling technique ]-
	Disk images hold a complete copy of the data on the original hard
	disks at the time of acquisition. Quite often, the passwords in use
	are stored somewhere on a person's computer system or are related to
	its contents. This may sound odd at first, but think of how many
	people you know who use the title of their favourite song as their
	password. PDFs, presentations, documents and plain-text data are very
	likely to hold at least part of their user's password. By profiling
	the accessible directories and files on the hard disk, the
	investigators may find the password in a short amount of time.
	
	-[ Prepare the data ]-
	Depending on the available system and disk space, the acquired image
	can either be mounted or the accessible data can be copied to a
	specific folder. This document does not describe how to do this in
	detail, but "losetup" or "mount -o loop" can help you here a lot.
	Mount the image read-only (e.g. "mount -o ro,loop") so the evidence
	is not modified and its hash can still be verified afterwards.
	For the rest of this document we assume that the relevant data is
	stored under "/mnt/evidences".
	
	-[ Continuation ]-

	From here on, proceed as in example 1, with two differences: there is
	nothing to mirror, and wyd.pl is pointed at "/mnt/evidences" instead
	of "~/target-website". Profile the data, mangle the result with john,
	and use the resulting wordlist against the RAR archives. Since a disk
	image contains many non-text file formats, the "-s" option described
	under "Additional information" below may be needed.
	
	
-[ ------------------------------------------------------------------ ]-

-[ Additional information ]-

	-[ Strings / Binary file inclusion ]-
	wyd.pl has an additional option "-s <min-len>". When you have a lot
	of unsupported, non-ASCII file formats, you can use this option to
	make wyd.pl parse all files using the UNIX command "strings". The
	parameter <min-len> is a number which defines the minimum run of
	printable characters that must occur within a file before "wyd.pl"
	will treat it as a word. The problem with strings is that it also
	produces a lot of useless "false positives" (fragments of headers and
	binary data that happen to be printable), which inflate the wordlist.
	If you don't get any success without the "-s" option, give wyd.pl
	another shot with it.
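
	Added example, not code from wyd.pl: an emulation of what "-s
	<min-len>" hands to strings(1), done with tr and grep so it runs
	without binutils, on a constructed binary blob. It shows the trade-off
	described above: at min-len 3 the fake ELF magic and a byte fragment
	appear as "words", at 4 only the three embedded words survive, and at
	9 the eight-character one is lost. The sample bytes and the threshold
	values are assumptions made for the demo.

```bash
#!/usr/bin/env bash
# Added example (not code from wyd.pl): emulate what "-s <min-len>"
# asks of strings(1), using only tr and grep, on a constructed binary
# file.  Sample bytes and thresholds are assumptions for this demo.
set -eu
export LC_ALL=C

# Constructed binary: three real words (Turbomax, London2024, Hyperflow)
# embedded between non-printable bytes, plus short printable fragments
# ("ELF" from a fake header, "A4%", "qz") that are not words at all.
make_binary() {               # usage: make_binary FILE
    printf '\177ELF\002\001\000\000Turbomax\000\000\001\002A4%%\000\000\003London2024\000\000\177\020\005qz\000\000Hyperflow\000' > "$1"
}

# Runs of at least MINLEN printable characters in FILE, which is the
# core of "strings -n MINLEN FILE" (strings itself also knows about
# wide-character encodings and object file sections; this does not).
printable_runs() {            # usage: printable_runs FILE MINLEN
    tr -c '[:print:]' '\n' < "$1" | grep -E "^.{$2,}\$" || true
}

# Show how the threshold trades false positives against lost words.
bin=$(mktemp)
make_binary "$bin"
for n in 3 4 9; do
    printf 'min-len %s:\n' "$n"
    printable_runs "$bin" "$n"
done
rm -f "$bin"
```

	A threshold of 4 is a reasonable starting point for real data: it
	already drops most two- and three-byte junk, while anything above the
	shortest password you expect will silently discard real candidates.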
	

