Password mutations
Many people choose their passwords for convenience rather than security. To counter this human weakness, which often undermines other security controls, password policies can be enforced on all systems to dictate what a password must look like.
Many employees still pick passwords that contain the company's name. A person's preferences and interests also play a significant role: pets, friends, sports, hobbies, and many other elements of everyday life. OSINT gathering can reveal a great deal about a user's preferences and may assist with password guessing.
Commonly, users use the following additions for their password to fit the most common password policies:
Description                            | Password Syntax
First letter is uppercase.             | Password
Adding numbers.                        | Password123
Adding year.                           | Password2022
Adding month.                          | Password02
Last character is an exclamation mark. | Password2022!
Adding special characters.             | P@ssw0rd2022!
Based on statistics published by WPengine, most passwords are no longer than ten characters. We can therefore pick specific terms that are at least five characters long and likely to be familiar to the users, such as the names of their pets, hobbies, preferences, and other interests. If a user takes a single word (such as the current month), adds the current year and then a special character at the end, the result already reaches a ten-character password requirement.
Hashcat
We can use a very powerful tool called Hashcat to combine lists of potential names and labels with specific mutation rules and generate custom wordlists from them.
Hashcat mutation syntax
Function | Description
:        | Do nothing.
l        | Lowercase all letters.
u        | Uppercase all letters.
c        | Capitalize the first letter and lowercase the others.
sXY      | Replace all instances of X with Y.
$!       | Add the exclamation character at the end.
Hashcat applies the rules in custom.rule to each word in password.list and stores the mutated versions in mut_password.list. One word therefore results in fifteen mutated words in this case.
hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
Hashcat and John come with pre-built rule lists that we can use for password generation and cracking. One of the most used rules is best64.rule, which can often lead to good results.
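As an added example (not hashcat's own code and not this page's rule file), the following Python emulates how the rule functions in the table above are applied: every rule line runs against every word, as hashcat --stdout does, and the result is then passed through the same 11-character alphanumeric/punctuation filter used later on this page. The rule lines in CUSTOM_RULES and the input word are constructed for the example; real hashcat supports many more functions than the six covered here.

```python
import re
import string

def apply_rule(word: str, rule: str) -> str:
    """Apply one rule line (only the functions from the table above) to a word."""
    out, i = word, 0
    while i < len(rule):
        fn = rule[i]
        if fn in (":", " "):                 # ':' does nothing; spaces just separate functions
            i += 1
        elif fn == "l":                      # lowercase all letters
            out, i = out.lower(), i + 1
        elif fn == "u":                      # uppercase all letters
            out, i = out.upper(), i + 1
        elif fn == "c":                      # capitalize first letter, lowercase the rest
            out, i = out[:1].upper() + out[1:].lower(), i + 1
        elif fn == "s":                      # sXY: replace every X with Y
            out, i = out.replace(rule[i + 1], rule[i + 2]), i + 3
        elif fn == "$":                      # $X: append character X
            out, i = out + rule[i + 1], i + 2
        else:
            raise ValueError(f"rule function {fn!r} is not covered by this example")
    return out

def mutate(words, rules):
    """Emulates `hashcat -r rules --stdout | sort -u`: each rule on each word, duplicates dropped."""
    seen = {}
    for w in words:
        for r in rules:
            seen.setdefault(apply_rule(w, r), None)
    return sorted(seen)

# Same policy as the sed filter on this page: 11+ alphanumeric or punctuation characters.
POLICY = re.compile(rf"^[A-Za-z0-9{re.escape(string.punctuation)}]{{11,}}$")

def filter_policy(candidates, pattern=POLICY):
    return [c for c in candidates if pattern.fullmatch(c)]

# Constructed rule lines (hypothetical custom.rule contents, not the page's file).
CUSTOM_RULES = [":", "l", "u", "c", "c $!", "c so0", "c sa@ so0 $2 $0 $2 $2 $!"]
WORDS = ["password"]   # constructed input standing in for password.list

if __name__ == "__main__":
    mutated = mutate(WORDS, CUSTOM_RULES)
    print(mutated)                 # 6 unique candidates from 7 rule lines
    print(filter_policy(mutated))  # only P@ssw0rd2022! satisfies the 11-character policy
```

The last rule line shows how the table's functions chain into the P@ssw0rd2022! pattern from the first table; the filter step illustrates how much a length policy prunes from a mutated list.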
Existing rules examples:
ls /usr/share/hashcat/rules/
Generating Wordlists Using CeWL
cewl https://www.inlanefreight.com -d 4 -m 6 --lowercase -w inlane.wordlist
-d          depth to spider
-m          minimum length of the word
--lowercase store the found words in lowercase
-w          output file
Limiting password length
11 chars min, alphanumeric and punctuation:
sed -n '/^[[:alnum:][:punct:]]\{11,\}$/p' mut_password.list > mut_pass.list
Maximum or minimum character count. On Windows, if the file is UTF-16 encoded, each character is counted as two and the CRLF line endings add to the length as well, so sanitize the password file with Notepad++ first. Minimum length of 8 characters:
awk 'length > 7' .\pass.list
My own rules
Created with the help of the official documentation
Underscore (optional) and numbers with different capitalization
Combine the next two using:
hashcat --stdout -r .\underscore.rule -r .\custom.rule .\password.txt
Included in Hashcat
d3ad0ne