The Exploit

Notes from the Front Lines of Penetration Testing

Cool Tools Series: CeWL for Penetration Testing

Cool Tools Series: CeWL for Penetration Testing

Written by

Are you performing a password audit for your internal domain or performing an authorized penetration test and need to crack some password hashes? Employees often select predictable passwords containing a root word related to the company or the industry the company operates in. 

CeWL (Custom Word List generator) is a tool that helps automate the creation of a custom word list based on web content by pulling out words associated with the company and industry to help populate a custom word list. 

Using CeWL

CeWL is a Ruby program that is available on GitHub and also comes installed natively on Kali Linux

Installation is as simple as ensuring you have Ruby available and following the instructions on the GitHub repository.

In this example, we’ll assume we have the following password hash for a fictional agriculture company:

Sample password hash

We can try running this through hashcat using the rockyou.txt word list, but this password hash will not be cracked with that word list. We need something more customized. 

Here we see the website for our fictional company, agriculture.local. 

Sample local website for our test

If we point CeWL to this website, it will pull out each word that is used on the website. We can run it by entering this command. Using -w outputs the word list to a file. 

./cewl.rb -w custom-wordlist.txt http://agriculture.local
CeWL command

After the tool runs, we can take a look at what it found:

Custom wordlist CeWL creating using our website

We can run this word list through hashcat using a couple of extra flags to extend the candidate word list using rules. The word list will just be the single words found on the site. It is likely the employees would add a year or special character as well if they used a word from the site as part of their password. 

hashcat -m 1800 -r append_year -r append_special.rule password.hash custom-wordlist.txt
Hashcat command using CeWL wordlist and rules that add years and special characters

Running hashcat with rules to append the current and previous year as well as a special character, we find that the password is cracked in no time:

Hashcat results showing password cracked

Summary

When employees choose a password, it’s often the case that a number of them will use the company name or a phrase based around the company. If there’s a motto or common industry terms, people may also choose those as the base syntax for their passwords. 

CeWL can help you generate a custom word list based around a specific company by pulling words from the company’s website. When combining a custom word list from CeWL with a series of rules to modify the password by adding year or special characters, your chances of cracking a password are greatly increased. 

Please check back for the next post in the Cool Tools series!


Jason Taylor

Posted on

Categories: ,

Also by Jason Taylor

Human Vs AI Pentesting

While AI tools offer speed in detecting known vulnerabilities, they fall short with 20-35% false positives and only 50-65% success on complex threats like business logic flaws, as per mainstream reports from Verizon and OWASP. Human penetration testers at Raxis deliver 85-90% detection rates, precise prioritization, and ethical adaptability, ensuring your organization stays ahead of real-world attacks.

Partner With Raxis

Partnering with Raxis empowers your business with elite penetration testing services, competitive reseller pricing, and recurring revenue opportunities, all backed by a proven track record of excellence and a commitment to staying ahead of evolving cybersecurity threats.

Penetration Testing

Tailored, expert-led penetration testing services that uncovers hidden vulnerabilities using real-world hacker techniques, providing actionable insights to strengthen your defenses and protect against sophisticated cyber threats.

Ready to See Raxis One In Action?

See how we transform traditional pen testing into interactive security intelligence that keeps you informed every step of the way. From real-time attack progression to detailed remediation guidance, Raxis One gives you unprecedented visibility into your security posture as it’s being tested.