Common User Password Profiler, also known as CUPP, is a very useful tool on Kali. Essentially, it is a Python script capable of generating targeted wordlists for an individual from basic data collected about them.
Because CUPP is a Python script, it does not need to be installed, only downloaded and run from a terminal.
Most of the data required can be obtained with passive reconnaissance of an individual on channels such as Facebook, LinkedIn, Twitter and other social media platforms.
CUPP (when run in interactive mode) will prompt you with a series of questions, including ones along the lines of:
• Date of Birth
• Child's Name(s)
• Pet's Name(s)
• Place of Work
You can probably obtain most of the above from a simple search of the internet – and some of the others will require some Social Engineering.
Once this data is collected and entered into CUPP, it will generate a password list based upon the answers you have put in. This should always be the first thing attempted when trying to crack an individual's password, simply because the list is not as long as a dictionary or as complex as a brute force attack; rather, it contains words specific to the user you are targeting. Ultimately, some users are going to be much more security conscious than others, so this method is by no means foolproof.
Currently I am using a vanilla install of Kali, and am logged in as a root user (Not best practice I know!) so, there will be a lack of sudo commands in this guide!
Let's first download CUPP from GitHub. Open a terminal and use the following command to download CUPP into your current directory:
git clone https://github.com/mebus/cupp.git
Once this has downloaded, navigate into the 'cupp' folder that the clone created.
Use the following command to launch CUPP in interactive mode:
python3 cupp.py -i
At this point the CUPP script will begin prompting you with questions.
After you have entered some data, CUPP will generate your password list and save it to the 'cupp' folder, using the First Name as the name of the file.
You can see below a part of the file created from within this session:
And there you have it! A custom password list that's targeted to a specific user! You can now feed this into whichever cracking program you are using.
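From the defender's side, the same profile data can drive a password-policy check that rejects candidates built from a user's personal details. The Python sketch below is an added example, not part of CUPP or of the original article; the function names, the substitution table and the sample profile are assumptions constructed for illustration.

```python
import re
from datetime import date

# Common character substitutions, undone before matching
# (an assumed set for this example, not CUPP's own table).
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})


def profile_tokens(names, birthdate, min_len=3):
    """Build the personal fragments a profiled wordlist would lean on."""
    tokens = set()
    for name in names:
        for part in re.split(r"[^a-z0-9]+", name.lower()):
            if len(part) >= min_len:
                tokens.add(part)
                tokens.add(part[::-1])  # reversed form, e.g. "xer" for "rex"
    d, m, y = f"{birthdate.day:02d}", f"{birthdate.month:02d}", str(birthdate.year)
    # Date fragments in the orders people commonly type them.
    tokens.update({y, d + m, m + d, d + m + y[2:], m + d + y[2:]})
    return tokens


def personal_matches(password, tokens):
    """Return the profile tokens found in the password, raw or de-leeted."""
    raw = password.lower()
    variants = {raw, raw.translate(LEET)}
    return sorted(t for t in tokens if any(t in v for v in variants))


# Constructed sample profile: own name, pet's name, place of work, date of birth.
SAMPLE_TOKENS = profile_tokens(["Alex Morgan", "Rex", "Initech"], date(1988, 7, 4))

if __name__ == "__main__":
    for candidate in ("R3x1988!", "M0rgan0407", "correct-horse-battery-staple"):
        hits = personal_matches(candidate, SAMPLE_TOKENS)
        print(candidate, "-> REJECT" if hits else "-> ok", hits)
```

A check like this belongs at password-set time, where the plaintext candidate is still available, using whatever profile fields the directory already holds for the user.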
As with all of these articles, please use this information responsibly! I also take no responsibility or liability for how you use it.
If you have any questions, comments or suggestions then please feel free to put them below.
Reviewed and Improved by: Ella Goodheart