Sunday, October 15, 2017

Password wordlist generation with CRUNCH


- Layout for this exercise:

1 - Introduction

- A dictionary attack is based on trying all the strings in a pre-arranged list, typically derived from a wordlist such as in a dictionary.

- A password dictionary file or password wordlist is a text file containing a large number of potential passwords. 

- Password wordlists are used in combination with cracking tools that accept those password files and attempt to authenticate a service. 

- Linux includes by default a great number of wordlist files:

- However, an attacker could be interested in generating his own password wordlist based on different criteria like predefined character sets, number or characters, formats and patterns, ...

Key-space brute force is a technique to generate all possible combinations of characters and using them for password cracking. 

- For that purpose, crunch is a password wordlist generator that can be used for password dictionary attacks.

- Manual for crunch:

2 - Min-len, max-len and charset string

- In this first example crunch will generate a wordlist based on the following criteria:

i) minimum length = 3 characters
ii) maximun length = 4 characters
ii) charset = x9 (just two characters)

- The total number of strings is VR(2,3) + VR(2,4) = 2^3 + 2^4 = 24

- Output for crunch1.txt contains 24 lines, as expected:

3 - Increasing password complexity

- In comparison with the previous example, where the number of generated strings was small and easy to be cracked, let's create now a more complex wordlist.

- In this case the wordlist generator criteria is:

i) minimum length = 8 characters
ii) maximun length = 8 characters
ii) charset = 0123456789aeiouAEIOU (20 characters)

- The number of lines generated is huge VR(20,8) = 20^8 = 25600000000

- Let's notice that 214 GB of data is huge, making the task of brute forcing attack really difficult.

- The lesson is that the more complex to be the password, the less easy an attack to be successful.

4 - Using predefined charset lists

- Crunch allows to use a great number of predefined charsets. Some of them:

- For instance, let's take the symbols14 charset:

- Taking a minimum of 2 and a maximum of 4 characters, the number of generated strings is:

VR(14,2) + VR(14,3) VR(14,4) =  14^2 + 14^3 + 14^4 = 41356

5 - Specifying a password pattern

- The crunch option -t allows to specify a password pattern with lower and upper case characters, numbers and symbols:

- For instance, taking 8 characters in total, 2 of them for each of these groups:

,     ->  26 upper case characters: ABCDEFGHIJKLMNOPQRSTUVWXYZ
@  ->  26 lower case alpha characters: abcdefghijklmnopqrstuvwxyz
%   -> 10 numeric characters: 0123456789
^     -> 33 special characters: `~!@#$%^&*()-_=+[]\{}|;':",./<>?

- An instance of this pattern would be ABab01@#

 The total number of generated strings is:

VR(26,2) + VR(26,2) VR(33,2) VR(10,2) =  26^2 + 26^2 + 33^2 + 10^2 = 49764686400 

- Some lines of the output illustrate the specified pattern:

6 - Combining  words to generate a password

- The crunch option -p allows to combine (without repetition) different words into a single password:

- For instance, combining the 3 words hello bye 123 generates 3! = 6 lines. Let's notice that to include two numbers (any) into the command (1 1) is necessary, though they are ignored: