Category: Password Attacks
Tags: password, analysis, cracking, hashcat, masks, statistics

pack

Password analysis and cracking kit that analyzes wordlists to generate statistics and Hashcat masks for efficient password cracking. Aids in 'better than bruteforce' attacks by identifying common password patterns.

Description

PACK was developed for the 'Crack Me If You Can' password cracking competition at Defcon 2010. The toolkit analyzes common password creation methods from wordlists, generating statistical databases used to create targeted attack masks for tools like oclHashcat. It does not crack passwords itself but enhances other tools' efficiency.

Key components include statsgen for password statistics by length, charset, complexity, and masks; policygen for generating masks based on password policies; maskgen for filtering and sorting masks; rulegen for rule generation from passwords; and others like dictstat (deprecated). Use cases include preparing for password cracking contests, optimizing Hashcat attacks, and testing password policy compliance.

The tool processes large wordlists like rockyou.txt to reveal patterns such as prevalent character sets (e.g., loweralphanum, numeric) and simple masks (e.g., stringdigit), enabling focused attacks that cover high-probability patterns faster than brute force.

How It Works

PACK analyzes wordlists to categorize passwords by length, character sets (loweralpha, numeric, etc.), complexity (min/max counts of digit/lower/upper/special), simple masks (e.g., stringdigit), and advanced masks (e.g., ?l?l?l?l?l?l?d?d). Statsgen filters by min/max length or charset, producing relative statistics. Policygen generates all compliant Hashcat masks for defined policies (e.g., length=8, minupper=1, mindigit=1). Maskgen sorts and filters masks by runtime, complexity, and occurrence, using passwords-per-second rates. Rulegen derives transformation rules from passwords using edit distance and spell-checking.
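The per-password classification described above can be sketched as follows, for auditing a password set against a policy. This is an added example, not PACK's own code; the function names, the `?b`/`binary` fallback for non-ASCII characters, the minimum-length reading of the policy, and the sample list are assumptions made for illustration.

```python
import string
from collections import Counter
from itertools import groupby

# Hashcat built-in charsets: ?l a-z, ?u A-Z, ?d 0-9, ?s printable specials.
# Third column is the simple-mask class ("stringdigit" style naming).
CLASSES = [(string.ascii_lowercase, "?l", "string"),
           (string.ascii_uppercase, "?u", "string"),
           (string.digits, "?d", "digit"),
           (string.punctuation + " ", "?s", "special")]

def classify(ch):
    """Return (advanced token, simple class) for one character."""
    for chars, token, simple in CLASSES:
        if ch in chars:
            return token, simple
    return "?b", "binary"  # assumption: anything outside printable ASCII

def advanced_mask(pw):
    """One token per character, e.g. 'dragon12' -> '?l?l?l?l?l?l?d?d'."""
    return "".join(classify(c)[0] for c in pw)

def simple_mask(pw):
    """Collapse runs of the same class, e.g. 'dragon12' -> 'stringdigit'."""
    return "".join(k for k, _ in groupby(classify(c)[1] for c in pw))

def complies(pw, minlength=8, minupper=1, mindigit=1):
    """Hypothetical policy check using the page's example policy values."""
    mask = advanced_mask(pw)
    return (len(pw) >= minlength and mask.count("?u") >= minupper
            and mask.count("?d") >= mindigit)

def mask_stats(passwords):
    """Advanced masks with occurrence count and share, most common first."""
    counts = Counter(advanced_mask(p) for p in passwords)
    return [(m, n, 100.0 * n / len(passwords)) for m, n in counts.most_common()]

# Constructed sample list for illustration, not real data.
SAMPLE = ["summer2019", "Password1", "letmein", "dragon12",
          "monkey99", "Qwerty123!", "12345678", "shadow01"]

if __name__ == "__main__":
    for mask, n, pct in mask_stats(SAMPLE):
        print(f"{pct:5.1f}%  {n:3d}  {mask}")
    ok = sum(complies(p) for p in SAMPLE)
    print(f"{ok}/{len(SAMPLE)} passwords meet the policy")
```

A mask that accounts for a large share of an audited set while failing the policy check indicates where the policy or user guidance needs tightening.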

Installation

sudo apt install pack

Flags

--minlength=10              Minimum password length filter for statsgen
--maxlength=10              Maximum password length filter for statsgen
--length=8                  Password length for policygen
--minupper 1                Minimum number of uppercase characters for policygen
--mindigit 1                Minimum number of digits for policygen
-o complexity.hcmask        Save masks to a file for policygen
--targettime=86400          Target time of all masks in seconds for maskgen
--outputmasks=masks.hcmask  Save masks to a file for maskgen
--mindigit=1                Minimum number of digits for policygen
--minlower=1                Minimum number of lower-case characters for policygen

Examples

Generate statistics for passwords with length 10 from rockyou.txt, showing length, charset, complexity, simple masks, and advanced masks distributions
statsgen --minlength=10 --maxlength=10 rockyou.txt
Generate Hashcat masks for length 8 passwords with at least 1 uppercase and 1 digit, saving to complexity.hcmask
policygen --length=8 --minupper 1 --mindigit 1 -o complexity.hcmask
Generate masks from pass0.masks with target runtime of 86400 seconds, saving to masks.hcmask
maskgen pass0.masks --targettime=86400 -o masks.hcmask
Generate rules, words, and stats from passwords.txt with basename rockyou
rulegen passwords.txt -b rockyou
Filter statsgen to passwords using only loweralpha and numeric charsets from rockyou.txt
statsgen --charset=loweralpha,numeric rockyou.txt
Generate masks for length 8 with min 1 digit, uppercase, and special character
policygen --length=8 --mindigit=1 --minupper=1 --minspecial=1
Filter masks from pass0.masks to length 8 only, with a minimum runtime of 3600 seconds
maskgen pass0.masks --minlength=8 --maxlength=8 --mintime=3600
Updated 2026-04-16. Source: kali.org