PACK Package Description
PACK was developed in order to aid in a password cracking competition “Crack Me If You Can” that occurred during Defcon 2010. The goal of this toolkit is to aid in preparation for the “better than bruteforce” password attacks by analyzing common ways that people create passwords. After the analysis stage, the statistical database can be used to generate attack masks for tools such as oclHashcat. NOTE: This tool itself can not crack passwords, but helps other tools crack more passwords faster.
Source: http://thesprawl.org/projects/pack/
PACK Homepage | Kali PACK Repo
- Author: iphelix
- License: GPLv3
Tools included in the pack package
statsgen – Generate dictionary file statistics
root@kali:~# statsgen -h
Usage: statsgen [options] passwords.txt
Type --help for more options
Options:
--version show program's version number and exit
-h, --help show this help message and exit
-o password.masks, --output=password.masks
Save masks and stats to a file
--hiderare Hide statistics covering less than 1% of the sample
-q, --quiet Don't show headers.
Password Filters:
--minlength=8 Minimum password length
--maxlength=8 Maximum password length
--charset=loweralpha,numeric
Password charset filter (comma separated)
--simplemask=stringdigit,allspecial
Password mask filter (comma separated)
Usage: statsgen [options] passwords.txt
Type --help for more options
Options:
--version show program's version number and exit
-h, --help show this help message and exit
-o password.masks, --output=password.masks
Save masks and stats to a file
--hiderare Hide statistics covering less than 1% of the sample
-q, --quiet Don't show headers.
Password Filters:
--minlength=8 Minimum password length
--maxlength=8 Maximum password length
--charset=loweralpha,numeric
Password charset filter (comma separated)
--simplemask=stringdigit,allspecial
Password mask filter (comma separated)
maskgen – Generate hashcat masks
root@kali:~# maskgen -h
Usage: maskgen [options] masksfile.csv
Options:
--version show program's version number and exit
-h, --help show this help message and exit
--minlength=8 Minimum password length
--maxlength=8 Maximum password length
--mintime=MINTIME Minimum time to crack
--maxtime=MAXTIME Maximum time to crack
--complexity=COMPLEXITY
maximum password complexity
--occurence=OCCURENCE
minimum times mask was used
--checkmask=?u?l ?l ?l ?l ?l ?d
check mask coverage
--showmasks Show matching masks
--pps=1000000000 Passwords per Second
Usage: maskgen [options] masksfile.csv
Options:
--version show program's version number and exit
-h, --help show this help message and exit
--minlength=8 Minimum password length
--maxlength=8 Maximum password length
--mintime=MINTIME Minimum time to crack
--maxtime=MAXTIME Maximum time to crack
--complexity=COMPLEXITY
maximum password complexity
--occurence=OCCURENCE
minimum times mask was used
--checkmask=?u?l ?l ?l ?l ?l ?d
check mask coverage
--showmasks Show matching masks
--pps=1000000000 Passwords per Second
policygen – Generate hashcat masks
root@kali:~# policygen -h
Usage: policygen [options]
Type --help for more options
Options:
--version show program's version number and exit
-h, --help show this help message and exit
--length=8 Password length
-o masks.txt, --output=masks.txt
Save masks to a file
--pps=1000000000 Passwords per Second
-v, --verbose
Password Policy:
Define the minimum (or maximum) password strength policy that you
would like to test
--mindigits=1 Minimum number of digits
--minlower=1 Minimum number of lower-case characters
--minupper=1 Minimum number of upper-case characters
--minspecial=1 Minimum number of special characters
--maxdigits=3 Maximum number of digits
--maxlower=3 Maximum number of lower-case characters
--maxupper=3 Maximum number of upper-case characters
--maxspecial=3 Maximum number of special characters
Usage: policygen [options]
Type --help for more options
Options:
--version show program's version number and exit
-h, --help show this help message and exit
--length=8 Password length
-o masks.txt, --output=masks.txt
Save masks to a file
--pps=1000000000 Passwords per Second
-v, --verbose
Password Policy:
Define the minimum (or maximum) password strength policy that you
would like to test
--mindigits=1 Minimum number of digits
--minlower=1 Minimum number of lower-case characters
--minupper=1 Minimum number of upper-case characters
--minspecial=1 Minimum number of special characters
--maxdigits=3 Maximum number of digits
--maxlower=3 Maximum number of lower-case characters
--maxupper=3 Maximum number of upper-case characters
--maxspecial=3 Maximum number of special characters
statsgen Usage Example
Generate statistics for passwords with a length of 10 (–minlength=10 –maxlength=10) contained in the rockyou wordlist (rockyou.txt):
root@kali:~# statsgen --minlength=10 --maxlength=10 rockyou.txt
_
StatsGen 0.0.3 | |
_ __ __ _ ___| | _
| '_ \ / _` |/ __| |/ /
| |_) | (_| | (__| <
| .__/ \__,_|\___|_|\_\
| |
|_| iphelix@thesprawl.org
[*] Analyzing passwords in [rockyou.txt]
[+] Analyzing 14% (2013695/14344391) of passwords
NOTE: Statistics below is relative to the number of analyzed passwords, not total number of passwords
[*] Length:
[+] 10: 100% (2013695)
[*] Character-set:
[+] loweralphanum: 41% (836160)
[+] numeric: 23% (478196)
[+] loweralpha: 20% (416939)
[+] loweralphaspecialnum: 02% (59911)
[+] loweralphaspecial: 02% (55761)
[+] mixedalphanum: 02% (54198)
[+] upperalphanum: 02% (47430)
[+] upperalpha: 00% (19723)
[+] mixedalpha: 00% (15460)
[+] all: 00% (9015)
[+] mixedalphaspecial: 00% (6856)
[+] specialnum: 00% (6685)
[+] upperalphaspecialnum: 00% (3698)
[+] upperalphaspecial: 00% (3459)
[+] special: 00% (204)
[*] Password complexity:
[+] digit: min(0) max(10)
[+] lower: min(0) max(10)
[+] upper: min(0) max(10)
[+] special: min(0) max(10)
[*] Simple Masks:
[+] stringdigit: 37% (750938)
[+] digit: 23% (478196)
[+] string: 22% (452122)
[+] digitstring: 03% (78963)
[+] othermask: 03% (67762)
[+] stringdigitstring: 02% (59783)
[+] stringspecialstring: 01% (33173)
[+] stringspecialdigit: 01% (25293)
[+] stringspecial: 01% (22207)
[+] digitstringdigit: 00% (17290)
[+] stringdigitspecial: 00% (12563)
[+] specialstringspecial: 00% (3463)
[+] digitspecialstring: 00% (2406)
[+] specialstring: 00% (1773)
[+] digitstringspecial: 00% (1621)
[+] specialstringdigit: 00% (1468)
[+] specialdigitstring: 00% (1225)
[+] digitspecialdigit: 00% (1185)
[+] digitspecial: 00% (1183)
[+] specialdigitspecial: 00% (515)
[+] specialdigit: 00% (362)
[+] special: 00% (204)
[*] Advanced Masks:
[+] ?d?d?d?d?d?d?d?d?d?d: 23% (478196)
[+] ?l?l?l?l?l?l?l?l?l?l: 20% (416939)
[+] ?l?l?l?l?l?l?l?l?d?d: 10% (213109)
[+] ?l?l?l?l?l?l?d?d?d?d: 07% (160592)
[+] ?l?l?l?l?l?l?l?l?l?d: 06% (129823)
[+] ?l?l?l?l?l?l?l?d?d?d: 04% (87611)
[+] ?l?l?l?l?d?d?d?d?d?d: 01% (33277)
_
StatsGen 0.0.3 | |
_ __ __ _ ___| | _
| '_ \ / _` |/ __| |/ /
| |_) | (_| | (__| <
| .__/ \__,_|\___|_|\_\
| |
|_| iphelix@thesprawl.org
[*] Analyzing passwords in [rockyou.txt]
[+] Analyzing 14% (2013695/14344391) of passwords
NOTE: Statistics below is relative to the number of analyzed passwords, not total number of passwords
[*] Length:
[+] 10: 100% (2013695)
[*] Character-set:
[+] loweralphanum: 41% (836160)
[+] numeric: 23% (478196)
[+] loweralpha: 20% (416939)
[+] loweralphaspecialnum: 02% (59911)
[+] loweralphaspecial: 02% (55761)
[+] mixedalphanum: 02% (54198)
[+] upperalphanum: 02% (47430)
[+] upperalpha: 00% (19723)
[+] mixedalpha: 00% (15460)
[+] all: 00% (9015)
[+] mixedalphaspecial: 00% (6856)
[+] specialnum: 00% (6685)
[+] upperalphaspecialnum: 00% (3698)
[+] upperalphaspecial: 00% (3459)
[+] special: 00% (204)
[*] Password complexity:
[+] digit: min(0) max(10)
[+] lower: min(0) max(10)
[+] upper: min(0) max(10)
[+] special: min(0) max(10)
[*] Simple Masks:
[+] stringdigit: 37% (750938)
[+] digit: 23% (478196)
[+] string: 22% (452122)
[+] digitstring: 03% (78963)
[+] othermask: 03% (67762)
[+] stringdigitstring: 02% (59783)
[+] stringspecialstring: 01% (33173)
[+] stringspecialdigit: 01% (25293)
[+] stringspecial: 01% (22207)
[+] digitstringdigit: 00% (17290)
[+] stringdigitspecial: 00% (12563)
[+] specialstringspecial: 00% (3463)
[+] digitspecialstring: 00% (2406)
[+] specialstring: 00% (1773)
[+] digitstringspecial: 00% (1621)
[+] specialstringdigit: 00% (1468)
[+] specialdigitstring: 00% (1225)
[+] digitspecialdigit: 00% (1185)
[+] digitspecial: 00% (1183)
[+] specialdigitspecial: 00% (515)
[+] specialdigit: 00% (362)
[+] special: 00% (204)
[*] Advanced Masks:
[+] ?d?d?d?d?d?d?d?d?d?d: 23% (478196)
[+] ?l?l?l?l?l?l?l?l?l?l: 20% (416939)
[+] ?l?l?l?l?l?l?l?l?d?d: 10% (213109)
[+] ?l?l?l?l?l?l?d?d?d?d: 07% (160592)
[+] ?l?l?l?l?l?l?l?l?l?d: 06% (129823)
[+] ?l?l?l?l?l?l?l?d?d?d: 04% (87611)
[+] ?l?l?l?l?d?d?d?d?d?d: 01% (33277)
policygen Usage Example
Generate Hashcat masks with a length of 8 (–length=8) and containing at least 1 uppercase letter (–minupper 1) and at least 1 digit (–mindigit 1), saving the masks to a file (-o complexity.hcmask):
root@kali:~# policygen --length=8 --minupper 1 --mindigit 1 -o complexity.hcmask
[*] Password policy:
[+] Password length: 8
[+] Minimum strength: lower: 0, upper: 1, digits: 1, special: 0
[+] Maximum strength: lower: 8, upper: 8, digits: 8, special: 8
[*] Total Masks: 65536 Runtime: [76d|1834h|110078m|6604680s]
[*] Policy Masks: 52670 Runtime: [40d|977h|58659m|3519568s]
root@kali:~# head complexity.hcmask
?l?l?l?l?l?l?u?d
?l?l?l?l?l?l?d?u
?l?l?l?l?l?u?l?d
?l?l?l?l?l?u?u?d
?l?l?l?l?l?u?d?l
?l?l?l?l?l?u?d?u
?l?l?l?l?l?u?d?d
?l?l?l?l?l?u?d?s
?l?l?l?l?l?u?s?d
?l?l?l?l?l?d?l?u
[*] Password policy:
[+] Password length: 8
[+] Minimum strength: lower: 0, upper: 1, digits: 1, special: 0
[+] Maximum strength: lower: 8, upper: 8, digits: 8, special: 8
[*] Total Masks: 65536 Runtime: [76d|1834h|110078m|6604680s]
[*] Policy Masks: 52670 Runtime: [40d|977h|58659m|3519568s]
root@kali:~# head complexity.hcmask
?l?l?l?l?l?l?u?d
?l?l?l?l?l?l?d?u
?l?l?l?l?l?u?l?d
?l?l?l?l?l?u?u?d
?l?l?l?l?l?u?d?l
?l?l?l?l?l?u?d?u
?l?l?l?l?l?u?d?d
?l?l?l?l?l?u?d?s
?l?l?l?l?l?u?s?d
?l?l?l?l?l?d?l?u