
As part of pentesting NT hashes where the underlying passwords are minimum 16 characters of length, I have created a wordlist of common words, sports teams, movies, names, years etc. - inspired by the approach in this paper https://nakedsecurity.sophos.com/2012/03/19/multi-word-passphrases/

Now I need to combine all the single words in the wordlist (the list as of now consists of approx 8k words) to create passphrases that are minimum 16 characters of length. Do you have any tips on how to do that, or do you know of a script? Perhaps one that generates various combinations and discards all that are less than 16 characters?

Also are there any other aspects I should be aware of?

Thank you in advance!

Dino
  • Software recommendations are off topic, I'm afraid. You could certainly do it with a naive script, which just generates all possible combinations, and discards any which are less than 16 chars long, although I'm sure it would be possible to optimise this. – Matthew Aug 29 '18 at 13:30
  • Hi Matthew. Thank you for making me aware of software recommendations being off topic. I have edited the question and hope that it's on topic now :) – Dino Aug 29 '18 at 13:46
  • The question still asks for a script, and the "method" part is more of a programming question than a security question. – schroeder Sep 21 '19 at 07:03

2 Answers

1

You could probably use hashcat to combine the wordlists. I think the mode was called the combinator_attack. However, this will also generate passwords with fewer than 16 chars, but it works very well concurrently.

You could also print out the combined wordlist with hashcat and then write a script which deletes all passwords with fewer than 16 chars, but I'm not sure if you want to have the full wordlist even saved on your hard disk, as it will probably be a very big file.
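A sketch of the filtering script discussed in the question and comments, added here as an example and not taken from either answer. It first counts how many candidates of at least 16 characters a wordlist yields (from word lengths alone, without generating anything), then streams them lazily with pruning. The function names and the sample words are constructed for illustration.

```python
from collections import Counter

MIN_LEN = 16  # minimum passphrase length stated in the question

# Constructed sample words; a real run would read the ~8k-word list from a file.
SAMPLE_WORDS = ["cat", "dog", "bird", "cow", "manchester", "september"]


def count_candidates(words, n_words, min_len=MIN_LEN):
    """Return (count, size) of n-word candidates with length >= min_len.

    Works on the histogram of word lengths, so nothing is generated. size is
    the output size in characters, including one newline per candidate.
    """
    lengths = Counter(len(w) for w in words)
    dist = Counter({0: 1})  # total length -> number of combinations
    for _ in range(n_words):
        step = Counter()
        for total, ways in dist.items():
            for length, n in lengths.items():
                step[total + length] += ways * n
        dist = step
    kept = {t: c for t, c in dist.items() if t >= min_len}
    return sum(kept.values()), sum(c * (t + 1) for t, c in kept.items())


def passphrases(words, n_words, min_len=MIN_LEN):
    """Lazily yield ordered n-word concatenations (repeats allowed) >= min_len."""
    longest = max(len(w) for w in words)

    def extend(prefix, remaining):
        for w in words:
            candidate = prefix + w
            # Prune: even the longest words cannot reach min_len from here.
            if len(candidate) + (remaining - 1) * longest < min_len:
                continue
            if remaining == 1:
                yield candidate
            else:
                yield from extend(candidate, remaining - 1)

    return extend("", n_words)


if __name__ == "__main__":
    for n in (2, 3):
        count, size = count_candidates(SAMPLE_WORDS, n)
        print(f"{n} words: {count} candidates, {size} characters of output")
    for candidate in passphrases(SAMPLE_WORDS, 2):
        print(candidate)
```

Because the generator is lazy, candidates can be streamed to a consumer instead of being written to disk, and the count gives the output size before anything is generated.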

0

John the Ripper also does something like this, but it's a bit of a pain to set up.

http://www.openwall.com/lists/john-users/2008/10/17/2

Wordlist rules are only usable for this when your list of words is very short - or, if you have different lists for different "word positions", when all but one list are very short (it is OK for one of these lists to be long - you'd place that one in your wordlist file).

catdog dogcat catbird birdcat catcow

...and so on for two-word combinations. For that, you'll need to place your "first" words into a wordlist file, one per line:

    cat
    dog
    bird
    cow

and you need to create wordlist rules out of your "second" words, using the "append character" command:

    [List.Rules:Wordlist]
    $c$a$t
    $d$o$g
    $b$i$r$d
    $c$o$w

Then running JtR produces:

    $ john -w=w --rules --stdout
    catcat
    dogcat
    birdcat
    cowcat
    catdog
    dogdog
    ...
    cowcow
    words: 16 time: 0:00:00:00 100% w/s: 1600 current: cowcow

catdogbird catbirddog dogcatbirdcow cowbirddogcat etc

For three-word combinations, you may have JtR apply the rules for a second time:

    $ john -w=w --rules --stdout > w2
    words: 16 time: 0:00:00:00 100% w/s: 1600 current: cowcow
    $ john -w=w2 --rules --stdout
    catcatcat
    dogcatcat
    birdcatcat
    cowcatcat
    catdogcat
    ...
    birdcowcow
    cowcowcow
    words: 64 time: 0:00:00:00 100% w/s: 6400 current: cowcowcow

Of course, in practice your final invocation of "john" won't use the "--stdout" option, but it will instead include the filename for your file with the password hash. I am using "--stdout" in these examples to show what candidate "passwords" would be tried.

Ivan