PACK (Password Analysis and Cracking Toolkit) is a collection of utilities developed to aid in the analysis of password lists in order to enhance password cracking through pattern detection of masks, rules, character-sets and other password characteristics. The toolkit generates valid input files for the Hashcat family of password crackers.
NOTE: The toolkit itself is not able to crack passwords, but is instead designed to make the operation of password crackers more efficient.
StatsGen
The most basic analysis that you can perform is simply obtaining the most common length, character-set and other characteristics of passwords in the provided list. In the example below, we will use 'rockyou.txt' containing approximately 14 million passwords. Launch statsgen.py with the following command line:
$ python statsgen.py rockyou.txt
Using filters
Let's see how RockYou users tend to select their passwords using the "stringdigit" simple mask (a string followed by numbers):
$ python statsgen.py ../PACK-0.0.3/archive/rockyou.txt --simplemask stringdigit -q --hiderare
Saving advanced masks
While the "Advanced Mask" section only displays patterns matching greater than 1% of all passwords, you can obtain and save a full list of password masks matching a given dictionary by using the following command:
$ python statsgen.py rockyou.txt -o rockyou.masks
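The per-password classification behind these statistics can be sketched as follows. This is an added example, not PACK's own code; it assumes every character outside a-z, A-Z and 0-9 counts as special, and it runs on a small constructed list.

```python
import string
from collections import Counter
from itertools import groupby

def char_class(ch):
    """Return (Hashcat placeholder, simple-mask word) for one character."""
    if ch in string.ascii_lowercase:
        return "?l", "string"
    if ch in string.ascii_uppercase:
        return "?u", "string"
    if ch in string.digits:
        return "?d", "digit"
    return "?s", "special"  # assumption: anything else counts as special

def advanced_mask(password):
    """Per-character mask, e.g. 'Hello123' -> '?u?l?l?l?l?d?d?d'."""
    return "".join(char_class(c)[0] for c in password)

def simple_mask(password):
    """Collapse runs of one class, e.g. 'monkey12' -> 'stringdigit'."""
    return "".join(k for k, _ in groupby(char_class(c)[1] for c in password))

def analyze(passwords, hide_below=0.0):
    """Rank lengths and masks by share of the list, hiding rows under hide_below."""
    total = len(passwords)
    counters = {
        "length": Counter(len(p) for p in passwords),
        "simple": Counter(simple_mask(p) for p in passwords),
        "advanced": Counter(advanced_mask(p) for p in passwords),
    }
    return {
        name: [(key, n, n / total) for key, n in c.most_common() if n / total >= hide_below]
        for name, c in counters.items()
    }

# Constructed sample list, not taken from any real password dump.
SAMPLE = ["monkey12", "dragon99", "summer2010", "letmein",
          "qwerty", "Hello123", "123456", "abc!2345"]

if __name__ == "__main__":
    for name, rows in analyze(SAMPLE, hide_below=0.2).items():
        print(name)
        for key, n, share in rows:
            print(f"  {key!s:<20} {share:6.1%} ({n})")
```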
MaskGen
MaskGen allows you to craft pattern-based mask attacks for input into the Hashcat family of password crackers. The tool uses the output produced by StatsGen above with the '-o' flag in order to produce the optimal mask attack sorted by mask complexity, mask occurrence or the ratio of the two (optimal index).
Let's run MaskGen with only StatsGen's output as an argument:
$ python maskgen.py rockyou.masks
Specifying target time
Since you are usually limited in the time you have to craft and perform attacks, maskgen allows you to specify how much time you have for mask attacks and will generate the best collection of masks based on the sorting mode. Let's play a bit with different sorting modes and target times:
$ python maskgen.py rockyou.masks --targettime 600 --optindex -q
Specifying mask filters
You can further optimize your generated mask attacks by using filters. For example, you may have sufficiently powerful hardware where you can simply bruteforce all of the passwords up to 8 characters. In this case, you can generate masks only greater than 8 characters using the --minlength flag as follows:
$ python maskgen.py rockyou.masks --targettime 43200 --optindex -q --minlength 8
Saving generated masks
Once you are satisfied with the above generated masks, you can save them using the -o flag:
$ python maskgen.py rockyou.masks --targettime 43200 --optindex -q -o rockyou.hcmask
Checking mask coverage
It is often useful to see how well generated masks perform against already cracked lists. Maskgen can compare a collection of masks against others to see how well they would perform if masks from one password list were attempted against another. Let's compare how well masks generated from the RockYou list will perform against another compromised list such as Gawker:
$ python statsgen.py ../PACK-0.0.3/archive/gawker.dic -o gawker.masks
$ python maskgen.py gawker.masks --checkmasksfile rockyou.hcmask -q
Specifying speed
Depending on your exact hardware specs and target hash you may want to increase or decrease keys/sec speed used during calculations using the '--pps' parameter:
$ python maskgen.py rockyou.masks --targettime 43200 --pps 50000000 -q
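The arithmetic behind target time, speed, the minimum-length filter and mask coverage is shown in the added example below, which is a simplified model and not maskgen.py itself. It assumes the optimal index is complexity divided by occurrence and that a mask which does not fit the remaining time is skipped; the mask counts are constructed.

```python
CHARSET_SIZE = {"l": 26, "u": 26, "d": 10, "s": 33}  # Hashcat ?l ?u ?d ?s

def complexity(mask):
    """Keyspace of a mask such as '?l?l?d': product of its charset sizes."""
    total = 1
    for code in mask.split("?")[1:]:
        total *= CHARSET_SIZE[code]
    return total

def select_masks(mask_counts, target_time, pps, min_length=0):
    """Pick masks in optimal-index order until target_time seconds are used."""
    rows = []
    for mask, count in mask_counts.items():
        if len(mask) // 2 >= min_length:
            size = complexity(mask)
            rows.append((size / count, mask, size))  # assumed optimal index
    rows.sort()  # fewest candidates per observed password first
    chosen, spent = [], 0.0
    for _, mask, size in rows:
        cost = size / pps  # seconds needed at pps candidates per second
        if spent + cost <= target_time:
            chosen.append(mask)
            spent += cost
    return chosen, spent

def coverage(masks, other_counts):
    """Share of passwords in another list whose mask is among `masks`."""
    wanted = set(masks)
    hits = sum(n for mask, n in other_counts.items() if mask in wanted)
    return hits / sum(other_counts.values())

# Constructed mask statistics standing in for two statsgen output files.
LIST_A = {"?l?l?l?l?l?l": 500, "?l?l?l?l?l?l?d?d": 300, "?d?d?d?d?d?d": 150,
          "?u?l?l?l?l?l?d?d": 40, "?l?l?l?l?l?l?l?l?l?l": 10}
LIST_B = {"?l?l?l?l?l?l": 40, "?d?d?d?d?d?d": 10,
          "?l?l?l?l?l?l?l?l": 30, "?l?l?l?l?l?l?d?d": 20}

if __name__ == "__main__":
    masks, seconds = select_masks(LIST_A, target_time=600, pps=50_000_000)
    print(masks, f"{seconds:.2f}s")
    print(f"coverage of list A: {coverage(masks, LIST_A):.0%}")
    print(f"coverage of list B: {coverage(masks, LIST_B):.0%}")
```

For an audit, the coverage figure is the share of accounts whose passwords follow patterns that fit inside the given time budget.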
PolicyGen
A lot of the mask and dictionary attacks will fail in the corporate environment with minimum password complexity requirements. Instead of resorting to a pure bruteforcing attack, we can leverage known or guessed password complexity rules to avoid trying password candidates that are not compliant with the policy or inversely only audit for noncompliant passwords. Using PolicyGen, you will be able to generate a collection of masks following the password complexity in order to significantly reduce the cracking time.
Below is a sample session where we generate all valid password masks for an environment requiring at least one digit, one upper, and one special character.
$ python policygen.py --minlength 8 --maxlength 8 --minlower 1 --minupper 1 --mindigit 1 --minspecial 1 -o complexity.hcmask
Specifying maximum complexity
It is also possible to specify maximum password complexity using the --maxlower, --maxupper, --maxdigit and --maxspecial flags in order to fine-tune your attack. For example, below is a sample site which enforces a password policy but does not allow any special characters:
$ python policygen.py --minlength 8 --maxlength 8 --minlower 1 --minupper 1 --mindigit 1 --maxspecial 0 -o maxcomplexity.hcmask -q
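How a complexity policy translates into a set of masks, and how much of the full 8-character keyspace those masks cover, can be checked with the added example below. It is not policygen.py's code; it enumerates masks by brute force over the four Hashcat classes and uses the two policies from the commands above.

```python
from itertools import product

CHARSET_SIZE = {"l": 26, "u": 26, "d": 10, "s": 33}  # Hashcat ?l ?u ?d ?s

def policy_masks(length, minimum, maximum=None):
    """Yield every mask of `length` whose per-class counts fit the policy."""
    maximum = maximum or {}
    for combo in product("luds", repeat=length):
        if all(minimum.get(c, 0) <= combo.count(c) <= maximum.get(c, length)
               for c in "luds"):
            yield "".join("?" + c for c in combo)

def summarize(length, minimum, maximum=None):
    """Return (valid mask count, candidates they cover, full 95-char keyspace)."""
    masks = keyspace = 0
    for mask in policy_masks(length, minimum, maximum):
        size = 1
        for code in mask[1::2]:  # the class letter after each '?'
            size *= CHARSET_SIZE[code]
        masks += 1
        keyspace += size
    return masks, keyspace, sum(CHARSET_SIZE.values()) ** length

if __name__ == "__main__":
    policies = {
        "all four classes": ({"l": 1, "u": 1, "d": 1, "s": 1}, None),
        "no specials": ({"l": 1, "u": 1, "d": 1}, {"s": 0}),
    }
    for name, (lo, hi) in policies.items():
        n, covered, full = summarize(8, lo, hi)
        print(f"{name}: {n} masks, {covered / full:.1%} of the 8-char keyspace")
```

The second figure is the one to watch when designing a policy: forbidding a character class removes far more candidates than requiring one.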
Rules Analysis
rulegen.py implements password analysis and rule generation for the Hashcat password cracker as described in the Automatic Password Rule Analysis and Generation paper. Please review this document for detailed discussion on the theory of rule analysis and generation.
Analyzing a Single Password
The most basic use of rulegen.py involves analysis of a single password to automatically detect rules. Let's detect the rules and the potential source word used to generate a sample password P@55w0rd123:
$ python rulegen.py --verbose --password P@55w0rd123
Spell-checking provider
Notice that we are using the aspell Enchant module for source word detection. The exact spell-checking engine can be changed using the --provider flag as follows:
$ python rulegen.py --verbose --provider myspell --password P@55w0rd123 -q
Forcing source word
The use of the source word detection engine can be completely disabled by specifying a source word with the --word flag:
$ python rulegen.py -q --verbose --word word --password P@55w0rd123
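With the source word fixed, rule detection reduces to finding a minimal edit path from the word to the password. The added example below is not rulegen.py's code; it assumes a plain Levenshtein table and emits only Hashcat's positional functions (oNX overwrite, iNX insert, DN delete), with "password" as an assumed source word, then replays the rules to confirm they reproduce the password.

```python
POS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # Hashcat position digits (0-35)

def edit_matrix(word, password):
    """Levenshtein distance table between source word and password."""
    m = [[0] * (len(password) + 1) for _ in range(len(word) + 1)]
    for i in range(len(word) + 1):
        for j in range(len(password) + 1):
            if i == 0 or j == 0:
                m[i][j] = i + j
            else:
                diff = word[i - 1] != password[j - 1]
                m[i][j] = min(m[i - 1][j] + 1, m[i][j - 1] + 1, m[i - 1][j - 1] + diff)
    return m

def derive_rules(word, password):
    """Trace one minimal edit path back and emit Hashcat rule functions."""
    m = edit_matrix(word, password)
    i, j, ops = len(word), len(password), []
    while i or j:
        if i and j and m[i][j] == m[i - 1][j - 1] + (word[i - 1] != password[j - 1]):
            if word[i - 1] != password[j - 1]:
                ops.append("o" + POS[j - 1] + password[j - 1])  # overwrite at N
            i, j = i - 1, j - 1
        elif j and m[i][j] == m[i][j - 1] + 1:
            ops.append("i" + POS[j - 1] + password[j - 1])      # insert at N
            j -= 1
        else:
            ops.append("D" + POS[j])                             # delete at N
            i -= 1
    return ops[::-1]  # left-to-right order, positions valid as rules are applied

def apply_rules(word, rules):
    """Replay oNX / iNX / DN functions on a word to verify a derived rule."""
    chars = list(word)
    for rule in rules:
        pos = POS.index(rule[1])
        if rule[0] == "o":
            chars[pos] = rule[2]
        elif rule[0] == "i":
            chars.insert(pos, rule[2])
        elif rule[0] == "D":
            del chars[pos]
    return "".join(chars)

if __name__ == "__main__":
    rules = derive_rules("password", "P@55w0rd123")
    print(" ".join(rules), "->", apply_rules("password", rules))
```

Positions beyond 35 cannot be encoded in this notation, so the sketch only handles passwords up to 36 characters.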
Defining Custom Dictionary
Inevitably you will come across a point where generating rules using the standard spelling-engine wordlist is no longer sufficient. You can specify a custom wordlist using the --wordlist flag. This is particularly useful when reusing source words from a previous analysis session:
$ python rulegen.py -q --verbose --wordlist rockyou.txt --password 1pa55w0rd1
Generating Suboptimal Rules and Words
While rulegen.py attempts to generate and record only the best source words and passwords, there may be cases when you are interested in more results. Use --morewords and --morerules flags to generate words and rules which may exceed optimal edit distance:
$ python rulegen.py -q --verbose --password '$m0n3y$' --morerules --morewords
Disabling Advanced Engines
rulegen.py includes a number of advanced engines to generate better quality words and rules. It is possible to disable them to observe the difference (or if they are causing issues) using --simplewords and --simplerules flags. Let's observe how both source words and rules change with these flags on:
$ python rulegen.py -q --verbose --password '$m0n3y$' --simplewords --simplerules
Processing password lists
Now that you have mastered all of the different flags and switches, we can attempt to generate words and rules for a collection of passwords. Let's generate a text file korelogic.txt containing the following fairly complex test passwords:
&~defcon
'#(4)\
August19681
'&a123456
10-D'Ann
~|Bailey
Krist0f3r
f@cebOOK
Nuclear$(
zxcvbn2010!
13Hark's
NjB3qqm
Sydney93?
antalya%]
Annl05de
;-Fluffy
Now let's observe rulegen.py analysis by simply specifying the password file as the first argument:
$ python rulegen.py korelogic.txt -q
Specifying output basename
As previously mentioned, rulegen.py saves output files using the 'analysis' basename by default. You can change the file basename with the --basename or -b flag as follows:
$ python rulegen.py korelogic.txt -q -b korelogic