The Exploit

Notes from the Front Lines of Penetration Testing

Cool Tools Series: CeWL for Penetration Testing

Cool Tools Series: CeWL for Penetration Testing

Written by

Jason Taylor

Are you performing a password audit for your internal domain or performing an authorized penetration test and need to crack some password hashes? Employees often select predictable passwords containing a root word related to the company or the industry the company operates in. 

CeWL (Custom Word List generator) is a tool that helps automate the creation of a custom word list based on web content by pulling out words associated with the company and industry to help populate a custom word list. 

Using CeWL

CeWL is a Ruby program that is available on GitHub and also comes installed natively on Kali Linux

Installation is as simple as ensuring you have Ruby available and following the instructions on the GitHub repository.

In this example, we’ll assume we have the following password hash for a fictional agriculture company:

Sample password hash

We can try running this through hashcat using the rockyou.txt word list, but this password hash will not be cracked with that word list. We need something more customized. 

Here we see the website for our fictional company, agriculture.local. 

Sample local website for our test

If we point CeWL to this website, it will pull out each word that is used on the website. We can run it by entering this command. Using -w outputs the word list to a file. 

./cewl.rb -w custom-wordlist.txt http://agriculture.local
CeWL command

After the tool runs, we can take a look at what it found:

Custom wordlist CeWL creating using our website

We can run this word list through hashcat using a couple of extra flags to extend the candidate word list using rules. The word list will just be the single words found on the site. It is likely the employees would add a year or special character as well if they used a word from the site as part of their password. 

hashcat -m 1800 -r append_year -r append_special.rule password.hash custom-wordlist.txt
Hashcat command using CeWL wordlist and rules that add years and special characters

Running hashcat with rules to append the current and previous year as well as a special character, we find that the password is cracked in no time:

Hashcat results showing password cracked

Summary

When employees choose a password, it’s often the case that a number of them will use the company name or a phrase based around the company. If there’s a motto or common industry terms, people may also choose those as the base syntax for their passwords. 

CeWL can help you generate a custom word list based around a specific company by pulling words from the company’s website. When combining a custom word list from CeWL with a series of rules to modify the password by adding year or special characters, your chances of cracking a password are greatly increased. 

Please check back for the next post in the Cool Tools series!

Written by

Jason Taylor

Jason has a passion for asking “what-if” questions and for trying to “break” software and test how it responds to unintended uses. Jason has a background in System Administration and Security Engineering in the financial sector. He holds both defensive and offensive certifications including OSCP, PNPT, GCIH, CASP+, and is Splunk Certified. When he’s not spending his time taking new training courses, he loves spending time with his wife and kids and occasionally working on an IoT project to automate some aspect of their greenhouse or chicken coop.

Jason Taylor
Jason has a passion for asking “what-if” questions and for trying to “break” software and test how it responds to unintended uses. Jason has a background in System Administration and Security Engineering in the financial sector. He holds both defensive and offensive certifications including OSCP, PNPT, GCIH, CASP+, and is Splunk Certified. When he’s not spending his time taking new training courses, he loves spending time with his wife and kids and occasionally working on an IoT project to automate some aspect of their greenhouse or chicken coop.

Posted on

Categories: ,

Also by Jason Taylor
  • Microsoft Releases Security Patch for Actively Exploited On-Premises SharePoint Vulnerabilities
  • OWASP Top 10 for LLM Applications Penetration Testing
  • Jailbreak Journey: Transforming an iPad for Mobile App Penetration Testing
  • Jason Taylor, Lead Penetration Tester

Human Vs AI Pentesting

While AI tools offer speed in detecting known vulnerabilities, they fall short with 20-35% false positives and only 50-65% success on complex threats like business logic flaws, as per mainstream reports from Verizon and OWASP. Human penetration testers at Raxis deliver 85-90% detection rates, precise prioritization, and ethical adaptability, ensuring your organization stays ahead of real-world attacks.

Learn More

Partner With Raxis

Partnering with Raxis empowers your business with elite penetration testing services, competitive reseller pricing, and recurring revenue opportunities, all backed by a proven track record of excellence and a commitment to staying ahead of evolving cybersecurity threats.

Learn More

Penetration Testing

Tailored, expert-led penetration testing services that uncovers hidden vulnerabilities using real-world hacker techniques, providing actionable insights to strengthen your defenses and protect against sophisticated cyber threats.

Learn More

Read More From The Exploit

  • PSE & Red Team Series: The Power of Grip to Enhance the Under-Door Tool

    PSE & Red Team Series: The Power of Grip to Enhance the Under-Door Tool
    By Brad Herring • August 12, 2025
    Read More
  • Wireless Series: Using Wifite to Capture and Crack a WPA2 Pre-Shared Key

    Wireless Series: Using Wifite to Capture and Crack a WPA2 Pre-Shared Key for Penetration Testing
    By Scottie Cole • June 17, 2025
    Read More
  • Jailbreak Journey: Transforming an iPad for Mobile App Penetration Testing

    Jailbreak Journey: Transforming an iPad for Mobile App Penetration Testing
    By Jason Taylor • June 3, 2025
    Read More

Ready to See Raxis One In Action?

See how we transform traditional pen testing into interactive security intelligence that keeps you informed every step of the way. From real-time attack progression to detailed remediation guidance, Raxis One gives you unprecedented visibility into your security posture as it’s being tested.

Schedule a Demo