# Reviving Dictionary Attacks with Custom Generated Wordlists

**Published by:** [jeffy yu](https://paragraph.com/@lljeffy/)

**Published on:** 2023-12-10

**URL:** https://paragraph.com/@lljeffy/reviving-dictionary-attacks-with-custom-generated-wordlists

## Content

### Take Me Back to the Good Old Days

Dictionary attacks used to be the bread and butter of pentesting – simple, effective, and as reliable as a Swiss Army knife. But here's the catch: companies got wise, and passwords got complex. The once trusty wordlists are starting to resemble VHS tapes in the Netflix world. Nostalgic? Perhaps. Outdated? Definitely. Who's still hanging onto 'password123' when your dog's Instagram account demands an uppercase letter, symbol, and the plot twist from a Christopher Nolan movie?

Customizing wordlists is the next logical step, but it's a time sink, and time is a premium commodity when you’re poring over lines of code trying to find a backdoor. Manually tailoring a wordlist for each new client sounds good in theory, like hand-crafting your own artisanal coffee blend every morning, but what team has the time for that?

And online generators? Static. Uninspired. They give you a handful of parameters to play with, but even then, the end product is like picking a paint-by-numbers kit versus a blank canvas. You’re in control of the colors, but the scene’s already sketched out, the template is inflexible. It lacks the personal touch that is needed to match the unique security posture of a well-guarded enterprise network.

### A Scalpel, Not a Sledgehammer

I created a Python script that leverages GPT-4 to generate wordlists customized for specific targets. Some pentesters use the term “customized dictionary creation.”

### Step 1: Input Target Info

The script kicks off with a straightforward Q&A session. Here you'll input target information: the company name, any abbreviations, industry type, product names, employee names, and other unique tidbits like local lingo or birthdays.
Essentially, anything that GPT-4 can use as ammunition to generate potential passwords.

### Step 2: Password Complexity Criteria

You'll set the bar for password complexity here by specifying minimum lengths, requirements for capital letters, numbers, and symbols. This makes sure each item on the wordlist isn’t automatically invalidated by password policy rules.

### Step 3: Retrieve and Deploy

GPT-4 will work its magic, and the results will be saved in a txt file. The outputs are stored in the dictionary folder under the filename specified in the prompts.

### Example Results

```
Texas@2023
Semiconductor$1
JohnDoe#123
TI_employee8!
TexasInst@321
DoeJohn!789
SecureTI#456
Instruments$2
John&Texas9
Passw0rd!TI
Doe#Semicon8
JohnTexas!2
TI#2023Pass
Innovate@8TI
SemiCon!1234
Electron1c$
Texas!4John
Doe8#Insts
Chip$Maker9
Circu1tTI!
Microch1p#2
Texas#Engin8
SiliconVal3y!
Dallas!Sem1
TI_Dallas4$
In$trument8
DoeSecure!3
Transist8#r
Texas&Chips
HighTech9@TI
Innov8!@TI
Semicon2019!
Texas!2021TI
JohnDoe$2022
PasswordTI$1
T3chnology!
Advanced8#TI
TiP@ssword2
Doe!Texas12
SiliconJohn!
Instruments!3
Doe8*Doe8
TI_JohnDoe4$
Chipset@88
John$Texas2
TexasDoe!23
TI@Semicon8
SecureChip9#
JobJohnTI#1
Instruments2023!
```

Check out the GitHub repo here to try it out for yourself. Happy hunting!

### Disclaimer

This tool is intended for ethical pentesting, educational, and research purposes only. The authors are not responsible for any misuse or damage caused by this tool. Always obtain proper authorization before conducting penetration testing.
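The example results above all pass a length-plus-character-class policy while being assembled from target context, which is the gap a defender has to close. The following is an added example, not code from the original post or its repo: a password-acceptance check that applies the composition rule and also rejects context-derived passwords. The term list and function names are assumptions constructed here.

```python
import re

# Constructed, hypothetical context terms an organization would list for itself
# (company name, abbreviation, industry words, staff names, office locations).
CONTEXT_TERMS = ["texas", "instrument", "semicon", "john", "doe", "dallas", "TI"]

# Common character substitutions, undone before matching.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def meets_complexity(pw, min_len=8):
    """Classic composition policy: length plus upper, lower, digit, symbol."""
    return (len(pw) >= min_len
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def context_hits(pw, terms=CONTEXT_TERMS):
    """Return the context terms a password is built from."""
    normalized = pw.lower().translate(LEET)
    hits = []
    for term in terms:
        if len(term) >= 3:
            # Longer terms: case-insensitive substring match after undoing leet.
            if term.lower() in normalized:
                hits.append(term)
        # Short abbreviations: match only as a standalone upper-case token,
        # otherwise "ti" would fire on unrelated words.
        elif re.search(rf"(?<![A-Z]){re.escape(term.upper())}(?![A-Za-z])", pw):
            hits.append(term)
    return hits


def accept(pw, terms=CONTEXT_TERMS):
    """Accept only passwords that pass composition rules and avoid context terms."""
    return meets_complexity(pw) and not context_hits(pw, terms)


if __name__ == "__main__":
    # Three entries from the post's example results plus one constructed random string.
    for pw in ["Texas@2023", "SecureTI#456", "In$trument8", "vK7#qLm2!xRw"]:
        print(f"{pw:14} complexity={meets_complexity(pw)} context={context_hits(pw)}")
```

Short abbreviations are matched only in upper case, so a variant such as `TiP@ssword2` is not flagged by this check.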