Offensive Security Tool: Psudohash

by | Dec 30, 2022 | Tools

Psudohash

Psudohash by t3l3machus is a password list generator for orchestrating brute force attacks. It imitates certain password creation patterns commonly used by humans, like substituting a word's letters with symbols or numbers, using char-case variations, adding a common padding before or after the word, and more. It is keyword-based and highly customizable. Generating custom, targeted password lists as part of your assessment makes brute-force testing of multiple services faster and raises the success rate sooner.

Pentesting Corporate Environments

System administrators and other employees often use a mutated version of the company's name to set passwords (e.g. Am@z0n_2022). This is commonly the case for network devices (Wi-Fi access points, switches, routers, etc.), applications or even domain accounts. With the most basic options, psudohash can generate a wordlist with all possible mutations of one or multiple keywords, based on common character substitution patterns (customizable), case variations, strings commonly used as padding and more. Take a look at the following example:

The script includes a basic character substitution schema. You can add/modify character substitution patterns by editing the source and following the data structure logic presented below (default):

transformations = [
    {'a' : '@'},
    {'b' : '8'},
    {'e' : '3'},
    {'g' : ['9', '6']},
    {'i' : ['1', '!']},
    {'o' : '0'},
    {'s' : ['$', '5']},
    {'t' : '7'}
]
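
Seen from the defensive side, the same schema can drive a banned-password check. The sketch below is an added example, not code from psudohash or from the original post: it reverses the default substitutions listed above and flags passwords built on a banned keyword. The function names, the sample keywords and the 12-character minimum are assumptions.

```python
# Default substitution schema as listed on this page (psudohash defaults).
transformations = [
    {'a': '@'}, {'b': '8'}, {'e': '3'}, {'g': ['9', '6']},
    {'i': ['1', '!']}, {'o': '0'}, {'s': ['$', '5']}, {'t': '7'},
]

def build_reverse_map(schema):
    """Map every substitute character back to the letter it replaces."""
    reverse = {}
    for entry in schema:
        for letter, subs in entry.items():
            for sub in ([subs] if isinstance(subs, str) else subs):
                reverse[sub] = letter
    return reverse

REVERSE = build_reverse_map(transformations)

def normalize(text):
    """Lower-case the text and undo the schema's character substitutions.

    The result is lossy (a year such as 2022 becomes 2o22), so it is used
    only for matching and is never stored or shown to the user.
    """
    return ''.join(REVERSE.get(ch, ch) for ch in text.lower())

def matched_keywords(password, banned_keywords):
    """Return the banned keywords that survive inside the normalized password."""
    candidate = normalize(password)
    # Keywords are normalized too, so one containing digits still matches.
    return [kw for kw in banned_keywords if normalize(kw) in candidate]

def is_acceptable(password, banned_keywords, min_length=12):
    """Hypothetical policy: long enough and not built on a banned keyword."""
    if len(password) < min_length:
        return False
    return not matched_keywords(password, banned_keywords)

if __name__ == '__main__':
    banned = ['amazon', 'route66']  # constructed sample keywords
    for pw in ['Am@z0n_2022', '!@#R0U7E66', 'correct-horse-battery']:
        print(pw, matched_keywords(pw, banned), is_acceptable(pw, banned))
```

Because padding and years sit outside the keyword, a substring match on the normalized form catches them without enumerating every padding value.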

 

Individuals

When it comes to people, we all have (more or less) set passwords using a mutation of one or more words that mean something to us e.g., our name or wife/kid/pet/band names, sticking the year we were born at the end or maybe a super secure padding like “!@#”. Well, guess what?

 

Installation

git clone https://github.com/t3l3machus/psudohash

cd ./psudohash

chmod +x psudohash.py

Usage

./psudohash.py [-h] -w WORDS [-an LEVEL] [-nl LIMIT] [-y YEARS] [-ap VALUES] [-cpb] [-cpa] [-cpo] [-o FILENAME] [-q]

The help dialog [ -h, --help ] includes usage details and examples.

Usage Tips

  1. Combining options --years and --append-numbering with a --numbering-limit ≥ last two digits of any year input, will most likely produce duplicate words because of the mutation patterns implemented by the tool.
  2. If you add custom padding values and/or modify the predefined common padding values in the source code, in combination with multiple optional parameters, there is a small chance of duplicate words occurring. psudohash includes word filtering controls but for speed's sake, those are limited.

Clone the repo from here: https://github.com/t3l3machus/psudohash
