PACK Introduction

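PACK (Password Analysis and Cracking Kit) was developed to help in the "Crack Me If You Can" password cracking competition held during Defcon 2010. The goal of the toolkit is to help prepare "better than brute force" password attacks by analyzing the common ways in which people create passwords. After the analysis stage, the statistical database can be used to generate attack masks for tools such as oclHashcat. Note: the tool itself cannot crack passwords; it helps other tools crack more passwords faster.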

Source: http://thesprawl.org/projects/pack/
PACK homepage
PACK source code repository

Tools included in PACK

statsgen - generate statistics for a dictionary file

root@kali:~# statsgen -h
Usage: statsgen [options] passwords.txt

Type --help for more options

Options:
    --version           show program's version number and exit
    -h, --help          show this help message and exit
    -o password.masks, --output=password.masks
                        Save masks and stats to a file
    --hiderare          Hide statistics covering less than 1% of the sample
    -q, --quiet         Don't show headers.

Password Filters:
    --minlength=8       Minimum password length
    --maxlength=8       Maximum password length
    --charset=loweralpha,numeric
                        Password charset filter (comma separated)
    --simplemask=stringdigit,allspecial
                        Password mask filter (comma separated)

maskgen - generate Hashcat masks

:~# maskgen -h
Usage: maskgen [options] masksfile.csv

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  --minlength=8         Minimum password length
  --maxlength=8         Maximum password length
  --mintime=MINTIME     Minimum time to crack
  --maxtime=MAXTIME     Maximum time to crack
  --complexity=COMPLEXITY
                        maximum password complexity
  --occurence=OCCURENCE
                        minimum times mask was used
  --checkmask=?u?l ?l ?l ?l ?l ?d
                        check mask coverage
  --showmasks           Show matching masks
  --pps=1000000000      Passwords per Second

policygen - generate Hashcat masks

:~# policygen -h
Usage: policygen [options]

Type --help for more options

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  --length=8            Password length
  -o masks.txt, --output=masks.txt
                        Save masks to a file
  --pps=1000000000      Passwords per Second
  -v, --verbose

  Password Policy:
    Define the minimum (or maximum) password strength policy that you
    would like to test

    --mindigits=1       Minimum number of digits
    --minlower=1        Minimum number of lower-case characters
    --minupper=1        Minimum number of upper-case characters
    --minspecial=1      Minimum number of special characters
    --maxdigits=3       Maximum number of digits
    --maxlower=3        Maximum number of lower-case characters
    --maxupper=3        Maximum number of upper-case characters
    --maxspecial=3      Maximum number of special characters

statsgen usage example

Generate statistics for the passwords of length 10 (--minlength=10 --maxlength=10) contained in the RockYou wordlist (rockyou.txt):

root@kali:~# statsgen --minlength=10 --maxlength=10 rockyou.txt
                       _
     StatsGen 0.0.3   | |
      _ __   __ _  ___| | _
     | '_ \ / _` |/ __| |/ /
     | |_) | (_| | (__|   <
     | .__/ \__,_|\___|_|\_\
     | |                    
     |_| iphelix@thesprawl.org

[*] Analyzing passwords in [rockyou.txt]
[+] Analyzing 14% (2013695/14344391) of passwords
    NOTE: Statistics below is relative to the number of analyzed passwords, not total number of passwords

[*] Length:
[+]                        10: 100% (2013695)

[*] Character-set:
[+]             loweralphanum: 41% (836160)
[+]                   numeric: 23% (478196)
[+]                loweralpha: 20% (416939)
[+]      loweralphaspecialnum: 02% (59911)
[+]         loweralphaspecial: 02% (55761)
[+]             mixedalphanum: 02% (54198)
[+]             upperalphanum: 02% (47430)
[+]                upperalpha: 00% (19723)
[+]                mixedalpha: 00% (15460)
[+]                       all: 00% (9015)
[+]         mixedalphaspecial: 00% (6856)
[+]                specialnum: 00% (6685)
[+]      upperalphaspecialnum: 00% (3698)
[+]         upperalphaspecial: 00% (3459)
[+]                   special: 00% (204)

[*] Password complexity:
[+]                     digit: min(0) max(10)
[+]                     lower: min(0) max(10)
[+]                     upper: min(0) max(10)
[+]                   special: min(0) max(10)

[*] Simple Masks:
[+]               stringdigit: 37% (750938)
[+]                     digit: 23% (478196)
[+]                    string: 22% (452122)
[+]               digitstring: 03% (78963)
[+]                 othermask: 03% (67762)
[+]         stringdigitstring: 02% (59783)
[+]       stringspecialstring: 01% (33173)
[+]        stringspecialdigit: 01% (25293)
[+]             stringspecial: 01% (22207)
[+]          digitstringdigit: 00% (17290)
[+]        stringdigitspecial: 00% (12563)
[+]      specialstringspecial: 00% (3463)
[+]        digitspecialstring: 00% (2406)
[+]             specialstring: 00% (1773)
[+]        digitstringspecial: 00% (1621)
[+]        specialstringdigit: 00% (1468)
[+]        specialdigitstring: 00% (1225)
[+]         digitspecialdigit: 00% (1185)
[+]              digitspecial: 00% (1183)
[+]       specialdigitspecial: 00% (515)
[+]              specialdigit: 00% (362)
[+]                   special: 00% (204)

[*] Advanced Masks:
[+]      ?d?d?d?d?d?d?d?d?d?d: 23% (478196)
[+]      ?l?l?l?l?l?l?l?l?l?l: 20% (416939)
[+]      ?l?l?l?l?l?l?l?l?d?d: 10% (213109)
[+]      ?l?l?l?l?l?l?d?d?d?d: 07% (160592)
[+]      ?l?l?l?l?l?l?l?l?l?d: 06% (129823)
[+]      ?l?l?l?l?l?l?l?d?d?d: 04% (87611)
[+]      ?l?l?l?l?d?d?d?d?d?d: 01% (33277)
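
How the "Simple Masks" and "Advanced Masks" tallies above can be derived from a password list when auditing your own password data, as an added example that is not PACK's code. It assumes ASCII character classes, and the rule that more than three runs collapse to "othermask" is inferred from the category names in the output above; the sample passwords are constructed.

```python
from collections import Counter
from itertools import groupby
import string


def char_class(ch):
    """Map one character to a Hashcat mask class letter (l, u, d or s)."""
    if ch in string.ascii_lowercase:
        return "l"
    if ch in string.ascii_uppercase:
        return "u"
    if ch in string.digits:
        return "d"
    return "s"  # assumption: everything else is counted as special


def advanced_mask(password):
    """Per-position mask, e.g. 'ab1' -> '?l?l?d'."""
    return "".join("?" + char_class(c) for c in password)


# Upper and lower case both count as "string" in the simple mask.
RUN_NAME = {"l": "string", "u": "string", "d": "digit", "s": "special"}


def simple_mask(password):
    """Collapse consecutive characters of one kind into a single run name."""
    runs = [name for name, _ in groupby(RUN_NAME[char_class(c)] for c in password)]
    # Inferred rule: the report lists at most three runs, the rest is othermask.
    return "".join(runs) if len(runs) <= 3 else "othermask"


def mask_stats(passwords, length):
    """Tally both mask kinds for passwords of exactly the given length."""
    sample = [p for p in passwords if len(p) == length]
    return Counter(map(advanced_mask, sample)), Counter(map(simple_mask, sample))


# Constructed sample input, not taken from any real password list.
SAMPLE = ["password12", "0123456789", "iloveyou99", "summer2010",
          "a1b2c3d4e5", "short1", "Hello@2010"]

if __name__ == "__main__":
    advanced, simple = mask_stats(SAMPLE, 10)
    for name, count in simple.most_common():
        print(f"[+] {name:>25}: {count}")
    for name, count in advanced.most_common():
        print(f"[+] {name:>25}: {count}")
```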

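policygen usage example

Generate Hashcat masks for passwords of length 8 (--length=8) that contain at least 1 uppercase letter (--minupper 1) and at least 1 digit (--mindigit 1), and save them to a file (-o complexity.hcmask):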

:~# policygen --length=8 --minupper 1 --mindigit 1 -o complexity.hcmask
[*] Password policy:
[+] Password length: 8
[+] Minimum strength: lower: 0, upper: 1, digits: 1, special: 0
[+] Maximum strength: lower: 8, upper: 8, digits: 8, special: 8
[*] Total Masks:  65536 Runtime: [76d|1834h|110078m|6604680s]
[*] Policy Masks: 52670 Runtime: [40d|977h|58659m|3519568s]
:~# head complexity.hcmask
?l?l?l?l?l?l?u?d
?l?l?l?l?l?l?d?u
?l?l?l?l?l?u?l?d
?l?l?l?l?l?u?u?d
?l?l?l?l?l?u?d?l
?l?l?l?l?l?u?d?u
?l?l?l?l?l?u?d?d
?l?l?l?l?l?u?d?s
?l?l?l?l?l?u?s?d
?l?l?l?l?l?d?l?u
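
The mask counts in the run above (65536 total, 52670 matching the policy) can be reproduced to see how much of the search space a complexity policy actually removes. This is an added example, not policygen's code; the function names are hypothetical and the charset sizes are those of Hashcat's built-in ?l, ?u, ?d and ?s classes.

```python
from itertools import product

# Sizes of Hashcat's built-in charsets: ?l, ?u, ?d, ?s.
CHARSET_SIZE = {"l": 26, "u": 26, "d": 10, "s": 33}
CLASSES = "luds"


def policy_masks(length, minimum=None, maximum=None):
    """Yield every mask of the given length that satisfies the policy.

    minimum/maximum map a class letter to its required count bounds;
    missing entries default to 0 and to the full length respectively.
    """
    minimum = minimum or {}
    maximum = maximum or {}
    for combo in product(CLASSES, repeat=length):
        if all(minimum.get(c, 0) <= combo.count(c) <= maximum.get(c, length)
               for c in CLASSES):
            yield "".join("?" + c for c in combo)


def keyspace(mask):
    """Number of candidate passwords one mask expands to."""
    size = 1
    for letter in mask[1::2]:  # skip the '?' markers
        size *= CHARSET_SIZE[letter]
    return size


def summarize(length, minimum=None, maximum=None, pps=1_000_000_000):
    """Mask count, combined keyspace and a time estimate at pps guesses/second."""
    masks = list(policy_masks(length, minimum, maximum))
    total = sum(keyspace(m) for m in masks)
    full = sum(CHARSET_SIZE.values()) ** length
    return {"masks": len(masks), "keyspace": total,
            "seconds": total // pps, "share_of_full_space": total / full}


if __name__ == "__main__":
    # Same policy as the command above: length 8, at least 1 upper, 1 digit.
    print(summarize(8, minimum={"u": 1, "d": 1}))
    print(summarize(8))  # no policy: every mask of length 8
```

The seconds value is this example's own estimate (combined keyspace divided by pps) and is not guaranteed to match the Runtime figure policygen prints to the second.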