Base words (feature request)

Question

Base words (feature request)

Lexus89 opened this issue 2 years ago · comments

Hi @digininja First of all thank you for all the hard work you put in this tool. Pipal does a great job analyzing passwords. What I noticed is that the top 10 base words are not really the "base" words. For example, it sometimes happens that "p@ssw0rd" and "p@ssword' are (yes also separately) mentioned as a base word, while you would think in the basis it should be "password" (the others are variations).

Perhaps an idea to merge the functionality of deleet with pipal (https://github.com/digininja/deleet)? It could really improve the value of the output.

Robin Wood · Answer 1 · Wed Aug 10 2022 22:31:47 GMT+0800 (China Standard Time)

That seems like a reasonable idea, I would just need to fix on a single set of substitutions otherwise it would get too complex. Substituting 1 for i or l , as long as it is consistent, I don't think would really matter. Swapping 1 for i and saying the base word for 1inked1n is inkedin isn't going to give the correct base, but the human looking at it would be able to understand the mistake and the context. I'll see what I can get added, I'll probably do it as a new plug in rather than modify the existing so not too break the way it currently works

…

On Wed, 10 Aug 2022, 14:40 Lexus89, ***@***.***> wrote: Hi @digininja <https://github.com/digininja> First of all thank you for all the hard work you put in this tool. Pipal does a great job analyzing passwords. What I noticed is that the top 10 base words are not really the "base" words. For example, it sometimes happens that ***@***.***" and ***@***.***' are (yes also separately) mentioned as a base word, while you would think in the basis it should be "password" (the others are variations). Perhaps an idea to merge the functionality of deleet with pipal ( https://github.com/digininja/deleet)? It could really improve the value of the output. — Reply to this email directly, view it on GitHub <#59>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAA4SWOHR2D6FERYAL5QULTVYOWMNANCNFSM56ESRGTA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

Lexus89 · Answer 2 · Fri Aug 04 2023 21:20:37 GMT+0800 (China Standard Time)

Very very late reply - perhaps usable for someone having this issue as well - a comparison to dictionary words may help determining what substitutions were used (for deleet). Convert back to the potential original words, search in a custom dictionary file, and the one found is likely to have the correct base word.

Robin Wood · Answer 3 · Fri Aug 04 2023 21:36:25 GMT+0800 (China Standard Time)

I've just checked and I've not done anything significant to this code for 10 years! It has probably been about that long since I last touched Ruby for anything more than a few line script.

I'll see if I can remember how any of it works and make some changes.

Lexus89 · Answer 4 · Fri Aug 04 2023 23:30:07 GMT+0800 (China Standard Time)

I've just checked and I've not done anything significant to this code for 10 years! It has probably been about that long since I last touched Ruby for anything more than a few line script.

I'll see if I can remember how any of it works and make some changes.

Haha no worries, I didn't even expect a reply as it was so long ago (I do hope it has not been 10 years already haha! Time flies). Just wanted to share the idea, even if for archiving purposes ;)

Robin Wood · Answer 5 · Fri Aug 04 2023 23:34:34 GMT+0800 (China Standard Time)

It wasn't that long since you did the original comment, but looking at the code dates, it has been that long since any major updates.

…

On Fri, 4 Aug 2023 at 16:30, Lexus89 ***@***.***> wrote: I've just checked and I've not done anything significant to this code for 10 years! It has probably been about that long since I last touched Ruby for anything more than a few line script. I'll see if I can remember how any of it works and make some changes. Haha no worries, I didn't even expect a reply as it was so long ago (I do hope it has not been 10 years already haha! Time flies). Just wanted to share the idea, even if for archiving purposes ;) — Reply to this email directly, view it on GitHub <#59 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAA4SWPZQ2KVZH3266K6YNLXTUIQVANCNFSM56ESRGTA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

Robin Wood · Answer 6 · Fri Aug 04 2023 23:54:49 GMT+0800 (China Standard Time)

Try the new deleet_checker in here:

https://github.com/digininja/pipal/tree/deleet

Robin Wood · Answer 7 · Sun Aug 06 2023 04:30:10 GMT+0800 (China Standard Time)

I've tided up that code, done a few more little fixes, and pushed it all into the main branch.

Hopefully it is all working correctly, any problems, let me know.

Lexus89 · Answer 8 · Mon Aug 07 2023 17:09:24 GMT+0800 (China Standard Time)

Thanks a lot! Looking at the output of deleet, it might bring more concrete results when deleet is focusing on the base word output instead of the raw passwords. With some luck this will return 'potato' as the main base word, which can be used for creating new (client tailored) word lists. When deleet-ing those they can also be merged again (p0t4t, p0t@t, etc. => single 'potat' statistic).

Password list

potato123!
123!potato
potato!
$potato$
p0t4t0
pot@t0
p0t@to2023!

Top 10 base words

potato = 4 (57.14%)
p0t4t = 1 (14.29%)
pot@t = 1 (14.29%)
p0t@to = 1 (14.29%)

Top 10 passwords (from deleet)

potato = 2 (28.57%)
potatoi2e! = 1 (14.29%)
i2e!potato = 1 (14.29%)
potato! = 1 (14.29%)
$potato$ = 1 (14.29%)
potato2o2e! = 1 (14.29%)

There will be some weird cases like 'p0tat0' => 'potat' (due to ltrim/rtrim), which would make things a bit more complicated, but I am hoping the overall result will be more in line with what to feed to the password cracker. With larger results a print all instead of top X could also be useful.

My apologies for these ideas, I tend to overcomplicate things.. :)

Robin Wood · Answer 9 · Mon Aug 07 2023 17:38:13 GMT+0800 (China Standard Time)

I'll have a look at doing base words instead of the main word, shouldn't be too hard to do. You can change the top X with the cap parameter so you get everything.

…

On Mon, 7 Aug 2023 at 10:09, Lexus89 ***@***.***> wrote: Thanks a lot! Looking at the output of deleet, it might bring more concrete results when deleet is focusing on the base word output instead of the raw passwords. With some luck this will return 'potato' as the main base word, which can be used for creating new (client tailored) word lists. When deleet-ing those they can also be merged again (p0t4t, ***@***.***, etc. => single 'potat' statistic). Password list potato123! 123!potato potato! $potato$ p0t4t0 ***@***.*** ***@***.***! Top 10 base words potato = 4 (57.14%) p0t4t = 1 (14.29%) ***@***.*** = 1 (14.29%) ***@***.*** = 1 (14.29%) Top 10 passwords (from deleet) potato = 2 (28.57%) potatoi2e! = 1 (14.29%) i2e!potato = 1 (14.29%) potato! = 1 (14.29%) $potato$ = 1 (14.29%) potato2o2e! = 1 (14.29%) There will be some weird cases like 'p0tat0' => 'potat' (due to ltrim/rtrim), which would make things a bit more complicated, but I am hoping the overall result will be more in line with what to feed to the password cracker. With larger results a print all instead of top X could also be useful. My apologies for these ideas, I tend to overcomplicate things.. :) — Reply to this email directly, view it on GitHub <#59 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAA4SWOKWGU5B76GJMJPLT3XUCWFBANCNFSM56ESRGTA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

Robin Wood · Answer 10 · Wed Aug 16 2023 00:24:35 GMT+0800 (China Standard Time)

I've just pushed a change that will deleet the base word rather than the main word.

This:

p@ssword
P@ssw0rd1
123Pas5word22
123P@ssw0rd1
fish
pa55word

Used to go to:

password = 2 (33.33%)
passwordi = 1 (16.67%)
i2epassword22 = 1 (16.67%)
i2epasswordi = 1 (16.67%)
fish = 1 (16.67%)

Now goes to:

password = 5 (83.33%)
fish = 1 (16.67%)

Lexus89 · Answer 11 · Wed Aug 16 2023 18:52:15 GMT+0800 (China Standard Time)

The base words are detected a lot better now, really useful thanks a lot! Small thing I noticed; sometimes it also prints an empty base word ("" = x%), probably because the string is empty after deleet-ing, but that doesn't really matter it's good enough for me ;)

Robin Wood · Answer 12 · Wed Aug 16 2023 19:11:31 GMT+0800 (China Standard Time)

I'll get that fixed. I wonder if that effects the other base word checker as well, I'll have a look at the same time.

…

On Wed, 16 Aug 2023, 11:52 Lexus89, ***@***.***> wrote: The base words are detected a lot better now, really useful thanks a lot! Small thing I noticed; sometimes it also prints an empty base word ("" = x%), probably because the string is empty after deleet-ing, but that doesn't really matter it's good enough for me ;) — Reply to this email directly, view it on GitHub <#59 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAA4SWI3FUMTHQABZOQHIR3XVSQ6TANCNFSM56ESRGTA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

Robin Wood · Answer 13 · Fri Aug 18 2023 22:54:41 GMT+0800 (China Standard Time)

I've just pushed a fix for this.