Kali Linux

Cracken : A Fast Password Wordlist Generator, Smartlist Creation And Password Hybrid-Mask Analysis Tool

Cracken is a fast password wordlist generator, Smartlist creation and password hybrid-mask analysis tool written in pure safe Rust (more on talk/). Inspired by great tools like maskprocessor, hashcat, Crunch and  HuggingFace’s tokenizers.

What? Why? Woot??

At DeepSec2021 we presented a new method for analysing passwords as Hybrid-Masks exploiting common substrings in passwords by utilizing NLP tokenizers (more info on talk/).

Our method splits a password into its subwords instead of just a characters mask. HelloWorld123! splitted into ['Hello', 'World', '123!'] as these three subwords are very common in other passwords.

Hybrid Masks & Smartlists

  • Smartlists – Compact & representative subword lists created from passwords by utilizing NLP tokenizers
  • Hybrid-Mask – A representation of a password as a combination of wordlists & characters (e.g. ?w1?w2?l?d)

Analyzing RockYou Passwords with Smartlists & Hybrid-Masks:

Cracken  is used for

  • ✅ Generating Hybrid-Masks very VERY FAST  (see performance section)
  • ✅ Building Smartlists – compact & representative list of subwords from given passwords files (using  HuggingFace’s tokenizers)
  • ✅ Analyzing passwords for their Hybrid-Masks – building statistics for better password candidates (again very fast)

Possible workflows with Cracken

Simple

  1. Generate wordlist candidates from a hybrid mask – e.g. cracken -w rockyou.txt -w 100-most-common.txt '?w1?w2?d?d?d?d?s'
  2. You can pipe the passwords Cracken generates into hashcat, john or your favorite password cracker

Advanced

  1. Create a Smartlist from existing passwords – cracken create
  2. Analyze a passwords list of plaintext passwords – cracken entropy
  3. use most frequent Hybrid-Masks to generate password candidates fast – cracken generate -i hybrid-masks.txt

For more details see Usage section

Getting Started

download (linux only currently): latest release 

for more installation options see installation section

run Cracken:

generate all words of length 8 starting with uppercase followed by 6 lowercase chars and then a digit:

$ cracken -o pwdz.lst ‘?u?l?l?l?l?l?l?d’

generate words from two wordlists with year suffix (1000-2999) <firstname><lastname><year>

$ cracken –wordlist firstnames.txt –wordlist lastnames.lst –charset ’12’ ‘?w1?w2?1?d?d?d’

create a Smartlist of size 50k from subwords extracted from rockyou.txt

$ cracken create -f rockyou.txt -m 50000 –smartlist smart.lst

estimate the entropy of hybrid mask of the password HelloWorld123! using a smartlist

$ cracken entropy -f smart.lst ‘HelloWorld123!’
hybrid-min-split: [“hello”, “world1”, “2”, “3”, “!”]
hybrid-mask: ?w1?w1?d?d?s
hybrid-min-entropy: 42.73
charset-mask: ?l?l?l?l?l?l?l?l?l?l?d?d?d?s
charset-mask-entropy: 61.97

Performance

As of writing this, Cracken is probably the world’s fastest wordlist generator:

Cracken has around 25% increased performance over hashcat’s fast maskprocessor thats written in C.

Cracken can generate around 2 GB/s per core.

more details on benchmarks

Why speed is important? A typical GPU can test billions passwords per second depending on the password hash function. When the wordlist generator produces fewer words per second than the cracking tool can handle – the cracking speed will degrade.

Hybrid-Masks Analysis Performance

Cracken uses A* algorithm to analyze passwords very fast. it can find the minimal Hybrid-Mask of passwords file at rate of ~100k Passwords/sec (cracken entropy -f words1.txt -f words2.txt ... -p pwds.txt)

Installation

install Cracken or compile from source

Download Binary (Linux Only Currently)

download latest release from releases 

Build From Source (All Platforms)

Cracken is written in Rust and needs rustc to get compiled. Cracken should support all Platforms that Rust support.

installation instructions for cargo 

there are two options building from source – installing with cargo from crates.io (preferred) or compiling manually from source.

install from crates.io (preferred)

install with cargo

$ cargo install cracken

build from source

clone Cracken:

$ git clone https://github.com/shmuelamar/cracken

build Cracken:

$ cd cracken
$ cargo build –release

run it:

$ ./target/release/cracken –help

Usage Info

$ cracken –help
Cracken v1.0.0 – a fast password wordlist generator
USAGE:
cracken [SUBCOMMAND]
FLAGS:
-h, –help Prints help information
-V, –version Prints version information
SUBCOMMANDS:
generate (default) – Generates newline separated words according to given mask and wordlist files
create Create a new smartlist from input file(s)
entropy
Computes the estimated entropy of password or password file.
The entropy of a password is the log2(len(keyspace)) of the password.
There are two types of keyspace size estimations:
mask – keyspace of each char (digit=10, lowercase=26…).
hybrid – finding minimal split into subwords and charsets.
For specific subcommand help run: cracken –help
Example Usage:
Generate Subcommand Examples:
all digits from 00000000 to 99999999
cracken ?d?d?d?d?d?d?d?d
all digits from 0 to 99999999
cracken -m 1 ?d?d?d?d?d?d?d?d
words with pwd prefix – pwd0000 to pwd9999
cracken pwd?d?d?d?d
all passwords of length 8 starting with upper then 6 lowers then digit
cracken ?u?l?l?l?l?l?l?d
same as above, write output to pwds.txt instead of stdout
cracken -o pwds.txt ?u?l?l?l?l?l?l?d
custom charset – all hex values
cracken -c 0123456789abcdef ‘?1?1?1?1’
4 custom charsets – the order determines the id of the charset
cracken -c 01 -c ab -c de -c ef ‘?1?2?3?4’
4 lowercase chars with years 2000-2019 suffix
cracken -c 01 ‘?l?l?l?l20?1?d’
starts with firstname from wordlist followed by 4 digits
cracken -w firstnames.txt ‘?w1?d?d?d?d’
starts with firstname from wordlist with lastname from wordlist ending with symbol
cracken -w firstnames.txt -w lastnames.txt -c ‘!@#$’ ‘?w1?w2?1’
repeating wordlists multiple times and combining charsets
cracken -w verbs.txt -w nouns.txt ‘?w1?w2?w1?w2?w2?d?d?d’
Create Smartlists Subcommand Examples:
create smartlist from single file into smart.txt
cracken create -f rockyou.txt –smartlist smart.txt
create smartlist from multiple files with multiple tokenization algorithms
cracken create -t bpe -t unigram -t wordpiece -f rockyou.txt -f passwords.txt -f wikipedia.txt –smartlist smart.txt
create smartlist with minimum subword length of 3 and max numbers-only subwords of size 6
cracken create -f rockyou.txt –min-word-len 3 –numbers-max-size 6 –smartlist smart.txt
Entropy Subcommand Examples:
estimating entropy of a password
cracken entropy –smartlist vocab.txt ‘helloworld123!’
estimating entropy of a passwords file with a charset mask entropy (default is hybrid)
cracken entropy –smartlist vocab.txt -t charset -p passwords.txt
estimating the entropy of a passwords file
cracken entropy –smartlist vocab.txt -p passwords.txt
cracken-v1.0.0 linux-x86_64 compiler: rustc 1.56.1 (59eed8a2a 2021-11-01)
more info at: https://github.com/shmuelamar/cracken

Generate Subcommand Usage Info

$ cracken generate –help
cracken-generate
(default) – Generates newline separated words according to given mask and wordlist files
USAGE:
cracken generate [FLAGS] [OPTIONS] –masks-file
FLAGS:
h, –help
Prints help information
s, –stats
prints the number of words this command will generate and exits
V, –version
Prints version information
OPTIONS:
c, –custom-charset …
custom charset (string of chars). up to 9 custom charsets – ?1 to ?9. use ?1 on the mask for the first charset
i, –masks-file
a file containing masks to generate
x, –maxlen
maximum length of the mask to start from
m, –minlen
minimum length of the mask to start from
-o, –output-file
output file to write the wordlist to, defaults to stdout
-w, –wordlist …
filename containing newline (0xA) separated words. note: currently all wordlists loaded to memory
ARGS:
the wordlist mask to generate.
available masks are:
builtin charsets:
?d – digits: “0123456789”
?l – lowercase: “abcdefghijklmnopqrstuvwxyz”
?u – uppercase: “ABCDEFGHIJKLMNOPQRSTUVWXYZ”
?s – symbols: ” !\”#$%&'()*+,-./:;<=>?@[\]^_`{|}~”
?a – all characters: ?d + ?l + ?u + ?s
?b – all binary values: (0-255)
custom charsets ?1 to ?9:
?1 – first custom charset specified by –charset ‘mychars’
wordlists ?w1 to ?w9:
?w1 – first wordlist specifie
d by –wordlist ‘my-wordlist.txt’

Create Smartlist Subcommand Usage Info

$ cracken create –help
cracken-create
Create a new smartlist from input file(s)
USAGE:
cracken create [FLAGS] [OPTIONS] –file … –smartlist
FLAGS:
-h, –help Prints help information
-q, –quiet disables printing progress bar
-V, –version Prints version information
OPTIONS:
-f, –file … input filename, can be specified multiple times for multiple files
–min-frequency minimum frequency of a word, relevant only for BPE tokenizer
-l, –min-word-len filters words shorter than the specified length
–numbers-max-size filters numbers (all digits) longer than the specified size
-o, –smartlist output smartlist filename
-t, –tokenizer … tokenizer to use, can be specified multiple times.

one of: bpe,unigram,wordpiece [default: bpe] [possible values: bpe, unigram, wordpiece]
-m, –vocab-max-size max vocabulary size

Entropy Subcommand Usage Info

$ cracken entropy –help
cracken-entropy
Computes the estimated entropy of password or password file.
The entropy of a password is the log2(len(keyspace)) of the password.
There are two types of keyspace size estimations:
mask – keyspace of each char (digit=10, lowercase=26…).
hybrid – finding minimal split into subwords and charsets.
USAGE:
cracken entropy [FLAGS] [OPTIONS] –smartlist …
FLAGS:
-h, –help Prints help information
-s, –summary output summary of entropy for password
-V, –version Prints version information
OPTIONS:
-t, –mask-type type of mask to output, one of: charsets(charsets only), hybrid(charsets+wordlists) [possible values: hybrid, charset]
-p, –passwords-file newline separated password file to estimate entropy for
-f, –smartlist … smartlist input file to estimate entropy with, a newline separated text file
ARGS:
password to

R K

Recent Posts

Shadow-rs : Harnessing Rust’s Power For Kernel-Level Security Research

shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…

1 week ago

ExecutePeFromPngViaLNK – Advanced Execution Of Embedded PE Files via PNG And LNK

Extract and execute a PE embedded within a PNG file using an LNK file. The…

2 weeks ago

Red Team Certification – A Comprehensive Guide To Advancing In Cybersecurity Operations

Embark on the journey of becoming a certified Red Team professional with our definitive guide.…

3 weeks ago

CVE-2024-5836 / CVE-2024-6778 : Chromium Sandbox Escape via Extension Exploits

This repository contains proof of concept exploits for CVE-2024-5836 and CVE-2024-6778, which are vulnerabilities within…

3 weeks ago

Rust BOFs – Unlocking New Potentials In Cobalt Strike

This took me like 4 days (+2 days for an update), but I got it…

3 weeks ago

MaLDAPtive – Pioneering LDAP SearchFilter Parsing And Security Framework

MaLDAPtive is a framework for LDAP SearchFilter parsing, obfuscation, deobfuscation and detection. Its foundation is…

3 weeks ago