Problem/Motivation

DtR has a wordlist of common bad passwords which it tries, but it also makes a few guesses at user passwords based on the simple info available about the account e.g.

https://git.drupalcode.org/project/drop_the_ripper/-/blob/2.0.x/Commands...

https://git.drupalcode.org/project/drop_the_ripper/-/blob/2.0.x/drop_the...

/**
 * Make a few guesses about a user's password.
 *
 * @param object $user
 *   A (basic) user object.
 *
 * @return array
 *   Guesses at the user's password.
 */
function _dtr_user_guesses($user) {
  $guesses = array();
  $guesses[] = $user->name;
  $guesses[] = $user->name . date('Y');
  $guesses[] = $user->mail;
  if (preg_match('/(.*)@(.*)\..*/', $user->mail, $matches)) {
    // Username portion of mail.
    $guesses[] = $matches[1];
    // First part of domain.
    $guesses[] = $matches[2];
  }
  return array_unique(array_filter($guesses));
}

I've seen these be correct surprisingly often.

What other guesses might we try?

I've been meaning to add $user->name . (date('Y') -1); for a while...

I think I'd like to keep the number of guesses fairly low but a few more wouldn't hurt.

For example probably not a brute force approach adding digits to the username, although perhaps that's not such a terrible idea as an option?

There's already the --no-guessing option to disable guessing if someone wants to do that for any reason.

Comments

mcdruid created an issue. See original summary.

mcdruid’s picture

...probably not a brute force approach adding digits to the username, although perhaps that's not such a terrible idea as an option?

I think trying a few sequential digits on the end of the username is worth a shot.

It's hard to come up with really good metrics for how common these things are, but looking at rockyou gives us a rough idea.

IIUC how high up the wordlist a given password comes reflects how common it was in the breach, so smaller numbers on the left means the password was more popular:

$ for nums in 1 12 123 1234 12345 ; do grep -n ^[a-z]*$nums$ rockyou.txt | head ; echo ; done
28:password1
126:princess1
184:angel1
219:babygirl1
234:iloveyou1
248:jesus1
280:monkey1
381:myspace1
384:michael1
432:nicole1

579:love12
1366:sexy12
1484:baby12
1803:password12
1956:angel12
2195:pink12
2321:soccer12
2467:princess12
2971:blue12
3112:babygirl12

10:abc123
332:love123
528:red123
1105:sexy123
1226:pink123
1230:hello123
1311:baby123
1368:angel123
1384:password123
1531:blue123

1023:abcd1234
1077:1234
3033:abc1234
3079:love1234
3329:asdf1234
4566:qwer1234
7810:blue1234
8146:sexy1234
8375:me1234
8659:red1234

2:12345
1379:a12345
4810:j12345
5962:m12345
6675:k12345
7090:s12345
7626:abc12345
7708:c12345
9042:b12345
9277:q12345

This is not very scientific but I'm going to take that to mean it's not really worth going further than 123.

It wouldn't be hard to add all of these suffixes, but that goes against the idea of keeping the number of guesses low.

I'm somewhat inclined to only add "1" and "123" as "12" doesn't seem as popular.

Getting even less scientific I think I'll add an exclamation mark suffix as this is anecdotally popular, and a basic check against other special characters bears this out (a couple of nasty words redacted in the results):

$ grep -n '^[a-z]*\!$' rockyou.txt | head
985:iloveyou!
2170:password!
3255:rockyou!
3282:f***you!
4481:hello!
5087:iloveu!
5299:princess!
5819:iloveme!
5948:yahoo!
6053:b*tch!
$ grep -n '^[a-z]*\*$' rockyou.txt | head
14703:iloveyou*
18465:princess*
22902:password*
35527:angel*
46844:soccer*
58378:kisses*
63699:monkey*
65403:sunshine*
66154:hottie*
66550:butterfly*
$ grep -n '^[a-z]*\%$' rockyou.txt | head
1173091:water%
1196542:twenty%
1218662:tigger%
1275475:smile%
1289157:sh*t%
1335383:ronaldo%
1407955:password%
1476429:moonpie%
1525057:marie%
1640782:kamari%

I think I'll leave it at that as I don't want to add a lot of extra guesses.

Perhaps at some point we could add another option to add a load of patterns based on popular rules / patterns used by John the Ripper / HashCat etc.

Drop the Ripper has the advantage that it knows some info about the user already, e.g. username, mail, so we're in quite a good position to try a couple of basic variations.

  • mcdruid committed 28a5014a on 7.x-2.x
    Issue #3219538: Add more password guesses based on user info
    
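The rockyou check above only eyeballs the first ten `grep -n` hits per suffix. As an added example (not code from the thread or from the Drop the Ripper module), here is the same idea turned into a small metric: for each candidate suffix, count how many of the top N wordlist entries are a lowercase word plus that suffix, and remember the best rank. The wordlist below is a constructed stand-in for the head of rockyou.txt, and unlike the `[a-z]*` grep it requires at least one letter, so bare entries such as `12345` are not counted as suffix hits.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed stand-in for the first lines of a breach wordlist, ordered
# most-common first the way rockyou.txt is.  Not real rockyou data.
SAMPLE_WORDLIST = [
    "123456", "12345", "password", "iloveyou", "princess", "abc123",
    "password1", "angel1", "love12", "love123", "iloveyou!", "abcd1234",
    "password!", "a12345", "monkey", "sexy12", "hello123", "red1234",
    "iloveyou*", "password12",
]


def suffix_stats(wordlist: Iterable[str], suffixes: Iterable[str],
                 top_n: int = 10000) -> Dict[str, Tuple[int, int]]:
    """Count, per suffix, the entries in the top_n that are a lowercase word
    followed by exactly that suffix, and record the best (lowest) rank.

    Returns {suffix: (hits, best_rank)}; best_rank is 0 when there are no hits.
    Ranks are 1-based line numbers, matching the `grep -n` output in the thread.
    """
    # [a-z]+ rather than the grep's [a-z]*: a bare "12345" is not a suffix hit.
    patterns = {s: re.compile(r"^[a-z]+" + re.escape(s) + r"$") for s in suffixes}
    stats = {s: [0, 0] for s in suffixes}
    for rank, entry in enumerate(wordlist, start=1):
        if rank > top_n:
            break
        for s, pattern in patterns.items():
            if pattern.match(entry):
                stats[s][0] += 1
                if stats[s][1] == 0:
                    stats[s][1] = rank
    return {s: (hits, best) for s, (hits, best) in stats.items()}


def rank_suffixes(wordlist: Iterable[str], suffixes: Iterable[str],
                  top_n: int = 10000) -> List[str]:
    """Suffixes ordered most common first; ties broken by best rank."""
    stats = suffix_stats(list(wordlist), suffixes, top_n)
    return sorted(stats, key=lambda s: (-stats[s][0], stats[s][1] or float("inf")))


if __name__ == "__main__":
    candidates = ["1", "12", "123", "1234", "12345", "!", "*"]
    for suffix, (hits, best) in suffix_stats(SAMPLE_WORDLIST, candidates).items():
        print(f"{suffix!r:8} hits={hits:3d} best_rank={best}")
    print("order:", rank_suffixes(SAMPLE_WORDLIST, candidates))
```

Run it against the real rockyou.txt by reading the file into a list (one entry per line) and passing a realistic `top_n`; the counts, not the first ten hits, are what decide whether a suffix earns a place in the guess list.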
mcdruid’s picture

I've not added to the tests to check the new guesses.

Leaving this open for that if nothing else.

  • mcdruid committed c7b3b080 on 2.0.x
    Issue #3219538: Add more password guesses based on user info
    

  • mcdruid committed ffc7ad58 on 2.0.x
    Issue #3219538: Add tests for new guess(es)
    

  • mcdruid committed 086afea8 on 7.x-2.x
    Issue #3219538: Add tests for new guess(es)
    

  • mcdruid committed 447ff5e7 on 7.x-2.x
    Issue #3219538: Add more password guesses based on user info
    

  • mcdruid committed b373a98a on 2.0.x
    Issue #3219538: Add more password guesses based on user info