Reconnaissance and Intelligence Gathering

Learn effective techniques for gathering information to create targeted wordlists and improve password cracking success rates

Reconnaissance and Intelligence Gathering Phase

The reconnaissance phase is a critical step in password cracking that significantly improves success rates. By gathering intelligence about the target organization and its users, penetration testers can create custom wordlists and strategies that are more likely to crack passwords efficiently.

Information Gathering for Custom Wordlists

OSINT Techniques

Open Source Intelligence (OSINT) can provide valuable data for wordlist creation:

  • Company websites: Gather terminology, product names, and slogans
  • Social media profiles: Collect names, interests, and important dates
  • Press releases: Find company-specific terms and projects
  • Job listings: Identify technologies and internal terminology
  • Public documents: Extract organization-specific vocabulary
# Using CeWL to spider a website (depth 2, words of 6+ characters) and create a wordlist
cewl -d 2 -m 6 -w company_terms.txt https://example.com

# Also collect author names and other document metadata; write them to a separate
# file so the word list above is not overwritten
cewl -d 2 -m 6 -w company_terms.txt --meta --meta_file company_meta.txt https://example.com

Employee Information

Employee details often form the basis of passwords:

  • Employee names: First, last, and usernames
  • Email formats: Understand naming conventions
  • Job titles: Roles often appear in passwords
  • Departments: Department codes or names
  • Employment dates: Years of hiring or important milestones
# Using theHarvester to gather email addresses
theHarvester -d example.com -b all -l 500

# Using LinkedIn data (when authorized)
# Export employee names to a file and process:
awk '{print tolower($1)}' linkedin_names.txt > firstnames.txt
awk '{print tolower($NF)}' linkedin_names.txt > lastnames.txt   # last field, so middle names are skipped
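The naming-convention point above in working form: an added example (not code from the original page) that turns harvested "First Last" names into username and e-mail candidates for each address format commonly seen in corporate directories. The format list, the domain example.com and the sample names are constructed; once the real convention is confirmed, trim FORMATS to it.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): turn harvested employee names
# into username and e-mail candidates using the address formats observed
# during OSINT. Names, domain and format list below are constructed.
set -u

# Formats to try: {first} {last} are full names, {f} {l} are initials.
FORMATS='{first}.{last} {f}{last} {first}{l} {first}{last} {first}_{last} {last}{f}'

# apply_format TEMPLATE FIRST LAST -> one lower-case username
apply_format() {
  local t=$1 first last
  first=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  last=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
  t=${t//\{first\}/$first}
  t=${t//\{last\}/$last}
  t=${t//\{f\}/${first:0:1}}
  t=${t//\{l\}/${last:0:1}}
  printf '%s\n' "$t"
}

# gen_usernames FIRST LAST DOMAIN -> username and e-mail address per format
gen_usernames() {
  local f u
  for f in $FORMATS; do
    u=$(apply_format "$f" "$1" "$2")
    printf '%s\n%s@%s\n' "$u" "$u" "$3"
  done
}

# gen_from_list FILE DOMAIN: FILE holds one "First Last" per line (e.g. an
# authorised LinkedIn export); single-token lines are skipped, output is deduplicated.
gen_from_list() {
  local first last
  while read -r first last _; do
    if [ -n "$first" ] && [ -n "$last" ]; then
      gen_usernames "$first" "$last" "$2"
    fi
  done < "$1" | sort -u
}

# Constructed sample export (not real people); the duplicate line is deliberate.
printf '%s\n' 'Jane Doe' 'John Smith' 'Jane Doe' 'Madonna' > linkedin_names.txt
gen_from_list linkedin_names.txt example.com > usernames.txt
echo "$(wc -l < usernames.txt | tr -d ' ') candidates written to usernames.txt"
```

The resulting usernames.txt feeds both the user-enumeration step (which of these accounts exist) and the wordlist step (names are common password components).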

Creating Targeted Wordlists

Company-Specific Wordlists

Create wordlists tailored to the target organization:

# Combine company terms with common password patterns
while read -r word; do
  echo "${word}"
  echo "${word}123"
  echo "${word}!"
  echo "${word}2023"
done < company_terms.txt > company_passwords.txt

# Add company founding year variations (adjust the range to the engagement)
for year in {1990..2023}; do
  echo "Company${year}" >> company_passwords.txt
  echo "company${year}" >> company_passwords.txt
done

Include specific elements:

  • Company name and variations like CompanyName, company_name
  • Product names and abbreviations
  • Company slogans and mottos
  • Office locations and addresses
  • Internal project codenames

Wordlist Processing and Optimization

1. Combine multiple sources

Merge wordlists from different sources to create a comprehensive base:

# Combine multiple wordlists
cat company_terms.txt employee_names.txt industry_terms.txt > combined.txt

# Remove duplicates
sort -u combined.txt > combined_unique.txt

This creates a foundation for further processing.

2. Apply common password patterns

Transform base words using common password creation patterns:

# Create a John the Ripper rule set. --rules=NAME selects a [List.Rules:NAME]
# section from the active configuration, not a file path, so write the section
# into a config that includes the stock john.conf and point --config at it.
# The quoted heredoc keeps the shell from expanding $1 and $! (in double quotes
# they would become a positional parameter and a process ID).
cat > corporate.conf <<'EOF'
.include "$JOHN/john.conf"
[List.Rules:Corporate]
c
c $1
c $2
c $3
$!
EOF
# c = capitalize the first letter; $X = append the character X

# Apply the rules to generate password candidates
john --config=corporate.conf --wordlist=combined_unique.txt --rules=Corporate --stdout > processed_wordlist.txt

This expands your wordlist with likely variations.

3. Optimize for size and efficiency

Balance wordlist size with effectiveness:

# Sort by length (shortest first), then strip the length prefix again
awk '{print length, $0}' processed_wordlist.txt | sort -n | cut -d' ' -f2- > optimized_wordlist.txt

# Limit size if necessary
head -n 1000000 optimized_wordlist.txt > final_wordlist.txt

Shorter candidates are tried first and are the ones that survive truncation, so the cheapest and most common passwords stay at the front of the list.

4. Test and refine

Validate your wordlist against sample data if available:

# Test against sample hashes
john --wordlist=final_wordlist.txt sample_hashes.txt

# Analyze results and refine
john --show sample_hashes.txt > cracked.txt

Use the results to further refine your wordlist.
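The four steps above as one runnable script, covering the company-specific wordlist generation as well. This is an added example, not code from the original page: mangle() is a plain-shell stand-in for the Corporate rule set so the pipeline runs without john installed, the YEARS list is an assumed default, and the two seed files are constructed in place of CeWL and theHarvester output.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): combine sources, expand with
# patterns, dedupe and order by length, all in plain shell. mangle() stands
# in for the John rule set; the seed files are constructed.
set -u
export LC_ALL=C               # byte-wise, locale-independent sorting

YEARS=${YEARS:-"2023 2024"}   # assumed years to append; adjust per engagement

# mangle WORD: emit lower/Capitalised/UPPER forms of WORD, each bare and with
# common suffixes, plus one leetspeak variant of the lower-case form.
mangle() {
  local w=$1 cap up base sfx
  cap=$(printf '%s' "${w:0:1}" | tr '[:lower:]' '[:upper:]')${w:1}
  up=$(printf '%s' "$w" | tr '[:lower:]' '[:upper:]')
  for base in "$w" "$cap" "$up"; do
    printf '%s\n' "$base"
    for sfx in 1 2 3 123 '!' '!1' $YEARS; do
      printf '%s%s\n' "$base" "$sfx"
    done
  done
  printf '%s\n' "$w" | sed 'y/aeios/@310$/'   # a->@ e->3 i->1 o->0 s->$
}

# build_wordlist OUT SRC...: merge the sources, normalise to lower case, drop
# blank lines and duplicates, expand every seed with mangle, dedupe again and
# order by length (shortest first) so truncation with head keeps the cheapest
# candidates.
build_wordlist() {
  local out=$1; shift
  cat "$@" | tr -d '\r' | tr '[:upper:]' '[:lower:]' | grep -v '^[[:space:]]*$' | sort -u |
    while IFS= read -r w; do mangle "$w"; done |
    sort -u | awk '{ print length($0), $0 }' | sort -k1,1n -k2 | cut -d' ' -f2- > "$out"
}

count_lines() { wc -l < "$1" | tr -d ' '; }

# Constructed seed lists standing in for CeWL and theHarvester output.
printf '%s\n' acme Rocket widget acme > company_terms.txt
printf '%s\n' smith Jane '' > employee_names.txt

build_wordlist final_wordlist.txt company_terms.txt employee_names.txt
echo "final_wordlist.txt: $(count_lines final_wordlist.txt) candidates"
```

Each unique seed expands to 28 candidates here; with real CeWL output (thousands of terms) that multiplier is why the dedupe and length-sort steps matter before the list reaches the cracker.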

Identifying Potential Targets and Entry Points

Network Reconnaissance

Identify systems that may contain password hashes:

  • Domain controllers: Primary source of Windows password hashes
  • Authentication servers: LDAP, RADIUS, Kerberos servers
  • Web applications: Custom authentication systems
  • Database servers: Often contain user credentials
  • Backup systems: May contain unprotected password data
# Network scanning with proper authorization
nmap -sV -p 389,636,88,1433,3306 10.0.0.0/24

# Identifying domain controllers
nmap -p 88,389 --open 10.0.0.0/24
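Reading the scan results back is where the "which hosts hold hashes" decision is made. The following is an added example, not part of the original page: it parses nmap grepable output (what `-oG` writes) and labels each host from the authentication ports it has open, treating Kerberos (88) together with LDAP (389) or the global catalog (3268) as a domain controller. The scan file is constructed inline; in practice it comes from a run such as `nmap -p 88,389,636,445,1433,3306,3268 -oG auth_scan.gnmap 10.0.0.0/24`.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): classify hosts from an nmap
# grepable (-oG) scan of authentication-related ports. The scan output
# below is constructed to look like real -oG lines.
set -u

SCAN=auth_scan.gnmap
{
  printf 'Host: 10.0.0.5 (dc01.example.com)\tPorts: 88/open/tcp//kerberos-sec///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (3)\n'
  printf 'Host: 10.0.0.20 ()\tPorts: 445/open/tcp//microsoft-ds///, 1433/open/tcp//ms-sql-s///\n'
  printf 'Host: 10.0.0.30 ()\tPorts: 445/open/tcp//microsoft-ds///, 389/filtered/tcp//ldap///\n'
  printf 'Host: 10.0.0.40 ()\tStatus: Up\n'
} > "$SCAN"

# open_ports GNMAP HOST -> space-separated open TCP ports for HOST
# -oG port entries look like port/state/proto/owner/service/rpc/version/
open_ports() {
  awk -v host="$2" '
    $1 == "Host:" && $2 == host {
      n = split($0, parts, "Ports: "); if (n < 2) next
      m = split(parts[2], ports, ", ")
      out = ""
      for (i = 1; i <= m; i++) {
        split(ports[i], f, "/")
        if (f[2] == "open") out = out (out == "" ? "" : " ") f[1]
      }
      print out
    }' "$1"
}

# role_of GNMAP HOST -> label based on which auth-related ports are open
role_of() {
  local p
  p=" $(open_ports "$1" "$2") "
  case "$p" in *" 88 "*)
    case "$p" in *" 389 "*|*" 3268 "*) echo domain-controller; return;; esac;;
  esac
  case "$p" in *" 389 "*|*" 636 "*) echo ldap-server; return;; esac
  case "$p" in *" 1433 "*|*" 3306 "*) echo database-server; return;; esac
  case "$p" in *" 445 "*) echo smb-host; return;; esac
  echo other
}

# Report every scanned host with its inferred role
for h in $(awk '$1 == "Host:" { print $2 }' "$SCAN" | sort -u); do
  printf '%-12s %s\n' "$h" "$(role_of "$SCAN" "$h")"
done
```

Filtered ports are ignored on purpose (only state `open` counts), so the host at 10.0.0.30 is reported as an SMB host rather than an LDAP server.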

Service Enumeration

Identify services that may be vulnerable to password attacks:

  • Remote access services: SSH, RDP, VPN endpoints
  • Web applications: Admin portals, intranet sites
  • File sharing services: SMB, FTP, NFS
  • Email services: Exchange, IMAP, POP3
  • Management interfaces: iLO, iDRAC, IPMI
# Service scanning
nmap -sV -p 22,23,25,80,443,445,3389 10.0.0.0/24

# Identifying web applications
nikto -h 10.0.0.1

User Account Discovery

Windows Environment

In Windows environments, identify user accounts through various methods:

# Using enum4linux with proper authorization
enum4linux -a 10.0.0.1

# Using net commands with proper access
net user /domain
net group "Domain Admins" /domain

# Using PowerShell (ActiveDirectory module) with proper access; GivenName and
# Surname are returned by default, so -Properties * only adds noise and load
Get-ADUser -Filter * | Select-Object SamAccountName, GivenName, Surname

Focus on:

  • Domain administrators
  • Service accounts
  • Recently created accounts
  • Accounts with elevated privileges

Identifying Password Storage Locations

Operating System Storage

Common password storage locations in operating systems:

  • Windows: SAM database, NTDS.dit, LSASS memory
  • Linux/Unix: /etc/shadow, /etc/master.passwd
  • macOS: /var/db/dslocal/nodes/Default/users/
  • Network devices: NVRAM, config files

Understanding these locations helps target hash extraction efforts.

Application Storage

Common password storage in applications:

  • Databases: User tables with password columns
  • Configuration files: Web.config, wp-config.php
  • Cached credentials: Browser storage, credential managers
  • Memory: Runtime memory of authentication services

Applications often implement custom password storage mechanisms that may be vulnerable.

Password Policy Analysis

Complexity Requirements Analysis

Analyze password complexity policies to inform cracking strategies:

# Windows domain policy with proper access
Get-ADDefaultDomainPasswordPolicy

# Output example:
# ComplexityEnabled           : True
# MinPasswordLength           : 8
# PasswordHistoryCount        : 24

Common complexity requirements:

  • Minimum length requirements
  • Character class requirements
  • Dictionary word restrictions
  • Username inclusion restrictions

Understanding these requirements narrows the search space: candidates shorter than MinPasswordLength, or without the character classes ComplexityEnabled demands, can be dropped before cracking starts. Record LockoutThreshold and LockoutDuration from the same output as well; they do not affect offline hash cracking, but they cap how fast any guessing against live accounts can go without locking users out.
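A policy filter in shell, as an added example that is not code from the original page. It takes the two values shown in the sample output (minimum length 8, complexity enabled), implements the Windows complexity rule as "at least three of upper, lower, digit, other" and the username-inclusion rule as "the password must not contain the account name", and drops non-compliant candidates before they reach the cracker. The candidate list and the account name jsmith are constructed; Windows also counts non-Latin Unicode letters as a fifth class and checks display-name tokens, which are left out here.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): drop candidates that the
# observed domain password policy would have rejected. Policy values mirror
# the sample Get-ADDefaultDomainPasswordPolicy output; candidates are constructed.
set -u

MIN_LEN=${MIN_LEN:-8}     # MinPasswordLength from the policy output

# meets_policy PASSWORD USERNAME
# Returns 0 when PASSWORD is at least MIN_LEN long, uses at least 3 of the 4
# classes (upper, lower, digit, other) that ComplexityEnabled requires, and
# does not contain USERNAME case-insensitively. Windows skips the username
# check for account names shorter than three characters; so does this.
meets_policy() {
  local pw=$1 user=$2 classes=0 lpw lu
  [ "${#pw}" -ge "$MIN_LEN" ] || return 1
  case "$pw" in *[[:upper:]]*) classes=$((classes + 1));; esac
  case "$pw" in *[[:lower:]]*) classes=$((classes + 1));; esac
  case "$pw" in *[[:digit:]]*) classes=$((classes + 1));; esac
  case "$pw" in *[![:alnum:]]*) classes=$((classes + 1));; esac
  [ "$classes" -ge 3 ] || return 1
  if [ "${#user}" -ge 3 ]; then
    lpw=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
    lu=$(printf '%s' "$user" | tr '[:upper:]' '[:lower:]')
    case "$lpw" in *"$lu"*) return 1;; esac
  fi
  return 0
}

# filter_wordlist IN OUT USERNAME: keep only policy-compliant candidates
filter_wordlist() {
  local pw
  while IFS= read -r pw; do
    if meets_policy "$pw" "$3"; then printf '%s\n' "$pw"; fi
  done < "$1" > "$2"
}

# Constructed candidates, including the CompanyName + Season + Year pattern
printf '%s\n' 'acme2023' 'Acme2023' 'Acme2023!' 'AcmeSummer2023' 'Jsmith2023!' 'Acme!' > candidates.txt
filter_wordlist candidates.txt compliant.txt jsmith
echo "kept $(wc -l < compliant.txt | tr -d ' ') of $(wc -l < candidates.txt | tr -d ' ') candidates"
```

Run per account with the real SamAccountName, since the username rule makes the filter account-specific; for a bulk list, apply it with an empty username and accept a few wasted guesses.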

Risk Assessment Matrix

Use this matrix to prioritize password cracking efforts based on risk:

| Target Type           | Impact   | Likelihood | Risk Level | Cracking Priority |
|-----------------------|----------|------------|------------|-------------------|
| Domain Admin Accounts | Critical | Medium     | High       | 1                 |
| Service Accounts      | High     | High       | High       | 2                 |
| Database Credentials  | High     | Medium     | Medium     | 3                 |
| Regular User Accounts | Medium   | High       | Medium     | 4                 |
| Application Accounts  | Medium   | Medium     | Medium     | 5                 |
| Test/Dev Accounts     | Low      | High       | Low        | 6                 |

Intelligence-Driven Cracking Strategy

1. Develop target profiles

Create profiles for different user groups:

Profile: Executive Management
- Likely complexity: Medium to High
- Common patterns: Company name + year, position titles
- Potential personal elements: Alma maters, sports teams
- Cracking approach: Targeted wordlists with company terms

Profile: IT Staff
- Likely complexity: High
- Common patterns: Technical terms, complex variations
- Potential personal elements: Tech interests, gaming references
- Cracking approach: Technical wordlists with extensive rules

Tailor your approach based on these profiles.

2. Map organizational structure

Understand the organization's hierarchy and departments:

Department: Finance
- Terminology: fiscal, quarter, budget, audit
- Systems: ERP, financial reporting tools
- Potential password patterns: Financial terms + numbers

Department: IT
- Terminology: technical jargon, product names
- Systems: Infrastructure, development tools
- Potential password patterns: Complex with special characters

Use this information to create department-specific wordlists.

3. Develop attack sequences

Create a prioritized sequence of cracking attempts:

1. Quick wins: Common passwords + company name
2. Targeted executive accounts: Executive-specific wordlist
3. IT admin accounts: Technical wordlist with complex rules
4. Service accounts: Pattern-based attacks for automated accounts
5. General user accounts: Broader wordlist with common patterns

This ensures efficient use of resources by targeting high-value accounts first.

4. Document intelligence findings

Create a comprehensive intelligence report:

Intelligence Summary:
- Organization uses 8-character minimum password policy
- Password rotation every 90 days
- Common pattern observed: CompanyName + Season + Year
- Executive accounts likely to contain reference to titles
- IT accounts likely to use technical terms and complex patterns

This documentation guides your cracking strategy and provides context for your findings.

Next Steps

Now that you understand the reconnaissance and intelligence gathering phase, you can:

  1. Learn about vulnerability analysis and scanning methods
  2. Explore exploitation techniques for extracting password hashes
  3. Prepare for password cracking using the intelligence you've gathered