Welcome back, my aspiring cyber warriors!
In my book "Getting Started Becoming a Master Hacker" and an earlier post, I encouraged you to develop custom password lists before you attempt to brute force passwords. Most often, users create passwords that are simple, common, and follow simple patterns that are easy for them to remember. The better you understand the strategy of the password creators, the better your chances of cracking or guessing their passwords.
There is a tool built into Kali that can shed light on the strategies people use to create their passwords. This tool, pipal, was developed by Robin Wood of CeWL fame.
Of course, I hope it goes without saying that this does not apply to every password and user, but remember we only have to crack one password to take down the entire network.
Step #1: pipal Help
Let's begin by taking a look at the pipal help screen.
kali > pipal -h
As you can see, the pipal syntax is simple. In most cases, we only need to invoke pipal with the number of top results we want to view and the name of the file containing the passwords.
pipal <-t number of top results> <filename of the passwords>
Step #2: Test pipal on sample password lists
If you navigate to https://www.hackers-arise.com/passwords you will find some useful password lists. One is from a password dump from Comcast users (Comcast is the largest cable TV and Internet provider in the US) from a few years back. In this file you will find nearly 600,000 unencrypted passwords. Let's start by using this list to see how people are creating their passwords.
Make certain to download this list to your Kali system. I have downloaded this list to a flash drive and then connected the flash drive to my Kali VM. To begin the password analysis, simply enter:
kali > pipal -t 10 "comcast passwords.txt"
As you can see above, pipal took just 30 seconds to analyze this password file. It then displayed the top 10 passwords, indicating that "password" was the most common, "bluebird" was #2, and "12345678" was third. Also, note that the 10th most common password was "comcast1". It has been my observation that people often use the name of the service in their passwords, usually followed by a number. This makes it easier for them to remember and easier to crack.
If we scroll down the results, we can find data on the character sets used. On this list, 45% of the passwords use lower case alphabetic characters and numbers and 39% use just lower case alphabetic characters.
Scrolling down a bit further, we can see the top 10 base words. These are dictionary words that are the base of the password, but may be followed by numbers or special characters.
We can also see that nearly 50% use an 8 character password. This makes the password much simpler to crack, as the potential password list can be limited to just passwords with 8 characters, making our job simpler and faster.
Further down the output, we see that the most common pattern is to place 2 digits at the end of the base word (almost 13%). In nearly 11% of those cases, the final digit is "1".
The pipal output also includes the probability of 2 and 3 numbers appended to the base word ("23" is the most common for 2 digits and "123" for 3 digits).
In addition, pipal displays key information on the character sets used by the passwords.
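To show how the sections of this output are derived, here is an added Python example (not pipal's code and not from the original post) that computes the same kinds of statistics over a small list. The sample passwords are constructed, and the character-class labels and the base-word rule are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample (not taken from any real dump).
SAMPLE = ["password", "password1", "bluebird", "12345678", "comcast1",
          "summer23", "dragon123", "Monkey21", "letmein!", "qwerty01"]

CLASSES = (("lower", r"[a-z]"), ("upper", r"[A-Z]"),
           ("digit", r"\d"), ("special", r"[^A-Za-z0-9]"))

def charset(pw):
    """Name the character classes present in a password (labels are our own)."""
    return "+".join(name for name, rx in CLASSES if re.search(rx, pw))

def base_word(pw):
    """Assumed rule: strip non-letters from both ends, keep bases over 3 letters."""
    base = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw).lower()
    return base if len(base) > 3 else None

def trailing_digits(pw):
    """Return the run of digits at the end of the password, or ''."""
    m = re.search(r"\d+$", pw)
    return m.group(0) if m else ""

def analyze(passwords, top=3):
    """Return (value, count, percent of all passwords) rows for each section."""
    total = len(passwords)

    def rows(counter):
        return [(k, n, round(100 * n / total, 1)) for k, n in counter.most_common(top)]

    tails = [trailing_digits(p) for p in passwords]
    # A password made only of digits has no base word, so nothing was "appended".
    appended = [t for p, t in zip(passwords, tails) if t and len(t) < len(p)]
    return {
        "lengths": rows(Counter(len(p) for p in passwords)),
        "charsets": rows(Counter(charset(p) for p in passwords)),
        "base_words": rows(Counter(b for b in map(base_word, passwords) if b)),
        "digits_appended": rows(Counter(len(t) for t in appended)),
        "last_digit": rows(Counter(t[-1] for t in tails if t)),
    }

if __name__ == "__main__":
    for section, found in analyze(SAMPLE).items():
        print(section)
        for value, count, percent in found:
            print(f"  {value!s:<12} {count:>3}  {percent}%")
```

The same counts are what a review of a password policy or blocklist would start from.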
Step #3: Analyze the Top 10,000 Passwords
Next, let's analyze the top 10,000 passwords found in data dumps in 2018. Once again you can find this list at www.hackers-arise.com/password. Download it to your Kali system and place it in the root folder. Then, simply enter:
kali > pipal -t 10 top_10000_passwords.txt
As we can see above, the results are slightly different from the Comcast password list. The top 10 passwords are very simple and predictable. The top 10 base words include;
When we scroll down further, we find that, similar to our Comcast password list, the most common last digit is 1, with nearly 24% using it as the last digit in their password.
Similar to the Comcast list, the most common last 2 digits were "23" and the most common last 3 digits were "123".
The pipal analysis also indicates that this list's character sets are predominantly all lower case alphabetic characters (nearly 46%) and lower case alphabetic characters with numbers (43%).
It's important to develop a strategy when attempting to crack passwords unless, of course, you have a GPU farm, a botnet or a supercomputer. Otherwise, you will be wasting time and money unnecessarily. This analysis of two password lists reveals that people use simple strategies for creating their passwords. If you understand this strategy, you can dramatically increase the probability of cracking most passwords and dramatically reduce the time and resources needed to do so. Keep in mind that you only need to crack one password on a network to compromise the entire network.