PACK AND PIPAL – A COMPARISON
During testing we frequently come across passwords and in most cases, though not all, they are encrypted. Like in the real world, we will attempt to decrypt these passwords using password cracking tools. There are many options for password cracking tools but we have recently done some analysis on two of the more common tools in use to figure out how to get the best out of them. This blog takes a look at “Password Analysis and Cracking Kit” aka PACK and PIPAL for analysing passwords.
It’s what you do with it that counts
It is worth highlighting at the start that both PACK and PIPAL state that the aim of their tool is to help the user in cracking passwords. They can’t crack passwords on their own, the user needs to direct the tools to get the best results. Understanding how the tools work is therefore crucial to getting the most out of them.
Overview of the tools
PACK is developed in Python, and its main functionality is to enhance password cracking through pattern detection of masks, rules, character-sets and other password characteristics. For interaction and functionality with PACK, the tool consists of 4 main files.
“statsgen.py” – Provides basic statistics such as password length, character-sets used, password complexity, simple masks, advanced masks. A wordlist is required as an argument for this file.
“maskgen.py” – Provides the ability to craft pattern-based mask attacks. This file will display output for masks generated, masks coverage, masks runtime. A list of compatible masks is required, that can be generated from “statsgen.py”.
“policygen.py” – Generates masks that follow the password complexity rules (i.e. domain password policy). It does not require any previous files, only the configurable options that are available.
“rulegen.py” – Analyses a password/wordlist to automatically detect rules. Spell checking is provided by using spell-checking engines such as Aspell, MySpell etc. When analysing a wordlist, the top 10 rules and words are displayed and the following four output base files are created, “analysis.word”, “analysis-sorted.word”, analysis.rule”, “analysis-sorted.rule”, These provide either unsorted and ununique words or rules, or occurrence sorted and unique words or rules.
Pipal is developed in Ruby, and is only compatible with Ruby version(s) 1.9.x. PIPAL functions slightly differently to PACK. PIPAL has options to be configured, however they are in the form of symbolic link files, rather than options for each file like PACK. The user interacts with the following three parts.
“pipal.rb” – This is the main Ruby file used to run the PIPAL tool.
“checkers” – These are files that perform the analysis on passwords. Symbolic link(s) are required.
“splitters” – These are files that take each line in the file and apply a custom splitter. Symbolic link(s) are required.
The user enables “checkers” by creating a symbolic link(s) within a directory named “checkers_enabled” to the files that are available in the “checkers_available” directory. This provides a modular and almost “plugin” approach to the tool for analysis. Each “checker” is a part of the overall analysis and the tool was redesigned to function in this manner. To use a splitter, you have to create a symbolic link of the file you want to use to a file called “custom_splitter.rb” in the main PIPAL directory. For example, the “pipe_pass_user” splitter can be used if the lines contain the format – “password|username”. At the moment, only a single splitter can be used at once.
Comparison on functionality
Time Limited Engagements
Frequently our engagements are time limited and therefore the amount of time available to us to crack a password is limited. PIPAL requires a long time to parse large wordlists. For example, the “rockyou” wordlist will take at least a few days for PIPAL to analyse on a basic laptop specification. PACK however, is faster at generating output, regardless of the input size. In addition, PACK has a time management feature built in. When using the maskgen.py file you can specify a target time for each mask using the ‘targettime’ option.
For PIPAL there are no options to customise processing power but the user is able to create custom masks. PACK however, has a number of options for tailoring the use of the tool. The tool does not use your current system hardware as an indicator for the analysis, it uses a “pps” option (Passwords per Second) for calculating results. By tweaking the functionality of this option and the ‘targettime’ option you can gather more accurate output from the tool, and this is key to the functionality of PACK, otherwise the results bare less meaning. We found that this can be done by editing the default “pps” value in “maskgen.py” (line 39) to something more suitable. If you are going to use PACK often, then you can generate your own benchmarks for the “pps” value by using Hashcat on your system. This will provide you with the most accurate output from the ‘targettime’.
In PACK the user is able to filter the individual masks, such as the minimum and maximum password length. The “checkmasks” option is extremely useful for a quick analysis of a mask you wish to use against your hash list. You can supply an argument in the form of a mask and determine which type of coverage (passwords found) it has on the wordlist.
Creating custom masks allows the user to control the attack and reduce the amount of processing time required. Both PIPAL and PACK are good for creating custom masks, but in different ways. PIPAL is more useful for creating custom masks that contain text, not just plain brute-forcing options. PACK is great for creating custom rules based on wordlists or a sample set of cracked passwords. However, it requires more intelligent pattern detections for custom mask attacks.
The code for both tools is modular based and provides many options. The tools have a “plugin” feel to them (especially PIPAL with its “checkers”). This greatly enhances the functionality, and allows the tools to be further built upon without disrupting the overall source code. Some of the features can be enabled and disabled to customise output.
Support and compatibility
Both tools use common scripting languages, “Python” and “Ruby”. This provides compatibility with most operating systems. Included with both tools are valid input files for Hashcat, which is a real bonus for brute-force attacks and rule based attacks.
The patterns within PIPAL are more intelligent and as a result, provide better information for decision making than those within PACK.
For analysing rules in PACK, the user can take advantage of the “threads” option that will customise the processing power. The user can then change the output base file names using the “basename” option for relevancy. PACK is great for creating custom rules based on wordlists or a sample set of cracked passwords. The rule generation in PACK though can take a while if there is a large wordlist.
PIPAL includes passwords that match the default Active Directory complexity, which is a useful feature. It also has username and email checkers built in that can check whether usernames exist in passwords. This uses the Levenshtein string metric between the two sequences.
However, PIPAL requires a long time to parse large wordlists. For example, the “rockyou” wordlist will take at least a few days for PIPAL to analyse on a basic laptop specification. PIPAL also has encoding problems parsing special characters, in practice it skips each word it finds with a special character and can be a limitation on the accuracy of later results and success.
In addition, the zip codes used within PIPAL are only relevant to USA derived data sets, and can be classed as false positives when dealing with non USA data. This is due to the understanding of how the expression works. They also take up a lot of time whilst processing lists.
For PACK the top 10 Passwords and base words are not included. This is a basic feature that should ideally be included. However, the PACK policy generator is great for identifying masks that match a company’s password policy.
As discussed at the start, it is the application of the tool that holds true value not the tool itself. In our opinion, identifying the use case first and then matching this to the best tool to meet that requirement will be of most value. Take time to understand how PIPAL and PACK work and customise their configuration to meet your own needs as this will increase the value and accuracy of the output and directly increase your overall success rate in terms of cracking passwords. At the end of the day this is the aim of using such tools. In our short analysis we found that PIPAL is a more intelligent tool. However, the length of time it can take can be a real disadvantage in a time limited engagement. PACK’s functionality is more practical to actively being involved in the cracking process, as you can create custom masks based on certain rules, and actively calculate your time more efficiently. In reality of course, both have their strengths and weaknesses and as a result, the circumstances will dictate the use of the tool.