From 575ac1bd8ddcac6dd2f78fb435b8f4562b72824a Mon Sep 17 00:00:00 2001 From: Will Pennell Date: Sun, 21 Sep 2014 21:11:15 -0400 Subject: [PATCH 1/5] Added maskgen --- tools/maskgen.md | 246 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 246 insertions(+) create mode 100644 tools/maskgen.md diff --git a/tools/maskgen.md b/tools/maskgen.md new file mode 100644 index 0000000..f6153ff --- /dev/null +++ b/tools/maskgen.md @@ -0,0 +1,246 @@ +# maskgen (part of the sprawl's password analysis and cracking toolkit) + +Notes +------- +MaskGen allows you to craft pattern-based mask attacks for input into Hashcat family of password crackers. The tool uses output produced by statsgen above with the '-o' flag in order to produce the most optimal mask attack sorted by mask complexity, mask occurrence or ratio of the two (optimal index). + + +Help Text +------- +``` +Usage: maskgen [options] masksfile.csv + +Options: + --version show program's version number and exit + -h, --help show this help message and exit + --minlength=8 Minimum password length + --maxlength=8 Maximum password length + --mintime=MINTIME Minimum time to crack + --maxtime=MAXTIME Maximum time to crack + --complexity=COMPLEXITY + maximum password complexity + --occurence=OCCURENCE + minimum times mask was used + --checkmask=?u?l ?l ?l ?l ?l ?d + check mask coverage + --showmasks Show matching masks + --pps=1000000000 Passwords per Second + +``` + +Example Usage +------- +Let's run MaskGen with only StatGen's output as an argument: + +``` +$ python maskgen.py rockyou.masks + + _ + MaskGen #.#.# | | + _ __ __ _ ___| | _ + | '_ \ / _` |/ __| |/ / + | |_) | (_| | (__| < + | .__/ \__,_|\___|_|\_\ + | | + |_| iphelix@thesprawl.org + + +[*] Analyzing masks in [rockyou.masks] +[*] Using 1,000,000,000 keys/sec for calculations. +[*] Sorting masks by their [optindex]. +[*] Finished generating masks: + Masks generated: 146578 + Masks coverage: 100% (14344390/14344390) + Masks runtime: >1 year +``` +There are several pieces of information that you should observe: + +Default cracking speed used for calculations is 1,000,000,000 keys/sec +Default sorting mode is [optindex] equivalent to --optindex flag. +146,578 unique masks were generated which have 100% coverage +Total runtime of all generated masks is more than 1 year. +Specifying target time + +Since you are usually limited in time to perform and craft attacks, maskgen allows you to specify how much time you have to perform mask attacks and will generate the most optimal collection of masks based on the sorting mode. Let's play a bit with different sorting modes and target times: + +``` +$ python maskgen.py rockyou.masks --targettime 600 --optindex -q +[*] Analyzing masks in [rockyou.masks] +[*] Using 1,000,000,000 keys/sec for calculations. +[*] Sorting masks by their [optindex]. +[!] Target time exceeded. +[*] Finished generating masks: + Masks generated: 779 + Masks coverage: 56% (8116195/14344390) + Masks runtime: 0:11:36 + + +$ python maskgen.py rockyou.masks --targettime 600 --complexity -q +[*] Analyzing masks in [rockyou.masks] +[*] Using 1,000,000,000 keys/sec for calculations. +[*] Sorting masks by their [complexity]. +[!] Target time exceeded. +[*] Finished generating masks: + Masks generated: 5163 + Masks coverage: 31% (4572346/14344390) + Masks runtime: 0:10:01 + + +$ python maskgen.py rockyou.masks --targettime 600 --occurrence -q +[*] Analyzing masks in [rockyou.masks] +[*] Using 1,000,000,000 keys/sec for calculations. +[*] Sorting masks by their [occurrence]. +[!] Target time exceeded. +[*] Finished generating masks: + Masks generated: 4 + Masks coverage: 16% (2390986/14344390) + Masks runtime: 1:34:05 +``` +All of the above runs have target time of 600 seconds (or 10 minutes) with different sorting modes. Based on our experiments, masks generated using OptIndex sorting mode can crack 56% of RockYou passwords in about 10 minutes. At the same time masks generated using Occurrence sorting mode not only have pretty weak coverage of only 16%, but also exceeded specified target time by more than an hour. + +NOTE: Masks sorted by complexity can be very effective when attacking policy based lists. + +Let's see some of the masks generated by maskgen in optindex mode using the --showmasks flag: + +``` +$ python maskgen.py rockyou.masks --targettime 43200 --optindex -q --showmasks +[*] Analyzing masks in [rockyou.masks] +[*] Using 1,000,000,000 keys/sec for calculations. +[*] Sorting masks by their [optindex]. +[L:] Mask: [ Occ: ] [ Time: ] +... +[ 7] ?l?d?s?l?l?d?d [6 ] [ 0:00:00] +[ 8] ?s?l?l?l?l?l?l?s [3480 ] [ 0:05:36] +[ 9] ?l?l?l?l?d?d?d?d?s [1553 ] [ 0:02:30] +[ 8] ?d?l?d?d?d?l?l?l [47 ] [ 0:00:04] +[ 8] ?d?l?l?d?l?d?d?l [47 ] [ 0:00:04] +[ 8] ?d?l?l?d?d?l?d?l [47 ] [ 0:00:04] +[ 8] ?d?l?d?l?d?d?l?l [47 ] [ 0:00:04] +[ 8] ?d?d?l?l?d?l?d?l [47 ] [ 0:00:04] +[ 8] ?d?l?d?d?l?l?l?l [122 ] [ 0:00:11] +[ 8] ?u?u?d?u?d?d?d?d [18 ] [ 0:00:01] +[ 6] ?d?s?s?s?s?s [4 ] [ 0:00:00] +[10] ?l?l?l?l?l?l?l?l?d?d [213109 ] [ 5:48:02] +[!] Target time exceeded. +[*] Finished generating masks: + Masks generated: 3970 + Masks coverage: 74% (10620959/14344390) + Masks runtime: 16:10:38 +``` +Displayed masks follow a pretty intuitive format: + +``` + [ 9] ?l?l?l?l?d?d?d?d?s [1553 ] [ 0:02:30] + \ \ \ \ + \ \_ generated mask \ \_ mask runtime + \ \ + \_ mask length \_ mask occurrence +``` +In the above sample you can see some of the logic that goes into mask generation. For example, while '?s?l?l?l?l?l?l?s' mask has one of the longest runtimes in the sample (5 minutes), it still has higher priority because of its relatively higher occurrence to '?l?l?l?l?d?d?d?d?s'. At the same time, while '?l?d?s?l?l?d?d' has pretty low coverage it still gets a higher priority than other masks because as only a six character mask it executes very quickly. + +Specifying mask filters + +You can further optimize your generated mask attacks by using filters. For example, you may have sufficiently powerful hardware where you can simple bruteforce all of the passwords up to 8 characters. In this case, you can generate masks only greater than 8 characters using the --minlength flag as follows: + +``` +$ python maskgen.py rockyou.masks --targettime 43200 --optindex -q --minlength 8 +[*] Analyzing masks in [rockyou.masks] +[*] Using 1,000,000,000 keys/sec for calculations. +[*] Sorting masks by their [optindex]. +[!] Target time exceeded. +[*] Finished generating masks: + Masks generated: 585 + Masks coverage: 41% (5905182/14344390) + Masks runtime: 15:50:36 +``` +Naturally the generated mask coverage was reduced, but these filters become useful when preparing a collection of masks when attacking password lists other than the one used to generate them. + +The list below shows additional filters you can use: + +``` + Individual Mask Filter Options: + --minlength=8 Minimum password length + --maxlength=8 Maximum password length + --mintime=3600 Minimum mask runtime (seconds) + --maxtime=3600 Maximum mask runtime (seconds) + --mincomplexity=1 Minimum complexity + --maxcomplexity=100 + Maximum complexity + --minoccurrence=1 Minimum occurrence + --maxoccurrence=100 + Maximum occurrence +``` +Occurrence and complexity flags can be particularly powerful to fine-tune generated masks using different sorting modes. + +Saving generated masks + +Once you are satisfied with the above generated masks, you can save them using the -o flag: + +``` +$ python maskgen.py rockyou.masks --targettime 43200 --optindex -q -o rockyou.hcmask +[*] Analyzing masks in [rockyou.masks] +[*] Saving generated masks to [rockyou.hcmask] +[*] Using 1,000,000,000 keys/sec for calculations. +[*] Sorting masks by their [optindex]. +[!] Target time exceeded. +[*] Finished generating masks: + Masks generated: 3970 + Masks coverage: 74% (10620959/14344390) + Masks runtime: 16:10:38 +``` +This will produce 'rockyou.hcmask' file which can be directly used by Hashcat suite of tools or as part of a custom script that loops through them. + +Checking mask coverage + +It is often useful to see how well generated masks perform against already cracked lists. Maskgen can compare a collection of masks against others to see how well they would perform if masks from one password list would be attempted against another. Let's compare how well masks generated from RockYou list will perform against another compromised list such as Gawker: + +``` +$ python statsgen.py ../PACK-0.0.3/archive/gawker.dic -o gawker.masks + +$ python maskgen.py gawker.masks --checkmasksfile rockyou.hcmask -q +[*] Analyzing masks in [gawker.masks] +[*] Using 1,000,000,000 keys/sec for calculations. +[*] Checking coverage of masks in [rockyou.hcmask] +[*] Finished matching masks: + Masks matched: 1775 + Masks coverage: 96% (1048889/1084394) + Masks runtime: 16:25:44 +``` +Using the '--checkmasksfile' parameter we attempted to run masks inside 'rockyou.hcmask' file generated earlier against masks from a sample leaked list 'gawker.masks'. This results in a good 96% coverage where 1775 of the 3970 total generated RockYou-based masks matched masks in Gawker list. + +It is also possible to see the coverage of one or more masks by specifying them directly on the command-line as follows: + +``` +$ python maskgen.py gawker.masks --checkmasks="?u?l?l?l?l?l?d,?l?l?l?l?l?d?d" -q +[*] Analyzing masks in [gawker.masks] +[*] Using 1,000,000,000 keys/sec for calculations. +[*] Checking coverage of the these masks [?u?l?l?l?l?l?d, ?l?l?l?l?l?d?d] +[*] Finished matching masks: + Masks matched: 2 + Masks coverage: 1% (18144/1084394) + Masks runtime: 0:00:04 +``` +Both of the specified masks matched with only 1% coverage. + +Specifying speed + +Depending on your exact hardware specs and target hash you may want to increase or decrease keys/sec speed used during calculations using the '--pps' parameter: + +``` +$ python maskgen.py rockyou.masks --targettime 43200 --pps 50000000 -q +[*] Analyzing masks in [rockyou.masks] +[*] Using 50,000,000 keys/sec for calculations. +[*] Sorting masks by their [optindex]. +[!] Target time exceeded. +[*] Finished generating masks: + Masks generated: 1192 + Masks coverage: 61% (8754548/14344390) + Masks runtime: 12:17:31 +``` +Using the '--pps' parameter to match you actual performance makes target time more meaningful. + + +Links +------- +[TheSprawl](https://thesprawl.org/projects/pack/) + From 1c33aa25731fa2f4420e362b1f9d79b41b845546 Mon Sep 17 00:00:00 2001 From: Will Pennell Date: Sun, 21 Sep 2014 21:11:34 -0400 Subject: [PATCH 2/5] Added ophcrack-cli --- tools/ophcrack-cli.md | 71 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 tools/ophcrack-cli.md diff --git a/tools/ophcrack-cli.md b/tools/ophcrack-cli.md new file mode 100644 index 0000000..ab91157 --- /dev/null +++ b/tools/ophcrack-cli.md @@ -0,0 +1,71 @@ +# ophcrack-cli + +Notes +------- +Ophcrack is a free Windows password cracker based on rainbow tables. It is a very efficient implementation of rainbow tables done by the inventors of the method. + + +Help Text +------- +``` +ophcrack 3.4.0 by Objectif Securite (http://www.objectif-securite.ch) + +Usage: ophcrack [OPTIONS] +Cracks Windows passwords with Rainbow tables + + -a disable audit mode (default) + -A enable audit mode + -b disable bruteforce + -B enable bruteforce (default) + -c config_file specify the config file to use + -D display (lots of!) debugging information + -d dir specify tables base directory + -e do not display empty passwords + -f file load hashes from the specified file (pwdump or session) + -g disable GUI + -h display this information + -i hide usernames + -I show usernames (default) + -l file log all output to the specified file + -n num specify the number of threads to use + -o file write cracking output to file in pwdump format + -p num preload (0 none, 1 index, 2 index+end, 3 all default) + -q quiet mode + -r launch the cracking when ophcrack starts (GUI only) + -s disable session auto-saving + -S session_file specify the file to use to automatically save the progress of the search + -u display statistics when cracking ends + -t table1[,a[,b,...]][:table2[,a[,b,...]]] + specify which table to use in the directory given by -d + -v verbose + -w dir load hashes from encrypted SAM file in directory dir + -x file export data in CSV format to file + + +Example: ophcrack -g -d /path/to/tables -t xp_free_fast,0,3:vista_free -f in.txt + + Launch ophcrack in command line using tables 0 and 3 in + /path/to/tables/xp_free_fast and all tables in /path/to/tables/vista_free + and cracks hashes from pwdump file in.txt + +``` + +Example Usage +------- +Stolen from aerokid240 + +``` +# ophcrack -g -d path_to_rainbow_tables_dir/ -t path_to_rainbow_tables_dir/ -n 4 -f hashes.txt + +'-d' - Path to rainbow tables +'-g' - do no run the GUI interface +'-t' - specify which table to use. Just putting the dir path to the table works for me +'-n' - number of threads to use +'-f' - path to hashes file obtained from programs like fgdump or pwdump +``` + +Links +------- +* [sourceforge](http://ophcrack.sourceforge.net/) +* [Aerokid240](http://aerokid240.blogspot.com/2010/08/using-ophcrack-from-da-command-line.html) +* [rainbow tables](http://ophcrack.sourceforge.net/tables.php) \ No newline at end of file From 14c8d56566967e4c477faf55a9b8bcdd52dc5545 Mon Sep 17 00:00:00 2001 From: Will Pennell Date: Sun, 21 Sep 2014 21:11:45 -0400 Subject: [PATCH 3/5] Added ophcrack --- tools/ophcrack.md | 60 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 tools/ophcrack.md diff --git a/tools/ophcrack.md b/tools/ophcrack.md new file mode 100644 index 0000000..78b0f2d --- /dev/null +++ b/tools/ophcrack.md @@ -0,0 +1,60 @@ +# ophcrack + +Notes +------- +Ophcrack is a free Windows password cracker based on rainbow tables. It is a very efficient implementation of rainbow tables done by the inventors of the method. It comes with a Graphical User Interface and runs on multiple platforms. + + +Help Text +------- +This is a graphical tool + +*Ophcrack 3 password cracking howto* +This howto assumes you have already installed ophcrack 3 and downloaded the ophcrack rainbow tables you want to use. It also assumes that you understand how to use third party tools like pwdump or fgdump (http://www.foofus.net/fizzgig/) to dump the SAM of a Windows system. + +Ophcrack and the ophcrack LiveCD are available for free at the ophcrack project page (http://ophcrack.sourceforge.net/). + +Ophcrack rainbow tables are avaible at ophcrack rainbow tables page (http://ophcrack.sourceforge.net/tables.php). The XP free small, XP free fast and Vista free rainbow tables are free. The others ophcrack rainbow tables are sold by Objectif Securite. +*First step* +This step is optional but will speed up the cracking process. + +Run ophcrack and set the number of threads under the Preferences tab to the number of cores of the computer running ophcrack plus one.For example, for an old processor set the number of threads to 2, for a Core 2 Duo to 3 and for a Core 2 Quad to 5. If you change this value, you have to exit ophcrack and to restart it in order to save the change. If you don't exit and restart, the new number of threads will not be taken into account by the program. +*Second step* +This step is mandatory. + +Load hashes using the Load button. You can either enter the hash manually (Single hash option), import a text file containing hashes you created with pwdump, fgdump or similar third party tools (PWDUMP file option), extract the hashes from the SYSTEM and SAM files (Encrypted SAM option), dump the SAM from the computer ophcrack is running on (Local SAM option) or dump the SAM from a remote computer (Remote SAM option). + +For the Encrypted SAM option, the SAM is located under the Windows system32/config directory and can only be accessed for a Windows partition that is NOT running. For the Local SAM and Remote SAM options, you MUST logged in with the administrator rights on the computer you want to dump the SAM. +*Third step* +This step is optional but will speed up the cracking process. + +Delete with the Delete button every user account you are not interested in (for exemple the Guest account). You can use the Ctrl key to make multiple selection. Ctrl-a will select every loaded hash. + +Keep in mind that the time needed to crack password hashes with rainbow tables is proportional to the number of hashes loaded. With a brute force attack the cracking time is NOT dependent on the number of unsalted hashes loaded. That's why it's advisable to remove any unnecessary user account with the Delete button. +*Fourth step* +This step is mandatory. + +Install (Tables button), enable (green and yellow buttons) and sort wisely (up and down arrows) the rainbow tables your are going to use. Keep in mind that storing the rainbow tables on a fast medium like a hard disk will significantly speed up the cracking process. + +Here are a few guidelines : +If you want to crack LM hashes as found on Windows XP by default (the LM Hash column is never empty on the ophcrack main window), first install and enable either the XP free small (if you have less than 512MB of free RAM) or the XP free fast (if you have more than 512MB of free RAM). Do NOT enable both of them since this is generally useless and will slow down the cracking process. Then install and enable the Vista free tables set. Finally install and enable the other XP rainbow tables you may have (XP special, XP german) and Vista ones (Vista special, Vista num, Vista nine, Vista eight). Sort the rainbow tables with the up and down arrows the following way : first the XP free then the Vista free then the XP special after that the Vista special, the Vista numeric, the XP german, the Vista nine and finally the Vista eight tables. + + +If you want to crack NT hashes as found on Windows Vista by default (the LM Hash column is always empty on the ophcrack main window), first install and enable the Vista free tables set. Then install and enable every others Vista tables you may have. Disable every other XP tables sets since they are useless and slow down the cracking process. Sort the enabled rainbow tables with the up and down arrows the following way : first the Vista free then the Vista special, the Vista numeric, the Vista nine and finally the Vista eight tables. + + +If you want to crack a mix of LM and NT enabled hashes (some accounts have their LM column empty, others have both the LM and NT columns filled with hashes) proceed the same way as "If you want to crack LM enabled hashes". +*Fifth step* +This step is mandatory. + +Click on the Crack button to start the cracking process. You'll see the progress of the cracking process in the bottom boxes of the ophcrack window. When a password is found, it will be displayed in the NT Pwd field. You can then save the results of a cracking session at any time with the Save button. +``` + +Example Usage +------- + + +Links +------- +* [sourceforge](http://ophcrack.sourceforge.net/) +* [youtube](https://www.youtube.com/watch?v=Fp1aHff5lgY) \ No newline at end of file From 6017bc617fb23e1321a5a5af5c1d91c61d7de39a Mon Sep 17 00:00:00 2001 From: Will Pennell Date: Sun, 21 Sep 2014 21:11:59 -0400 Subject: [PATCH 4/5] added policygen --- tools/policygen.md | 139 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 139 insertions(+) create mode 100644 tools/policygen.md diff --git a/tools/policygen.md b/tools/policygen.md new file mode 100644 index 0000000..118353a --- /dev/null +++ b/tools/policygen.md @@ -0,0 +1,139 @@ +# policygen + +Notes +------- +PolicyGen - Analyze and Generate password masks according to a password policy +This tool is part of PACK (Password Analysis and Cracking Kit) + + +Copyright (C) 2013 Peter Kacherginsky + + +Help Text +------- +``` +Usage: policygen [options] + +Type --help for more options + +Options: + --version show program's version number and exit + -h, --help show this help message and exit + --length=8 Password length + -o masks.txt, --output=masks.txt + Save masks to a file + --pps=1000000000 Passwords per Second + -v, --verbose + + Password Policy: + Define the minimum (or maximum) password strength policy that you + would like to test + + --mindigits=1 Minimum number of digits + --minlower=1 Minimum number of lower-case characters + --minupper=1 Minimum number of upper-case characters + --minspecial=1 Minimum number of special characters + --maxdigits=3 Maximum number of digits + --maxlower=3 Maximum number of lower-case characters + --maxupper=3 Maximum number of upper-case characters + --maxspecial=3 Maximum number of special characters + +``` + +Example Usage +------- +From PACK's github: + +``` +PolicyGen +========= + +A lot of the mask and dictionary attacks will fail in the corporate environment with minimum password complexity requirements. Instead of resorting to a pure bruteforcing attack, we can leverage known or guessed password complexity rules to avoid trying password candidates that are not compliant with the policy or inversely only audit for noncompliant passwords. Using PolicyGen, you will be able to generate a collection of masks following the password complexity in order to significantly reduce the cracking time. + +Below is a sample session where we generate all valid password masks for an environment requiring at least one digit, one upper, and one special characters. + + $ python policygen.py --minlength 8 --maxlength 8 --minlower 1 --minupper 1 --mindigit 1 --minspecial 1 -o complexity.hcmask + _ + PolicyGen #.#.# | | + _ __ __ _ ___| | _ + | '_ \ / _` |/ __| |/ / + | |_) | (_| | (__| < + | .__/ \__,_|\___|_|\_\ + | | + |_| iphelix@thesprawl.org + + + [*] Saving generated masks to [complexity.hcmask] + [*] Using 1,000,000,000 keys/sec for calculations. + [*] Password policy: + Pass Lengths: min:8 max:8 + Min strength: l:1 u:1 d:1 s:1 + Max strength: l:None u:None d:None s:None + [*] Generating [compliant] masks. + [*] Generating 8 character password masks. + [*] Total Masks: 65536 Time: 76 days, 18:50:04 + [*] Policy Masks: 40824 Time: 35 days, 0:33:09 + +From the above output you can see that we have generated 40824 masks matching the specified complexity that will take about 35 days to run at the speed of 1,000,000,000 keys/sec. + +In case you are simply performing a password audit and tasked to discover only non-compliant passwords you can specify '--noncompliant' flag to invert generated masks: + + $ python policygen.py --minlength 8 --maxlength 8 --minlower 1 --minupper 1 --mindigit 1 --minspecial 1 -o noncompliant.hcmask -q --noncompliant + [*] Saving generated masks to [noncompliant.hcmask] + [*] Using 1,000,000,000 keys/sec for calculations. + [*] Password policy: + Pass Lengths: min:8 max:8 + Min strength: l:1 u:1 d:1 s:1 + Max strength: l:None u:None d:None s:None + [*] Generating [non-compliant] masks. + [*] Generating 8 character password masks. + [*] Total Masks: 65536 Time: 76 days, 18:50:04 + [*] Policy Masks: 24712 Time: 41 days, 18:16:55 + +Let's see some of the non-compliant masks generated above using the '--showmasks' flag: + + $ python policygen.py --minlength 8 --maxlength 8 --minlower 1 --minupper 1 --mindigit 1 --minspecial 1 -o noncompliant.hcmask -q --noncompliant --showmasks + [*] Saving generated masks to [noncompliant.hcmask] + [*] Using 1,000,000,000 keys/sec for calculations. + [*] Password policy: + Pass Lengths: min:8 max:8 + Min strength: l:1 u:1 d:1 s:1 + Max strength: l:None u:None d:None s:None + [*] Generating [non-compliant] masks. + [*] Generating 8 character password masks. + [ 8] ?d?d?d?d?d?d?d?d [l: 0 u: 0 d: 8 s: 0] [ 0:00:00] + [ 8] ?d?d?d?d?d?d?d?l [l: 1 u: 0 d: 7 s: 0] [ 0:00:00] + [ 8] ?d?d?d?d?d?d?d?u [l: 0 u: 1 d: 7 s: 0] [ 0:00:00] + [ 8] ?d?d?d?d?d?d?d?s [l: 0 u: 0 d: 7 s: 1] [ 0:00:00] + ... + [ 8] ?s?s?s?s?s?s?s?d [l: 0 u: 0 d: 1 s: 7] [ 0:07:06] + [ 8] ?s?s?s?s?s?s?s?l [l: 1 u: 0 d: 0 s: 7] [ 0:18:28] + [ 8] ?s?s?s?s?s?s?s?u [l: 0 u: 1 d: 0 s: 7] [ 0:18:28] + [ 8] ?s?s?s?s?s?s?s?s [l: 0 u: 0 d: 0 s: 8] [ 0:23:26] + [*] Total Masks: 65536 Time: 76 days, 18:50:04 + [*] Policy Masks: 24712 Time: 41 days, 18:16:55 + +As you can see all of the masks have at least one missing password complexity requirement. Interestingly with fewer generated masks it takes longer to attack because of long running masks like '?s?s?s?s?s?s?s?s'. + +Specifying maximum complexity +----------------------------- + +It is also possible to specify maximum password complexity using --maxlower, --maxupper, --maxdigit and --maxspecial flags in order to fine-tune you attack. For example, below is a sample site which enforces password policy but does not allow any special characters: + + $ python policygen.py --minlength 8 --maxlength 8 --minlower 1 --minupper 1 --mindigit 1 --maxspecial 0 -o maxcomplexity.hcmask -q + [*] Saving generated masks to [maxcomplexity.hcmask] + [*] Using 1,000,000,000 keys/sec for calculations. + [*] Password policy: + Pass Lengths: min:8 max:8 + Min strength: l:1 u:1 d:1 s:None + Max strength: l:None u:None d:None s:0 + [*] Generating [compliant] masks. + [*] Generating 8 character password masks. + [*] Total Masks: 65536 Time: 76 days, 18:50:04 + [*] Policy Masks: 5796 Time: 1 day, 20:20:55 + +``` + +Links +------- +* [github](https://github.com/iphelix/pack/blob/master/policygen.py) From 443fdb2c4de50e15def392625063a60cb7adf03e Mon Sep 17 00:00:00 2001 From: Will Pennell Date: Sun, 21 Sep 2014 21:12:20 -0400 Subject: [PATCH 5/5] updated index.md bringing inline with added tools --- password/index.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/password/index.md b/password/index.md index d600b7b..8665e99 100644 --- a/password/index.md +++ b/password/index.md @@ -19,11 +19,11 @@ Offline Attacks * [hash-identifier](../tools/hash-identifier.md) * [john](../tools/john.md) * [lsadump](../tools/lsadump.md) - * [maskgen](../tools/_template.md) + * [maskgen](../tools/maskgen.md) * [oclhashcat](../tools/oclhashcat.md) - * [ophcrack](../tools/_template.md) - * [ophcrack-cli](../tools/_template.md) - * [policygen](../tools/_template.md) + * [ophcrack](../tools/ophcrack.md) + * [ophcrack-cli](../tools/ophcrack-cli.md) + * [policygen](../tools/policygen.md) * [pwdump](../tools/_template.md) * [pyrit](../tools/pyrit.md) * [rainbowcrack](../tools/_template.md)