Security, Programming, Pentesting
by {"login"=>"averagesecurityguy", "email"=>"stephen@averagesecurityguy.info", "display_name"=>"averagesecurityguy", "first_name"=>"", "last_name"=>""}
Password cracking comes in two main flavors, offline and online. With offline password cracking you are trying to crack a list of password hashes stored locally and you can try passwords as fast as your CPU/GPU and storage will allow. The speed of offline password cracking allows you to try billions of passwords in a reasonable amount of time. With online password cracking you are trying to log into a service either locally or remotely and have to wait for the service to respond. The speed of online password cracking is determined by the resources of the service and the speed of the network. Trying billions of passwords with online password cracking is not feasible. Understanding the password policy of the service and including only passwords that meet the policy requirements will prevent you from wasting time.
The first step to creating passwords for online password cracking is to find good word lists and a tool to mangle those words. You can find good word lists at Skull Security and Korelogic. To mangle the word lists, I use hashcat. Use the following command to create passwords from a word list using the best64 mangling rules:
hashcat-cli32.exe wordlist.txt -r rules/best64.rule --stdout > passwords.txt
The next step is to find only the passwords that meet specific criteria such as a having a minimum or maximum length or meeting the Windows complexity requirements.
Typical password policies specify a minimum length, may specify a maximum length, and may specify whether upper and lower case letters, digits, or symbols are required. With Web-based services the password requirements vary widely and can usually be found on the registration page. Windows computers specify a minimum length and may require complexity. If complexity is required the password must use three of the four groups: lowercase letters, uppercase letters, digits, and symbols. If complexity is not required then the password only has to meet the minimum length.
Passfilter.py is a python script that can be used to read a list of words from a file or stdin and print only the words that meet the defined password policy. You can specify the minimum and maximum length, which character groups are required, and the list of symbols that can be used. The usage for Passfilter.py is printed below:
usage: Passfilter.py [-h] [-w | -r string] [-m min] [-x max] [-s symbols]
[-f wordlist]
Passfilter.py reads a file or stdin and returns words that meet the
defined requirements. For most password policies the set of allowed letters
and numbers is the same. The set of allowed symbols varies widely between
policies. Passfilter.py defines a default set of symbols which can be
overridden using the -s flag.
Examples:
Return all words 3 to 10 characters long.
passfilter.py wordlist
Return all words 3 to 10 characters long that meet the windows complexity
requirements.
passfilter.py -w wordlist
Return all words 5 to 9 characters long that have at least two lowercase
letters and at least one digit.
passfilter.py -m 5 -x 9 -r lld wordlist
optional arguments:
-h, --help show this help message and exit
-w Passwords must meet Windows complexity requirements.
-r string String representing the character groups and count required.
-m min Minimum password length. (default: 3)
-x max Maximum password length. (default: 10)
-s symbols Symbols allowed in the password. (default:
!"#$%&'()*+,-./:;?@[\]^_`{|}~)
-f wordlist Wordlist to parse (default: stdin).
You can download Passfilter.py here.