Password Profiling

Common Passwords

Use exrex to generate wordlist

python3 exrex.py -v "((W|w)inter|(S|s)ummer|(F|f)all|(A|a)utumn|(S|s)pring)20(16|17|18|19|20)" > seasons_months.txt
python3 exrex.py -v "((J|j)anuary|(F|f)ebruary|(M|m)arch|(A|a)pril|(M|m)ay|(J|j)une|(J|j)uly|(A|a)ugust|(S|s)eptember|(O|o)ctober|(N|n)ovember|(D|d)ecember)20(16|17|18|19|20)" >> seasons_months.txt

CUPP

CUPP can be used to generate a passwordlist. Use OSINT to gather information about the target and utilize the interactive mode from CUPP to generate a relatively small password-list specified at a user.

Website scraping

Scrape a website for words longer then 6 characters

cewl www.megacorpone.com -m 6 -w megacorp-cewl.txt

John password mutation

sudo nano /etc/john/john.conf

(search -> [List.Rules:Wordlist])

$[0-9]$[0-9]

john --wordlist=megacorp-cewl.txt --rules --stdout > mutated.txt

Keyboard walking/mapping

Keymap walking passwords are popular amongst many organizations as they are pretty easy to use and remember. Basically, you start with a specific key on the keyboard and then pick a direction (or multiple directions) and start hitting keys. Your password is entered as you “walk” across the keyboard.

Generate these using kwprocessor

git clone https://github.com/hashcat/kwprocessor.git
cd kwprocessor
make

Example:

./kwp -z basechars/full.base keymaps/en-us.keymap routes/2-to-16-max-3-direction-changes.route > ../keymap.txt

Tooling

Last updated 2 years ago

hashtagCommon Passwords

hashtagCUPP

hashtagWebsite scraping

hashtagJohn password mutation

hashtagKeyboard walking/mapping

hashtagTooling