In many of our network and web application penetration tests, we come across login portals that aren’t protected by anti-automation controls. Essentially, this allows us to launch unrestricted dictionary attacks on previously identified usernames.

When faced with this scenario, many attackers will immediately turn to their ‘Top 500 Passwords’ list in hope of quick wins. Not that there’s anything wrong with such an approach, but this should never be the end of the rabbit-hole.

Muris Kurgas has written CUPP or the ‘Common User Passwords Profiler’ to generate custom password lists tailored for individual targets. The application leverages user-supplied open-source intelligence (OSINT) information to compile an extensive and powerful password list. CUPP is written in Python and even provides an interactive interface to build its custom password lists.

To get started, download or clone the latest version of CUPP from Github:

git clone

Next, open up the cupp.cfg file in your favorite text editor. This is where all the magic happens. Make any adjustments you see fit. I always add another line under ‘leet’ that changes ‘a’ to ‘@’. It’s also a good idea to add years that are two digits, not just four.

Once you’ve saved your config file, you should be ready to launch the application:

python -i

CUPP will ask you for basic information on your target including first and last name, partner’s name, pet’s name, company name, etc. Once finished, you should have your password list.

Happy hacking! If you have any questions, feel free to drop us a line on our contact page.