• PACK (Password Analysis and Cracking Kit) was originally developed to aid me in a password cracking competition, Crack Me If You Can, during Defcon 2010.

    During a few practice runs using bruteforce password cracking utilities (e.g. ighashgpu), I was surprised by how predictable user-selected passwords on social network sites were. Further analysis of several leaked password dumps, like RockYou, has yielded many common password selection patterns (e.g. a string of letters followed by one or two digits). There was a need for a tool to automate the analysis of such password dumps to come up with input rules for rule-based password crackers such as oclHashcat. PACK meets this goal by generating a fine-tuned list of password masks that can be used as input for password cracking tools. The Password Analysis and Cracking Kit is also capable of generating several statistical reports based on the lengths, character sets, patterns and masks of the passwords in a provided list.

    While the aforementioned attack works great for a typical website, simple mask analysis is not sufficient for corporate password policies with a minimum password complexity. To speed up attacks against such targets, PACK includes a separate utility that can generate a set of input masks that include only passwords that comply with a provided password complexity policy (e.g. one special, one digit, one upper-case character). Depending on how restrictive your target's password policy is, you can often cut the total cracking runtime in half by using this utility. Alternatively, you can invert the mask generation rules and specifically target non-compliant passwords.

    The tool and complete documentation are available in the Projects section.


    password analysis and cracking kit

    Download PACK-0.0.4.tar.gz
    Size 68.8 KB
    Date August 8th, 2013

    PACK (Password Analysis and Cracking Toolkit) is a collection of utilities developed to aid in the analysis of password lists and to enhance password cracking using password pattern detection. It can be used to reverse word mangling rules, generate source words, optimize password masks, craft policy attacks, etc. for the Hashcat family of tools. The toolkit itself is not able to crack passwords, but is instead designed to make the operation of password crackers more efficient.

    08 aug
    smarter password cracking with pack

    Last week I gave a talk during the Password '13 security conference on various password analysis and pattern detection attacks using the Password Analysis and Cracking Kit. You can download slides for the presentation here.

    The conference itself was an absolute blast with great organization by Per Thorsheim and Jeremi Gosney. The conference gathered a fascinating crowd which spawned hours of great discussions on password security, cryptography, politics and everything in between. However, I especially enjoyed meeting in real life with many members of Team Hashcat.

    Team Hashcat had another great run at the CMIYC during Defcon where we placed 2nd. As always I ended up spending most of the conference in the hotel room or the chill room at Defcon, but that's part of the fun of doing contests. Russia-based team Inside-Pro placed first by scoring more points on harder hashes, молодцы ребята!

    Today, I have finally finished writing documentation for the many changes and adding the final polish to the next release of PACK 0.0.4. There should be noticeable performance bumps for all of the tools in the toolkit, especially Rulegen, which is now finally using multiple CPU cores. You should also try out the completely rewritten 'maskgen', which is now capable of generating highly optimized mask collections for use with the Hashcat suite of tools (see presentation slides above for more details). Enjoy and most importantly have fun with password cracking!

    automatic password rule analysis and generation

    The field of password cracking has evolved by leaps and bounds over the last decade with the introduction of new cracking techniques, more advanced software and significantly faster hardware. One area which I find most fascinating is rule-based cracking. An attacker can develop a set of word mangling rules (e.g. substitute all 'a's with '@'s, upper-case every third letter, etc.) in order to attack non-random passwords which use slightly modified dictionary words. The purpose of this research is to develop an automated method of analyzing a large body of leaked passwords in order to come up with a list of the words and rules frequently used to make up passwords.

    bbs: the documentary

    A historical documentary on the subject of BBSs and the underground culture of the 1980s. The documentary includes more than 200 interviews with some of the most influential figures of the BBS era. It is split up into 8 sections ranging from BBS Artscene and FidoNet to Hacking/Phreaking/Anarchy/Cracking underground.


    All original content on this site is copyright protected and licensed under Creative Commons - Attribution, NonCommercial, ShareAlike 4.0 International.