Building Word-lists for Red Teamers

Venkatraman K, OWASP Chennai
Published Dec 14, 2020 (4 min read)

This post gives an overview of building word-lists that can be used for password spraying or for cracking hashes captured during an assessment or a CTF.

Categories:
1. Constructing Word-list through regular expressions
2. Constructing Word-list from a Website
3. Constructing Word-list for Human-Specific Targets
4. Constructing Word-list from Keyboard Walks

Constructing Word-list through regular expressions

We are going to look at regular expressions that generate the kind of passwords most commonly used in organizations. We used a Python tool called Exrex, a command-line tool and Python module that generates all (or random) strings matching a given regular expression, and more.

Installation:
pip install exrex
Help:
exrex --help

Employees commonly set passwords that follow the pattern "current month followed by the year" or "current season followed by the year", e.g. December2020 or Winter2020. We have noticed that many organizations still use these password patterns, and some don't even change these passwords regularly.

Seasons:
exrex "((W|w)inter|(S|s)ummer|(F|f)all|(A|a)utumn|(S|s)pring)20(16|17|18|19|20)"
Months:
exrex "((J|j)anuary|(F|f)ebruary|(M|m)arch|(A|a)pril|(M|m)ay|(J|j)une|(J|j)uly|(A|a)ugust|(S|s)eptember|(O|o)ctober|(N|n)ovember|(D|d)ecember)20(16|17|18|19|20)"

Sometimes the password is a variation of the organization's name (mixed case, with digits or special characters substituted for letters) followed by the year. Consider an organization named Evil Corporation. We want to generate all combinations of upper case, lower case and common character substitutions of the company name, followed by the year.

Organization Name: evilcorp
Evilcorp2020
EvILC0rp@2020
Regular Expression:
exrex "((E|e)(V|v)(I|i|1)(L|l|1)(c|C)(O|0|o)(r|R)(P|p))(@|)20(17|18|19|20)"
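The defender-side counterpart of the patterns above, as an added example that is not part of the original post: instead of generating Winter2020, December2020 or EvILC0rp@2020 candidates, the check rejects them when a password is set. The organization name evilcorp comes from the post; the extra leet classes are an assumption.

```python
import re

# Season/month + year, as produced by the exrex patterns above. An optional
# trailing symbol catches the common "Winter2020!" variant.
SEASON_YEAR = re.compile(
    r"^(winter|summer|fall|autumn|spring)20\d{2}[!@#$%.]?$", re.I)
MONTH_YEAR = re.compile(
    r"^(january|february|march|april|may|june|july|august|september|"
    r"october|november|december)20\d{2}[!@#$%.]?$", re.I)

# Character classes mirroring the substitutions in the post's evilcorp regex
# (I->1, L->1, O->0) plus a few other common leet swaps (assumed).
LEET_CLASSES = {"a": "[a4@]", "e": "[e3]", "i": "[i1!]", "l": "[l1]",
                "o": "[o0]", "s": "[s5$]", "t": "[t7]"}


def leet_pattern(word):
    """Regex source matching any case/leet variation of word (e.g. evilcorp)."""
    return "".join(LEET_CLASSES.get(ch, re.escape(ch)) for ch in word.lower())


def org_year_regex(org):
    """Org name in any case/leet form, optional separator, optional 20xx year."""
    return re.compile(rf"^{leet_pattern(org)}[@#!._-]?(20\d{{2}})?[!@#$%.]?$", re.I)


def predictable_pattern(pw, org_names=("evilcorp",)):
    """Return why pw matches a word-list-style pattern, or None if it does not."""
    if SEASON_YEAR.match(pw):
        return "season+year"
    if MONTH_YEAR.match(pw):
        return "month+year"
    for org in org_names:
        if org_year_regex(org).match(pw):
            return f"org-name variant ({org})"
    return None


if __name__ == "__main__":
    # Constructed sample candidates, including the post's own examples.
    for candidate in ["Winter2020", "December2020", "Evilcorp2020",
                      "EvILC0rp@2020", "correct-horse-battery-staple"]:
        print(f"{candidate:30} -> {predictable_pattern(candidate)}")
```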

Constructing Word-list from a Web-Application

We will look at a tool called CeWL, which is useful during assessments or CTFs where you have a web application with a login endpoint and an about page that lists employee bios.
CeWL spiders a web site and collects the words found on it. It is a mature tool written in Ruby, and it returns a large list of words that are useful for red teamers: company-specific terms such as product names, internal team names and employee names.

Installation:
apt install cewl
Help:
cewl --help
Usage:
cewl -d 2 -m 5 -w docswords.txt https://example.com

This spiders to a depth of 2 (-d 2), keeps only words of at least 5 characters (-m 5), saves the words to a file (-w docswords.txt) and uses https://example.com as the target.

Constructing Word-list for Human-Specific Targets

Targeting people plays an effective role in red team engagements: an organization's employees can be an easy target for the initial foothold. People tend to set weak passwords that reflect their personal interests and personal information. For this we used a tool called CUPP.
CUPP (Common User Passwords Profiler) is a Python tool that generates a password list from the answers you give to its interactive questions, narrowing the list down to a specific person. A weak password might be very short or use only alphanumeric characters, making it easy to crack. A weak password can also be one that is easily guessed by someone profiling the user, such as a birthday, nickname, address, the name of a pet or relative, or a common word such as God, love, money or password.

Installation:
git clone https://github.com/Mebus/cupp.git
cd cupp
Help:
python3 cupp.py -h
Usage:
python3 cupp.py -i

Constructing Word-list from Keyboard Walks

Keyboard walks are word-lists made up of adjacent keys on the keyboard, like 12345678 or 1qazxsw2. Starting with the letter "z", we move north-west, hitting the "a", "q" and "1" keys. We then move east one key, hitting the number "2", and then move south-east back down the keyboard, hitting the "w" key and stopping on "s". This produces the password "zaq12ws".

We will use a tool called kwprocessor.

Installation:
git clone https://github.com/hashcat/kwprocessor.git
cd kwprocessor
make

The keymaps folder contains keyboard layouts for multiple languages, and the routes folder has 7 pre-configured keyboard walks, or routes, that can be used to generate word-lists.

To create a simple kwp word-list, we will use the English keymap and the route file for walks of 2 to 10 characters with at most 3 direction changes. Run the command below:

./kwp basechars/full.base keymaps/en.keymap routes/2-to-10-max-3-direction-changes.route

This makes kwp generate every keyboard-walk combination of 2 to 10 characters with a maximum of 3 direction changes.
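A defender-side counterpart to the kwp walk generation above, written for this page and not part of kwprocessor: an approximate US QWERTY grid (rows treated as aligned columns, an assumption) that detects whether a candidate password is a keyboard walk and counts its direction changes the way the route file's limit does.

```python
# Approximate US QWERTY grid: the four rows kwp walks over, with shifted
# digits mapped back to the same physical key. Row stagger is ignored.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
SHIFTED = dict(zip("!@#$%^&*()", "1234567890"))
KEY_POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}


def key_position(ch):
    """Grid coordinate of a key, ignoring case and Shift; None if unknown."""
    return KEY_POS.get(SHIFTED.get(ch, ch.lower()))


def keyboard_walk(pw, min_len=2):
    """Return the number of direction changes if pw is a keyboard walk, else None.

    A walk moves one key at a time (diagonals included) and never stays on the
    same key; a jump or a key outside the grid means pw is not a walk.
    """
    if len(pw) < min_len:
        return None
    positions = [key_position(ch) for ch in pw]
    if None in positions:
        return None
    steps = []
    for (r1, c1), (r2, c2) in zip(positions, positions[1:]):
        dr, dc = r2 - r1, c2 - c1
        if (dr, dc) == (0, 0) or max(abs(dr), abs(dc)) > 1:
            return None
        steps.append((dr, dc))
    # zaq12ws: N,N,N,E,S,S -> two changes; 12345678: all E -> zero changes.
    return sum(1 for a, b in zip(steps, steps[1:]) if a != b)


def weak_by_walk(pw, max_changes=3, max_len=10):
    """True if pw would appear in a 2-to-10, max-3-direction-change style list."""
    changes = keyboard_walk(pw)
    return changes is not None and changes <= max_changes and len(pw) <= max_len


if __name__ == "__main__":
    # Constructed candidates, including the post's 12345678, 1qazxsw2, zaq12ws.
    for candidate in ["12345678", "1qazxsw2", "zaq12ws", "qwerty", "Tr0ub4dor"]:
        print(f"{candidate:12} changes={keyboard_walk(candidate)} "
              f"weak={weak_by_walk(candidate)}")
```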

Note:
Narrow down the word-list as much as you can and use it to brute-force the login endpoints, where it may not trigger an alert in the organization. Be careful with rate limiting; sometimes you may end up locking the account. You can also use the same word-list to crack captured password hashes.


Let us know if we have missed any word-list creation technique that you have used and found helpful in your assessments or CTFs; we would be happy to add it too!


Happy Red Teaming!

Venkatraman K
OWASP Chennai

@r3dw0lfsec | Security Researcher @ Vault Infosec | CEH | Bug Hunter