Results 1 to 10 of 10

Thread: Wordlist "leetify" - supplimenting CUPP and others

  1. #1
    Very good friend of the forum Gitsnik's Avatar
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851

    Default Wordlist "leetify" - supplimenting CUPP and others

    A simple perl script to "leetify" a dictionary. Using this will massively blow out your password list size, so I do not recommend using it unless you've already generated a tight dictionary via CUPP or something similar.

    I wrote this after CUPP2 was released, mostly because I wasn't seeing anything fulfilling in the leetify option, and people kept saying they would try. It is designed to permute a list and produce a proper leetify of the list - firewall becomes:

    Code:
    firewall
    f1rewall
    f1r3wall
    fir3wall
    And so on - changing a single character in the password rather than all the characters.

    A quick test, searching for f1r3wall as the password:

    Using john's default --rules manipulation for a one line test.txt dictionary produces a (sort -u) list of 49 distinct words. No correct password.

    The same manipulation from CUPP (yes to all four options) with a sort -u produces 8688 words (actually it produces 11583 words, but there are duplicates - especially with the number addition options on it). No correct password.

    The execution of this permution script produces 17,280 words - and a sort -u does not change this - Correct password found.

    The script:

    Code:
    #!/usr/bin/perl
    
    use strict;
    use warnings;
    
    my %permution = (
    	"a" => "a4@&A",
    	"b" => "bB",
    	"c" => "cC",
    	"d" => "dD",
    	"e" => "3Ee",
    	"f" => "fF",
    	"g" => "gG9",
    	"h" => "hH",
    	"i" => "iI!|1",
    	"j" => "jJ",
    	"k" => "kK",
    	"l" => "lL!71|",
    	"m" => "mM",
    	"n" => "nN",
    	"o" => "oO0",
    	"p" => "pP",
    	"q" => "qQ",
    	"r" => "rR",
    	"s" => "sS5\$",
    	"t" => "tT71+",
    	"u" => "uU",
    	"v" => "vV",
    	"w" => "wW",
    	"x" => "xX",
    	"y" => "yY",
    	"z" => "zZ2",
    );
    
    # End config
    
    while(my $word = <>) {
    	chomp $word;
    	my @string = split //, lc($word);
    	&permute(0, @string);
    }
    
    sub permute {
    	my $num = shift;
    	my @str = @_;
    	my $len = @str;
    	if($num >= $len) {
    		foreach my $char (@str) {
    			print $char;
    		}
    		print "\n";
    		return;
    	}
    	my $per = $permution{$str[$num]};
    	if($per) {
    		my @letters = split //, $per;
    		$per = "";
    		foreach $per (@letters) {
    			my $s = "";
    			for(my $i = 0; $i < $len; $i++) {
    				if($i eq 0) {
    					if($i eq $num) {
    						$s = $per;
    					} else {
    						$s = $str[0];
    					}
    				} else {
    					if($i eq $num) {
    						$s .= $per;
    					} else {
    						$s .= $str[$i];
    					}
    				}
    			}
    			my @st = split //, $s;
    			&permute(($num + 1), @st);
    		}
    	} else {
    		&permute(($num + 1), @str);
    	}
    }
    Basic configuration occurs at the top of the script. For each letter that you want to modify simply add it to the array, along with the characters it should be changed into (including its original). The array is not complete as I cut it down for some tests, and the input currently enforces a lower-case dictionary argument.

    Execution is simple:

    Code:
    perl permute.pl < dictionary.txt
    and you can pipe that wherever you wish (or sort -u it first if you do not trust your dictionary file). The code is not as neat as I could have made it, but I've never been one for writing pretty code, so if you see changes you would like to make please feel free to do so.

    I hope this is useful, especially to whomever is maintaining CUPP if they want to see how I did it and decide to add it in.

    Edit: I forgot - I haven't had a chance to try out Crunch, but from what I am seeing it goes the full brute-force method. This relies on a targeted password list file and permutes those character by character.

    Also, it does not support multiple character replacements (i.e. w becoming \/\/). I have something that does but so far I have found it to be slightly buggy and as such am not releasing it to the world.

    And... apologies for the typo in thread title (and any in the code/post).
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  2. #2
    Junior Member
    Join Date
    Sep 2006
    Posts
    45

    Default

    Thank you, it's so easy to edit to differing needs too!
    JTR can do this apparently but i feel like i pulled out my hair trying to get it to only output the "1337" version and the original word. - (if anyone can lhelp me learn more i'd love to know for knowledge sake)

    Will test more thoroughly on Friday, just wanted to say thanks first.

  3. #3
    Very good friend of the forum Gitsnik's Avatar
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851

    Default

    Quote Originally Posted by aliosity View Post
    Thank you, it's so easy to edit to differing needs too!
    JTR can do this apparently but i feel like i pulled out my hair trying to get it to only output the "1337" version and the original word. - (if anyone can lhelp me learn more i'd love to know for knowledge sake)
    John has the incremental option which goes the way of crunch and generates everything for a given charset (at least how I'm reading it) - from the John usage page:

    In some cases it is faster to use some other pre-defined incremental mode parameters and only crack simpler passwords, from a limited character set. The following command will try 26 different characters only, passwords from "a" to "zzzzzzzz" (in an optimal order):

    john -i=alpha mypasswd
    I generated my test using the --wordlist and --rules option, but it was sadly lacking. I would stick to using CUPP, but like I initially said, the leetify option wasn't working for me properly.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  4. #4
    Junior Member
    Join Date
    Sep 2006
    Posts
    45

    Default

    Yeah i've tried allsorts to get it working like that in john, it was really frustrating although i can see myself going back to get it working (not to be beaten)

    For the meantime tho your script is ideal to fill the gap in my knowlege as it seems to work flawlessly according to my tests up to 10 characters.

    I must say I especially like the way it starts from the beginning of the string.

  5. #5
    Very good friend of the forum Gitsnik's Avatar
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851

    Default

    And here is a quick update to the script, I actually stumbled on this while I was running some tests of the dirtier script (it was sort of obvious when I looked at it), so now it supports multiple-character replacements (one way: w becomes \/\/ but not \/\/ becomes w). If you modify the top hash, it must be either all an array, or all a single string - see the difference between the a values and the b values.

    Code:
    #!/usr/bin/perl
    
    use strict;
    use warnings;
    
    my %permution = (
    	"a" => [ "a", "4", "@", "&", "A" ],
    	"b" => "bB",
    	"c" => "cC",
    	"d" => "dD",
    	"e" => "3Ee",
    	"f" => "fF",
    	"g" => "gG9",
    	"h" => "hH",
    	"i" => "iI!|1",
    	"j" => "jJ",
    	"k" => "kK",
    	"l" => "lL!71|",
    	"m" => "mM",
    	"n" => "nN",
    	"o" => "oO0",
    	"p" => "pP",
    	"q" => "qQ",
    	"r" => "rR",
    	"s" => "sS5\$",
    	"t" => "tT71+",
    	"u" => "uU",
    	"v" => "vV",
    	"w" => ["w", "W", "\\/\\/"],
    	"x" => "xX",
    	"y" => "yY",
    	"z" => "zZ2",
    );
    
    # End config
    
    while(my $word = <>) {
    	chomp $word;
    	my @string = split //, lc($word);
    	&permute(0, @string);
    }
    
    sub permute {
    	my $num = shift;
    	my @str = @_;
    	my $len = @str;
    
    	if($num >= $len) {
    		foreach my $char (@str) {
    			print $char;
    		}
    		print "\n";
    		return;
    	}
    
    	my $per = $permution{$str[$num]};
    
    	if($per) {
    		my @letters = ();
    		if(ref($per) eq 'ARRAY') {
    			@letters = @$per;
    		} else {
    			@letters = split //, $per;
    		}
    		$per = "";
    
    		foreach $per (@letters) {
    			my $s = "";
    			for(my $i = 0; $i < $len; $i++) {
    				if($i eq 0) {
    					if($i eq $num) {
    						$s = $per;
    					} else {
    						$s = $str[0];
    					}
    				} else {
    					if($i eq $num) {
    						$s .= $per;
    					} else {
    						$s .= $str[$i];
    					}
    				}
    			}
    			my @st = split //, $s;
    			&permute(($num + 1), @st);
    		}
    	} else {
    		&permute(($num + 1), @str);
    	}
    }
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  6. #6
    Senior Member kidFromBigD's Avatar
    Join Date
    Jan 2010
    Location
    Texas
    Posts
    159

    Default

    Gitsnik, all -- Sorry in advance if bumping a 5 month old thread is taboo, but only now have I found time to use the script above.

    Wow! It has breathed new life into old password files! Yes, it increases their size by huge amounts, but piping output into pyrit then cowpatty helps.

    I've modified my local version of the script, and am pretty happy with what I'm seeing thus far. Keep up the good work!

    Curious... In the permutation section, why is lower-case e placed after the substitutions?
    Code:
    ...
    my %permution = (
    	"a" => [ "a", "4", "@", "&", "A" ],
    	"b" => "bB",
    	"c" => "cC",
    	"d" => "dD",
    	"e" => "3Ee",
    ...
    Perhaps just an oversight; and besides the script works just fine either way, as far as I can tell.
    You. Are. Doing. It. Wrong.
    -Gitsnik

  7. #7
    Very good friend of the forum Gitsnik's Avatar
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851

    Default

    e is placed there because I was typing them out by hand. Feel free to shift it if you prefer them to show up first.

    Remember to keep all the lower case characters in the array - rather than keeping tabs on what the original character string was it is a little more efficient and just overwrites it as it goes along. It's all about recursion and such.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  8. #8
    Just burned his ISO
    Join Date
    Jan 2010
    Posts
    11

    Default

    First off, I would like to thank Gitsnik for sharing this script with us! I have been thinking about making one myself, but now I don't have to. Additionally, this has given me a good reason to learn a little bit more about perl!

    I don't have a ton of experience with perl, but I was curious about the ampersands before the function calls. The prominent google hit yielded this (which seems to be the concensus among all the other top hits as well):

    www<dot>perlfoundation<dot>org/perl5index.cgi?subroutines_called_with_the_ampersa nd :
    Calling subroutines with ampersands is a sign of ancient Perl. This page aims to describe why this style was once common, what's wrong with it, and what you can do to fix up your legacy source code."
    ...
    "Note that this is "just" a style improvement. It is very unlikely to increase the performance of your program noticeably, if at all."
    Not trying to be offend anyone, I just thought it was an informative and an interesting thing to note.

    and..here is an even more exhaustive version of the script (with the ampersands removed, for lulz):

    Code:
    #!/usr/bin/env perl
    
    use strict;
    use warnings;
    
    my %permution = (
    	"a" => [ "a", "A", "4", "@", "&"],
    	"b" => "bB8",
    	"c" => "cC",
    	"d" => [ "d", "D", "|)" ],
    	"e" => "eE3",
    	"f" => "fF",
    	"g" => "gG9",
    	"h" => "hH",
    	"i" => "iI!|1",
    	"j" => "jJ",
    	"k" => [ "k", "K", "|<" ],
    	"l" => [ "l", "L", "!", "7", "1", "|", "|_" ],
    	"m" => [ "m", "M", "/\\/\\" ],
    	"n" => [ "n", "N", "|\\|" ],
    	"o" => [ "o", "O", "0", "()" ],
    	"p" => "pP",
    	"q" => "qQ",
    	"r" => [ "r", "R", "|2" ],
    	"s" => "sS5\$",
    	"t" => "tT71+",
    	"u" => "uU",
    	"v" => [ "v", "V", "\\/" ],
    	"w" => ["w", "W", "\\/\\/" ],
    	"x" => "xX",
    	"y" => "yY",
    	"z" => "zZ2",
    );
    
    # End config
    
    
    
    
    while (my $word = <>) {
    	chomp $word;
    	my @string = split //, lc($word);
    	permute(0, @string);
    }
    
    sub permute {
    	my $num = shift;
    	my @str = @_;
    	my $len = @str;
    
    	if ($num >= $len) {
    		foreach my $char (@str) {
    			print $char;
    		}
    		print "\n";
    		return;
    	}
    
    	my $per = $permution{$str[$num]};
    
    	if ($per) {
    		my @letters = ();
    		if (ref($per) eq 'ARRAY') {
    			@letters = @$per;
    		} else {
    			@letters = split //, $per;
    		}
    		$per = "";
    
    		foreach $per (@letters) {
    			my $s = "";
    			for (my $i = 0; $i < $len; ++$i) {
    				if ($i eq 0) {
    					if ($i eq $num) {
    						$s = $per;
    					} else {
    						$s = $str[0];
    					}
    				} else {
    					if ($i eq $num) {
    						$s .= $per;
    					} else {
    						$s .= $str[$i];
    					}
    				}
    			}
    			my @st = split //, $s;
    			permute(($num + 1), @st);
    		}
    	} else {
    		permute(($num + 1), @str);
    	}
    }

    Thanks again to OP Gitsnik!

  9. #9
    Very good friend of the forum Gitsnik's Avatar
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851

    Default

    Quote Originally Posted by robot View Post
    First off, I would like to thank Gitsnik for sharing this script with us!
    You're welcome Sometimes you see something missing and want to add to it, and sometimes it's actually useful!
    Quote Originally Posted by robot View Post
    Not trying to be offend anyone, I just thought it was an informative and an interesting thing to note.
    You can take the old habits and tell me they're wrong, but they're still old habits

    If you are noticing a speed improvement in the permution script based on those ampersands being removed, you should be taking a solid look at your computer to see what is wrong with it, the speed reduction is minimal at best, even on some higher end applications (though there are times when it is a good thing), and I find it rather useful to delineate user defined functions versus imported ones.

    Pleased you like it, feel free to continue to enhance!
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  10. #10
    Just burned his ISO imported_digitelle's Avatar
    Join Date
    Dec 2009
    Posts
    15

    Default

    Pretty nice. I ran it with a single word "cartoon"
    Code:
    perl leetify.pl < cartoon.txt > cartoon2.txt
    cartoon2.txt contained a list of 1800 words including the original, cartoon.
    Of course modifying the permution letter options exponentially increases the word amount generated.

    Well done Gitsnik, nicely done.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •