
tasooshi / brutas

Licence: other
Wordlists and passwords handcrafted with ♥


brutas

Wordlists and passwords handcrafted with ♥

A pretty comprehensive set of password dictionaries and wordlists designed for quick wins in red teaming scenarios or general blackbox pentesting.

Introduction

Why are these password lists different? The goal here is not to crack every possible password; it is to move forward inside a network. If cracking is really needed, the bigger lists can be used. The assumption, however, is that it will be done in a reasonable time span and with limited resources (like a VM, hijacked host etc).

A brief introduction to brutas-passwords-# lists:

  • the number of passwords grows with the consecutive file number;
  • passwords are not sorted according to the probability, they are combined into groups of probability instead;
  • each consecutive file does not contain passwords from any of the previous sets.

NOTE: Due to GitHub limits not all lists are precompiled. You need to run main.ExtendedPasswords, main.BigPasswords and main.HttpWordsSuffixes yourself to generate the complete set (see the tutorial below). The compiled sets are also hosted here (may not be up to date):

Statistics

Based on leaks in two categories (social networks and technical forums), the current (2022/05/20) effectiveness is:

| List | No. of passwords | Social networks (~1M) | Technical forums (~450K) |
|---|---|---|---|
| brutas-passwords-1-xxs.txt (*) | 100 | 2.16% | 2.75% |
| brutas-passwords-2-xs.txt (*) | 6,549 | 3.05% | 3.63% |
| brutas-passwords-3-s.txt (*) | 24,805 | 3.99% | 4.32% |
| brutas-passwords-4-m.txt | 922,624 | 3.59% | 5.05% |
| brutas-passwords-5-l.txt | 33,278,126 | 13.91% | 17.10% |
| brutas-passwords-6-xl.txt | 162,843,765 | 6.93% | 9.24% |
| brutas-passwords-7-xxl.txt | 10,051,549,134 | 26.08% | 34.21% |
| Suitable for online bruteforcing (*) | | 9.20% (99,197) | 10.70% (48,885) |
| To be used for offline cracking | | 50.51% (544,617) | 65.64% (299,699) |
| TOTAL | | 59.71% (643,891) | 76.34% (348,757) |

So, the basic three lists (~31K passwords) provide 10% success on average with these fairly diverse and big samples. From my experience, password spraying with the top 100 is guaranteed to yield interesting results. And most often a couple of accounts are enough to move forward in almost any network.

How does it compare to rockyou.txt?

The famous rockyou.txt dictionary contains 14,344,392 passwords (at least in the Kali Linux "edition"). Against the same sets the results are:

| List | No. of passwords | Social networks (~1M) | Technical forums (~450K) |
|---|---|---|---|
| rockyou.txt | 14,344,392 | 34.99% (377384) | 39.55% (180665) |

It seems that, with about half the number of passwords in the first five groups, the rockyou.txt dictionary is much more effective. How come? Let's see what happens if we mix them:

| List | No. of passwords | Social networks (~1M) | Technical forums (~450K) |
|---|---|---|---|
| rockyou.txt + brutas-1-3.txt | 14,375,845 | 44.19% (476578) | 50.25% (229550) |
| rockyou.txt + brutas-1-5.txt | 48,576,595 | 61.90% (667459) | 72.94% (333231) |

  • 44.19% (social networks) - 34.99% (rockyou) = 9.20% (= 9.20%, brutas-1-3)
  • 50.25% (technical forums) - 39.55% (rockyou) = 10.70% (= 10.70%, brutas-1-3)
  • 61.90% (social networks) - 34.99% (rockyou) = 26.91% (~= 26.70%, brutas-1-5)
  • 72.94% (technical forums) - 39.55% (rockyou) = 33.39% (~= 32.85%, brutas-1-5)

The answer is clear: these sets are somewhat complementary, or rather brutas-passwords-* was designed with a different goal in mind than what you would find in the leaks from popular sites. For example, rockyou.txt is missing 23,246 passwords from the brutas-1-3.txt combo (which is 31,453 in total). To name just a few: P$SSW)RD, Admin123! or !root!. So, if you want to bruteforce or spray in a more corporate environment (i.e. with password policies in place), use brutas. For best results in general cracking, combine it with typical leaks. And with the bigger brutas lists the "predictable sophistication" grows significantly.
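
The measurement behind the tables above, as an added example that is not part of the brutas scripts: it checks that tiers share no entries, credits each sample entry to the first tier that contains it, and computes how much coverage a second list adds to a baseline. The function names, tier names, baseline and sample are constructed for illustration.

```python
from collections import Counter

def overlapping(tiers):
    """Passwords found in more than one tier (empty set when tiers are disjoint)."""
    seen, dupes = set(), set()
    for _, words in tiers:
        dupes |= seen & words
        seen |= words
    return dupes

def tier_coverage(tiers, sample):
    """Percent of sample entries matched per tier, each entry counted once.

    An entry is credited to the first tier that contains it, so the
    per-tier figures add up to the total coverage."""
    first = {}
    for name, words in tiers:
        for word in words:
            first.setdefault(word, name)
    hits = Counter(first[p] for p in sample if p in first)
    return {name: 100 * hits[name] / len(sample) for name, _ in tiers}

def marginal_gain(baseline, extra, sample):
    """Percent covered by baseline alone, by both lists, and the difference."""
    base = sum(p in baseline for p in sample)
    both = sum(p in baseline or p in extra for p in sample)
    n = len(sample)
    return 100 * base / n, 100 * both / n, 100 * (both - base) / n

# Constructed data: three small tiers, a baseline list and an audit sample.
TIERS = [
    ("tier-1", {"password", "admin"}),
    ("tier-2", {"Admin123!", "!root!"}),
    ("tier-3", {"P$SSW)RD"}),
]
BASELINE = {"password", "letmein", "iloveyou"}
SAMPLE = ["password", "Admin123!", "iloveyou", "letmein", "!root!",
          "x9$kQ2vL", "password", "Tr0ub4dor&3", "admin", "qwerty"]

if __name__ == "__main__":
    assert not overlapping(TIERS), "tiers must not share entries"
    print(tier_coverage(TIERS, SAMPLE))
    combined = set().union(*(words for _, words in TIERS))
    print(marginal_gain(BASELINE, combined, SAMPLE))
```

On this constructed sample the tiers alone cover 50% but add only 30 points to the baseline, because "password" is in both lists; the gain equals the second list's own coverage only when its hits do not overlap the baseline's.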

Basic usage

The combined lists brutas-passwords-{1,2,3,4}-*.txt seem to be most effective for general purpose and reasonably fast password cracking. Start with the smallest one and move forward. The lists brutas-passwords-{1,2}-*.txt are designed for a quick win in large networks. If you need something really minimalistic, try using brutas-passwords-1-xxs.txt solely - my highly opinionated view of the top 100.

However, I recommend experimenting on your own and rebuilding these sets depending on the target. You may want to incorporate your native language keywords, too. For example, a file or domain name combined with brutas-passwords-numbers.txt turns out to be pretty effective on encrypted archives and wireless networks. As with everything, a little social engineering comes in handy to understand the local approach to the "password policy".

Password lists

  • brutas-passwords-*.txt - wordlists combined with passwords generated using keywords, hashcat rules and string partials (see brutas/scripts/main/__init__.py for details)
  • brutas-passwords-classics.txt - typical admin passwords based on roles (test, admin), words (password, secret) or "funny" ones (like letmein or trustno1)
  • brutas-passwords-patterns.txt - close key combinations or simple phrases (e.g. abcd) combined with capitalization, numbers, repetitions etc.
  • brutas-passwords-top.txt - a list of the most popular user passwords found in leaks; it doesn't contain close keys or any more sophisticated combinations
  • brutas-passwords-unique.txt - passwords which are complex enough to be used as independent passwords and are rarely mixed with any extra characters, usually related to pop-culture or sports (e.g. apollo13, 9inchnails, ronaldo7)
  • brutas-passwords-numbers.txt - a small list of numbers used in passwords (e.g. dates, math constants)
  • brutas-passwords-custom.txt - example of running main.CustomPasswords with keyword love, the result of parsing keywords/brutas-custom.txt with all available rules plus some extra combinations, ordering etc.

Other lists

  • brutas-http-files-extensions-common.txt - common file extensions
  • brutas-http-files-extensions-less.txt - less common extensions
  • brutas-http-words-*.txt - HTTP paths/params useful in fuzzing Web applications, generated with main.HttpWords *)
  • brutas-http-words-suffixes-*.txt - HTTP paths/params double words extended with common suffixes (e.g. VisibleContentId, hidden-content-ref) *)
  • brutas-ports-tcp-http.txt - common and not that obvious HTTP ports
  • brutas-ports-tcp-internal.txt - list of TCP services that may come up internally
  • brutas-ports-tcp-public.txt - list of public TCP ports, useful for host discovery
  • brutas-subdomains-1-small.txt - a fairly reasonable list for host discovery composed of common conventions, self-hosted software etc.
  • brutas-subdomains-2-large.txt - extended list with some extra pre-/postfixes like host-srv, f.host or host10
  • brutas-usernames.txt - most common usernames
  • brutas-usernames-small.txt - a short list of usernames

*) Some of the pairs in these lists are duplicates or make no sense (e.g. postsPosts or syndication-editor, although you never know...) This is an expected trade-off. Considering the number of requests usually sent, this is acceptable for now.

Keywords

  • keywords/brutas-lang-int-common.txt - set of most frequent English (and not only) words used in passwords internationally (also from literature, pop culture etc)
  • keywords/brutas-lang-int-less.txt - less frequent English words used in passwords by native speakers
  • keywords/brutas-lang-* - other languages based mostly on leaks
  • keywords/brutas-all-lang.txt - all languages combined
  • keywords/brutas-subdomains.txt - keywords and rules used to generate lists for subdomains
  • keywords/brutas-subdomains-extra.txt - additional prefixes for subdomain discovery
  • keywords/brutas-wifi.txt - bits and pieces useful in generating passwords for wireless networks
  • keywords/brutas-custom.txt - file used with main.Custom generator
  • keywords/brutas-http-{words, verbs}.txt - files used with main.HttpWords and main.HttpWordsSuffixes generators, might be used standalone

Bits

  • There are various "parts" in the bits directory which you may find helpful in building your own sets.

Building

The build process is automated and handled by the script located in ./scripts/build.py:

usage: build.py [-h] -p PATH [-t TEMPORARY_DIR] [-o OUTPUT_DIR] [--min-length MIN_LENGTH] [--cores CORES] [--memory MEMORY] [--debug]

Brutas build script

options:
  -h, --help            show this help message and exit
  -p PATH, --path PATH  Class path. [Choices: main.Subdomains, main.HttpWords, main.HttpWordsSuffixes, main.BasicPasswords, main.ExtendedPasswords, main.BigPasswords, main.CustomPasswords, main.MergeAll]
  -t TEMPORARY_DIR, --temporary-dir TEMPORARY_DIR
                        Temporary directory path. [Default: auto]
  -o OUTPUT_DIR, --output-dir OUTPUT_DIR
                        Output directory path. [Default: .]
  --min-length MIN_LENGTH
                        Minimal length for a password when merging lists. [Default: 4]
  --cores CORES         Number of cores to be used for sorting. [Default: auto]
  --memory MEMORY       Percentage of memory to be used for sorting. [Default: 80%]
  --debug               Enable debug level logging

Requirements

  • Python 3.10 (tested)
  • hashcat
  • hashcat-utils
  • GNU tools: cat, awk, comm, sort, uniq

Configuration

You can store your local configuration in scripts/local_config.py. For example, you may want to disable some rules (or add your own?), or change paths to hashcat-utils binaries.

Rebuilding the basic lists

% ./scripts/build.py -p main.BasicPasswords

Building all password lists using external drive for temporary files and output

% ./scripts/build.py -p main.BasicPasswords -t /media/user/External/tmp -o /media/user/External

% ./scripts/build.py -p main.ExtendedPasswords -t /media/user/External/tmp -o /media/user/External

% ./scripts/build.py -p main.BigPasswords -t /media/user/External/tmp -o /media/user/External

Generating password list using custom keywords

% ./scripts/build.py -p main.CustomPasswords

Using specific language

There are two options:

  1. either overwrite brutas-lang-int-*.txt files;
  2. or use the main.CustomPasswords class with keywords copied to keywords/brutas-custom.txt.

The first one would cause the build to use the specific language as the base, while other languages would still be used (starting with brutas-passwords-6-xl.txt list). The second option would ignore the normal build process and use the full set of rules on the keywords/brutas-custom.txt file. You should expect a massive output in that case.

Some stats and hints

Setup:

  • 2.6 GHz Intel Core i7
  • 16GB of RAM
  • SSD drive
  • Temporary directory shared between builds

main.BasicPasswords

  • generates brutas-passwords-{2,3,4}-*.txt
  • Total time: 3 minutes
  • Temporary directory size: ~190MB
  • Output files size: ~10MB
  • Total output size: ~10MB

main.ExtendedPasswords

  • generates brutas-passwords-{5,6}-*.txt
  • Total time: 9 minutes
  • Temporary directory size: ~6,4GB
  • Output files size: ~2,64GB
  • Total output size: ~2,65GB

main.BigPasswords

  • generates brutas-passwords-7-xxl.txt
  • Total time: 19 hours
  • Temporary directory size: ~300GB
  • Output files size: ~132GB
  • Total output size: ~134,7GB

main.CustomPasswords

  • Building a password list with main.CustomPasswords and keywords/brutas-custom.txt containing 5.5k lines generates approx. 560GB of data and requires around 680GB for temporary files (an extra drive is recommended due to heavy I/O).