0003929: Pwdlyser - Password Analysis and Reporting Tool: Pwdlyser - Kali Linux Bug Tracker

ID	Project	Category	View Status	Date Submitted	Last Update

0003929	Kali Linux	New Tool Requests	public	2017-03-23 12:42	2020-02-11 16:56

Reporter	ins1gn1a	Assigned To	g0tmi1k
Priority	normal	Severity	feature	Reproducibility	N/A
Status	closed	Resolution	won't fix

Summary	0003929: Pwdlyser - Password Analysis and Reporting Tool: Pwdlyser
Description	Name: Pwdlyser Homepage: https://www.github.com/ins1gn1a/pwdlyser Download: https://www.github.com/ins1gn1a/pwdlyser.git Version: v2.4.2 Description: A tool developed primarily for penetration testers and security consultants to provide a granular, yet descriptive overview of an organisation's password-use following password-cracking attacks. This tool uses Username and Password (plaintext) information from any source to provide detailed analysis on the commonly reported issues following security audits or penetration tests. Furthermore, there are three separate output displays depending upon the requirement: A technical output, which displays the passwords, usernames, and reasons for being flagged in the analysis. The passwords are displayed in plaintext in this view. A more detailed output, showing each username/password combination, where all of the passwords are masked except for the starting and a few end characters (mask depends upon length). This can be used for technical report outputs, for IT administrators or security management. A more management summrary friendly report, provided in paragraph analysis of each of the sections - each section is dynamically updated and displayed depending upon the results and the input arguments used. E.g. if --admin [path] is not used, then this section is not evaluated. This tool is regularly used for penetration testing engagements, and has been invaluable for providing detailed information for clients. Additionally, there are some other features, such as the -w (wordlist clean) argument, that provide penetration testers to be able to 'clean' a wordlist for reuse in password cracking wordlist inputs. This is often used during engagements, and has had a positive result in providing a small percentage of additional passwords being cracked just by using the same list.
Additional Information	The available input arguments are as follows: --all, -A Run all standard tests. Can be combined with -o [org-name], --summary, --admin [path] --admin ADMIN_PATH Import line separated list of Admin usernames to check password list -c, --common Check against list of common passwords --char-analysis Perform character-level analysis --date Check for common date/day passwords -e, --entropy Output estimated entropy for the top 10 passwords (by frequency used) --exact EXACT_SEARCH Perform a search using the exact string. -f FREQ_ANAL, --frequency FREQ_ANAL Perform frequency analysis -fl FREQ_LEN, --length-frequency FREQ_LEN Perform frequency analysis on password length -k, --keyboard-pattern Identify common keyboard pattern usage within password lists -l MIN_LENGTH, --length MIN_LENGTH Display passwords that do not meet the minimum length -m, --mask Perform common Hashcat mask analysis -mc MASKS_RESULTS_COUNT, --mask-count MASKS_RESULTS_COUNT (Optional) Specify the number of mask to output for the -m / --masks option -o ORG_NAME, --org-name ORG_NAME Enter the organisation name to identify any users that will be using a variation of the word for their password. Note: False Positives are possible -oR Output format set for reporting with "- " prefix -p PASS_LIST, --pass-list PASS_LIST Enter the path to the list of passwords, either in the format of passwords, or username:password. -S BASIC_SEARCH, --search BASIC_SEARCH Run a basic search using a keyword. Non-alpha characters will be stripped, i.e. syst3m will become systm (although this will be compared against the same stripped passwords -s, --shared Display any reused/shared passwords. -u USER_SEARCH, --user USER_SEARCH Return usernames that match string (case insensitive) -up, --user-as-pass Check for passwords that use part of the username -w, --clean-wordlist Enable this flag to append cleaned (no trailing numerics) to a wordlist at wordlist-cleaned.txt --summary Use --summary to provide a concise report-friendly output. An example of a command to provide detailed information for a report-friendly format would be: pwdlyser -p [username-password.file] --admin [administrator-username.list] --summary -o [organisation-name-string] This output could then be fed straight in to a penetration test report, albeit with minor tweaks should it be required for post-analysis. The github readme examples do require a further update, as the output has changed slightly since its initial inception. However, this will be done over the next few weeks to reflect the current state of the tool.

g0tmi1k 2018-01-29 14:16 administrator ~0008343	To help speed up the process of evaluating the tool, please make sure to include the following information (the more information you include, the more beneficial it will for us): [Name] - The name of the tool [Version] - What version of the tool should be added? --- If it uses source control (such as git), please make sure there is a release to match (e.g. git tag) [Homepage] - Where can the tool be found online? Where to go to get more information? [Download] - Where to go to get the tool? [Author] - Who made the tool? [Licence] - How is the software distributed? What conditions does it come with? [Description] - What is the tool about? What does it do? [Dependencies] - What is needed for the tool to work? [Similar tools] - What other tools are out there? [How to install] - How do you compile it? [How to use] - What are some basic commands/functions to demonstrate it?

ins1gn1a 2018-01-29 17:12 reporter ~0008539	[Name] - Pwdlyser [Version] - 2.5.2 (Latest on GitHub) (https://github.com/ins1gn1a/Pwdlyser/releases/tag/2.5.2) [Homepage] - https://www.github.com/ins1gn1a/pwdlyser \|\| https://www.pwdlyser.com [Download] - https://github.com/ins1gn1a/Pwdlyser/releases/tag/2.5.2 \|\| https://www.pwdlyser.com [Author] - ins1gn1a [Licence] - MIT License [Description] - The 'pwdlyser' tool is a Python-based CLI script that automates the arduous process of manually reviewing cracked passwords during password audits following security assessments or penetration tests. [Dependencies] - Python3, [Similar tools] - Pipal [How to install] - Script requires execution permissions, but the contained setup.py will install to necessary directory to be used in-path. [How to use] - pwdlyser -p [username:password file path] --all

g0tmi1k 2020-02-11 16:56 administrator ~0012249	Project now 404's

Date Modified	Username	Field	Change
2017-03-23 12:42	ins1gn1a	New Issue
2018-01-29 14:16	g0tmi1k	Summary	Password Analysis and Reporting Tool: Pwdlyser => Pwdlyser - Password Analysis and Reporting Tool: Pwdlyser
2018-01-29 14:16	g0tmi1k	Note Added: 0008343
2018-01-29 17:12	ins1gn1a	Note Added: 0008539
2020-02-11 16:56	g0tmi1k	Note Added: 0012249
2020-02-11 16:56	g0tmi1k	Assigned To	=> g0tmi1k
2020-02-11 16:56	g0tmi1k	Status	new => closed
2020-02-11 16:56	g0tmi1k	Resolution	open => won't fix