Cracken is a fast password wordlist generator, Smartlist creation and password hybrid-mask analysis tool written in pure safe Rust (more on talk/). Inspired by great tools like maskprocessor, hashcat, Crunch and
What? Why? Woot??
At DeepSec2021 we presented a new method for analysing passwords as Hybrid-Masks, exploiting common substrings in passwords by using NLP tokenizers (more info on talk/).
Our method splits a password into its subwords instead of just a characters mask. HelloWorld123! is split into ['Hello', 'World', '123!'], as these 3 subwords are fairly common in a lot of passwords.
Hybrid Masks & Smartlists
Smartlists – Compact & representative subword lists created from passwords by using NLP tokenizers
Hybrid-Mask – A representation of a password as a combination of wordlists & characters (e.g. ?w1?w2?l?d)
Examining RockYou Passwords with Smartlists & Hybrid-Masks:
full table here
Cracken is used for:
Possible workflows with Cracken:
Simple:
- Generate wordlist candidates from a hybrid mask, e.g. cracken -w rockyou.txt -w 100-most-common.txt '?w1?w2?d?d?d?d?s'
- You can pipe the passwords Cracken generates into hashcat, john or your favorite password cracker
Advanced:
- Create a Smartlist from existing passwords: cracken create
- Analyze a list of plaintext passwords: cracken entropy
- Use the most frequent Hybrid-Masks to generate password candidates fast: cracken generate -i hybrid-masks.txt
For more details see the Usage section
Getting Started
download (linux only currently): latest release
for more installation options see the installation section
run Cracken:
generate all words of length 8 starting with uppercase followed by 6 lowercase chars and then a digit:
$ cracken -o pwdz.lst '?u?l?l?l?l?l?l?d'
generate words from two wordlists with year suffix (1000-2999) <firstname><lastname><year>
$ cracken --wordlist firstnames.txt --wordlist lastnames.lst --charset '12' '?w1?w2?1?d?d?d'
create a Smartlist of size 50k from subwords extracted from rockyou.txt
$ cracken create -f rockyou.txt -m 50000 --smartlist smart.lst
estimate the entropy of the hybrid mask of the password HelloWorld123! using a smartlist
$ cracken entropy -f smart.lst 'HelloWorld123!'
hybrid-min-split: ["hello", "world1", "2", "3", "!"]
hybrid-mask: ?w1?w1?d?d?s
hybrid-min-entropy: 42.73
--
charset-mask: ?l?l?l?l?l?l?l?l?l?l?d?d?d?s
charset-mask-entropy: 61.97
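The two estimates in the output above can be reproduced by hand for password-strength review. The following is an added example, not Cracken's own code: it uses plain dynamic programming instead of A*, a constructed four-word smartlist, and it assumes a 32-symbol ?s charset because that value reproduces the 61.97 bits shown above. The input is already lowercased, as in the tool's output.

```rust
// Added example: charset-mask vs. hybrid-mask entropy, log2(keyspace) in both cases.
// Assumption: ?s has 32 symbols (reproduces the page's 61.97); non-ASCII counts as ?s.
fn charset_token(c: char) -> (&'static str, f64) {
    match c {
        'a'..='z' => ("?l", 26.0),
        'A'..='Z' => ("?u", 26.0),
        '0'..='9' => ("?d", 10.0),
        _ => ("?s", 32.0),
    }
}

/// "mask" estimation: sum of log2(charset size) over every character.
fn charset_entropy(pw: &str) -> f64 {
    pw.chars().map(|c| charset_token(c).1.log2()).sum()
}

/// "hybrid" estimation: cheapest split into smartlist words and single characters.
/// A word costs log2(smartlist size); solved with dynamic programming over byte offsets.
fn hybrid_min(pw: &str, smartlist: &[&str]) -> (String, f64) {
    let word_bits = (smartlist.len() as f64).log2();
    let n = pw.len();
    let mut best: Vec<(String, f64)> = vec![(String::new(), f64::INFINITY); n + 1];
    best[0].1 = 0.0;
    for i in 0..n {
        if !pw.is_char_boundary(i) || best[i].1.is_infinite() { continue; }
        let (mask, bits) = best[i].clone();
        let c = pw[i..].chars().next().unwrap();
        let (tok, size) = charset_token(c);
        let mut steps = vec![(i + c.len_utf8(), tok, size.log2())];
        for w in smartlist.iter().filter(|w| !w.is_empty() && pw[i..].starts_with(**w)) {
            steps.push((i + w.len(), "?w1", word_bits));
        }
        for (j, tok, cost) in steps {
            if bits + cost < best[j].1 {
                best[j] = (format!("{mask}{tok}"), bits + cost);
            }
        }
    }
    best[n].clone()
}

fn main() {
    let smartlist = ["hello", "world", "world1", "pass"]; // constructed sample list
    let pw = "helloworld123!";
    let (mask, bits) = hybrid_min(pw, &smartlist);
    println!("hybrid-mask: {mask}  hybrid-min-entropy: {bits:.2}");
    println!("charset-mask-entropy: {:.2}", charset_entropy(pw));
}
```

With this tiny list a word costs only 2 bits, so the hybrid figure is far below the page's 42.73, but the chosen split has the same shape: "world1" is taken as one word because that is cheaper than "world" plus a digit.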
Performance
As of writing this, Cracken is probably the world's fastest wordlist generator:
Cracken has around 25% higher performance than hashcat's fast maskprocessor, which is written in C.
Cracken can generate around 2 GB/s per core.
more details on benchmarks/
Why is speed important? A typical GPU can test billions of passwords per second depending on the password hash function. When the wordlist generator produces fewer words per second than the cracking tool can handle, the cracking speed will degrade.
Hybrid-Masks Analysis Performance
Cracken uses the A* algorithm to analyze passwords very fast. It can find the minimal Hybrid-Mask of a passwords file at a rate of ~100k passwords/sec (cracken entropy -f words1.txt -f words2.txt ... -p pwds.txt)
Installation
install Cracken or compile from source
Download Binary (Linux Only Currently)
download latest release from releases
Build From Source (All Platforms)
Cracken is written in Rust and needs rustc to get compiled. Cracken should support all platforms that Rust supports.
installation instructions for cargo
there are two options for building from source: installing with cargo from crates.io (preferred) or compiling manually from source.
1. install from crates.io (preferred)
install with cargo:
2. build from source
clone Cracken:
$ git clone https://github.com/shmuelamar/cracken
build Cracken:
$ cd cracken
$ cargo build --release
run it:
$ ./target/release/cracken --help
Usage Info
$ cracken --help
Cracken v1.0.0 - a fast password wordlist generator
USAGE:
cracken [SUBCOMMAND]
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
SUBCOMMANDS:
generate (default) - Generates newline separated words according to given mask and wordlist files
create Create a new smartlist from input file(s)
entropy
Computes the estimated entropy of password or password file.
The entropy of a password is the log2(len(keyspace)) of the password.
There are two types of keyspace size estimations:
* mask - keyspace of each char (digit=10, lowercase=26...).
* hybrid - finding minimal split into subwords and charsets.
For specific subcommand help run: cracken <subcommand> --help
Example Usage:
## Generate Subcommand Examples:
# all digits from 00000000 to 99999999
cracken ?d?d?d?d?d?d?d?d
# all digits from 0 to 99999999
cracken -m 1 ?d?d?d?d?d?d?d?d
# words with pwd prefix - pwd0000 to pwd9999
cracken pwd?d?d?d?d
# all passwords of length 8 starting with upper then 6 lowers then digit
cracken ?u?l?l?l?l?l?l?d
# same as above, write output to pwds.txt instead of stdout
cracken -o pwds.txt ?u?l?l?l?l?l?l?d
# custom charset - all hex values
cracken -c 0123456789abcdef '?1?1?1?1'
# 4 custom charsets - the order determines the identity of the charset
cracken -c 01 -c ab -c de -c ef '?1?2?3?4'
# 4 lowercase chars with years 2000-2019 suffix
cracken -c 01 '?l?l?l?l20?1?d'
# starts with firstname from wordlist followed by 4 digits
cracken -w firstnames.txt '?w1?d?d?d?d'
# starts with firstname from wordlist with lastname from wordlist ending with symbol
cracken -w firstnames.txt -w lastnames.txt -c '!@#$' '?w1?w2?1'
# repeating wordlists multiple times and combining charsets
cracken -w verbs.txt -w nouns.txt '?w1?w2?w1?w2?w2?d?d?d'
## Create Smartlists Subcommand Examples:
# create smartlist from single file into smart.txt
cracken create -f rockyou.txt --smartlist smart.txt
# create smartlist from multiple files with multiple tokenization algorithms
cracken create -t bpe -t unigram -t wordpiece -f rockyou.txt -f passwords.txt -f wikipedia.txt --smartlist smart.txt
# create smartlist with minimum subword length of 3 and max numbers-only subwords of size 6
cracken create -f rockyou.txt --min-word-len 3 --numbers-max-size 6 --smartlist smart.txt
## Entropy Subcommand Examples:
# estimating entropy of a password
cracken entropy --smartlist vocab.txt 'helloworld123!'
# estimating entropy of a passwords file with a charset mask entropy (default is hybrid)
cracken entropy --smartlist vocab.txt -t charset -p passwords.txt
# estimating the entropy of a passwords file
cracken entropy --smartlist vocab.txt -p passwords.txt
cracken-v1.0.0 linux-x86_64 compiler: rustc 1.56.1 (59eed8a2a 2021-11-01)
more info at: https://github.com/shmuelamar/cracken
Generate Subcommand Usage Info
$ cracken generate --help
cracken-generate
(default) - Generates newline separated words according to given mask and wordlist files
USAGE:
cracken generate [FLAGS] [OPTIONS] <mask> --masks-file <masks-file>
FLAGS:
-h, --help
Prints help information
-s, --stats
prints the number of words this command will generate and exits
-V, --version
Prints version information
OPTIONS:
-c, --custom-charset <custom-charset>...
custom charset (string of chars). up to 9 custom charsets - ?1 to ?9. use ?1 on the mask for the first charset
-i, --masks-file <masks-file>
a file containing masks to generate
-x, --maxlen <max-length>
maximum length of the mask to start from
-m, --minlen <min-length>
minimum length of the mask to start from
-o, --output-file <output-file>
output file to write the wordlist to, defaults to stdout
-w, --wordlist <wordlist>...
filename containing newline (0xA) separated words. note: currently all wordlists loaded to memory
ARGS:
<mask>
the wordlist mask to generate.
available masks are:
builtin charsets:
?d - digits: "0123456789"
?l - lowercase: "abcdefghijklmnopqrstuvwxyz"
?u - uppercase: "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
?s - symbols: " !"#$%&'()*+,-./:;<=>?@[]^_`~"
?a - all characters: ?d + ?l + ?u + ?s
?b - all binary values: (0-255)
custom charsets ?1 to ?9:
?1 - first custom charset specified by --charset 'mychars'
wordlists ?w1 to ?w9:
?w1 - first wordlist specified by --wordlist 'my-wordlist.txt'
Create Smartlist Subcommand Usage Info
$ cracken create --help
cracken-create
Create a new smartlist from input file(s)
USAGE:
cracken create [FLAGS] [OPTIONS] --file <file>... --smartlist <smartlist>
FLAGS:
-h, --help Prints help information
-q, --quiet disables printing progress bar
-V, --version Prints version information
OPTIONS:
-f, --file <file>... input filename, can be specified multiple times for multiple files
--min-frequency <min_frequency> minimum frequency of a word, relevant only for BPE tokenizer
-l, --min-word-len <min_word_len> filters words shorter than the specified length
--numbers-max-size <numbers_max_size> filters numbers (all digits) longer than the specified size
-o, --smartlist <smartlist> output smartlist filename
-t, --tokenizer <tokenizer>... tokenizer to use, can be specified multiple times.
one of: bpe,unigram,wordpiece [default: bpe] [possible values: bpe, unigram, wordpiece]
-m, --vocab-max-size <vocab_max_size> max vocabulary size
Entropy Subcommand Usage Info
$ cracken entropy --help
cracken-entropy
Computes the estimated entropy of password or password file.
The entropy of a password is the log2(len(keyspace)) of the password.
There are two types of keyspace size estimations:
* mask - keyspace of each char (digit=10, lowercase=26...).
* hybrid - finding minimal split into subwords and charsets.
USAGE:
cracken entropy [FLAGS] [OPTIONS] <password> --smartlist <smartlist>...
FLAGS:
-h, --help Prints help information
-s, --summary output summary of entropy for password
-V, --version Prints version information
OPTIONS:
-t, --mask-type <mask_type> type of mask to output, one of: charsets(charsets only), hybrid(charsets+wordlists) [possible values: hybrid, charset]
-p, --passwords-file <passwords-file> newline separated password file to estimate entropy for
-f, --smartlist <smartlist>... smartlist input file to estimate entropy with, a newline separated text file
ARGS:
<password> password to
License
Cracken is licensed under MIT. THIS PROJECT MUST BE USED FOR LEGAL PURPOSES ONLY
Contributing
Cracken is under active development. If you wish to help, below is the partial roadmap for this project. Feel free to submit PRs and open issues.