Password list maker in progress
#1
Hello everyone,

Sometimes I've just wanted something simple do dump a list of common alterations to words to get a new password list.  For example if I have a list of 100 common words, I wanted to add 1, 123, ! and other things to the end, generate some 1337-speak, capitalize the first letter, uppercase everything, then add everything to the end of the all-caps words, etc.

So here is a little script I've been working on.

C:\wordlists> python passtransform.py --wordlist pass.lst --outfile pass2.lst --sort

If I had "password" in the pass.lst, it would generate the following variations while keeping the original:

P@SSWORD
P@SSWORD!
P@SSWORD1
P@SSWORD123
P@SSWORD1234
P@ssword
P@ssword!
P@ssword1
P@ssword123
P@ssword1234
PASSWORD
PASSWORD!
PASSWORD1
PASSWORD123
PASSWORD1234
Password
Password!
Password1
Password123
Password1234
p@ssword
p@ssword!
p@ssword1
p@ssword123
p@ssword1234
password
password!
password1
password123
password1234


It's still a work in progress, and I haven't yet added $ to the end, little things like that, but easily done.

If you find it useful I'll put it on github and I'll take requests to add features/transformations, new command line switches for things, inserting into a database (MySQL or Postgres) etc. (Why? But I've heard of that).  Adding exclude rules.  Or whatever.

Remember with big password lists it generates word + 29 extras, so a wordlist with 10 words ends up with 370 words.  In its current state... means multiply the number of words by 37.  A password list with 1000 words ends up with 37,000 words, for example.

This is strictly for word lists, and I'm thinking it could also be used with maskprocessor.

Thanks,
James


Attached Files
.txt   passtransform.txt (Size: 4.06 KB / Downloads: 4)
#2
Is there any advantage of this over the probably much faster internal rule engine?
#3
I doubt it. It's probably just something for newbies like me who don't know much about using the internal rule engine, or to use it in combination with the rule engine.

Suppose you want a password file transformed and kept around to use, then you have some extra rules to try out. Then you could have run the script earlier and saved the password file, then played around with some extra rules on top of that.

I don't know. It's probably useless, unless there's some limitation the script could get around. I just wanted to do much the same thing before I learnt about the rule engine and keep the password list hanging around.
#4
Hey,
That's a good thing to test out things on your own, that's how I enhanced my skills.
As undeath mentionned, you can use the internal rules to generate custom world list with stdout, something simple like :
Code:
hashcat -a 0 old_passlist --stdout --outfile you_custom_passlist -r leet.rule -r append123.rule

Off-topic : If you want to learn a lot, try to solve the CMYIC 2017 challenge. I've just finished it last week and it helped me tremendously : https://contest-2017.korelogic.com/