Passwords/Usernames Mutations
Password mutation refers to the process of altering a password by making slight modifications to meet system requirements, such as adding numbers, special characters, or changing letters. It aims to comply with password policies while keeping the password easy to remember.
Example:
Original password: Rezydev
Mutated password: Rezydev2025!
Mutating with Hashcat
Hashcat uses a syntax for defining characters and words and how they can be modified.
The mutation rules for Hashcat are documented here: Hashcat Rule Based Attack
Each rule is written on its own line and determines how a word is mutated.
Mutation Rule File Example
╭─rezy@dev ~
╰─➤ cat wordlist.rule
# Hashcat Rule File Example
# Append a single character
$!
# Prepend a single character
^!
# Replace 'a' with '@'
sa@
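# Uppercase all letters, then capitalize ('u' alone uppercases the whole word)
uc
# Lowercase all letters, then capitalize the first one ('l' alone lowercases the whole word)
lc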
# Reverse the string
r
# Replace 'e' with '3'
se3
# Append '%'
$%
# Insert '!' at position 1
i1!
Apply Mutation Rule to our password
hashcat --force passwords.txt -r wordlist.rule --stdout | sort -u > mutated_password.txt
Output
╭─rezy@dev ~
╰─➤ cat mutated_password.txt
r3zyd3v
!rezydev
r!ezydev
rezydev
rezydev!
rezydev%
Rezydev
vedyzer
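As an added example (not part of the original notes and not Hashcat's own code), the Python below re-implements only the rule functions used in wordlist.rule, so that a password-change check can reject a new password that is a one-rule mutation of a banned base word such as a username. The names `apply_rule` and `derived_from`, the banned-base list, and the handling of an out-of-range insert position are assumptions of this example.

```python
import string

# Constructed input: the rule lines of the wordlist.rule file shown above.
RULE_FILE = "# Hashcat Rule File Example\n$!\n^!\nsa@\nuc\nlc\nr\nse3\n$%\ni1!\n"
POSITIONS = string.digits + string.ascii_uppercase  # positions are written 0-9, then A-Z

def load_rules(text):
    """Keep rule lines; drop blank lines and '#' comment lines."""
    return [ln for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]

def apply_rule(rule, word):
    """Apply the functions on one rule line to word, left to right."""
    i = 0
    while i < len(rule):
        op = rule[i]
        if op in " :":                       # separator or no-op
            i += 1
        elif op in "lucr":                   # lowercase, uppercase, capitalize, reverse
            word = {"l": word.lower(), "u": word.upper(),
                    "c": word.capitalize(), "r": word[::-1]}[op]
            i += 1
        elif op == "$":                      # append character X
            word, i = word + rule[i + 1], i + 2
        elif op == "^":                      # prepend character X
            word, i = rule[i + 1] + word, i + 2
        elif op == "s":                      # replace every X with Y
            word, i = word.replace(rule[i + 1], rule[i + 2]), i + 3
        elif op == "i":                      # insert X at position N
            n = POSITIONS.index(rule[i + 1])
            if n <= len(word):               # out of range: word left unchanged (assumption)
                word = word[:n] + rule[i + 2] + word[n:]
            i += 3
        else:
            raise ValueError(f"rule function {op!r} is not handled in this example")
    return word

def derived_from(candidate, banned_bases, rules):
    """Return (base, rule) pairs showing candidate is a one-rule mutation of a banned base."""
    return [(b, r) for b in banned_bases for r in rules if apply_rule(r, b) == candidate]

RULES = load_rules(RULE_FILE)

if __name__ == "__main__":
    # A proposed password checked against the account name as the banned base word.
    print(derived_from("r3zyd3v", ["rezydev"], RULES))
```

Because `uc` and `lc` both end with the capitalize function, each of them turns `rezydev` into `Rezydev`, which is why that entry appears once in the sorted output above.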
Pre-written Rules
Hashcat and John both offer pre-built rule sets that are useful for password generation and cracking. One of the most commonly used rule sets is best64.rule.
╭─rezy@dev ~
╰─➤ ls /usr/share/hashcat/rules/
best64.rule Incisive-leetspeak.rule T0XlC_3_rule.rule toggles1.rule
combinator.rule InsidePro-HashManager.rule T0XlC-insert_00-99_1950-2050_toprules_0_F.rule toggles2.rule
d3ad0ne.rule InsidePro-PasswordsPro.rule T0XlC_insert_HTML_entities_0_Z.rule toggles3.rule
dive.rule leetspeak.rule T0XlC-insert_space_and_special_0_F.rule toggles4.rule
generated2.rule oscommerce.rule T0XlC-insert_top_100_passwords_1_G.rule toggles5.rule
generated.rule rockyou-30000.rule T0XlC.rule unix-ninja-leetspeak.rule
hybrid specific.rule T0XlCv2.rule
╭─rezy@dev ~
╰─➤ ls /opt/JohnTheRipper/run/rules
best64.rule dive.rule OneRuleToRuleThemAll.rule passphrase-rule1.rule rockyou-30000.rule T0XlC-insert_top_100_passwords_1_G.rule T0XlCv1.rule
d3ad0ne.rule InsidePro-PasswordsPro.rule OneRuleToRuleThemStill.rule passphrase-rule2.rule specific.rule T0XlC.rule
Custom Wordlist Generator
Reference: https://github.com/Rezy-Dev/custom-wordlist
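(function() {
  // Collect every run of letters, underscores and hyphens from the page's visible text
  const words = document.documentElement.innerText.match(/[a-zA-Z_-]+/g);
  // De-duplicate and sort the words
  const uniqueWords = [...new Set(words)].sort();
  // Replace the current page with the list, one word per line
  document.open();
  document.write(uniqueWords.join("<br>"));
  document.close();
})();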
Just paste the code into the developer console of any page. It extracts every word (runs of letters, underscores and hyphens) from the page's visible text and replaces the page with a sorted, de-duplicated list. Copy the result and save it for later use. This serves as an alternative to CeWL (Custom Word List generator).
CeWL (Custom Word List Generator)
CeWL (Custom Word List generator) is a Ruby tool that spiders a URL to generate word lists for password cracking, including email addresses and metadata-based usernames. It can also follow external links and supports Office and PDF metadata extraction through its FAB feature. CeWL is used in security testing and forensics investigations.
cewl -d 2 -m 5 -w wordlist.txt https://rezydev.xyz
linkedin2username
linkedin2username is an OSINT web-scraper that generates potential employee username lists from LinkedIn without requiring an API key. It logs in using valid LinkedIn credentials and extracts usernames in various formats based on employee names. The tool can also append email domains and provides a metadata CSV with names and occupations.
python3 linkedin2username.py -c targetco
python3 linkedin2username.py -c targetco -d 5 -n 'targetco.com' ## pull a shorter list and append the domain name @targetco.com to them
Note that LinkedIn will cap search results to 1000 employees max. We can use the features '--geoblast' or '--keywords' to bypass this limit.
Username Anarchy
Username Anarchy is a tool for generating usernames during penetration testing, focusing on user account enumeration and brute force attempts. It offers a plugin architecture, format-based username definitions, and substitutions to handle variations like first initials and last names. The tool uses country databases, common first and last names from sources like Facebook, and provides a list of popular forum usernames. It helps avoid account lockout thresholds by targeting weak passwords across large sets of user accounts.
We can get its binary from: https://github.com/urbanadventurer/username-anarchy
Available Username Formats
╭─rezy@dev ~/Desktop/username-anarchy-0.6
╰─➤ ./username-anarchy -l
Plugin name Example
--------------------------------------------------------------------------------
first anna
firstlast annakey
first.last anna.key
firstlast[8] annakey
first[4]last[4] annakey
firstl annak
f.last a.key
flast akey
lfirst kanna
l.first k.anna
lastf keya
last key
last.f key.a
last.first key.anna
FLast AKey
first1 anna0,anna1,anna2
fl ak
fmlast abkey
firstmiddlelast annaboomkey
fml abk
FL AK
FirstLast AnnaKey
First.Last Anna.Key
Last Key
Example Usage
Single Username
╭─rezy@dev ~/Desktop/username-anarchy-0.6
╰─➤ ./username-anarchy Rezy Dev > wordlist.txt
╭─rezy@dev ~/Desktop/username-anarchy-0.6
╰─➤ cat wordlist.txt
rezy
rezydev
rezy.dev
rezyd
r.dev
rdev
drezy
d.rezy
devr
dev
dev.r
dev.rezy
rd
Multiple Usernames
╭─rezy@dev ~/Desktop/username-anarchy-0.6
╰─➤ ./username-anarchy -i names.txt > usernames_wordlist.txt
╭─rezy@dev ~/Desktop/username-anarchy-0.6
╰─➤ cat usernames_wordlist.txt
suman
sumankumar
suman.kumar
sumankum
sumakuma
sumank
s.kumar
skumar
ksuman
k.suman
kumars
kumar
kumar.s
kumar.suman
sk
ram
ramprasad
//..SNIP..//
CUPP (Common User Passwords Profiler)
CUPP (Common User Passwords Profiler) helps generate custom password lists for penetration testing and forensic investigations. It profiles users based on personal information, such as birthdays or pet names, to create weak password combinations. The tool targets easily guessed passwords like common words or alphanumeric combinations. CUPP is useful for testing password strength and identifying vulnerabilities in authentication systems.
Installation
sudo apt install cupp -y
Example Use
╭─rezy@dev ~
╰─➤ cupp -i
[+] Insert the information about the victim to make a dictionary
[+] If you don't know all the info, just hit enter when asked! ;)
> First Name: Ram
> Surname: Kumar
> Nickname: Ramu
> Birthdate (DDMMYYYY): 04112002
> Pet's name: Tiger
> Company name: XYZ Softwares
> Do you want to add some key words about the victim? Y/[N]: Y
> Please enter the words, separated by comma. [i.e. hacker,juice,black], spaces will be removed: janakpur,computer,python,fullstack
> Do you want to add special chars at the end of words? Y/[N]: Y
> Do you want to add some random numbers at the end of words? Y/[N]:Y
> Leet mode? (i.e. leet = 1337) Y/[N]: Y
[+] Now making a dictionary...
[+] Sorting list and removing duplicates...
[+] Saving dictionary to ram.txt, counting 39992 words.
[+] Now load your pistolero with ram.txt and shoot! Good luck!
Filtering Wordlist
If we find that a website or organization enforces a password policy, we can filter our wordlist down to the entries that satisfy it.
| Policy Requirement | Grep Regex Pattern | Explanation |
|---|---|---|
| Minimum Length (e.g., 8 characters) | grep -E '^.{8,}$' wordlist.txt | Filters words with 8 or more characters. |
| At Least One Uppercase Letter | grep -E '[A-Z]' wordlist.txt | Filters words containing at least one uppercase letter. |
| At Least One Lowercase Letter | grep -E '[a-z]' wordlist.txt | Filters words containing at least one lowercase letter. |
| At Least One Digit | grep -E '[0-9]' wordlist.txt | Filters words containing at least one digit. |
| At Least One Special Character | grep -E '[[:punct:]]' wordlist.txt | Filters words containing at least one special character (e.g., @, #, etc.). |
| No Consecutive Repeated Characters | grep -v -E '(.)\1' wordlist.txt | Filters out words with consecutive identical characters. |
| Exclude Common Patterns (e.g., "password") | grep -v -i 'password' wordlist.txt | Excludes words containing common patterns like "password" (case-insensitive). |
| Exclude Dictionary Words | grep -v -f dictionary.txt wordlist.txt | Excludes words that contain any entry from a custom dictionary file (each entry is used as a pattern and matched anywhere in the word). |
| Must Contain at Least One Non-Alphanumeric Character | grep -E '[^A-Za-z0-9]' wordlist.txt | Filters words with at least one non-alphanumeric character (e.g., #, @). |
| No Spaces Allowed | grep -E '^\S+$' wordlist.txt | Filters words that do not contain spaces. |
| Must Contain at Least One Lowercase and One Uppercase Letter | grep -P '^(?=.*[a-z])(?=.*[A-Z])' wordlist.txt | Filters words that contain at least one lowercase and one uppercase letter, in any order (-P needs GNU grep with PCRE support). |
| Exclude Words with Only Numbers | grep -v -E '^[0-9]+$' wordlist.txt | Excludes words composed entirely of digits. |
| Contain No Consecutive Numbers | grep -v -E '([0-9])\1' wordlist.txt | Excludes words with consecutive identical digits (e.g., 11, 22). |
| Allow Only Specific Special Characters | grep -E '^[A-Za-z0-9._-]+$' wordlist.txt | Filters words whose only special characters are . (dot), _ (underscore), or - (dash). |
| Length Between 8 and 12 Characters | grep -E '^.{8,12}$' wordlist.txt | Filters words that are between 8 and 12 characters long. |
| Starts with a Specific Prefix (e.g., "admin") | grep -E '^admin' wordlist.txt | Filters words that start with the prefix "admin". |
| Ends with a Specific Suffix (e.g., "123") | grep -E '123$' wordlist.txt | Filters words that end with the suffix "123". |
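Each row above tests a single requirement, while a real policy combines several. The following added example (not part of the original notes) evaluates a set of the table's patterns together and reports which requirement each word fails, which is also how a defender can see that a mutated password such as Rezydev2025! still satisfies a typical complexity policy. The choice of rows in `POLICY`, the function names, and the sample words are assumptions made for this example.

```python
import re

# Rows taken from the table above as (requirement, pattern, line_must_match).
# The selection of rows is a sample policy constructed for this example.
POLICY = [
    ("length 8-12",            r"^.{8,12}$",     True),
    ("uppercase letter",       r"[A-Z]",         True),
    ("lowercase letter",       r"[a-z]",         True),
    ("digit",                  r"[0-9]",         True),
    ("non-alphanumeric char",  r"[^A-Za-z0-9]",  True),
    ("no spaces",              r"^\S+$",         True),
    ("no repeated characters", r"(.)\1",         False),  # word must NOT match
    ("not 'password'",         r"(?i)password",  False),  # word must NOT match
]

def violations(word, policy=POLICY):
    """Names of the requirements that word fails (empty list means compliant)."""
    return [name for name, pattern, must_match in policy
            if bool(re.search(pattern, word)) != must_match]

def filter_wordlist(words, policy=POLICY):
    """Keep only the words that satisfy every requirement in the policy."""
    return [w for w in words if not violations(w, policy)]

# Constructed sample list, including the mutated password from the top of the page.
SAMPLE = ["rezydev", "Rezydev2025!", "Password123!", "Summer 2025!", "Aa1!aaaa", "Rezydev2025"]

if __name__ == "__main__":
    for w in SAMPLE:
        print(f"{w!r}: {violations(w) or 'compliant'}")
```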