Hack Like a Pro: How to Crack Passwords, Part 5 (Creating a Custom Wordlist with CeWL)

How to Crack Passwords, Part 5 (Creating a Custom Wordlist with CeWL)

Welcome back, my novice hackers!

In my series on cracking passwords, I began by showing off some basic password-cracking principles; developed an efficient password-cracking strategy; demonstrated how to use Hashcat, one of the most powerful password-cracking programs; and showed how to create a custom wordlist using Crunch. In this tutorial, I will show you how to create a custom wordlist based upon the industry or business of the targets using CeWL.

Most password-cracking programs are only as good as the wordlist that you provide them. Brute-force password cracking is very tedious and time consuming, but if you can find an appropriate and well-designed wordlist that is specific to the user whose password you are trying to crack, you can save yourself hours—maybe even days—of password cracking.

Crunch is great at creating wordlists based upon a set of rules such as the number of characters, the character set, etc., but doesn't enable us to choose a wordlist that is particular to a business or industry or interests. We humans are not always very creative and often fall victim to the familiar, especially when generating passwords. If we understand that, it can be helpful to finding potential passwords and generating a relevant password list.

For instance, employees at a construction company are more likely to use words for passwords that are used in their industry, such as lumber, girder, build, soffit, eave, etc. People in the drug industry are more likely have passwords such as prescription, drug, narcotic, barbiturate, etc. You get the idea.

It's simply human nature that words that we use in our everyday experience will first pop into our heads when we are considering passwords. That's why so many people use their pet's name, spouse's names, children's names, birthdates, street address, anniversaries, etc. They aren't very creative and use words and numbers that first come to mind.

We can use this lack of creativity to develop a specific wordlist for a specific company or industry. That's what CeWL can do for us. It's designed to grab words from the company's website to create a wordlist specific to the company in order to crack passwords of the users at that business.

Let's get started.

Step 1: Fire Up Kali & CeWL Help

First, fire up Kali and open a terminal. Next, let's type the "cewl" command and get its help screen.

  • kali > cewl --help

Note the depth (-d) and the min_word_length (-m) switches. The -d switch determines how deep (the default is 2) into the website CeWL will crawl grabbing words, and the -m switch determines the minimum length of words it will grab. Since most firms have a minimum password length, there's no need to grab short words. In this case, I will be setting the minimum to 7 letters.

Step 2: Build a Custom List with CeWL

Now, to build a custom wordlist, we set CeWL to scraping words from the website of our friends at SANS Institute. We can do this by typing:

Let's break that down.

  • -w customwordlist.ext: the -w means write to the file name that follows.
  • -d 5: the depth (in this case, 5) that CeWL will crawl to website.
  • -m 7: the minimum word length; in this case it will grab words of 7 characters minimum.
  • www.sans.org: the website we are crawling.

This command will then crawl the sans.org website to a depth of 5 pages, grabbing words at least 7 letters long. After several hours of crawling through the website, CeWL places all of the words it found into the file customwordlist.txt. We can then open it with any text editor; in this case, we will use Leafpad.

  • kali > leafpad customwordlist.txt

This will open the file like that below.

Note that these words are a reflection of the industry that SANS Institute is in—information security.

Step 3: Combine This List with a List Generated by Crunch

Now, combine this wordlist with another wordlist, or one generated by Crunch. Place these words first as they are specific to this user or company and are more likely to be correct.

Of course, we can use CeWL to create custom wordlists for password cracking targets other than employees at a particular company. For instance, if we know the individual who is our target is a soccer fan, we use CeWL to crawl a soccer site to grab soccer related words. That is, we can use CeWL to create specific password lists based upon just about any subject area by simply crawling a website to grab potential keywords.

Stay tuned: we will continue to explore new and better ways to crack passwords in this series, so keep coming back, my novice hackers!

Just updated your iPhone? You'll find new features for Podcasts, News, Books, and TV, as well as important security improvements and fresh wallpapers. Find out what's new and changed on your iPhone with the iOS 17.5 update.

Cover image via Shutterstock


It always amuses me how simple and easy to guess passwords are. Not only that but the fact that almost everyone uses the same password for everything. What's so hard about creating passwords consisting of randomly generated numbers and letters?


Effort in remembering or writing them down and time to look them up in your password file.
O tempora, O mores!
People start preventing only when it's too late I guess.

Sometimes you register on a small site.. after a long time.. say 2 years you forget about it.. then you suddenly nees your id for one thing or another... im sure you wont remember the password if you have diff passwords for different accounts..

So it can be a pain in the..

I am sure being hacked is more pain.

Trust me.

I use my favorite song lines as passwords.. it spans over 25 characters and also i change the usual stuff like o to 0, i to 1, e to 3 etc. I remain consistent and adapt one changing technique, and remembering it is easy!

Note: I use japanese songlines in Romanji, because i love J-pop. More security for free!.. :D

Thats a nice idea..!!

That's clever, I gotta say!
You start writing the password, stop singing and then join ;-)

Hey the qords cewl gets are case sensitive right??
So what to do to try all possible cases or atleast full upper or lower case??

Share Your Thoughts

  • Hot
  • Latest