
Comprehensive Guide on Cupp – A Wordlist Generating Tool

Hello Friends!! Today we are going to explore the functions of Cupp, an authoritative tool that creates a wordlist tailored to a particular person, which can be used in a brute force attack to guess login credentials.

Table of Contents

  • Introduction to Cupp
  • How Cupp Works
  • Getting Started
  • Generating Custom Dictionary
  • Adding to Custom Dictionary
  • Downloading Dictionaries from Cupp Repository 
  • Downloading Default Usernames and Passwords
  • Quiet Mode

Introduction to Cupp

Cupp stands for Common User Passwords Profiler. The tool can be used in many circumstances, such as licensed penetration tests or forensic crime investigations. Cupp is cross-platform and written in Python; its functioning is simple, but its results are very powerful. This application is a social engineer’s best friend when it comes to creating targeted password dictionaries that are tailored to an individual.

How Cupp Works

Cupp takes vectors from the profiling done for an individual, such as their nickname, pet’s name, child’s birthdate, etc. It works on the principle that a password is, more often than not, a combination of things known to an individual. These known things are often personal details that are very close to a person’s heart.

In cases where a person might use special notations in place of letters (e.g., leet can be written as 133t), Cupp has you covered.
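The same principle can be turned into a password-policy check that refuses passwords built from a user's own details. The sketch below is an added example, not code from Cupp or from the original article; the leet mapping, the reversal check, the function names and the sample profile are all assumptions made for illustration.

```python
import re

# Characters commonly swapped for letters; an assumed mapping, not Cupp's own table.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})

def profile_tokens(profile):
    """Collect lowercase words and date fragments from a user's known details."""
    tokens = set()
    for value in profile.values():
        parts = [p for p in re.split(r"[^a-z0-9]+", value.lower()) if p]
        tokens.update(p for p in parts if len(p) >= 3)
        if len(parts) >= 2 and all(p.isdigit() for p in parts):
            # Date-like value: full digit string plus day/month in both orders.
            tokens.update({"".join(parts), parts[0] + parts[1], parts[1] + parts[0]})
    return tokens

def variants(password):
    """Lowercased password, its de-leeted forms ('1' read as i or l), and reversals."""
    raw = password.lower()
    deleet = raw.translate(LEET)
    forms = {raw, deleet.replace("1", "i"), deleet.replace("1", "l")}
    # Reversal is an extra variant assumed here; the article does not mention it.
    return forms | {f[::-1] for f in forms}

def personal_matches(password, profile):
    """Return the sorted profile tokens that appear in any variant of the password."""
    forms = variants(password)
    return sorted(t for t in profile_tokens(profile) if any(t in f for f in forms))

# Constructed sample profile for a fictional user.
SAMPLE_PROFILE = {"first_name": "Priya", "pet": "Bruno",
                  "partner_nickname": "Sam", "birthdate": "14-07-1990"}

if __name__ == "__main__":
    for candidate in ["Brun0@1990", "ayirP!2024", "S4m0714", "correct-horse-battery"]:
        hits = personal_matches(candidate, SAMPLE_PROFILE)
        print(f"{candidate!r}: {'REJECT ' + str(hits) if hits else 'ok'}")
```

A check like this belongs at password-change time, where the application already holds the profile fields it compares against.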

Installation and Configuration

Cupp can be downloaded from GitHub using the “git clone” command. Within the downloaded Cupp folder, run the “cupp.py” file. Once the file is run, the program shows you the various options it has to offer.

git clone https://github.com/Mebus/cupp.git
cd cupp
ls
./cupp.py

Optional Arguments:

-i      Interactive questions for user password profiling

-w FILENAME      Use this option to profile an existing dictionary

-l      Download huge wordlists from a repository

-a      Parse default usernames and passwords directly from Alecto DB. Project Alecto uses purified databases of Phenoelit and CIRT which were merged and enhanced.

-v      Version of the program

Generating Custom Dictionary

Now it’s time to have some fun!

We will be using the interactive option to generate the custom dictionary. You will see that we can input details such as a pet’s name, a child’s name, a partner’s nickname, etc. All of these are highly personal, and it is very common to find them in a password, one way or another.

There’s also an option to add specific keywords, special characters, and random numbers. Apart from all this, there’s the option to activate Leet mode, which will make the generated dictionary extremely effective.

That’s all, the dictionary now gets made and saved.

./cupp.py -i

Adding to Custom Dictionary

Cupp gives us the option to add more words to our created dictionary. We can customize the kind of words we would like to add by using the provided options.

./cupp.py -w raj.txt

Now that we have successfully executed the command, let’s go to the output location to check whether the output has been saved to the file or not. In this case, our output location is /root/cupp/raj.txt.cupp.txt

Downloading Dictionaries from Cupp Repository 

Cupp has its own repositories of dictionaries which are pre-classified. These dictionaries can be downloaded and used. The downloaded files are compressed and have to be uncompressed to be viewed.

Enter the number of the dictionary you want to download. We pressed 16 and downloaded a dictionary of Hindi names to view.

./cupp.py -l
cd dictionaries
cd hindi
gzip -d hindu-names.gz
cat hindu-names

Downloading Default Usernames and Passwords

Cupp can download premade dictionaries holding the most common usernames and passwords from the project Alecto database for usage.

./cupp.py -a
ls
cat alectodb-passwords.txt

Quiet Mode

Quiet mode is for running Cupp in a more hush-hush way. If you’re the kind of person who does not want a big banner on their screen showing everyone what you’re doing, you’ll like this option. This basically makes for a cleaner screen while Cupp is carrying out the commands you’re giving it, without the funny cow popping up on top.

We’re going to couple the quiet mode option with the dictionary download option that we demonstrated above.

./cupp.py -a -q

We hope you enjoyed this basic walkthrough of the Cupp application. It is a very handy and easy-to-use tool when it comes to making custom dictionaries. Go ahead and see if it can guess your password.

Stay tuned for more articles on the latest and greatest in hacking!!!

 

Author: Shubham Sharma is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration testing.
