By: Brendon Anderson
For everything that movies and TV shows get wrong about ‘hacking’, they generally get one thing right: humans are a great attack vector. Social engineering, watering hole attacks, and weak, predictable passwords are all prime examples of how humans have been, and probably always will be, the weakest link in the information security chain. A number of tools exist to exploit these human weaknesses, including CUPP, the Common User Passwords Profiler.
CUPP is a Python script designed to take in information about a target, including personal details like relatives’ names, alma mater, etc., and create wordlists for brute-force and dictionary attacks based on that input. In a world where companies are becoming significantly more security aware and software and hardware vulnerabilities are getting harder to find and exploit, weak or reused passwords are quickly becoming one of the most promising attack avenues, especially in targeted engagements where one compromised user can snowball into devastating results. CUPP’s strength is its automation, but using it effectively does require a bit of finesse and knowledge. After all, without relevant information to feed into it, CUPP is essentially toothless.
An example run of CUPP’s interactive wizard
CUPP’s interactive wizard is probably its most used, and most useful, feature. By default it asks for basic information about your target, their partner, children, and pets, and the company they work for. Afterward you can add further words you think are relevant to the target, such as their college mascot or favorite sports team, and the wizard uses all of this to generate a moderately large wordlist. It certainly won’t be exhaustive, but it’s a fantastic starting point, and since it’s written in Python it can be customized to fit any use case, especially when you know the password policy or length limit imposed on your target; there is little point in cracking against candidates the target system would never have accepted in the first place. Before we can get the most out of CUPP, we have to answer a linchpin question: how do we come by enough relevant information about our target to create a promising wordlist? To answer this, we can turn to tried-and-true methods of information gathering using Google, or specifically tailored ‘people’ search engines like Spokeo.
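To make the customization point concrete, here is a small CUPP-style generator written for this article; it is an added example, not CUPP’s own code. It takes the same profile categories the wizard asks for (names, nicknames, DDMMYYYY birthdates, partner, child, pet, company, extra keywords), applies a subset of the mutations CUPP is known for (case variants, date fragments, leet substitutions, two-word concatenations), and then filters the result against a hypothetical password policy so only candidates the target system could actually have accepted survive. The profile values, the policy parameters, and the separator and suffix lists are all assumptions chosen for the example.

```python
"""CUPP-style profile-to-wordlist generator (added example, not CUPP's code)."""
import itertools

# Constructed sample profile; every value here is made up.
PROFILE = {
    "name": ["john", "smith", "jsmith"],        # first, last, nickname
    "birthdate": "14031985",                    # DDMMYYYY, same format CUPP asks for
    "partner": ["jane", "janey"],
    "partner_birthdate": "02111987",
    "child": ["emma"],
    "pet": ["rex"],
    "company": ["acmecorp", "acme"],
    "keywords": ["tigers", "mustang"],          # secondary info, e.g. from social media
}

# Assumed mutation tables; CUPP's own lists are longer.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SEPARATORS = ["", "_", ".", "!", "@"]
SPECIALS = ["!", "@", "#", "1", "123"]


def date_fragments(ddmmyyyy):
    """Return the pieces of a DDMMYYYY date that people splice into passwords."""
    if len(ddmmyyyy) != 8 or not ddmmyyyy.isdigit():
        return []
    d, m, y = ddmmyyyy[:2], ddmmyyyy[2:4], ddmmyyyy[4:]
    return [d, m, y, y[2:], d + m, m + d, d + m + y, y + m + d, d + m + y[2:]]


def case_variants(word):
    """lower / Capitalized / UPPER forms of a word."""
    return {word.lower(), word.capitalize(), word.upper()}


def generate(profile, leet=True):
    """Build the full candidate set from a profile dict; returns a sorted list."""
    words = set()
    for key in ("name", "partner", "child", "pet", "company", "keywords"):
        words.update(profile.get(key, []))
    numbers = (date_fragments(profile.get("birthdate", ""))
               + date_fragments(profile.get("partner_birthdate", ""))
               + SPECIALS)
    out = set()
    for w in words:
        for v in case_variants(w):
            out.add(v)
            if leet:
                out.add(v.translate(LEET))
            for n in numbers:                   # word+number and number+word
                out.add(v + n)
                out.add(n + v)
    # Two-word combinations (name + pet, pet + company, ...) with common separators.
    for a, b in itertools.permutations(words, 2):
        for sep in SEPARATORS:
            out.add(a + sep + b)
            out.add(a.capitalize() + sep + b.capitalize())
    return sorted(out)


def meets_policy(pw, min_len=8, max_len=64, need_digit=True, need_upper=False):
    """Hypothetical complexity policy; tune it to what you know about the target."""
    return (min_len <= len(pw) <= max_len
            and (not need_digit or any(c.isdigit() for c in pw))
            and (not need_upper or any(c.isupper() for c in pw)))


def build_wordlist(profile, **policy):
    """Generate candidates and keep only those the policy would have accepted."""
    return [pw for pw in generate(profile) if meets_policy(pw, **policy)]


if __name__ == "__main__":
    wl = build_wordlist(PROFILE, min_len=8, need_digit=True)
    print(f"{len(generate(PROFILE))} candidates, {len(wl)} pass policy")
    print("\n".join(wl[:20]))
```

Dropping candidates that fail the policy is the single cheapest optimization here: on a system that enforces eight characters and a digit, short single words like the pet’s name are wasted hash computations, while the same name with a birth year appended is exactly the kind of password people choose to satisfy the rule.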
Spokeo’s results page
To start with, let’s analyze how we could arrive at the information that CUPP takes by default, which includes: the target’s full name, nickname, and DOB, their partner’s full name, nickname, and DOB, their child’s full name, nickname, and DOB, their pet’s name, and the name of the company they work for. Let’s assume that we are starting with our target’s first and last name, since in a targeted attack where CUPP would be useful it’s unlikely that we would be operating with less than that. First, we need to assess whether our target is or has been married, and also whether they have any children. While many counties have online databases of marriage licenses, they don’t all allow public access. Since the cases where an outside party should legitimately need someone else’s marriage license are slim, it’s generally necessary to prove you have a genuine reason, such as a court order, before you can pull any records. However, property information is often public record, so by using Spokeo to find a likely address, we can determine which county’s property records to search. Both mortgage applications and deed transfers will almost always contain the names of both spouses, so searching through any land records the target has generated is a great way to find their spouse’s name, and once we have that we can turn back to Spokeo to find things like DOB and any aliases.
Monroe county public records search
Finding out whether someone has any children can be a bit trickier. Like marriage records, birth certificates are public records in principle, but it’s often difficult to get a legitimate copy as a third party. While not a free option, ancestry websites such as Ancestry.com can provide an excellent avenue for finding birth records. Another good avenue, which also works for finding spouses, is searching for gift registries. Registering online for gifts is an extremely common practice, and sites such as Registryfinder.com can be used to look up baby shower registries given a parent’s first and last name. Like most information gathering techniques it’s not infallible, but having more avenues to search is always a good thing.
Out of all the basic info CUPP uses for its wordlist generation, the pet’s name is probably the most difficult to come by from a completely external perspective. This is where we most likely need to get a little creative with social engineering. If we know the general vicinity our target lives in, as we should have been able to find from land records and searching on sites like Spokeo, we can both find veterinary offices in their area and learn what the state policy is for disclosure of veterinary medical records. In New York, for example, a vet is allowed to disclose an animal’s medical records if they suspect that the animal is being abused, or if they believe that by disclosing the animal’s records a human or animal may be saved from harm. Knowing this, we could use a bit of manipulation to coax information about our target’s pet out of someone at the vet’s office. It’s an ethically gray route, but one that a determined attacker wouldn’t think twice about taking. On an authorized engagement, pretexting a third party like this has to be explicitly within scope and approved by the client before anyone picks up the phone.
Finally, we arrive at the company the target currently works for. This item can also be somewhat difficult to retrieve without any usable connection to the target, but there are some routes. Background checks are a common part of the employment process; employers need to be sure that the person they’re hiring actually is who they say they are, so many sites exist for gathering and collating personal records, including employment history. This strategy does have complications, however, namely that in some states it is illegal to conduct a background check without the subject’s permission. Another good avenue for finding someone’s work history is their own resume. Many people host their resume online, either on a personal website or on a job site like ZipRecruiter or Indeed, and a LinkedIn profile will usually list the current employer outright.
Arguably more useful than all of CUPP’s default information categories is any secondary information about our target. Human memory is a fickle thing, so when people have to create passwords they often stick to things that are easy to remember, like their high school mascot or favorite model of car. This is where social media plays a huge role in information gathering, both for use in CUPP and otherwise. Not only can you potentially find answers for every piece of information we’ve gone over so far, but you can also build a fantastic profile of who your target is as a person. By crawling through someone’s Tweets, Facebook statuses, Instagram posts, Pinterest pins, etc., we can establish key phrases the target uses and causes or products they’re interested in, along with a bevy of other words that are most likely to appear in their passwords.
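Turning a pile of posts into the keyword list CUPP’s wizard asks for is mostly ranking: the words a person repeats, hashtags, and capitalized names (teams, pets, employers) matter far more than ordinary vocabulary. The extractor below is an added example written for this article, not part of CUPP or the original post. The posts are constructed, and the weighting scheme (hashtags and @handles count triple, capitalized mid-sentence tokens double, everything else once) and the stopword list are assumptions chosen for the example; a real run would feed in text exported or scraped from the target’s accounts and use a proper stopword list.

```python
"""Rank candidate password keywords from a target's public posts (added example)."""
import re
from collections import Counter

# Constructed sample posts; everything here is made up.
POSTS = [
    "Go Tigers! Homecoming 2004 crew reunited this weekend #Tigers #ClassOf2004",
    "Rex finally learned to fetch. Best dog ever. #goldenretriever",
    "New Mustang day. Dream since I was sixteen. #Mustang #ford",
    "Proud of Emma's first recital tonight",
    "Another late night at AcmeCorp but the Tigers game made it worth it",
]

# Minimal stopword list for the example; use a real one in practice.
STOPWORDS = {"the", "a", "an", "and", "of", "to", "at", "in", "is", "was",
             "it", "i", "my", "this", "that", "but", "for", "best", "ever",
             "since", "day", "night", "another", "new", "go", "proud", "first",
             "tonight", "worth", "made", "game", "late", "crew", "reunited",
             "weekend", "learned", "finally", "dream", "sixteen"}

HASHTAG = re.compile(r"#(\w+)")
HANDLE = re.compile(r"@(\w+)")
YEAR_IN_TEXT = re.compile(r"\b(19\d{2}|20\d{2})\b")     # standalone year
YEAR_ANYWHERE = re.compile(r"(19\d{2}|20\d{2})")        # e.g. embedded in ClassOf2004
WORD = re.compile(r"[A-Za-z]{3,}")


def extract_keywords(posts, top=15):
    """Return (keywords, years): ranked lowercase terms and years seen in the posts."""
    counts = Counter()
    years = Counter()
    for post in posts:
        # Hashtags and handles are deliberate self-labels; weight them highest.
        tags = HASHTAG.findall(post) + HANDLE.findall(post)
        for tag in tags:
            counts[tag.lower()] += 3
            years.update(YEAR_ANYWHERE.findall(tag))
        years.update(YEAR_IN_TEXT.findall(post))
        # Strip the tags so their words are not counted a second time below.
        text = HANDLE.sub(" ", HASHTAG.sub(" ", post))
        for m in WORD.finditer(text):
            w = m.group(0)
            if w.lower() in STOPWORDS:
                continue
            # Capitalized tokens that are not sentence-initial are usually names.
            weight = 2 if (w[0].isupper() and m.start() > 0) else 1
            counts[w.lower()] += weight
    keywords = [w for w, _ in counts.most_common(top)]
    return keywords, sorted(years, key=years.get, reverse=True)


if __name__ == "__main__":
    kw, yrs = extract_keywords(POSTS)
    print("keywords:", ", ".join(kw))
    print("years:", ", ".join(yrs))
```

The ranked terms go straight into the wizard’s “key words about the victim” prompt, and the years it surfaces are worth adding alongside the birthdates, since a graduation or wedding year is used as a password suffix just as often as a birth year. The sentence-initial rule is deliberately conservative: a pet’s name that only ever opens a sentence (“Rex” above) is still captured, just with a lower weight.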
In today’s world it is almost impossible to avoid leaving a digital footprint of some kind. Digitization of public records and the ubiquity of social media have made it easier than ever to conduct targeted recon on an individual, and the increasing prevalence of technology means that our passwords bear more weight than ever before. Through the use of tools like CUPP, we can weaponize personal information to enhance brute-force attacks, and also learn what a password must avoid if it is to fall outside the reach of attackers’ tools.
CUPP Github: https://github.com/Mebus/cupp
Spokeo Search Engine: https://www.spokeo.com/