explaingit

mebus/cupp

5,916 · Python · Audience · ops devops · Complexity · 2/5 · License · Setup · easy

TLDR

CUPP is a Python command-line tool used in authorized security testing that generates a targeted password wordlist for a specific person based on personal details like their name, birthday, and pet's name.

Mindmap

mindmap
  root((cupp))
    What it does
      Generate password lists
      Profile-based targeting
      Wordlist enhancement
    Input Sources
      Interactive questionnaire
      Existing wordlist
      Online repositories
      Alecto default credentials
    Use Cases
      Penetration testing
      Password auditing
      Forensic investigation
    Setup
      Python 3
      cupp.cfg config file
      Command-line tool

Things people build with this

USE CASE 1

Generate a targeted password wordlist for a specific person during an authorized penetration test to check whether they use personal information as passwords.

USE CASE 2

Audit employee password strength by running CUPP in interactive mode and testing the output against your organization's account system with permission.

USE CASE 3

Download a general-purpose wordlist from CUPP's online repository to use in a broader password-spraying assessment.

USE CASE 4

Check default device credentials against the Alecto database during a network security audit of routers or IoT devices.

Tech stack

Python

Getting it running

Difficulty · easy Time to first run · 5min

Only legal to use against accounts and systems you are explicitly authorized to test; unauthorized use is illegal.

GNU General Public License v3: free to use, modify, and distribute, but any software that includes this code must also be released under the same GPL v3 license.

In plain English

CUPP stands for Common User Passwords Profiler. It is a Python tool used in security testing to generate a list of likely passwords for a specific person based on information about them, such as their name, birthday, pet's name, or other personal details. The idea is that people often choose passwords tied to things that matter to them, so knowing those details lets a security tester build a targeted list to test against an account rather than trying millions of random combinations.

The tool is intended for authorized security testing scenarios, such as penetration tests where a company has hired someone to check whether their employees use weak or guessable passwords, or for forensic investigations. Running it without permission against accounts you do not own would be illegal.

From the command line, you can start an interactive session where CUPP asks you a series of questions about the target person and then generates a wordlist based on the answers. Other options let you enhance an existing password list, download large general-purpose wordlists from an online repository, or pull default usernames and passwords from the Alecto database, which is a collection of known default credentials used by various devices and systems.

CUPP requires Python 3 and is configured through a file called cupp.cfg. It is released under the GNU General Public License version 3, meaning it can be freely used, modified, and distributed. The project was originally created by Muris Kurgas and has since been maintained and extended by several contributors on GitHub.
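Because profile-based lists work only when a password contains the owner's own details, the same observation can be applied at password-change time by rejecting candidates that embed those details. The following is an added example, not code from CUPP or from this page; the profile field names, the substitution table and the sample values are constructed assumptions.

```python
import re
from datetime import date

# Common look-alike substitutions, undone before matching (constructed table).
LEET = str.maketrans("013457@$", "oieastas")

def profile_tokens(profile):
    """Split a profile into word tokens (plus reversals) and date digit strings."""
    words, digits = set(), set()
    for value in profile.values():
        if isinstance(value, date):
            d, m, y = f"{value.day:02d}", f"{value.month:02d}", str(value.year)
            digits |= {y, d + m, m + d, d + m + y[2:], m + d + y[2:],
                       d + m + y, m + d + y, y + m + d}
        else:
            for part in re.split(r"[^a-z]+", str(value).lower()):
                if len(part) >= 3:  # shorter fragments match too much
                    words |= {part, part[::-1]}
    return words, digits

def personal_matches(password, profile):
    """Return the sorted profile tokens found inside a candidate password."""
    words, digits = profile_tokens(profile)
    lowered = password.lower()
    plain = re.sub(r"[^a-z]", "", lowered)                   # letters as typed
    unleet = re.sub(r"[^a-z]", "", lowered.translate(LEET))  # substitutions undone
    only_digits = re.sub(r"\D", "", password)
    hits = {w for w in words if w in plain or w in unleet}
    hits |= {d for d in digits if d in only_digits}
    return sorted(hits)

if __name__ == "__main__":
    # Constructed sample profile and candidates, for illustration only.
    sample = {"first_name": "Alice", "pet": "Rex", "birthdate": date(1990, 7, 14)}
    for candidate in ("R3x1990!", "ecilA#0714", "correct-horse-battery"):
        found = personal_matches(candidate, sample)
        print(candidate, "REJECT" if found else "ok", found)
```

A non-empty result means the candidate should be refused and the user asked for a password unrelated to their profile.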

Copy-paste prompts

Prompt 1
I am doing an authorized penetration test and want to use CUPP to generate a password wordlist for a target user. Walk me through running CUPP in interactive mode and explain what kinds of information to gather beforehand.
Prompt 2
Using CUPP, how do I take an existing wordlist and enhance it with CUPP's mutation rules to add common number and symbol patterns that people often add to personal passwords?
Prompt 3
What is the Alecto database in CUPP and how do I use it to check whether network devices on an authorized audit are using known default credentials?
Prompt 4
Explain how CUPP differs from a general wordlist tool like rockyou.txt. When is a profile-based wordlist more effective for a targeted account during a pen test?

Verify against the repo before relying on details.