Fixed length passwords w/ wordlists
#1
Hello!

I have been trying to find this, and I assume there's some elegant way to do it (pre-determined combinator? tmesis?) but here goes

As part of penetration testing I have a list of hashed passwords which are 8 characters long (don't ask) and I have wordlists that are 3-8 characters long. Basically I just want to try all passwords that contain these words.

Ideally I just want to say "given these words, pad with charset 1 (front, back, middle) so that you try all 8 character passwords"

I have setup a series of commands which operate independently, which covers most of what I need, but there has to be a better (and probably more efficient) way to do this?

It should also be mentioned that there's an efficient order - for example, 6?d?d first then 6?1?1 is more efficient than just doing 6?1?1 despite the former being contained in the latter.

rem set options=-a 6 words_3.dict ?d?d?d?d?d
rem set options=-1 ?l?d -a 6 words_4.dict ?1?1?1?1
rem set options=-a 6 words_4.dict ?d?d?d?d
rem set options=-1 ?l?d -a 6 words_5.dict ?1?1?1
rem set options=-a 6 words_5.dict ?d?d?d
rem set options=-a 6 words_6.dict ?d?d
rem set options=-1 ?l?d -a 6 words_6.dict ?1?1
rem set options=-a 6 words_7.dict ?d
rem set options=-1 ?l?d -a 6 words_7.dict ?1
rem set options=-a 7 ?d?d?d?d words_4.dict
rem set options=-a 7 ?d?d?d words_5.dict
rem set options=-a 7 ?d?d words_6.dict
rem set options=-a 7 ?d words_7.dict
rem set options=-1 ?l?d?u -a 6 words_6.dict ?1?1
rem set options=-1 ?l?d?u -a 6 words_7.dict ?1
rem set options=-1 ?l?d?u -a 6 words_5.dict ?1?1?1
Reply
#2
Use princeprocessor, add ?l, ?d and ?u as part of the wordlist, set pw-min 8 and --pw-max 8 and use --elem-cnt-max 4 to workaround the brute-force effect.
Reply