# 🔐 Password Mutations & Wordlist Generation ### 🧠 Human Weakness in Password Creation Despite system-enforced password policies, users tend to choose **simple and predictable passwords**. This is due to: * Preference for convenience over security. * Predictable patterns (e.g., names, pets, company name, hobbies). * OSINT (Open-Source Intelligence) can help attackers guess passwords by learning user preferences. ➡️ Learn more in the [OSINT: Corporate Recon](https://academy.hackthebox.com/module/details/85) module. *** ### 🔒 Common Password Policies Most systems enforce rules like: | ✅ Description | 🔐 Password Syntax | | ------------------------------- | ------------------ | | First letter is uppercase | `Password` | | Adding numbers | `Password123` | | Adding a year | `Password2022` | | Adding a month | `Password02` | | Ending with an exclamation mark | `Password2022!` | | Using special characters | `P@ssw0rd2022!` | 📏 **Most passwords are ≤10 characters** (per WP Engine stats). *** ### 🔧 Strategy for Weak Password Generation 1. Start with familiar terms (≥5 characters): * Pet names * Hobbies * Favorite teams * Months, seasons, etc. 2. Add mutations to meet complexity: * Year * Special character * Capitalization 📌 Example (from a list with just one entry `password`): ```bash z3tssu@htb[/htb]$ cat password.list password ``` *** ## Using Hashcat for Mutations Hashcat allows custom rule-based password generation. 🔧 **Basic Syntax for Rules** | Function | Description | | -------- | ------------------------------- | | `:` | Do nothing | | `l` | Lowercase all letters | | `u` | Uppercase all letters | | `c` | Capitalize first letter | | `sXY` | Replace character X with Y | | `$!` | Add exclamation mark at the end | 📁 **Custom Rule File (custom.rule)** ```bash : c so0 c so0 sa@ c sa@ c sa@ so0 $! $! c $! so0 $! sa@ $! c so0 $! c sa@ $! so0 sa@ $! c so0 sa@ ``` 🔁 Each word from `password.list` gets mutated 15 times. ### **Generate the mutated list** {% code overflow="wrap" %} ```bash hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list ``` {% endcode %} 📄 **Sample Output (mut\_password.list)** ``` password Password passw0rd Passw0rd p@ssword P@ssword P@ssw0rd password! Password! passw0rd! p@ssword! Passw0rd! P@ssword! p@ssw0rd! P@ssw0rd! ``` *** ### Pre-built Hashcat Rule Files Hashcat comes with a number of pre-defined rules: 📁 **Location**: `/usr/share/hashcat/rules/` 📌 **Popular Rules Include**: * `best64.rule` ✅ * `rockyou-30000.rule` * `dive.rule` * `InsidePro-HashManager.rule` * `unix-ninja-leetspeak.rule` * ...and many more *** ## Wordlist Generation with CeWL CeWL scrapes words from websites to generate custom wordlists. 📘 Example: {% code overflow="wrap" %} ```bash z3tssu@htb[/htb]$ cewl https://www.inlanefreight.com -d 4 -m 6 --lowercase -w inlane.wordlist ``` {% endcode %} 🔢 Count entries: ```bash z3tssu@htb[/htb]$ wc -l inlane.wordlist 326 ``` 📌 Combine this with Hashcat rules for **targeted and effective password guessing**. *** ### 🧩 Summary ✅ Use **common patterns** and user interests.\ ✅ Leverage **Hashcat mutation rules** and **CeWL for web-based term extraction**.\ ✅ Build **targeted, compact wordlists** to improve password cracking efficiency. 🔗 Learn more in [Cracking Passwords with Hashcat](https://academy.hackthebox.com/module/details/52)