In any penetration test that involves brute forcing passwords, you may want to increase your chances of a successful password audit by adding custom wordlists specific to the organization that hired you. Some examples:
- If you are security testing a hospital, you may want to add a dictionary with medical terms.
- If you're testing a German organization, users are likely to use German passwords, so you should add a German wordlist.
- Another good idea is to build a custom wordlist based on the organization's website (try the Wordlist Ruby gem to generate a wordlist based on a URL scrape).
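
The website-based idea from the list above, as an added Ruby example that is not part of the original post and does not use the gem it mentions: it turns the visible text of an HTML page into a frequency-ranked wordlist and uses that list during a password audit to flag passwords built on organization terms. The sample HTML, the fictional organization, and the names `build_wordlist` and `org_derived?` are assumptions made for illustration.

```ruby
# Constructed sample page for a fictional hospital (not from the original post).
SAMPLE_HTML = <<~HTML
  <html><head><title>Northfield Klinikum</title>
  <style>body { color: red }</style>
  <script>var tracking = "ignoreme";</script></head>
  <body><h1>Cardiology at Northfield</h1>
  <p>Our cardiology and radiology teams welcome you. Call the Northfield radiology desk.</p>
  <p>Cardiology opening hours: 8-16.</p></body></html>
HTML

# Strip script/style blocks and all tags, leaving only the visible text.
def visible_text(html)
  html.gsub(%r{<(script|style)\b.*?</\1>}mi, ' ').gsub(/<[^>]+>/, ' ')
end

# Unique lowercase words of at least min_len letters, most frequent first
# (ties broken alphabetically so the output is stable).
def build_wordlist(html, min_len: 5)
  counts = Hash.new(0)
  visible_text(html).scan(/\p{L}+/) do |w|
    counts[w.downcase] += 1 if w.length >= min_len
  end
  counts.sort_by { |word, n| [-n, word] }.map(&:first)
end

# Audit check: true when a password contains an organization term, after
# lowercasing and undoing common character substitutions (0->o, 1->i, 3->e,
# 4->a, 5->s, @->a, $->s).
def org_derived?(password, wordlist)
  normalized = password.downcase.tr('01345@$', 'oieasas')
  wordlist.any? { |term| normalized.include?(term) }
end

if __FILE__ == $PROGRAM_NAME
  terms = build_wordlist(SAMPLE_HTML)
  puts terms
  %w[C4rdi0logy2024! xK9#vTq2mLp].each do |pw|
    puts "#{pw}: #{org_derived?(pw, terms) ? 'organization-derived' : 'no match'}"
  end
end
```

The same list can be fed to a password filter as a deny list, so the terms that a tester would try first are the ones users are prevented from choosing.
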
Once you have a wordlist, you can easily add it to Metasploit. Here's a video to show you how:
Adding custom wordlists this way will work in Metasploit Express and Metasploit Pro. If you want to try it out, get your free Metasploit Pro trial today!