View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0003929 | Kali Linux | [All Projects] New Tool Requests | public | 2017-03-23 12:42 | 2018-01-29 17:12 |

| Target Version | Fixed in Version |
|---|---|
| | |

Summary: 0003929: Pwdlyser - Password Analysis and Reporting Tool: Pwdlyser
Description: A tool developed primarily for penetration testers and security consultants to provide a granular, yet descriptive overview of an organisation's password-use following password-cracking attacks. This tool uses Username and Password (plaintext) information from any source to provide detailed analysis on the commonly reported issues following security audits or penetration tests.
Furthermore, there are three separate output displays depending upon the requirement:
- A technical output, which displays the passwords, usernames, and reasons for being flagged in the analysis. The passwords are displayed in plaintext in this view.
- A more detailed output, showing each username/password combination, where all of the passwords are masked except for the starting and a few end characters (mask depends upon length). This can be used for technical report outputs, for IT administrators or security management.
- A more management-summary-friendly report, provided as paragraph analysis of each of the sections - each section is dynamically updated and displayed depending upon the results and the input arguments used. E.g. if --admin [path] is not used, then this section is not evaluated.
This tool is regularly used for penetration testing engagements, and has been invaluable for providing detailed information for clients.
Additionally, there are some other features, such as the -w (wordlist clean) argument, that allow penetration testers to 'clean' a wordlist for reuse as a password-cracking wordlist input. This is often used during engagements, and has had a positive result in providing a small percentage of additional passwords being cracked just by using the same list.
Additional Information: The available input arguments are as follows:
--all, -A  Run all standard tests. Can be combined with -o [org-name], --summary, --admin [path]
--admin ADMIN_PATH  Import line separated list of Admin usernames to check
-c, --common  Check against list of common passwords
--char-analysis  Perform character-level analysis
--date  Check for common date/day passwords
-e, --entropy  Output estimated entropy for the top 10 passwords (by
--exact EXACT_SEARCH  Perform a search using the exact string.
-f FREQ_ANAL, --frequency FREQ_ANAL  Perform frequency analysis
-fl FREQ_LEN, --length-frequency FREQ_LEN  Perform frequency analysis on password length
Identify common keyboard pattern usage within password
-l MIN_LENGTH, --length MIN_LENGTH  Display passwords that do not meet the minimum length
-m, --mask  Perform common Hashcat mask analysis
-mc MASKS_RESULTS_COUNT, --mask-count MASKS_RESULTS_COUNT  (Optional) Specify the number of masks to output for the -m / --masks option
-o ORG_NAME, --org-name ORG_NAME  Enter the organisation name to identify any users that will be using a variation of the word for their password. Note: False Positives are possible
-oR  Output format set for reporting with "- " prefix
-p PASS_LIST, --pass-list PASS_LIST  Enter the path to the list of passwords, either in the format of passwords, or username:password.
-S BASIC_SEARCH, --search BASIC_SEARCH  Run a basic search using a keyword. Non-alpha characters will be stripped, i.e. syst3m will become systm (although this will be compared against the same
-s, --shared  Display any reused/shared passwords.
-u USER_SEARCH, --user USER_SEARCH  Return usernames that match string (case insensitive)
-up, --user-as-pass  Check for passwords that use part of the username
-w, --clean-wordlist  Enable this flag to append cleaned (no trailing numerics) to a wordlist at wordlist-cleaned.txt
--summary  Use --summary to provide a concise report-friendly
An example of a command to provide detailed information for a report-friendly format would be:
pwdlyser -p [username-password.file] --admin [administrator-username.list] --summary -o [organisation-name-string]
This output could then be fed straight into a penetration test report, albeit with minor tweaks should it be required for post-analysis.
The github readme examples do require a further update, as the output has changed slightly since its initial inception. However, this will be done over the next few weeks to reflect the current state of the tool.
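To illustrate the kind of audit reporting described above (the masked technical view, the -up username-as-password check, the -l minimum-length check and the "- " prefixed -oR lines), here is an added example in Python. It is not pwdlyser's own code; the masking rule, the 3-character username-fragment threshold and the sample username:password lines are all assumptions constructed for this example.

```python
# Added example: a minimal password-audit reporter in the spirit of pwdlyser.
# Not the project's code; masking rule and thresholds are assumed values.

MIN_LENGTH = 8  # assumed policy minimum, like the tool's -l MIN_LENGTH

# Constructed sample input in the username:password format the tool accepts
SAMPLE_INPUT = """\
alice:Summer2017!
bob:bob123
carol:correct horse battery staple
dave:Dave2017
"""


def mask_password(pw: str) -> str:
    """Keep the first char and a length-dependent tail, mask the rest.
    Assumed rule: tail of 2 chars for passwords of 8+ chars, 1 otherwise."""
    if len(pw) <= 2:
        return "*" * len(pw)
    tail = 2 if len(pw) >= 8 else 1
    return pw[0] + "*" * (len(pw) - 1 - tail) + pw[-tail:]


def user_as_pass(user: str, pw: str, min_part: int = 3) -> bool:
    """True if any username fragment of >= min_part chars appears in the
    password (case-insensitive), mirroring the -up / --user-as-pass idea."""
    u, p = user.lower(), pw.lower()
    return any(u[i:i + min_part] in p for i in range(len(u) - min_part + 1))


def analyse(text: str, min_length: int = MIN_LENGTH):
    """Return (username, masked_password, reasons) for every flagged entry."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Accept both "username:password" and bare "password" lines
        user, pw = line.split(":", 1) if ":" in line else ("", line)
        reasons = []
        if len(pw) < min_length:
            reasons.append(f"shorter than {min_length}")
        if user_as_pass(user, pw):
            reasons.append("contains part of username")
        if reasons:
            findings.append((user, mask_password(pw), reasons))
    return findings


def report_lines(findings):
    """Report-friendly output with the "- " prefix, as with -oR."""
    return [f"- {u}: {m} ({'; '.join(r)})" for u, m, r in findings]
```

Plaintext never reaches the report: only the masked form and the reasons for flagging are emitted, which is the view intended for administrators and management.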
To help speed up the process of evaluating the tool, please make sure to include the following information (the more information you include, the more beneficial it will for us):
- [Name] - The name of the tool
- [Version] - What version of the tool should be added?
--- If it uses source control (such as git), please make sure there is a release to match (e.g. git tag)
- [Homepage] - Where can the tool be found online? Where to go to get more information?
- [Download] - Where to go to get the tool?
- [Author] - Who made the tool?
- [Licence] - How is the software distributed? What conditions does it come with?
- [Description] - What is the tool about? What does it do?
- [Dependencies] - What is needed for the tool to work?
- [Similar tools] - What other tools are out there?
- [How to install] - How do you compile it?
- [How to use] - What are some basic commands/functions to demonstrate it?
- [Name] - Pwdlyser
- [Version] - 2.5.2 (Latest on GitHub) (https://github.com/ins1gn1a/Pwdlyser/releases/tag/2.5.2)
- [Homepage] - https://www.github.com/ins1gn1a/pwdlyser || https://www.pwdlyser.com
- [Download] - https://github.com/ins1gn1a/Pwdlyser/releases/tag/2.5.2 || https://www.pwdlyser.com
- [Author] - ins1gn1a
- [Licence] - MIT License
- [Description] - The 'pwdlyser' tool is a Python-based CLI script that automates the arduous process of manually reviewing cracked passwords during password audits following security assessments or penetration tests.
- [Dependencies] - Python3,
- [Similar tools] - Pipal
- [How to install] - Script requires execution permissions, but the contained setup.py will install to necessary directory to be used in-path.
- [How to use] - pwdlyser -p [username:password file path] --all
| Date | User | Field | Change |
|---|---|---|---|
| 2017-03-23 12:42 | ins1gn1a | New Issue | |
| 2018-01-29 14:16 | g0tmi1k | Summary | Password Analysis and Reporting Tool: Pwdlyser => Pwdlyser - Password Analysis and Reporting Tool: Pwdlyser |
| 2018-01-29 14:16 | g0tmi1k | Note Added: 0008343 | |
| 2018-01-29 17:12 | ins1gn1a | Note Added: 0008539 | |