View Issue Details

ID: 0003929
Project: Kali Linux
Category: [All Projects] New Tool Requests
View Status: public
Last Update: 2018-01-29 17:12
Reporter: ins1gn1a
Assigned To:
Priority: normal
Severity: feature
Reproducibility: N/A
Status: new
Resolution: open
Product Version:
Target Version:
Fixed in Version:
Summary: 0003929: Pwdlyser - Password Analysis and Reporting Tool: Pwdlyser

Description

Name: Pwdlyser
Homepage: https://www.github.com/ins1gn1a/pwdlyser
Download: https://www.github.com/ins1gn1a/pwdlyser.git
Version: v2.4.2
Description: A tool developed primarily for penetration testers and security consultants to provide a granular, yet descriptive overview of an organisation's password-use following password-cracking attacks. This tool uses Username and Password (plaintext) information from any source to provide detailed analysis on the commonly reported issues following security audits or penetration tests.

Furthermore, there are three separate output displays depending upon the requirement:
- A technical output, which displays the passwords, usernames, and reasons for being flagged in the analysis. The passwords are displayed in plaintext in this view.
- A more detailed output, showing each username/password combination, where all of the passwords are masked except for the starting and a few end characters (mask depends upon length). This can be used for technical report outputs, for IT administrators or security management.
- A more management summary friendly report, provided in paragraph analysis of each of the sections - each section is dynamically updated and displayed depending upon the results and the input arguments used. E.g. if --admin [path] is not used, then this section is not evaluated.

This tool is regularly used for penetration testing engagements, and has been invaluable for providing detailed information for clients.

Additionally, there are some other features, such as the -w (wordlist clean) argument, that enable penetration testers to 'clean' a wordlist for reuse in password cracking wordlist inputs. This is often used during engagements, and has had a positive result in providing a small percentage of additional passwords being cracked just by using the same list.

Additional Information

The available input arguments are as follows:

  --all, -A Run all standard tests. Can be combined with -o [org-name], --summary, --admin [path]

  --admin ADMIN_PATH Import line separated list of Admin usernames to check
                        password list

  -c, --common Check against list of common passwords

  --char-analysis Perform character-level analysis

  --date Check for common date/day passwords

  -e, --entropy Output estimated entropy for the top 10 passwords (by
                        frequency used)

  --exact EXACT_SEARCH Perform a search using the exact string.

  -f FREQ_ANAL, --frequency FREQ_ANAL
                        Perform frequency analysis

  -fl FREQ_LEN, --length-frequency FREQ_LEN
                        Perform frequency analysis on password length

  -k, --keyboard-pattern
                        Identify common keyboard pattern usage within password
                        lists

  -l MIN_LENGTH, --length MIN_LENGTH
                        Display passwords that do not meet the minimum length

  -m, --mask Perform common Hashcat mask analysis


  -mc MASKS_RESULTS_COUNT, --mask-count MASKS_RESULTS_COUNT
                        (Optional) Specify the number of mask to output for
                        the -m / --masks option

  -o ORG_NAME, --org-name ORG_NAME
                        Enter the organisation name to identify any users that
                        will be using a variation of the word for their
                        password. Note: False Positives are possible

  -oR Output format set for reporting with "- " prefix

  -p PASS_LIST, --pass-list PASS_LIST
                        Enter the path to the list of passwords, either in the
                        format of passwords, or username:password.

  -S BASIC_SEARCH, --search BASIC_SEARCH
                        Run a basic search using a keyword. Non-alpha
                        characters will be stripped, i.e. syst3m will become
                        systm (although this will be compared against the same
                        stripped passwords

  -s, --shared Display any reused/shared passwords.

  -u USER_SEARCH, --user USER_SEARCH
                        Return usernames that match string (case insensitive)

  -up, --user-as-pass Check for passwords that use part of the username

  -w, --clean-wordlist Enable this flag to append cleaned (no trailing
                        numerics) to a wordlist at wordlist-cleaned.txt

  --summary Use --summary to provide a concise report-friendly
                        output.

An example of a command to provide detailed information for a report-friendly format would be:
pwdlyser -p [username-password.file] --admin [administrator-username.list] --summary -o [organisation-name-string]

This output could then be fed straight in to a penetration test report, albeit with minor tweaks should it be required for post-analysis.

The github readme examples do require a further update, as the output has changed slightly since its initial inception. However, this will be done over the next few weeks to reflect the current state of the tool.
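
Added example (not part of the original issue and not Pwdlyser's own code): a minimal Python sketch of the masked report view described above, flagging short, shared and username-derived passwords. The masking rule, the 4-character username fragment, the default minimum length and all function names are assumptions made for illustration; the sample credentials are constructed.

```python
from collections import defaultdict

# Constructed sample input in the username:password format the page describes.
SAMPLE = """\
alice:Summer2017!
bob:Summer2017!
carol:carol123
dave:Xq9#vLp2mRt8
svc_backup:backup
"""

def parse(text):
    """Split username:password lines; the password itself may contain ':'."""
    creds = []
    for line in text.splitlines():
        if ":" in line:
            user, pwd = line.split(":", 1)
            creds.append((user.strip(), pwd))
    return creds

def mask(pwd):
    """Assumed rule: keep the first character and a length-dependent tail."""
    if len(pwd) < 4:
        return "*" * len(pwd)          # too short to reveal anything safely
    tail = 1 if len(pwd) < 8 else 2
    return pwd[0] + "*" * (len(pwd) - 1 - tail) + pwd[-tail:]

def audit(creds, min_length=9):
    """Return (username, masked password, reasons) for every account."""
    by_pwd = defaultdict(list)
    for user, pwd in creds:
        by_pwd[pwd].append(user)
    report = []
    for user, pwd in creds:
        reasons = []
        if len(pwd) < min_length:
            reasons.append("below minimum length")
        if len(by_pwd[pwd]) > 1:
            reasons.append("shared by %d accounts" % len(by_pwd[pwd]))
        # Any 4-character slice of the username inside the password,
        # compared case-insensitively; shorter usernames are not checked.
        name, low = user.lower(), pwd.lower()
        if any(name[i:i + 4] in low for i in range(max(len(name) - 3, 0))):
            reasons.append("contains part of username")
        report.append((user, mask(pwd), reasons))
    return report

if __name__ == "__main__":
    for user, masked, reasons in audit(parse(SAMPLE)):
        print(f"{user:12} {masked:14} {', '.join(reasons) or 'ok'}")
```

Only the masked form leaves the audit function, so the report can be shared with IT administrators without reproducing the cracked plaintext.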

Activities

g0tmi1k

2018-01-29 14:16

administrator   ~0008343

To help speed up the process of evaluating the tool, please make sure to include the following information (the more information you include, the more beneficial it will be for us):

- [Name] - The name of the tool
- [Version] - What version of the tool should be added?
--- If it uses source control (such as git), please make sure there is a release to match (e.g. git tag)
- [Homepage] - Where can the tool be found online? Where to go to get more information?
- [Download] - Where to go to get the tool?
- [Author] - Who made the tool?
- [Licence] - How is the software distributed? What conditions does it come with?
- [Description] - What is the tool about? What does it do?
- [Dependencies] - What is needed for the tool to work?
- [Similar tools] - What other tools are out there?
- [How to install] - How do you compile it?
- [How to use] - What are some basic commands/functions to demonstrate it?

ins1gn1a

2018-01-29 17:12

reporter   ~0008539

- [Name] - Pwdlyser
- [Version] - 2.5.2 (Latest on GitHub) (https://github.com/ins1gn1a/Pwdlyser/releases/tag/2.5.2)
- [Homepage] - https://www.github.com/ins1gn1a/pwdlyser || https://www.pwdlyser.com
- [Download] - https://github.com/ins1gn1a/Pwdlyser/releases/tag/2.5.2 || https://www.pwdlyser.com
- [Author] - ins1gn1a
- [Licence] - MIT License
- [Description] - The 'pwdlyser' tool is a Python-based CLI script that automates the arduous process of manually reviewing cracked passwords during password audits following security assessments or penetration tests.
- [Dependencies] - Python3,
- [Similar tools] - Pipal
- [How to install] - Script requires execution permissions, but the contained setup.py will install to the necessary directory to be used in-path.
- [How to use] - pwdlyser -p [username:password file path] --all

Issue History

Date Modified Username Field Change
2017-03-23 12:42 ins1gn1a New Issue
2018-01-29 14:16 g0tmi1k Summary Password Analysis and Reporting Tool: Pwdlyser => Pwdlyser - Password Analysis and Reporting Tool: Pwdlyser
2018-01-29 14:16 g0tmi1k Note Added: 0008343
2018-01-29 17:12 ins1gn1a Note Added: 0008539