< back to projects

phrasen|drescher (p|d) is a modular and multi processing pass phrase cracking tool. It comes with a number of plugins but a simple plugin API allows an easy development of new plugins. The main features of p|d are:

  • Modular with the use of plugins
  • Multi processing
  • Dictionary attack with or without permutations (uppercase, lowercase, l33t, etc.)
  • Incremental brute force attack with custom character maps
  • Runs on FreeBSD, NetBSD, OpenBSD, MacOS and Linux

Installation
./configure --with-plugins
make
make install	# requires root privileges

Some plugins require extra libraries. Please see src/plugins/README to find more details

Usage

Once you compiled and installed p|d, you should give it a try and run it. The first choice you'll have to make when using p|d is what plugin to use. p|d plugins are stored in the system library directory which may differ from whatever system you're running it on. If you're unsure which directory that is, you can run p|d with the -h flag and it will tell you which the current plugin directory is:

$ pd -h

You can to specify the explicit path in the environment variable `PD_PLUGINS':

$ export PD_PLUGINS=/my/plugin/directory
$ pd -h

Every plugin will have additional command line options besides the few default p|d command line options. Once you chose a plugin, you can get further plugin specific information and command line flags:

$ pd pkey

p|d offers two cracking modes it can run in. The Incremental Mode does pure brute force of potential pass phrases while in Dictionary Mode, phrases are taken from a word list:

Incremental Mode:

This mode expects an argument flag -i that specifies the explicit length or a range of words to generate. Generating 8 characters long words, for instance, can be done this way:

$ pd pkey -i 8 -K private-key

And to specify a range. E.g. from 8 characters to 12:

$ pd pkey -i 8:12 -K private-key

By default, p|d uses all human readable characters to generate the phrases and passwords. However, you can specify your own character map in an environment variable `PD_CHARMAP'. For example, in order to only use lower case characters:

$ export PD_CHARMAP="abcdefghijklmnopqrstuvwxyz"
$ pd pkey -i 6:8 -K private-key

The character map also implies the order of the characters to be used in phrases. So, if you want to do the increment in reverse order, simply do:

$ export PD_CHARMAP="zyxwvutsrqponmlkjihgfedcba"
$ pd pkey -i 6:8 -K private-key

This is generally a good idea, if you know what passwords to expect, because of the nature of the password to crack or maybe even because of password policies (E.g. "password has to begin with a character").

Dictionary Mode:

Using this mode is straight forward:

$ pd pkey -d wordlist -K private-key

For Dictionary Mode, there is a rewriting option. Words, taken from a file, can be rewritten after certain rules. E.g. converted to upper or lower case, append or prepend a number. All this is done with the `-r' flag. This is a list of possible rules:

A = all characters upper case
F = first character upper case
L = last character upper case
W = first letter of each word to upper case
a = all characters lower case
f = first character lower case
l = last character lower case
w = first letter of each word to lower case
D = prepend digit
d = append digit
e = 1337 characters
x = all rules

In order to rewrite all characters in a word to upper case and to append a digit (0 to 9) at the end:

$ pd pkey -d wordlist -r Ad -K private-key

Sometimes, dictionary words and their rewritten equivalent are identical. p|d will discard the rewritten word in this case.

Using The Plugins

pkey:

  • Cracks RSA and DRA key passphrases. The keys must be in PEM format
  • Requires libssl

The key file or a directoy containing key files must be specified with -K:

$ pd pkey -K key.pem

mssql:

  • For cracking MS SQL 2000 and 2005 salted SHA1 password hashes
  • Requires libssl

The password hash must be specified with -H. The module will detect wether the hash is a MS SQL 2000 or 2005 hash. Using the verbose flag (-v) will give more information about the hash.

$ pd mssql -H 0x01006d75a401ba0a8bfc2beab5b86efc930300d1a2561a783aac

ssh:

  • Attacks SSH accounts on a remote host
  • Supports password, keyboard-interactive and key based authentication
  • Chooses between password and keyboard-interactive if an authentication mechanism is not enforced with -p (password), -n (keyboard-interactive) or -k (public key).
  • Requires libssl and libssh2

The -t or -T flag is mandatory and specifies either a single target host or a file that contains a list of hosts. By default, the plugin will attack the root users account on port 22. These settings can be modified with the -U and -u flags for the user account and -P for the service port:

$ pd ssh -u myuser -P 2200 -T hosts.txt

You can enforce an authentication method with the -p (password), -n (keyboard-interactive) or -k (public key) flag.

Key based authentication requires the private and public keys to be stored in a folder. The public keys must have the same name as the private keys but with the extension `.pub'. Have all key file names in a file and run p|d in dictionary mode. It will then pick the key names and use them for the authentication attempts. As an example (with the keys from the metasploit project site):

$ wget -q -O- http://sugar.metasploit.com/debian_ssh_dsa_1024_x86.tar.bz2 | \
  tar xvjf - -C /tmp | grep -v pub | sed s/^/\\\/tmp\\\// > key_list
$ pd ssh -k -d key_list -t 10.0.0.1

http-raw:

  • Simple HTTP form login brute forcing either via the GET or POST method
  • Supports custom headers
  • Target host is either taken from the HOST field in the request header or can be explicitely specified with the -T flag
$ cat request 
GET /user=admin&password={PASSWORD} HTTP/1.1
Host: 10.0.0.1

$ pd http-raw -R request -m "Login failed"

As for now, the plugin does not support SSL out of the box. However, there's a workaround using stunnel:

$ stunnel3 -c -d 127.0.0.1:8888 -r 10.0.0.1:443
$ pd http-raw -P 8888 -H 127.0.0.1 -R request -m "Login failed"

enc-file:

$ pd enc-file -f encrypted-file.gpg