Pipal is a tool that allows you to perform analysis on a list of words. As a blue-teamer, it would probably benefit you to know what kind of patterns your users are using for their passwords. Once you identify their patterns, you can train them on why this is bad and deter them from using predictable patterns.
If you followed along in Active Directory Password Audit in Kali, you can generate a list of passwords pretty easily:
john --show --format=NT ad.ntds | grep : | cut -d: -f2 | grep -e '[^\s]' > pws.txt
This command will dump all the passwords that John was able to crack into a text file named pws.txt
. If you don’t have any passwords handy, we’ll grab one out of every 50 lines from rockyou:
awk 'NR == 1 || NR % 50 == 0' /usr/share/wordlists/rockyou.txt > pws.txt
Next, run Pipal against our dataset:
pipal pws.txt
Here’s something similar to what you’ll see, broken down into sections:
Basic Results
Total entries = 286885
Total unique entries = 286888
Top 10 passwords
123456 = 1 (0.0%)
hannah = 1 (0.0%)
princesa = 1 (0.0%)
patricia = 1 (0.0%)
september = 1 (0.0%)
celtic = 1 (0.0%)
bowwow = 1 (0.0%)
jordan23 = 1 (0.0%)
dolphins = 1 (0.0%)
chris1 = 1 (0.0%)
Top 10 base words
love = 187 (0.07%)
june = 96 (0.03%)
angel = 94 (0.03%)
alex = 90 (0.03%)
baby = 81 (0.03%)
july = 77 (0.03%)
blue = 70 (0.02%)
sexy = 68 (0.02%)
chris = 64 (0.02%)
april = 63 (0.02%)
The basic results above are fairly self-explanatory. The ‘Top 10 passwords’ in a wordlist like rockyou are useless, as a wordlist has no duplicates in it. If you’re running pipal against your own password list, you’ll see more meaningful data here. You’ll likely have ‘Winter2018’ or similar in that list.
Top 10 base words gets more interesting. For all items in the list, any non-alphabetic character is stripped from the beginning and end of the password. Whatever is left, is the “base word”. So, in the case of rockyou, ‘love’ is the most common base word, occuring 187 times.
Password length (length ordered)
2 = 12 (0.0%)
3 = 34 (0.01%)
4 = 367 (0.13%)
5 = 5234 (1.82%)
6 = 38993 (13.59%)
7 = 49920 (17.4%)
8 = 59321 (20.68%)
9 = 43795 (15.27%)
10 = 40377 (14.07%)
11 = 17272 (6.02%)
12 = 11034 (3.85%)
13 = 7302 (2.55%)
14 = 5065 (1.77%)
15 = 3302 (1.15%)
16 = 2381 (0.83%)
17 = 737 (0.26%)
18 = 489 (0.17%)
19 = 303 (0.11%)
20 = 270 (0.09%)
21 = 130 (0.05%)
22 = 116 (0.04%)
23 = 96 (0.03%)
24 = 85 (0.03%)
25 = 61 (0.02%)
26 = 36 (0.01%)
27 = 27 (0.01%)
28 = 22 (0.01%)
29 = 17 (0.01%)
30 = 18 (0.01%)
31 = 13 (0.0%)
32 = 10 (0.0%)
33 = 2 (0.0%)
34 = 6 (0.0%)
36 = 1 (0.0%)
37 = 1 (0.0%)
38 = 2 (0.0%)
39 = 2 (0.0%)
41 = 1 (0.0%)
42 = 2 (0.0%)
43 = 1 (0.0%)
44 = 1 (0.0%)
45 = 1 (0.0%)
46 = 1 (0.0%)
51 = 1 (0.0%)
52 = 1 (0.0%)
55 = 1 (0.0%)
58 = 1 (0.0%)
59 = 1 (0.0%)
62 = 1 (0.0%)
67 = 1 (0.0%)
71 = 2 (0.0%)
98 = 1 (0.0%)
131 = 1 (0.0%)
188 = 1 (0.0%)
220 = 1 (0.0%)
241 = 1 (0.0%)
255 = 10 (0.0%)
262 = 1 (0.0%)
Password length (length ordered) shows you how many times passwords occurred for a given length. In rockyou, there’s 10 passwords with 255 characters, but only one with 262 characters.
Password length (count ordered)
8 = 59321 (20.68%)
7 = 49920 (17.4%)
9 = 43795 (15.27%)
10 = 40377 (14.07%)
6 = 38993 (13.59%)
11 = 17272 (6.02%)
12 = 11034 (3.85%)
13 = 7302 (2.55%)
5 = 5234 (1.82%)
14 = 5065 (1.77%)
15 = 3302 (1.15%)
16 = 2381 (0.83%)
17 = 737 (0.26%)
18 = 489 (0.17%)
4 = 367 (0.13%)
19 = 303 (0.11%)
20 = 270 (0.09%)
21 = 130 (0.05%)
22 = 116 (0.04%)
23 = 96 (0.03%)
24 = 85 (0.03%)
25 = 61 (0.02%)
26 = 36 (0.01%)
3 = 34 (0.01%)
27 = 27 (0.01%)
28 = 22 (0.01%)
30 = 18 (0.01%)
29 = 17 (0.01%)
31 = 13 (0.0%)
2 = 12 (0.0%)
32 = 10 (0.0%)
255 = 10 (0.0%)
34 = 6 (0.0%)
33 = 2 (0.0%)
38 = 2 (0.0%)
39 = 2 (0.0%)
42 = 2 (0.0%)
71 = 2 (0.0%)
36 = 1 (0.0%)
37 = 1 (0.0%)
41 = 1 (0.0%)
43 = 1 (0.0%)
44 = 1 (0.0%)
45 = 1 (0.0%)
46 = 1 (0.0%)
51 = 1 (0.0%)
52 = 1 (0.0%)
55 = 1 (0.0%)
58 = 1 (0.0%)
59 = 1 (0.0%)
62 = 1 (0.0%)
67 = 1 (0.0%)
98 = 1 (0.0%)
131 = 1 (0.0%)
188 = 1 (0.0%)
220 = 1 (0.0%)
241 = 1 (0.0%)
262 = 1 (0.0%)
|
|
|
||
||
||
||
||
||
||
||
||
||
||
|||
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
000000000011111111112222222222333333333344444444445555555555666666666677
012345678901234567890123456789012345678901234567890123456789012345678901
Password length (count ordered) is the same data, but it starts with the length that occurs most (8 characters, no surprise), to the least occurring length. This data also includes an ascii histogram.
One to six characters = 44640 (15.56%)
One to eight characters = 153881 (53.64'%)
More than eight characters = 133004 (46.36%)
Only lowercase alpha = 74648 (26.02%)
Only uppercase alpha = 4708 (1.64%)
Only alpha = 79356 (27.66%)
Only numeric = 47012 (16.39%)
First capital last symbol = 778 (0.27%)
First capital last number = 12971 (4.52%)
Single digit on the end = 23639 (8.24%)
Two digits on the end = 41076 (14.32%)
Three digits on the end = 17254 (6.01%)
Last number
0 = 15223 (5.31%)
1 = 25262 (8.81%)
2 = 17748 (6.19%)
3 = 19081 (6.65%)
4 = 14808 (5.16%)
5 = 15352 (5.35%)
6 = 14852 (5.18%)
7 = 15509 (5.41%)
8 = 14170 (4.94%)
9 = 14218 (4.96%)
|
|
|
| |
|||
|||
|||||||| |
||||||||||
||||||||||
||||||||||
||||||||||
||||||||||
||||||||||
||||||||||
||||||||||
||||||||||
0123456789
Above, you’re presented with facts about the data you’ve fed into pipal. Given this data, you can see that over half of the passwords in rockyou are between 1 and 8 characters, and that almost 15% of all passwords have two digits at the end.
Last digit
1 = 25262 (8.81%)
3 = 19081 (6.65%)
2 = 17748 (6.19%)
7 = 15509 (5.41%)
5 = 15352 (5.35%)
0 = 15223 (5.31%)
6 = 14852 (5.18%)
4 = 14808 (5.16%)
9 = 14218 (4.96%)
8 = 14170 (4.94%)
Last 2 digits (Top 10)
23 = 4815 (1.68%)
12 = 3535 (1.23%)
07 = 3122 (1.09%)
11 = 3078 (1.07%)
01 = 2960 (1.03%)
06 = 2788 (0.97%)
13 = 2754 (0.96%)
10 = 2666 (0.93%)
21 = 2581 (0.9%)
08 = 2555 (0.89%)
Last 3 digits (Top 10)
123 = 2662 (0.93%)
007 = 929 (0.32%)
234 = 715 (0.25%)
000 = 640 (0.22%)
101 = 611 (0.21%)
006 = 591 (0.21%)
008 = 573 (0.2%)
005 = 453 (0.16%)
666 = 441 (0.15%)
456 = 434 (0.15%)
Last 4 digits (Top 10)
1234 = 541 (0.19%)
2007 = 515 (0.18%)
2006 = 463 (0.16%)
2008 = 434 (0.15%)
1991 = 329 (0.11%)
2005 = 323 (0.11%)
1994 = 322 (0.11%)
1990 = 318 (0.11%)
1989 = 309 (0.11%)
1995 = 308 (0.11%)
Last 5 digits (Top 10)
12345 = 224 (0.08%)
23456 = 154 (0.05%)
56789 = 70 (0.02%)
54321 = 36 (0.01%)
00000 = 33 (0.01%)
34567 = 20 (0.01%)
67890 = 20 (0.01%)
45678 = 18 (0.01%)
91987 = 17 (0.01%)
21984 = 17 (0.01%)
Character sets
loweralphanum: 121201 (42.25%)
loweralpha: 74648 (26.02%)
numeric: 47012 (16.39%)
upperalphanum: 8089 (2.82%)
loweralphaspecialnum: 7666 (2.67%)
mixedalphanum: 7641 (2.66%)
loweralphaspecial: 5928 (2.07%)
upperalpha: 4708 (1.64%)
mixedalpha: 3159 (1.1%)
mixedalphaspecialnum: 903 (0.31%)
mixedalphaspecial: 832 (0.29%)
specialnum: 755 (0.26%)
upperalphaspecialnum: 496 (0.17%)
upperalphaspecial: 428 (0.15%)
special: 16 (0.01%)
Character set ordering
stringdigit: 106540 (37.14%)
allstring: 82515 (28.76%)
alldigit: 47012 (16.39%)
othermask: 16617 (5.79%)
digitstring: 13189 (4.6%)
stringdigitstring: 9031 (3.15%)
stringspecialdigit: 3127 (1.09%)
stringspecialstring: 2953 (1.03%)
stringspecial: 2688 (0.94%)
digitstringdigit: 2600 (0.91%)
specialstringspecial: 374 (0.13%)
specialstring: 223 (0.08%)
allspecial: 16 (0.01%)
Above, more interesting facts about the data. 42% of the passwords in rockyou contain only lowercase letters and numbers, and 37.14% of them are ordered as a string followed by a digit.
Summary
Pipal is a tool that, when supplied with the right input, can provide some pretty amazing insights into patterns that appear in passwords. If you took the steps to crack your user’s passwords as described in Active Directory Password Audit in Kali, you can use Pipal to tell you why those passwords are being cracked. Using what pipal tells you, you can in turn train your users on what not to do with their passwords.