PACK Package Description

PACK was developed in order to aid in a password cracking competition “Crack Me If You Can” that occurred during Defcon 2010. The goal of this toolkit is to aid in preparation for the “better than bruteforce” password attacks by analyzing common ways that people create passwords. After the analysis stage, the statistical database can be used to generate attack masks for tools such as oclHashcat. NOTE: This tool itself can not crack passwords, but helps other tools crack more passwords faster.

Source: http://thesprawl.org/projects/pack/
PACK Homepage | Kali PACK Repo

  • Author: iphelix
  • License: GPLv3

Tools included in the pack package

statsgen – Generate dictionary file statistics
root@kali:~# statsgen -h
Usage: statsgen [options] passwords.txt

Type --help for more options

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -o password.masks, --output=password.masks
                        Save masks and stats to a file
  --hiderare            Hide statistics covering less than 1% of the sample
  -q, --quiet           Don't show headers.

  Password Filters:
    --minlength=8       Minimum password length
    --maxlength=8       Maximum password length
    --charset=loweralpha,numeric
                        Password charset filter (comma separated)
    --simplemask=stringdigit,allspecial
                        Password mask filter (comma separated)

maskgen – Generate hashcat masks

root@kali:~# maskgen -h
Usage: maskgen [options] masksfile.csv

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  --minlength=8         Minimum password length
  --maxlength=8         Maximum password length
  --mintime=MINTIME     Minimum time to crack
  --maxtime=MAXTIME     Maximum time to crack
  --complexity=COMPLEXITY
                        maximum password complexity
  --occurence=OCCURENCE
                        minimum times mask was used
  --checkmask=?u?l ?l ?l ?l ?l ?d
                        check mask coverage
  --showmasks           Show matching masks
  --pps=1000000000      Passwords per Second

policygen – Generate hashcat masks

root@kali:~# policygen -h
Usage: policygen [options]

Type --help for more options

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  --length=8            Password length
  -o masks.txt, --output=masks.txt
                        Save masks to a file
  --pps=1000000000      Passwords per Second
  -v, --verbose

  Password Policy:
    Define the minimum (or maximum) password strength policy that you
    would like to test

    --mindigits=1       Minimum number of digits
    --minlower=1        Minimum number of lower-case characters
    --minupper=1        Minimum number of upper-case characters
    --minspecial=1      Minimum number of special characters
    --maxdigits=3       Maximum number of digits
    --maxlower=3        Maximum number of lower-case characters
    --maxupper=3        Maximum number of upper-case characters
    --maxspecial=3      Maximum number of special characters

statsgen Usage Example

Generate statistics for passwords with a length of 10 (–minlength=10 –maxlength=10) contained in the rockyou wordlist (rockyou.txt):

root@kali:~# statsgen --minlength=10 --maxlength=10 rockyou.txt
                       _
     StatsGen 0.0.3   | |
      _ __   __ _  ___| | _
     | '_ \ / _` |/ __| |/ /
     | |_) | (_| | (__|   <
     | .__/ \__,_|\___|_|\_\
     | |                    
     |_| iphelix@thesprawl.org


[*] Analyzing passwords in [rockyou.txt]
[+] Analyzing 14% (2013695/14344391) of passwords
    NOTE: Statistics below is relative to the number of analyzed passwords, not total number of passwords

[*] Length:
[+]                        10: 100% (2013695)

[*] Character-set:
[+]             loweralphanum: 41% (836160)
[+]                   numeric: 23% (478196)
[+]                loweralpha: 20% (416939)
[+]      loweralphaspecialnum: 02% (59911)
[+]         loweralphaspecial: 02% (55761)
[+]             mixedalphanum: 02% (54198)
[+]             upperalphanum: 02% (47430)
[+]                upperalpha: 00% (19723)
[+]                mixedalpha: 00% (15460)
[+]                       all: 00% (9015)
[+]         mixedalphaspecial: 00% (6856)
[+]                specialnum: 00% (6685)
[+]      upperalphaspecialnum: 00% (3698)
[+]         upperalphaspecial: 00% (3459)
[+]                   special: 00% (204)

[*] Password complexity:
[+]                     digit: min(0) max(10)
[+]                     lower: min(0) max(10)
[+]                     upper: min(0) max(10)
[+]                   special: min(0) max(10)

[*] Simple Masks:
[+]               stringdigit: 37% (750938)
[+]                     digit: 23% (478196)
[+]                    string: 22% (452122)
[+]               digitstring: 03% (78963)
[+]                 othermask: 03% (67762)
[+]         stringdigitstring: 02% (59783)
[+]       stringspecialstring: 01% (33173)
[+]        stringspecialdigit: 01% (25293)
[+]             stringspecial: 01% (22207)
[+]          digitstringdigit: 00% (17290)
[+]        stringdigitspecial: 00% (12563)
[+]      specialstringspecial: 00% (3463)
[+]        digitspecialstring: 00% (2406)
[+]             specialstring: 00% (1773)
[+]        digitstringspecial: 00% (1621)
[+]        specialstringdigit: 00% (1468)
[+]        specialdigitstring: 00% (1225)
[+]         digitspecialdigit: 00% (1185)
[+]              digitspecial: 00% (1183)
[+]       specialdigitspecial: 00% (515)
[+]              specialdigit: 00% (362)
[+]                   special: 00% (204)

[*] Advanced Masks:
[+]      ?d?d?d?d?d?d?d?d?d?d: 23% (478196)
[+]      ?l?l?l?l?l?l?l?l?l?l: 20% (416939)
[+]      ?l?l?l?l?l?l?l?l?d?d: 10% (213109)
[+]      ?l?l?l?l?l?l?d?d?d?d: 07% (160592)
[+]      ?l?l?l?l?l?l?l?l?l?d: 06% (129823)
[+]      ?l?l?l?l?l?l?l?d?d?d: 04% (87611)
[+]      ?l?l?l?l?d?d?d?d?d?d: 01% (33277)

policygen Usage Example

Generate Hashcat masks with a length of 8 (–length=8) and containing at least 1 uppercase letter (–minupper 1) and at least 1 digit (–mindigit 1), saving the masks to a file (-o complexity.hcmask):

root@kali:~# policygen --length=8 --minupper 1 --mindigit 1 -o complexity.hcmask
[*] Password policy:
[+] Password length: 8
[+] Minimum strength: lower: 0, upper: 1, digits: 1, special: 0
[+] Maximum strength: lower: 8, upper: 8, digits: 8, special: 8
[*] Total Masks:  65536 Runtime: [76d|1834h|110078m|6604680s]
[*] Policy Masks: 52670 Runtime: [40d|977h|58659m|3519568s]
root@kali:~# head complexity.hcmask
?l?l?l?l?l?l?u?d
?l?l?l?l?l?l?d?u
?l?l?l?l?l?u?l?d
?l?l?l?l?l?u?u?d
?l?l?l?l?l?u?d?l
?l?l?l?l?l?u?d?u
?l?l?l?l?l?u?d?d
?l?l?l?l?l?u?d?s
?l?l?l?l?l?u?s?d
?l?l?l?l?l?d?l?u
Menu