# Password mutations Many people create their passwords according to `simplicity instead of security`. To eliminate this human weakness that often compromises security measures, password policies can be created on all systems that determine how a password should look. many employees often select passwords that can have the company's name in the passwords. A person's preferences and interests also play a significant role. These can be pets, friends, sports, hobbies, and many other elements of life. `OSINT` information gathering can be very helpful for finding out more about a user's preferences and may assist with password guessing. Commonly, users use the following additions for their password to fit the most common password policies: | **Description** | **Password Syntax** | | -------------------------------------- | ------------------- | | First letter is uppercase. | `Password` | | Adding numbers. | `Password123` | | Adding year. | `Password2022` | | Adding month. | `Password02` | | Last character is an exclamation mark. | `Password2022!` | | Adding special characters. | `P@ssw0rd2022!` | Based on statistics provided by [WPengine](https://wpengine.com/resources/passwords-unmasked-infographic/), most password lengths are `not longer` than `ten` characters. So what we can do is to pick specific terms that are at least `five` characters long and seem to be the most familiar to the users, such as the names of their pets, hobbies, preferences, and other interests. If the user chooses a single word (such as the current month), adds the `current year`, followed by a special character, at the end of their password, we would reach the `ten-character` password requirement. ## Hashcat We can use a very powerful tool called [Hashcat](https://hashcat.net/hashcat/) to combine lists of potential names and labels with specific mutation rules to create custom wordlists. Hashcat mutation syntax | **Function** | **Description** | | ------------ | ------------------------------------------------- | | `:` | Do nothing. | | `l` | Lowercase all letters. | | `u` | Uppercase all letters. | | `c` | Capitalize the first letter and lowercase others. | | `sXY` | Replace all instances of X with Y. | | `$!` | Add the exclamation character at the end. | {% file src="/files/8ZVztFWeA85gor1YMNvn" %} Hashcat will apply the rules of `custom.rule` for each word in `password.list` and store the mutated version in our `mut_password.list` accordingly. Thus, one word will result in fifteen mutated words in this case. ```bash hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list ``` `Hashcat` and `John` come with pre-built rule lists that we can use for our password generating and cracking purposes. One of the most used rules is `best64.rule`, which can often lead to good results. Existing rules examples: ```bash ls /usr/share/hashcat/rules/ ``` ## **Generating Wordlists Using CeWL** ```bash cewl https://www.inlanefreight.com -d 4 -m 6 --lowercase -w inlane.wordlist ``` * `-d` depth to spider * `-m` minimum length of the word * `--lowercase` storage of the found words in lowercase * `-w` output ## Limiting password length 11 chars min, alphanumeric and punctuation: ``` sed -n '/^[[:alnum:][:punct:]]\{11,\}$/p' mut_password.list > mut_pass.list ``` Max or min chars (if on Windows, this will count UTF-16 as 2 chars and will add for line endings... use notepad++ to sanitize that passwords file lol). Min of 8 chars length: ```bash awk 'length > 7' .\pass.list ``` ## My own rules Created with the help of the [official documentation](https://hashcat.net/wiki/doku.php?id=rule_based_attack) ### Underscore (optional) and numbers with different capitalization Combine the next two using: ```bash hashcat --stdout -r .\underscore.rule -r .\custom.rule .\password.txt ``` {% file src="/files/T5VaiYNwd7QWwArGfaNJ" %} {% file src="/files/EhfhlRc6IUnOUUDzqvUT" %} ### Included in Hashcat `d3ad0ne` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.rtlcopymemory.com/password-attacks/password-mutations.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.