Building Targeted Wordlists with Cupp for Penetration Testing
Cupp (Common User Passwords Profiler) is an open-source Python utility that creates highly focused password dictionaries from publicly available personal information about a target. This guide walks through installation, configuration, and responsible usage on a Debian-based penetration-testing distribution.
Installation
sudo apt update && sudo apt install cupp -y
Generating a Custom Dictionary
Launch the interactive wizard:
cupp -i
The script prompts for the following details:
- Target’s first and last name
- Known nicknames or usernames
- Birthday in DDMMYYYY format
- Partner’s, children’s, and pet names
- Company or organization name
- Additional keywords (hobbies, favorite sports team, etc.)
After confirmation, Cupp writes the resulting wordlist to <target>.txt. A typical run against a fictional subject named Alice Smith produced 54,818 candidate passwords.
Inspecting the Output
head -n 20 alice.txt
The file contains permutations such as:
Alice1987
alice_smith
Alic3Sm1th!
Smith2024
alice.smith123
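The defensive counterpart to the permutations above, as an added example that is not part of the original guide or of Cupp: a password-change check that rejects candidates built from the user's own profile details, including leetspeak variants. The profile fields, the leet mapping, the function names and Alice's day and month of birth are assumptions made for illustration.

```python
import re

# Assumed leetspeak mapping, undone before comparison: 0->o 1->i 3->e 4->a 5->s 7->t @->a $->s
LEET = str.maketrans("013457@$", "oieastas")

# Hypothetical profile fields, mirroring the details the wizard prompts for.
FIELDS = ("first_name", "last_name", "nicknames", "relatives", "company", "keywords")

def profile_tokens(profile):
    """Lowercase words and date fragments a profiler could build passwords from."""
    tokens = set()
    for field in FIELDS:
        value = profile.get(field, [])
        for item in [value] if isinstance(value, str) else value:
            word = re.sub(r"[^a-z]", "", item.lower())
            if len(word) >= 3:  # shorter tokens match too much by accident
                tokens.add(word)
    birthday = profile.get("birthday", "")  # DDMMYYYY, the format the wizard asks for
    if re.fullmatch(r"\d{8}", birthday):
        tokens.update({birthday, birthday[:4], birthday[4:]})  # full, DDMM, YYYY
    return tokens

def derived_from_profile(password, profile):
    """Return the sorted profile tokens found in the password (empty list = none)."""
    raw = password.lower()
    forms = {
        re.sub(r"[^a-z]", "", raw),                  # letters as typed
        re.sub(r"[^a-z]", "", raw.translate(LEET)),  # letters after undoing leetspeak
        re.sub(r"\D", "", raw),                      # digits only, separators dropped
    }
    return sorted(t for t in profile_tokens(profile) if any(t in f for f in forms))

# Constructed profile for the guide's fictional subject.
ALICE = {
    "first_name": "Alice", "last_name": "Smith", "nicknames": ["lissy"],
    "relatives": ["Bruno"], "company": "Acme", "keywords": ["hockey"],
    "birthday": "14021987",
}

if __name__ == "__main__":
    for candidate in ("Alice1987", "Alic3Sm1th!", "Smith2024",
                      "alice.smith123", "correct-horse-battery-staple"):
        hits = derived_from_profile(candidate, ALICE)
        print(f"{candidate:32} {'REJECT ' + ','.join(hits) if hits else 'ok'}")
```

A non-empty result means the candidate should be refused at password-change time; the substring match is deliberately broad, so short profile words will produce some false rejections.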
Advanced Options
- cupp -l downloads latest leaked password collections for augmentation.
- cupp -w existing.txt merges the new results with an existing dictionary.
- cupp -q runs in quiet mode, useful for automation scripts.
Ethical Considerations
Only use Cupp against systems you own or have explicit authorization to test. Combine the generated list with rate-limiting and alerting to avoid account lockouts.