A new tool: RndPasswd

[Kalunga]

Hy Guys, I developed a new small tool to generate random passwords. I want to share it with you. Maybe it can be part of the next Backtrack edition :-)

A brutal force attack can take days or months to complete if a big password is used. If you have luck, you can speed-up the time to match the password with this program. RndPasswd generates random passwords to be used trough the unix or linux pipe.

Here is the source code in C. You can compile it with "gcc -o RndPasswd RndPasswd.c":

Code:

// RndPasswd - Created by Kalunga (kalunga@inbox.com)

#include <stdio.h>

void showHelp()
{
	printf("\nRndPasswd - Created by Kalunga (kalunga@inbox.com)\n\n");
	printf("A brutal force attack can take days or months to complete if a big\n");
	printf("password is used. If you have luck, you can speed-up the time to match\n");
	printf("the password with this program.\n\n");
	printf("RndPasswd generates random passwords to be used trough the unix or linux pipe.\n\n");
	printf("Usage: RndPasswd MIN MAX\n");
	printf("          or\n");
	printf("       RndPasswd MIN MAX vowels consonants numbers symbols upper\n");
	printf("          or\n");
	printf("       RndPasswd MIN MAX off\n");
	printf("          or\n");
	printf("       RndPasswd MIN MAX vowels consonants numbers symbols upper off\n\n");
	printf("MIN:   Is the minimum length of the password to be generated.\n");
	printf("MAX:   Is the maximal length of the password to be generated.\n\n");
	printf("       MIN must be less or equal MAX and both must be an integer number\n");
	printf("       between 1 and 64.\n\n");
	printf("Vowels, consonants, numbers, symbols and upper:\n\n");
	printf("       Defines how often these characters would be part of the password (in %%).\n\n");
	printf("       They must be an integer number between 0 and 100 (without the char %%).\n\n");
	printf("       All five must be given or omitted.\n\n");
	printf("       If omitted, the defaults are 35%% vowels, 55%% consonants, 8%% numbers,\n");
	printf("       2%% symbols and 10%% uppercase.\n\n");
	printf("       Vowels + consonants + numbers + symbols must be equal 100.\n");
	printf("       (Uppercase don't count, since they are vowels or consonants)\n\n");
	printf("       The symbols used are !@#$%%^&*()-_+=~`[]{}|\\:;\"\'<>,.\?/ (and space).\n\n");
	printf("       You can use the supplied program CharCount to find out how often these\n");
	printf("       characters appear in your language. The values used by default come\n");
	printf("       from a big dictionary password file with words from many languages.\n\n");
	printf("off:   Because many passwords have a first uppercase letter and a number at end,\n");
	printf("       the program automatic increase the chances of this to happen in 50%%.\n");
	printf("       If you give \"off\" to this argument, this feature will be switched off.\n\n");
	printf("Examples:\n\n");
	printf("       RndPasswd 4 8\n");
	printf("       Generate passwords between 4 and 8 characters using defaults percentages.\n\n");
	printf("       RNDPasswd 10 10\n");
	printf("       Generate passwords always with 10 characters using defaults percentages.\n\n");
	printf("       RndPasswd 6 10 0 0 100 0 0\n");
	printf("       Generate passwords between 6 and 10 characters, but only numbers.\n\n");
	printf("       RndPasswd 8 16 10 50 25 15 40\n");
	printf("       Generate passwords between 8 and 16 characters, where the chances for\n");
	printf("       vowels to appear are 10%%, consonants are 50%%, numbers are 25%%,\n");
	printf("       symbols are 15%% and uppercase are 40%%.\n\n");
	printf("       RndPasswd 8 16 10 50 25 15 40 off\n");
	printf("       Generate passwords between 8 and 16 characters, as described above, but\n");
	printf("       switch off the increase in frequency for the first character to be\n");
	printf("       uppercase and for the last two characters to be a number.\n\n");
	printf("       RndPasswd 6 8 off\n");
	printf("       Generate passwords between 6 and 8 characters and switch off the increase\n");
	printf("       in frequency for the first character to be uppercase and for the last two\n");
	printf("       characters to be a number.\n\n");
	printf("       RndPasswd 8 12 | aircrack-ng -w - -b aa:bb:cc:dd:ee:ff log-01.cap\n");
	printf("       Used with aircrack-ng.\n\n");
	printf("       RndPasswd 8 12 | pyrit -r log-01.cap -i - attack_passthrough\n");
	printf("       Used with pyrit.\n\n");
}

int main(int argc, char **argv)
{
	char b;
	int i, j, min, max, len, rnd, v, c, n, s, u, flag=0;
	char vowels[]="aeiou";
	char consonants[]="bcdfghjklmnpqrstvwxyz";
	char numbers[]="0123456789";
	char symbols[]="!@#$%^&*()-_+=~`[]{}|\\:;\"\'<>,.\?/ ";
	srand(time(NULL));

	// Verify the arguments
	if(argc!=3 && argc!=4 && argc!=8 && argc!=9)
	{
		showHelp();
		return -1;
	}

	// Read and test the arguments
	min=atoi(argv[1]);
	max=atoi(argv[2]);

	if(min<1 || max<1 || min>64 || max>64)
	{
		showHelp();
		return -1;
	}

	if(min>max)
	{
		showHelp();
		return -1;
	}

	if (argc==4 && strcmp(argv[3],"off"))
	{
		showHelp();
		return -1;
	}

	if (argc==9 && strcmp(argv[8],"off"))
	{
		showHelp();
		return -1;
	}

	if (argc==4 || argc==9)
		flag=1;

	if (argc==8 || argc==9)
	{
		v=atoi(argv[3]);
		c=atoi(argv[4]);
		n=atoi(argv[5]);
		s=atoi(argv[6]);
		u=atoi(argv[7]);
	}
	else
	{
		v=35;
		c=55;
		n=8;
		s=2;
		u=10;
	}

	if (v<0   || c<0   || n<0   || s<0   || u<0 ||
	    v>100 || c>100 || n>100 || s>100 || u>100)
	{
		showHelp();
		return -1;
	}

	if (v+c+n+s!=100)
	{
		showHelp();
		return -1;
	}

	// Generate the passwords
	for(;;) // 'i' was used here to tests
	{
		len=(rand()%(max-min+1))+min;
		for (j=0;j<len;j++)
		{
			rnd=rand()%100;
			if (rnd<v)
				b=vowels[rand()%5];
			else if (rnd>=v && rnd<v+c)
				b=consonants[rand()%21];
			else if (rnd>=v+c && rnd<v+c+n)
				b=numbers[rand()%10];
			else if (rnd>=v+c+n)
				b=symbols[rand()%33];
			if (flag==0 && j==0 && rnd<v+c && rand()%100<u+50)
				b=b+'A'-'a';
			else if (rnd<v+c && rand()%100<u)
				b=b+'A'-'a';
			if (flag==0 && j>=len-2 && rand()%100<n+50)
				b=numbers[rand()%(10)];
			printf("%c",b);
		}
		printf("\n");
	}

	printf("\n");
	return 0;
}

Here is also a program to be used to count characters. You can also compile it with "gcc -o CharCount CharCount.c":

Code:

// CharCount - Created by Kalunga (kalunga@inbox.com)

#include <stdio.h>

int main(int argc, char **argv)
{
	FILE *f;
	char byte;
	unsigned int total=0, vowels=0, consonants=0, numbers=0, symbols=0, upperCase=0, spaces=0, other=0;

	// Verify the arguments
	if(argc != 2)
	{
		printf("\nUsage: CharCount file.txt\n\n");
		return -1;
	}

	// Open the file and test it
	
	f=fopen(argv[1],"rb");
	if (f==NULL)
	{
		printf("\nError opening %s\n\n",argv[1]);
		return -1;
	}
	
	// Read the bytes and print

	while (!feof(f))
	{
		fread(&byte,1,1,f); // Read the next byte from the file
		if (byte=='a' || byte=='e' || byte=='i' || byte=='o' || byte=='u')
			vowels++;
		else if (byte=='A' || byte=='E' || byte=='I' || byte=='O' || byte=='U')
		{
			vowels++;
			upperCase++;
		}
		else if (byte>'a' && byte <='z')
			consonants++;
 		else if (byte>'A' && byte<='Z')
		{
			consonants++;
			upperCase++;
		}
		else if (byte>='0' && byte<='9')
			numbers++;
		else if (byte=='!' || byte=='@' || byte=='#' || byte=='$' || byte=='%'
		      || byte=='^' || byte=='&' || byte=='*' || byte=='(' || byte==')'
		      || byte=='-' || byte=='_' || byte=='+' || byte=='=' || byte=='~'
		      || byte=='`' || byte=='[' || byte==']' || byte=='{' || byte=='}'
		      || byte=='|' || byte=='\\' || byte==':' || byte==';' || byte=='\"'
		      || byte=='\'' || byte=='<' || byte=='>' || byte==',' || byte=='.'
		      || byte=='\?' || byte=='/')
			symbols++;
		else if (byte==' ')
			spaces++;
		else other++;
		total++;
	}

	total=total-other;
	printf("\nVowels:     %d [%.2f%%]\n",vowels,(float)vowels*100/total);
	printf("Consonants: %d [%.2f%%]\n",consonants,(float)consonants*100/total);
	printf("*UpperCase: %d [%.2f%%]\n",upperCase,(float)upperCase*100/total);
	printf("Numbers:    %d [%.2f%%]\n",numbers,(float)numbers*100/total);
	printf("Symbols:    %d [%.2f%%]\n",symbols,(float)symbols*100/total);
	printf("Spaces:     %d [%.2f%%]\n",spaces,(float)spaces*100/total);
	printf("\n* Upper case characters don't count to the total.\n");

	// Close the file
	
	fclose(f);
	printf("\n");
	return 0;
}

[aerokid240]

Hy Guys, I developed a new small tool to generate random passwords. I want to share it with you. Maybe it can be part of the next Backtrack edition :-)

A brutal force attack can take days or months to complete if a big password is used. If you have luck, you can speed-up the time to match the password with this program. RndPasswd generates random passwords to be used trough the unix or linux pipe.

Here is the source code in C. You can compile it with "gcc -o RndPasswd RndPasswd.c":

Code:

// RndPasswd - Created by Kalunga (kalunga@inbox.com)

#include <stdio.h>

void showHelp()
{
	printf("\nRndPasswd - Created by Kalunga (kalunga@inbox.com)\n\n");
	printf("A brutal force attack can take days or months to complete if a big\n");
	printf("password is used. If you have luck, you can speed-up the time to match\n");
	printf("the password with this program.\n\n");
	printf("RndPasswd generates random passwords to be used trough the unix or linux pipe.\n\n");
	printf("Usage: RndPasswd MIN MAX\n");
	printf("          or\n");
	printf("       RndPasswd MIN MAX vowels consonants numbers symbols upper\n");
	printf("          or\n");
	printf("       RndPasswd MIN MAX off\n");
	printf("          or\n");
	printf("       RndPasswd MIN MAX vowels consonants numbers symbols upper off\n\n");
	printf("MIN:   Is the minimum length of the password to be generated.\n");
	printf("MAX:   Is the maximal length of the password to be generated.\n\n");
	printf("       MIN must be less or equal MAX and both must be an integer number\n");
	printf("       between 1 and 64.\n\n");
	printf("Vowels, consonants, numbers, symbols and upper:\n\n");
	printf("       Defines how often these characters would be part of the password (in %%).\n\n");
	printf("       They must be an integer number between 0 and 100 (without the char %%).\n\n");
	printf("       All five must be given or omitted.\n\n");
	printf("       If omitted, the defaults are 35%% vowels, 55%% consonants, 8%% numbers,\n");
	printf("       2%% symbols and 10%% uppercase.\n\n");
	printf("       Vowels + consonants + numbers + symbols must be equal 100.\n");
	printf("       (Uppercase don't count, since they are vowels or consonants)\n\n");
	printf("       The symbols used are !@#$%%^&*()-_+=~`[]{}|\\:;\"\'<>,.\?/ (and space).\n\n");
	printf("       You can use the supplied program CharCount to find out how often these\n");
	printf("       characters appear in your language. The values used by default come\n");
	printf("       from a big dictionary password file with words from many languages.\n\n");
	printf("off:   Because many passwords have a first uppercase letter and a number at end,\n");
	printf("       the program automatic increase the chances of this to happen in 50%%.\n");
	printf("       If you give \"off\" to this argument, this feature will be switched off.\n\n");
	printf("Examples:\n\n");
	printf("       RndPasswd 4 8\n");
	printf("       Generate passwords between 4 and 8 characters using defaults percentages.\n\n");
	printf("       RNDPasswd 10 10\n");
	printf("       Generate passwords always with 10 characters using defaults percentages.\n\n");
	printf("       RndPasswd 6 10 0 0 100 0 0\n");
	printf("       Generate passwords between 6 and 10 characters, but only numbers.\n\n");
	printf("       RndPasswd 8 16 10 50 25 15 40\n");
	printf("       Generate passwords between 8 and 16 characters, where the chances for\n");
	printf("       vowels to appear are 10%%, consonants are 50%%, numbers are 25%%,\n");
	printf("       symbols are 15%% and uppercase are 40%%.\n\n");
	printf("       RndPasswd 8 16 10 50 25 15 40 off\n");
	printf("       Generate passwords between 8 and 16 characters, as described above, but\n");
	printf("       switch off the increase in frequency for the first character to be\n");
	printf("       uppercase and for the last two characters to be a number.\n\n");
	printf("       RndPasswd 6 8 off\n");
	printf("       Generate passwords between 6 and 8 characters and switch off the increase\n");
	printf("       in frequency for the first character to be uppercase and for the last two\n");
	printf("       characters to be a number.\n\n");
	printf("       RndPasswd 8 12 | aircrack-ng -w - -b aa:bb:cc:dd:ee:ff log-01.cap\n");
	printf("       Used with aircrack-ng.\n\n");
	printf("       RndPasswd 8 12 | pyrit -r log-01.cap -i - attack_passthrough\n");
	printf("       Used with pyrit.\n\n");
}

int main(int argc, char **argv)
{
	char b;
	int i, j, min, max, len, rnd, v, c, n, s, u, flag=0;
	char vowels[]="aeiou";
	char consonants[]="bcdfghjklmnpqrstvwxyz";
	char numbers[]="0123456789";
	char symbols[]="!@#$%^&*()-_+=~`[]{}|\\:;\"\'<>,.\?/ ";
	srand(time(NULL));

	// Verify the arguments
	if(argc!=3 && argc!=4 && argc!=8 && argc!=9)
	{
		showHelp();
		return -1;
	}

	// Read and test the arguments
	min=atoi(argv[1]);
	max=atoi(argv[2]);

	if(min<1 || max<1 || min>64 || max>64)
	{
		showHelp();
		return -1;
	}

	if(min>max)
	{
		showHelp();
		return -1;
	}

	if (argc==4 && strcmp(argv[3],"off"))
	{
		showHelp();
		return -1;
	}

	if (argc==9 && strcmp(argv[8],"off"))
	{
		showHelp();
		return -1;
	}

	if (argc==4 || argc==9)
		flag=1;

	if (argc==8 || argc==9)
	{
		v=atoi(argv[3]);
		c=atoi(argv[4]);
		n=atoi(argv[5]);
		s=atoi(argv[6]);
		u=atoi(argv[7]);
	}
	else
	{
		v=35;
		c=55;
		n=8;
		s=2;
		u=10;
	}

	if (v<0   || c<0   || n<0   || s<0   || u<0 ||
	    v>100 || c>100 || n>100 || s>100 || u>100)
	{
		showHelp();
		return -1;
	}

	if (v+c+n+s!=100)
	{
		showHelp();
		return -1;
	}

	// Generate the passwords
	for(;;) // 'i' was used here to tests
	{
		len=(rand()%(max-min+1))+min;
		for (j=0;j<len;j++)
		{
			rnd=rand()%100;
			if (rnd<v)
				b=vowels[rand()%5];
			else if (rnd>=v && rnd<v+c)
				b=consonants[rand()%21];
			else if (rnd>=v+c && rnd<v+c+n)
				b=numbers[rand()%10];
			else if (rnd>=v+c+n)
				b=symbols[rand()%33];
			if (flag==0 && j==0 && rnd<v+c && rand()%100<u+50)
				b=b+'A'-'a';
			else if (rnd<v+c && rand()%100<u)
				b=b+'A'-'a';
			if (flag==0 && j>=len-2 && rand()%100<n+50)
				b=numbers[rand()%(10)];
			printf("%c",b);
		}
		printf("\n");
	}

	printf("\n");
	return 0;
}

Here is also a program to be used to count characters. You can also compile it with "gcc -o CharCount CharCount.c":

Code:

// CharCount - Created by Kalunga (kalunga@inbox.com)

#include <stdio.h>

int main(int argc, char **argv)
{
	FILE *f;
	char byte;
	unsigned int total=0, vowels=0, consonants=0, numbers=0, symbols=0, upperCase=0, spaces=0, other=0;

	// Verify the arguments
	if(argc != 2)
	{
		printf("\nUsage: CharCount file.txt\n\n");
		return -1;
	}

	// Open the file and test it
	
	f=fopen(argv[1],"rb");
	if (f==NULL)
	{
		printf("\nError opening %s\n\n",argv[1]);
		return -1;
	}
	
	// Read the bytes and print

	while (!feof(f))
	{
		fread(&byte,1,1,f); // Read the next byte from the file
		if (byte=='a' || byte=='e' || byte=='i' || byte=='o' || byte=='u')
			vowels++;
		else if (byte=='A' || byte=='E' || byte=='I' || byte=='O' || byte=='U')
		{
			vowels++;
			upperCase++;
		}
		else if (byte>'a' && byte <='z')
			consonants++;
 		else if (byte>'A' && byte<='Z')
		{
			consonants++;
			upperCase++;
		}
		else if (byte>='0' && byte<='9')
			numbers++;
		else if (byte=='!' || byte=='@' || byte=='#' || byte=='$' || byte=='%'
		      || byte=='^' || byte=='&' || byte=='*' || byte=='(' || byte==')'
		      || byte=='-' || byte=='_' || byte=='+' || byte=='=' || byte=='~'
		      || byte=='`' || byte=='[' || byte==']' || byte=='{' || byte=='}'
		      || byte=='|' || byte=='\\' || byte==':' || byte==';' || byte=='\"'
		      || byte=='\'' || byte=='<' || byte=='>' || byte==',' || byte=='.'
		      || byte=='\?' || byte=='/')
			symbols++;
		else if (byte==' ')
			spaces++;
		else other++;
		total++;
	}

	total=total-other;
	printf("\nVowels:     %d [%.2f%%]\n",vowels,(float)vowels*100/total);
	printf("Consonants: %d [%.2f%%]\n",consonants,(float)consonants*100/total);
	printf("*UpperCase: %d [%.2f%%]\n",upperCase,(float)upperCase*100/total);
	printf("Numbers:    %d [%.2f%%]\n",numbers,(float)numbers*100/total);
	printf("Symbols:    %d [%.2f%%]\n",symbols,(float)symbols*100/total);
	printf("Spaces:     %d [%.2f%%]\n",spaces,(float)spaces*100/total);
	printf("\n* Upper case characters don't count to the total.\n");

	// Close the file
	
	fclose(f);
	printf("\n");
	return 0;
}

How does the program generating random giberish help you in brute-forcing a long password? Have you heard of the program crunch or how does your program extend the capabilities of crunch? I'm just trying to understand better, in what sittuation will your program benifit someone or how it differs from other known brute-force programs.

[Kalunga]

How does the program generating random giberish help you in brute-forcing a long password? Have you heard of the program crunch or how does your program extend the capabilities of crunch? I'm just trying to understand better, in what sittuation will your program benifit someone or how it differs from other known brute-force programs.

Crunch only works in sequence. I mean, it starts with AAAAA and ends with ZZZZZ, covering all combinations in between. My program don't do that. It only generates random characters with the provided length. If you have "luck", you will find the password. A long password can take months to crack, if attacked in sequence like by Crunch. With my program, maybe (I said maybe) you will find the password faster. It's not a killer tool. It's only one more to try if anything else fail.

By controlling the frequency of vowels, consonants, numbers, symbols and uppercase characters, you can improve the chances to math a password. So you can generate only numbers, or only lowercase characters, or only uppercase, and so on.

[Bl4cks4b3r]

Crunch only works in sequence. I mean, it starts with AAAAA and ends with ZZZZZ, covering all combinations in between. My program don't do that. It only generates random characters with the provided length. If you have "luck", you will find the password. A long password can take months to crack, if attacked in sequence like by Crunch. With my program, maybe (I said maybe) you will find the password faster. It's not a killer tool. It's only one more to try if anything else fail.

By controlling the frequency of vowels, consonants, numbers, symbols and uppercase characters, you can improve the chances to math a password. So you can generate only numbers, or only lowercase characters, or only uppercase, and so on.

I have created Sbrgen which will generate random passwords, and ALL passwords if chosen. I believe Tha Doct0r has done this as well.

[v1kt0r]

Is this tool takes care of non-repetition of randomly generated passwords?

[Kalunga]

Is this tool takes care of non-repetition of randomly generated passwords?

No, it doesn't. Verifying every generated password only would make the random process slow and the chances that a password being generated twice is very, very small.

[thad0ctor]

As Bl4cks4b3r said I wrote a bash script that parses crunch's output to remove a customize-able amount of duplicate characters, and customize-able amount of sequential characters as well as to specify a length and charset as well I believe

granted its not its own program so its a bit slower but it sure helps a bit. I'm not sure if I created a passthrough option for it in my script yet but its certainly doable for my next version