CUPP – Common User Passwords Profiler
Usernames and Password values are the most commonly used methods for authentication purposes in almost every web application or any type of application. When the credentials provided in this type match the values stored at the server, only the user is authenticated to the specified service. Using weak Usernames and Passwords may lead to various impactful cyber threats like Password Cracking, Brute-Forcing, and Account Takeover. CUPP tool is an automated script written in the python language that interacts with the user and answers some fundamental questions about the victim like Name, Company Name, Partner’s Name, etc. After analyzing these answers, the CUPP tool generates some possible Usernames+Password words that attackers can use for various attacks like Password Cracking and Brute-Forcing.
Note: Make Sure You have Python Installed on your System, as this is a python-based tool. Click to Install: Python Installation Steps on Linux
Features of CUPP Tool
- CUPP tool is an automated tool.
- CUPP tool is designed in the python language.
- CUPP tool is open-source and free to use.
- CUPP tool supports interactive questioning and generates results.
- CUPP tool downloads huge wordlists from the repository.
- CUPP tool supports Leet Mode.
How does CUPP Tool Works?
The working of the CUPP Tool is quite simple. It would help if you executed the python script using the following command.
After running the script, you need to choose the appropriate tag for the flag or creating the wordlists. For Example, if you have selected the -i tag, the CUPP tool interacts with you and asks you some common questions about your target domain or person. You need to answer those questions, and if you are not too familiar or don’t know the answer, you can skip the question about pressing the Enter Button on the keyboard. After providing all the solutions, your work is done; now, the CUPP tool will analyze the input and design unique words or password words. After analyzing the responses, the CUPP tool generates a text file containing the phrase that attackers can use to brute force or use as Username or Password wordlist to perform password cracking attacks against that victim.
Leet Mode in CUPP
Leet mode is the method or technique used to secure the sensitive credentials used for authentication purposes. Leet mode allows users to substitute or replace the characters with similar-looking numerical or special characters. This Substitution makes the confidentiality of credentials stronger than the common credential. For example,
A: 4, @ B: 8, |8 C: ©, ¢ D: |), |}
In the above examples, we have possible numerical and unique character values for Characters A, B, C, D. Leet mode makes the Password or Username values stronger. CUPP tool supports this leet mode. So we can design the wordlists as per the Leet mode instruction given to the characters.
For using this Leet mode in the CUPP tool, we need to change the characters in the cupp.cfg. In the below Screenshot, We have displayed the contents of cupp.cfg file.
You can see that some characters are replaced with numerical values or special characters. So we can change this and give the matter as per our choice. We will use this mode as an example in the “Working with CUPP Tool on Kali Linux” Section.
Installation of CUPP Tool in Kali Linux OS
Step 1: Check whether Python Environment is Established or not, use the following command.
Step 2: Open up your Kali Linux terminal and move to Desktop using the following command.
Step 3: You are on Desktop now create a new directory called CUPP using the following command. In this directory, we will complete the installation of the CUPP tool.
Step 4: Now switch to the CUPP directory using the following command.
Step 5: Now you have to install the tool. You have to clone the tool from Github.
git clone https://github.com/Mebus/cupp.git
Step 6: The tool has been downloaded successfully in the CUPP directory. Now list out the contents of the tool by using the below command.
Step 7: You can observe that there is a new directory created of the CUPP tool that has been generated while we were installing the tool. Now move to that directory using the below command:
Step 8: Once again to discover the contents of the tool, use the below command.
Step 9: Now we are done with our installation, Use the below command to view the help (gives a better understanding of tool) index of the tool.
python3 cupp.py -h
Working with CUPP Tool in Kali Linux OS
Example 1: Interactive questions for user password profiling
python3 cupp.py -i
1. In this example, We will be creating Password Wordlists from basic information known about our victim. (-i) i the tag used for Interactive questions for password wordlist creation.
2. In the below Screenshot, You can see that I have provided some answers to the question asked about my victim such as Name, Pet’s Name, Company, etc. Using this Information password list is created with 5933 unique words, and these words are stored in the text file, which can be used for further phases.
3. In the below Screenshot, We are displaying the text file created which consists of unique 5933 words.
Example 2: Download huge wordlists from the repository
python3 cupp.py -l
1. In this example, We will be downloading pre-created wordlists for the repository. There are various options that consist of their own wordlist data.
2. In the below Screenshot, We have selected Option 16 (Hindi). This wordlist consists of names of persons who are normally used in India or in the Hindi Language.
3. In the below Screenshot, You can see the names of persons who are commonly used in the Hindi Language.
Example 3: Parse default usernames and passwords directly from Alecto DB
python3 cupp.py -a
1. In this Example, We are downloading some common usernames and passwords from Alecto Database which are used for Administrative logins.
2. In the below Screenshot, We have the list of wordlist of passwords that are commonly used in administrative authentications.
3. In the below Screenshot, We have the list of Usernames that are commonly used in administrative authentications.
Example 4: Show the version of this program
python3 cupp.py -v
In this Example, We are simply printing the latest or current version of the CUPP tool. (-v) tag is used for printing version.
Example 5: Quiet mode (don’t print banner)
python3 cupp.py -q
In this Example, We are hiding the ASCII text for the Banner Text. (-q) tag is used to hide the banner.
Example 6: Leet Mode
Make Changes in the cupp.cfg file
1. In this example, We will be performing Leet Mode Demonstration. In the below Screenshot, We have the unchanged cupp.cfg file which we will be changing.
2. In the below Screenshot, We have to change the value of a=4 to a=@.
3. In the below Screenshot, We have executed the cupp.py script and we will provide the target name. So We have provided the name of the target as Gaurav Gandal which contains character a.
4. In the below Screenshot, You can see that the tool interface is asking for the confirmation of leet mode, so we have provided it with Y(Yes).
5. In the below Screenshot, You can see that a character is substituted with the ‘@’ character, and all the words are saved in the text file.