Wordlist generator

[leftler]

I need a little help. I locked myself out of my TPM module of my Compaq nw8440, I set a password and forgot what i used. I know that the password is a combination of 2-3 of words from a bank of 10 that I normally use.

What I am looking for is something that would take that bank of 10 words and generate a complete wordlist of all the combinations and doing some special things like adding capitalization. I will leave the question on implementing the wordlist for the programming forum after my 3 days are past for registering.

Thank you for your time,
Leftler

[KMDave]

Well you could use the search function to find something already in place as well as writing it yourself. The programming forum nor any other is there to spoonfeed you the answers.

If you don't know anything about programing then it is the opportunity to learn how to do it. Take it as a task, go ahead, pick a language or get a recommendation on one if you are not sure, we will help you with that but not write you an entire program to do what you are looking for.

[Virchanza]

I know that the password is a combination of 2-3 of words from a bank of 10 that I normally use.

If I understand you correctly, you have a bank of 10 words as follows:

Code:

dog cat monkey fish cow zebra lion tiger pig rat

And you have a password which is a combination of 2 or 3 of these words, so here would be some possible passwords:

Code:

dogpigmonkey
fishcatrat
tigercowdog
zebramonkeypig

What I am looking for is something that would take that bank of 10 words and generate a complete wordlist of all the combinations and doing some special things like adding capitalization. I will leave the question on implementing the wordlist for the programming forum after my 3 days are past for registering.

For the capitalisation part, go to http://virjacode.com and scroll down to "Uppercase-lowercase Combinator".

[Virchanza]

Actually I've got some time to kill and this little algorithm seems like fun. I've got two questions to ask:

1) Can a word be used more than once? (e.g. password = monkeymonkeymonkey)
2) What way are the words appended together? (e.g. "monkey monkey" or "monkey-monkey" or "monkeymonkey")

[KMDave]

Even if you create the algorithm Virchanza keep it for yourself please

Else people will start to ask you all the time if you could code something for you. Nothing will be learned on their part.

[Virchanza]

I see where you're coming from Dave, but this code would be a little bit advanced for a beginner to put together by themselves.

Firstly, the person would have to be familiar with a programming language, and secondly the person would need to have enough experience and practise in programming to be able to think about how to throw this together.

If I was to teach someone how to write this code from the ground up... well it would take a while. If somebody has an interest in programming, then I'm sure they'd like to give this a go by themselves (just like how I myself found it fun), but if they don't want to try anything for themselves then they weren't ever gonna be a programmer anyway.

I have the code finished, it took me 10 minutes or so. I really don't think I'd be doing harm in helping this person out by giving them the code. If they really have an interest in programming, I'm sure they'll have a look through the code and try to see how it works. And if they don't look through it, then screw it they weren't gonna be a programmer anyway.

As for people asking me to code stuff for them in future... well if I'm in the mood and I think it might be fun then sure I'll give it a go. But if the code is so simple that a beginner should be able to do it, or if I simply just couldn't be arsed doing it, then I'll say No.

What do you think? I really don't think it'd be any harm to provide this code, it wouldn't be any different from just like saying "Hey you can download this password generator program that will do it for you". At the very least, they'll get some experience compiling a C program

[KMDave]

Well I fully understand your point of view. I am sometimes picking up requests like simple scripts/programs because I am in the mood for it.

As I explained before on the other hand it will take away a chance for people to learn.

Yes it is not a Hello World application but still quite simple. People who are serious about pentesting should have some scripting/programming knowledge. Everyone starts somewhere, we have to learn permanently. I for myself prefer to have something to program which is not out of a book but a real life example (as the wordlist stuff here). And it is one of the easier manipulation stuff.

Well I usually assume that people are here for learning stuff and not for being spoonfed. I know that that is rarely the case. But if people just invest the time to write a simple request like "hey, can you give me the link to a tutorial/ write this and that for me/ ..." then I just take the time to reply that I don't want to.

I have no problems helping out people if they show that they are willing to learn and understand but I don't like to just spoonfeed people. There are enough out there being too lazy to use their brain.

Just my point of view.

[xorred]

Use that - http://awlg.org/index.gen

[Virchanza]

Firstly, here's the C code for the program that makes the different combinations:

Code:

#include <string.h>
#include <stdio.h>
#include <assert.h>

char const *const bank[] =
{
"dog",
"cat",
"monkey",
"fish",
"cow",
"zebra",
"lion",
"tiger",
"pig",
"rat"
};

#define RADIX (sizeof bank  /  sizeof *bank)

#define MAX_DIGIT (RADIX - 1)

#define STR_SEPARATOR ("")

char const *GetCombo(unsigned const a,unsigned const b,unsigned const c)
{
    assert(a <= MAX_DIGIT);
    assert(b <= MAX_DIGIT);
    assert(c <= MAX_DIGIT);

    static char combo_str[126];

    strcpy(combo_str,bank[a]);
    strcat(combo_str,STR_SEPARATOR);
    strcat(combo_str,bank[b]);
    strcat(combo_str,STR_SEPARATOR);
    strcat(combo_str,bank[c]);
}

int main(void)
{
    unsigned words[3] = { 0,0,0 };

    for (;;)
    {
        if (   words[0] != words[1]
            && words[1] != words[2]
            && words[0] != words[2] )
        {
            puts(GetCombo(words[0],words[1],words[2]));
        }

        if (++words[0] <= MAX_DIGIT)
            continue;

        words[0] = 0;
        if (++words[1] <= MAX_DIGIT)
            continue;

        words[1] = 0;
        if (++words[2] <= MAX_DIGIT)
            continue;

        break;
    }
}

You need to create a file called "bank.c", and copy the above into that file and save it.

Next, here's the C code for the program that does all the uppercase-lowercase combinations:

Code:

#include <stdint.h>
#include <ctype.h>    /* tolower, toupper, isalpha */
#include <stdio.h>    /* puts */
#include <string.h>   /* strlen */
#include <stddef.h>   /* size_t  */
#include <stdlib.h>   /* exit */

void PrintCombos(char *const str)
{
    size_t const lenSizeT = strlen(str);

    if (lenSizeT >= 32)
    {
        puts("String too long, bailing out.");
        exit(0);
    }

    uint_fast8_t const len = lenSizeT;

    uint_fast8_t amount_letters;

    uint_fast32_t cases, letters;

    /* For example:

                "tEsT74kT"
         cases = 01010001
       letters = 11110011
    */

    uint_fast32_t mask;
    uint_fast8_t char_index;

    for (letters = 0, amount_letters = 0, mask = 1, char_index = 0;
                                                 len != char_index;
                                           mask <<= 1, ++char_index)
    {
        if (isalpha(str[char_index]))
        {
            ++amount_letters;
            letters |= mask;
        }
    }

    uint_fast32_t const one_past_max_count = (uint_fast32_t)1 << amount_letters;

    for (cases = 0; one_past_max_count != cases; ++cases)
    {
        uint_fast32_t mask_letters;

        for (mask = 1, mask_letters = 1, char_index = 0; one_past_max_count != mask; mask <<= 1,
                                                                                     mask_letters <<= 1,
                                                                                     ++char_index)
        {
            while(!(letters & mask_letters))
            {
                mask_letters <<= 1;
                ++char_index;
                if (char_index >= len) return;
            }
            
            if (cases & mask) str[char_index] = toupper((char unsigned)str[char_index]);
                         else str[char_index] = tolower((char unsigned)str[char_index]);

        }

        puts(str);
    }
}

int main(int argc, char **argv)
{
    if (1 == argc)
    {
        puts("Uppercase-lowercase Combinator\n"
             "------------------------------\n\n"
             "Usage:\n"
             "    cases [word]\n\n"
             "Put the word between inverted commas if it contains spaces, e.g.:\n"
             "    cases \"monkey dog\"\n\n"
             "To create a dictionary file, do:\n"
             "    cases \"monkey dog\" > whatever.txt\n\n");

        return 0;
    }

    if (2 != argc)
    {
        puts("Bad commandline arguments, bailing out.");
        return 0;
    }

    PrintCombos(argv[1]);

    return 0;
}

You need to create a file called "uplow.c", and copy the above into that file and save it.

Next, you must compile both programs separately:

Code:

gcc bank.c -o bank
gcc uplow.c -o uplow

Next you want to take every password that gets outputted from "bank", and pass this password as an argument to the program "uplow". You use the Linux program called "xargs" to do this. Something like:

Code:

./bank | xargs ./uplow

I've been playing around with xargs but I can get this to work... I dunno what's wrong with it.

Anyhow, once you get xargs to play friendly, you pipe the output to a password file:

Code:

./bank | xargs ./uplow > mylist.txt

[imported_vvpalin]

Doesn't CUPP do this? '

Ive never played with it but it was my understanding this is what it was made for.