A tool for bruteforce guessing pass phrases, password hashes or remote accounts of various services.
phrasen|drescher is a modular and multi processing pass phrase cracking tool.
Key Features
In version 1.1 it comes with two plugins with the following purposes:
- crack pass phrases of RSA or DSA keys
- crack MS SQL 2000/2005 SHA1 hashes
- remote SSHv2 account brute forcing
- HTTP login form account cracking
A simple plugin API allows an easy development of new plugins.
Further features are:
- Modular
- Multi Processing
- Dictionary attack with or without permutations (uppercase, lowercase, l33t, etc.)
- Bruteforce attacks for custom character sets
- Runs on FreeBSD, NetBSD, OpenBSD, MacOS and Linux
Usage
    phrasen|drescher 1.1.1 - the passphrase cracker
    Copyright (C) 2008 Nico Leidecker; http://www.leidecker.info

    Usage: ./pd plugin [options]

    Available plugins:
        http-raw mssql rsa-dsa ssh

    General Options:
        h : print this message
        v : verbose mode
        i from[:to] : incremental mode beginning with word length `from' and going to `to'
        d file : run dictionary based with words from `file'
        w number : number of worker threads (default is one)
        r rules : specify rewriting rules for the dictionary mode:
            A = all characters upper case
            F = first character upper case
            L = last character upper case
            W = first letter of each word to upper case
            a = all characters lower case
            f = first character lower case
            l = last character lower case
            w = first letter of each word to lower case
            D = prepend digit
            d = append digit
            e = 1337 characters
            x = all rules

    Environment Variables::
        PD_PLUGINS : the directory containing plugins
        PD_CHARMAP : the characters for the incremental mode are taken from a character list. A customized list can be specified in the environment variable
Examples
Plugin Handling
The default plugin directory is ./plugins. However, you can specify a custom path:
    $ export PD_PLUGINS=/my/plugin/directory
    $ pd
    phrasen|drescher 1.1.1 - the passphrase cracker
    Copyright (C) 2008 Nico Leidecker; nfl@portcullis-security.com
    Usage: pd plugin [options]
    Please choose a plugin first or use -h for more help
    Available plugins:
        rsa-dsa mssql ssh http-raw
    Set the plugin directory in the environment variable PD_PLUGINS if required.
Dictionary Mode
You can perform a simple dictionary attack on an RSA private key pass phrase using the corresponding module like this:
    $ phrasendrescher rsa-dsa -d dict.txt -K ~/.ssh/id_rsa
    phrasen|drescher 1.1.1 - the passphrase cracker
    Copyright (C) 2008 Nico Leidecker; nfl@portcullis-security.com
    match: (0) ~/.ssh/id_rsa [test123]
    finished! bye, bye...
Dictionary Mode With Permutations
If you want to permute your dictionary, there are loads of options (see Usage), e.g.:
    $ phrasendrescher rsa-dsa -r aF -d dict.txt -K ~/.ssh/id_rsa
    phrasen|drescher 1.1.1 - the passphrase cracker
    Copyright (C) 2008 Nico Leidecker; nfl@portcullis-security.com
    match: (0) ~/.ssh/id_rsa [test123]
    finished! bye, bye...
Here the ‘a’ rule converts each word to lower case and the ‘F’ rule uses initial caps for each word.
Brute Force Mode
You can specify a custom character set for a brute force attack. Here we choose a small character set, so the attack will actually finish:
    $ PD_CHARMAP="tes1234" phrasendrescher rsa-dsa -i 1:7 -K ~/.ssh/id_rsa
    phrasen|drescher 1.1.1 - the passphrase cracker
    Copyright (C) 2008 Nico Leidecker; nfl@portcullis-security.com
    match: (0) ~/.ssh/id_rsa [test123]
    finished! bye, bye...
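Why the small character set matters, as an added example (not part of phrasen|drescher or its documentation): the number of candidates an incremental run over a character map and a from[:to] length range has to cover, and the pass phrase length needed to push that number past a given guess budget. The function names, the 94-character PRINTABLE set and the treatment of a bare "from" as a single length are assumptions made for illustration.

```python
import string

# Added example. Assumptions: a bare "from" in the length spec means a single
# length, and only distinct characters of the character map are counted.

# Constructed comparison set: ASCII letters, digits and punctuation (94 chars).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def parse_lengths(spec):
    """Parse a 'from[:to]' length spec into an inclusive (lo, hi) pair."""
    lo_text, _, hi_text = spec.partition(":")
    lo = int(lo_text)
    hi = int(hi_text) if hi_text else lo
    if lo < 1 or hi < lo:
        raise ValueError(f"invalid length range: {spec!r}")
    return lo, hi


def keyspace(charmap, spec):
    """Count the distinct words over charmap with lengths in the given range."""
    n = len(set(charmap))
    if n == 0:
        raise ValueError("empty character map")
    lo, hi = parse_lengths(spec)
    return sum(n ** k for k in range(lo, hi + 1))


def min_length(charmap, budget):
    """Smallest L such that words of length 1..L outnumber `budget` guesses."""
    n = len(set(charmap))
    if n < 2:
        raise ValueError("need at least two distinct characters")
    total, length = 0, 0
    while total <= budget:
        length += 1
        total += n ** length
    return length


if __name__ == "__main__":
    # The run shown above: 7 distinct characters, lengths 1 to 7.
    print("tes1234, 1:7   :", keyspace("tes1234", "1:7"))
    # Same lengths over the constructed 94-character set.
    print("printable, 1:7 :", keyspace(PRINTABLE, "1:7"))
    # Length needed to exceed a constructed budget of 10**15 guesses.
    print("length for 1e15:", min_length(PRINTABLE, 10 ** 15))
```

The seven-character map leaves fewer than a million candidates for lengths 1 to 7, which is why the run above terminates; the same lengths over the 94-character set are about eight orders of magnitude larger.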