# Password mutations

Many people create their passwords according to `simplicity instead of security`. To counter this human weakness, which often undermines otherwise sound security measures, password policies can be enforced on all systems to dictate how a password must look (minimum length, required character classes, and so on).

Many employees pick passwords that contain the company's name. A person's preferences and interests also play a significant role: pets, friends, sports, hobbies, and many other elements of their lives. `OSINT` information gathering can reveal a user's preferences and thereby assist with password guessing.

Commonly, users use the following additions for their password to fit the most common password policies:

| **Description**                        | **Password Syntax** |
| -------------------------------------- | ------------------- |
| First letter is uppercase.             | `Password`          |
| Adding numbers.                        | `Password123`       |
| Adding year.                           | `Password2022`      |
| Adding month.                          | `Password02`        |
| Last character is an exclamation mark. | `Password2022!`     |
| Adding special characters.             | `P@ssw0rd2022!`     |

Based on statistics provided by [WPengine](https://wpengine.com/resources/passwords-unmasked-infographic/), most passwords are `not longer` than `ten` characters. We can therefore pick specific terms that are at least `five` characters long and likely to be familiar to the users, such as the names of their pets, hobbies, preferences, and other interests. If a user takes a single word (such as the current month), appends the `current year`, and finishes with a special character, the result reaches the `ten-character` length that many policies require.

## Hashcat

We can use a very powerful tool called [Hashcat](https://hashcat.net/hashcat/) to combine lists of potential names and labels with specific mutation rules to create custom wordlists.

Hashcat mutation syntax

| **Function** | **Description**                                   |
| ------------ | ------------------------------------------------- |
| `:`          | Do nothing.                                       |
| `l`          | Lowercase all letters.                            |
| `u`          | Uppercase all letters.                            |
| `c`          | Capitalize the first letter and lowercase others. |
| `sXY`        | Replace all instances of X with Y.                |
| `$!`         | Add the exclamation character at the end.         |

{% file src="https://251353229-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIo1z7P4Rl2BT9EibHkhc%2Fuploads%2FQzE3wYCnvnvwgDlg4qy6%2Fcustom.rule?alt=media&token=a097b09b-f766-410c-9788-7f9ad11e8564" %}

Hashcat applies every rule in `custom.rule` to each word in `password.list` and writes the mutated candidates to `mut_password.list`. With fifteen rules in the file, one word yields fifteen mutations (fewer after `sort -u` drops any that coincide). `--stdout` makes Hashcat print the candidates instead of cracking, and `--force` only suppresses Hashcat's warnings (such as driver warnings when running on a CPU).

```bash
hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
```
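To see exactly what the rule functions from the table above do to a word, here is a small rule interpreter written for this page (an added example, not Hashcat's own code and not the contents of `custom.rule`). It implements only the functions listed above plus `^X` (prepend), applies a constructed rule set modeled on the password-syntax table to a constructed word list, and also emulates what stacking two rule files with `-r a.rule -r b.rule` does: every rule of the first file is followed by every rule of the second. The rule strings and words are assumptions made for the demonstration.

```python
"""Tiny interpreter for a subset of Hashcat's rule functions (added example)."""


def apply_rule(word: str, rule: str) -> str:
    """Apply one rule line (a sequence of functions, optionally space separated)."""
    out = word
    i = 0
    while i < len(rule):
        f = rule[i]
        if f == " ":                      # separator between functions
            i += 1
            continue
        if f == ":":                      # do nothing
            pass
        elif f == "l":                    # lowercase all letters
            out = out.lower()
        elif f == "u":                    # uppercase all letters
            out = out.upper()
        elif f == "c":                    # capitalize first letter, lowercase the rest
            out = out[:1].upper() + out[1:].lower()
        elif f == "s":                    # sXY: replace every X with Y
            out = out.replace(rule[i + 1], rule[i + 2])
            i += 2
        elif f == "$":                    # $X: append X
            out += rule[i + 1]
            i += 1
        elif f == "^":                    # ^X: prepend X (not in the table above)
            out = rule[i + 1] + out
            i += 1
        else:
            raise ValueError(f"unsupported rule function {f!r} in {rule!r}")
        i += 1
    return out


def load_rules(text: str) -> list[str]:
    """Parse a rule file: one rule per line, '#' comments and blank lines ignored."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rules.append(line)
    return rules


def stack(rules_a, rules_b) -> list[str]:
    """Emulate `-r a.rule -r b.rule`: every rule of a is followed by every rule of b."""
    return [a + " " + b for a in rules_a for b in rules_b]


def mutate(words, rules) -> list[str]:
    """Apply every rule to every word, de-duplicating like `sort -u` (order preserved)."""
    seen, out = set(), []
    for w in words:
        for r in rules:
            m = apply_rule(w, r)
            if m not in seen:
                seen.add(m)
                out.append(m)
    return out


# Constructed rule set mirroring the password-syntax table (an assumption, not custom.rule).
CUSTOM_RULE_TEXT = """
# keep the word as-is
:
c
c $1 $2 $3
c $2 $0 $2 $2
c $2 $0 $2 $2 $!
c sa@ so0 $2 $0 $2 $2 $!
"""
CUSTOM_RULES = load_rules(CUSTOM_RULE_TEXT)

if __name__ == "__main__":
    for candidate in mutate(["password"], CUSTOM_RULES):
        print(candidate)
```

The `stack()` helper shows why two stacked rule files multiply output size: the number of candidates per word is the product of the two rule counts, not their sum.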

`Hashcat` and `John` ship with pre-built rule files that we can use both for generating wordlists and for cracking. One of the most used is `best64.rule`, which often gives good results.

Existing rules examples:

```bash
ls /usr/share/hashcat/rules/
```

## **Generating Wordlists Using CeWL**

```bash
cewl https://www.inlanefreight.com -d 4 -m 6 --lowercase -w inlane.wordlist
```

* `-d` depth to spider
* `-m` minimum word length to keep
* `--lowercase` store the found words in lowercase
* `-w` output file

## Limiting password length

At least 11 characters, alphanumeric and punctuation only (POSIX `[:alnum:]` and `[:punct:]` classes):

```bash
sed -n '/^[[:alnum:][:punct:]]\{11,\}$/p' mut_password.list > mut_pass.list
```

Filtering by maximum or minimum length. Note that on Windows a file saved as UTF-16 makes byte-oriented tools count two units per character, and CRLF line endings add a trailing `\r` to every candidate, so lengths come out inflated; convert the file to UTF-8 with LF endings (for example in Notepad++) before filtering. Minimum length of 8 characters:

```bash
awk 'length > 7' .\pass.list
```
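A filter equivalent to the `sed` and `awk` one-liners above, written for this page (an added example, not code from the original) and made robust against the two Windows pitfalls just mentioned: it sniffs a UTF-16 BOM and strips `\r` before measuring length, and for comparison it reports the inflated lengths a byte-oriented check sees on the same bytes. The sample wordlist is constructed; the character class follows the ASCII reading of `[[:alnum:][:punct:]]`.

```python
"""Length/charset filter for a wordlist that tolerates UTF-16 and CRLF (added example)."""
import codecs
import re
import string
from typing import Optional

# Same classes as [[:alnum:][:punct:]] in the sed filter above (ASCII interpretation).
POLICY_CHARS = re.compile(r"^[A-Za-z0-9" + re.escape(string.punctuation) + r"]+$")


def decode_wordlist(raw: bytes) -> list[str]:
    """Decode raw file bytes into candidate strings.

    A UTF-16 BOM selects the UTF-16 decoder (the encoding Windows editors
    often save); otherwise UTF-8 is assumed (a UTF-8 BOM is dropped).
    Trailing '\\r' from CRLF endings is removed and blank lines are skipped.
    """
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8-sig")
    return [line.rstrip("\r") for line in text.split("\n") if line.rstrip("\r")]


def naive_byte_lengths(raw: bytes) -> list[int]:
    """Lengths as seen by a byte-oriented `length` check on the raw file (comparison only)."""
    return [len(line) for line in raw.split(b"\n") if line]


def filter_policy(words, min_len: int = 11, max_len: Optional[int] = None) -> list[str]:
    """Keep candidates within [min_len, max_len] that consist only of alnum/punct characters."""
    kept = []
    for w in words:
        if len(w) < min_len or (max_len is not None and len(w) > max_len):
            continue
        if not POLICY_CHARS.match(w):      # spaces, non-ASCII etc. are rejected
            continue
        kept.append(w)
    return kept


# Constructed sample: a UTF-16 LE file with CRLF endings, as a Windows editor might save it.
SAMPLE_TEXT = "Password2022!\r\nshort\r\npass phrase 2022!\r\nP@ssw0rd2022!\r\n"
SAMPLE_UTF16 = codecs.BOM_UTF16_LE + SAMPLE_TEXT.encode("utf-16-le")

if __name__ == "__main__":
    print("byte lengths:", naive_byte_lengths(SAMPLE_UTF16))   # inflated, "short" looks like 13
    words = decode_wordlist(SAMPLE_UTF16)
    print("decoded:", words)
    print("kept (>=11, alnum/punct):", filter_policy(words))
```

Running it on the sample shows `short` measured as 13 bytes by the naive check (BOM/NUL bytes plus `\r`), which is why an `awk 'length > 7'` over such a file lets five-character words through; after decoding, only the two 13-character candidates survive the 11-character policy.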

## My own rules

Created with the help of the [official documentation](https://hashcat.net/wiki/doku.php?id=rule_based_attack)

### Underscore (optional) and numbers with different capitalization

Combine the next two rule files with stacked `-r` options. Hashcat then applies every rule of the first file together with every rule of the second, so the number of candidates per word is the product of the two rule counts:

```bash
hashcat --stdout -r .\underscore.rule -r .\custom.rule .\password.txt
```

{% file src="https://251353229-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIo1z7P4Rl2BT9EibHkhc%2Fuploads%2FuRWjIniQqERwTQzDmHeJ%2Funderscore.rule?alt=media&token=ef1a2a71-7e67-4add-aa2b-4c78edaea63a" %}

{% file src="https://251353229-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIo1z7P4Rl2BT9EibHkhc%2Fuploads%2Fcm5mUAuVuQgv5LlI4nyt%2Fmycustom.rule?alt=media&token=50854802-0e79-4a99-aca8-6ef88125094f" %}

### Included in Hashcat

`d3ad0ne.rule`, shipped in Hashcat's rules directory
