🔐 Password Mutations & Wordlist Generation

🧠 Human Weakness in Password Creation

Despite system-enforced password policies, users tend to choose simple and predictable passwords. This is due to:

• Preference for convenience over security.

• Predictable patterns (e.g., names, pets, company name, hobbies).

• OSINT (Open-Source Intelligence) can help attackers guess passwords by learning user preferences.

➡️ Learn more in the OSINT: Corporate Recon module.

---

🔒 Common Password Policies

Most systems enforce rules like:

✅ Description	🔐 Password Syntax
First letter is uppercase	Password
Adding numbers	Password123
Adding a year	Password2022
Adding a month	Password02
Ending with an exclamation mark	Password2022!
Using special characters	P@ssw0rd2022!

📏 Most passwords are ≤10 characters (per WP Engine stats).

---

🔧 Strategy for Weak Password Generation

1. Start with familiar terms (≥5 characters):

   • Pet names

   • Hobbies

   • Favorite teams

   • Months, seasons, etc.

2. Add mutations to meet complexity:

   • Year

   • Special character

   • Capitalization

📌 Example (from a list with just one entry password):

z3tssu@htb[/htb]$ cat password.list
password

---

Using Hashcat for Mutations

Hashcat allows custom rule-based password generation.

🔧 Basic Syntax for Rules

Function	Description
:	Do nothing
l	Lowercase all letters
u	Uppercase all letters
c	Capitalize first letter
sXY	Replace character X with Y
$!	Add exclamation mark at the end

📁 Custom Rule File (custom.rule)

:
c
so0
c so0
sa@
c sa@
c sa@ so0
$!
$! c
$! so0
$! sa@
$! c so0
$! c sa@
$! so0 sa@
$! c so0 sa@

🔁 Each word from password.list gets mutated 15 times.

Generate the mutated list

hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list

📄 Sample Output (mut_password.list)

password
Password
passw0rd
Passw0rd
p@ssword
P@ssword
P@ssw0rd
password!
Password!
passw0rd!
p@ssword!
Passw0rd!
P@ssword!
p@ssw0rd!
P@ssw0rd!

---

Pre-built Hashcat Rule Files

Hashcat comes with a number of pre-defined rules:

📁 Location: /usr/share/hashcat/rules/

📌 Popular Rules Include:

• best64.rule ✅

• rockyou-30000.rule

• dive.rule

• InsidePro-HashManager.rule

• unix-ninja-leetspeak.rule

• ...and many more

---

Wordlist Generation with CeWL

CeWL scrapes words from websites to generate custom wordlists.

📘 Example:

z3tssu@htb[/htb]$ cewl https://www.inlanefreight.com -d 4 -m 6 --lowercase -w inlane.wordlist

🔢 Count entries:

z3tssu@htb[/htb]$ wc -l inlane.wordlist
326

📌 Combine this with Hashcat rules for targeted and effective password guessing.

---

🧩 Summary

✅ Use common patterns and user interests. ✅ Leverage Hashcat mutation rules and CeWL for web-based term extraction. ✅ Build targeted, compact wordlists to improve password cracking efficiency.

🔗 Learn more in Cracking Passwords with Hashcat