Hack Whack and Smack

Password Generator – L337’r

Password Generation Tool

For most organisations one of the most prevalent security concerns remains users selection of secure passwords. Even when restricted through a reasonable password policy, users seem to continue to select passwords with some relevance to the geography of the area, the name of the business or popular sporting/hobbyist interests specific to the region.

How

Mutation through substitution is a common password generation technique. This is the process of maintaining a word of relevance but increasing the entropy by substituting letters for numbers or special characters. An example of this would be taking the word ‘password’ and through common substation routines, transitioning the word to be ‘Pa55w0rd’. This is something that is far to commonly seen during engagements, the other interesting factor is that the mutated version of the password meets Microsoft’s complexity guidelines as it details 3 of the 4 main changes a password should include (uppercase, lowercase, number and special character).

Microsoft Guidelines – https://technet.microsoft.com/en-gb/library/cc786468%28v=ws.10%29.aspx

The Tool

In combination with a number of scenarios encountered during engagements, we have created a tool that generates a mutated password list from one word. The idea behind the tool was to keep the code simplistic to allow easy on site modifications as further details about the company password policy become clear.

The tool has three main workflows:

Substitution Through Miniature Dictionary (limited substitution) –mini

The Miniature dictionary includes a subset of the maximum dictionary and focuses on swapping only common numbers and symbols. While also flipping the first character between uppercase and lowercase. This is specific to the way most users select passwords, utilising a uppercase character as the first letter in their password.

Substitution Through Maximum Dictionary (increased substitution) –maxi

The Maximum dictionary includes swapping all characters between uppercase and lowercase and swaps letters for common numbers and symbols.

Replace functionality (limited to special characters) –replace

The replace functionality is also looped into the two other dictionary functions but is a function in its own right. The replace functionality was specific to a recent engagement where a password was pulled from memory but had a special character that was of an unknown character set. The password included a square character that was unusable. Crunch was initially used to create a wordlist that took the main word and applied substitution of all common special characters in place of the square. Therefore it was obvious from that point that the replace functionality should make it into this tool.

Additional sub mutation routines

–range – The range option is used to add numbers (of a range) to the end of each password.

–suffix – The suffix option is used to append a suffix to the end of each password. This is common in organisations that utilise either dates or suffixes within passwords.

It was noted on a previous engagements that a service account password would always end with ‘_svc’.

–order – The order option allows the specification of an order of application for the three additional functions (–range, –replace and –suffix). Therefore you can specify a password that replaces a end character with all special characters, then includes a range of 0-10 and finally adds a suffix. The default order of the order option is dictionary, replace, range and suffix (drns).

 

While this is not the first tool that provides mutation capability, the idea was that it is easy to use, flexible and open to on the fly changes as required. We like to think of it as the square wheel of password generation tools – so without further ado, a basic demo:

We even created a help page:

leetme - help

The following example shows a limited output of what you can expect the tool to generate:

python leetme.py –mini –range 3 password

 

leetme - example

The script can be downloaded on from the tools page TOOLS

Also a wee shout out to modulo who helped write the script.