Skip to main content

brutalist is a python3-based command line tool for all platforms that can be used to generate quick and large word lists from one or more sample passwords provided by the user.

Project description

Platform: ALL Dependencies: python3+ Version: 1.7.1 Follow @rubynorails on Twitter

brutalist

brutalist

brutalist is a python3-based command line tool for all platforms that can be used to generate quick and large word lists from one or more sample passwords provided by the user.

Use case:

Let's say you come across an outdated password in an old credential dump, but the user has since updated their password (password) to P@$$w0rd123!. If fed the word password, brutalist can generate up to a few million unique custom combinations for that specific word. brutalist uses various methods of leet speak substitution, as well as other common special character substitutions, suffixes, and special character additions -- all while keeping the order of the original characters in the password.

Notes:

Running without the --limit-special, --limit-numbers, or --limit options decreases the number of results to something manageable.

Running with the --leet option increases the number of results exponentially to something quite large.

The time it takes to return the results depends on the initial password length.

Install from PyPI:

pip3 install --upgrade brutalist

Install via Homebrew on MacOS:

brew install phx/brutalist/brutalist

Install via Git:

  1. git clone https://github.com/phx/brutalist
  2. cd brutalist
  3. sudo cp brutalist /usr/local/bin/

You can just as easily execute it where it stands or manually copy it elsewhere in your $PATH.

Run:

Usage: brutalist <[password] | -p [password] | -i [input file]> <[extended options]>

Options:
       [no params]                             takes input from stdin.
       [string]                                first argument is used as password.
       -p | --password                         second argument is used as password.
       -i | -f | --file [input file]           file is used as input.

Extended Options:
       -c | --limit-special | --limit-chars    limits special characters to '!@#$%*-+_'
       -n | --limit-numbers                    only includes common 1 and 2 digit suffixes + special
       -l | --limit                            limits both 3 digit numbers and special characters
            --leet                             includes all leet speak combinations (will increase size)

Examples

  • stdinfrom pipe, stdout to a file: cat small_list.txt | brutalist > huge_list.txt
  • stdin from input redirection, stdout to a file: brutalist < small_list.txt > huge_list.txt
  • input file as argument, write to both file and stdout: brutalist -f /path/to/small_list.txt | tee huge_list.txt

Runtime samples for using the password example "password":

---------------------------------------------------------
$ time echo password | brutalist
...
real    0m30.776s
user    0m23.589s
sys     0m4.892s
...
$ echo password | brutalist | wc -l
 7643680
---------------------------------------------------------
$ time echo password | brutalist --leet
...
real    1m1.169s
user    0m41.930s
sys     0m9.094s
...
$ echo password | brutalist | wc -l
 13198680
---------------------------------------------------------
$ time echo password | brutalist --limit-special
...
real    0m16.423s
user    0m11.681s
sys     0m2.582s
...
$ echo password | brutalist --limit-special | wc -l
 3821840
---------------------------------------------------------
$ time echo password | brutalist --limit-numbers
...
real    0m0.633s
user    0m0.439s
sys     0m0.109s
...
$ echo password | brutalist --limit-numbers | wc -l
  134160
---------------------------------------------------------
$ time echo password | brutalist --limit
...
real    0m0.352s
user    0m0.234s
sys     0m0.059s
...
$ echo password | brutalist --limit | wc -l
   68800
---------------------------------------------------------

10 random samples from password example "boot":

$ time echo boot | ./brutalist.py --leet | sort -R | head -10
13oOT225)
3oO7721)
BOO7791.
130Ot814%
b0O+538.
B0OT059&
13Oot786=
3OOt899)
3OO+631!
B0O+313]

real    1m40.766s
user    1m41.305s
sys    0m0.491s

Background

I started out in C before realizing that Python would do a much better job, and it's still pretty fast when it comes to generating these word lists.

I wrote this over the course of a few hours because it was something I had been thinking about that solved a particular use-case I had come across on multiple occasions, and while BurpSuite Pro offers some similar functionality, you have to fool around with it every time to get something close to what you want, as opposed to just running a simple command using brutalist .

Contribution

If you want to contribute or help clean up and optimize some code, feel free to submit a pull request.

Disclaimer

By downloading and running this software, you agree to only use it for ethical purposes and also agree to be held fully liable and accountable for any damage or harm caused by using brutalist.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distributions

No source distribution files available for this release.See tutorial on generating distribution archives.

Built Distribution

brutalist-1.4-py3-none-any.whl (18.7 kB view details)

Uploaded Python 3

File details

Details for the file brutalist-1.4-py3-none-any.whl.

File metadata

  • Download URL: brutalist-1.4-py3-none-any.whl
  • Upload date:
  • Size: 18.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.1 importlib_metadata/4.5.0 pkginfo/1.7.0 requests/2.25.0 requests-toolbelt/0.9.1 tqdm/4.61.0 CPython/3.9.5

File hashes

Hashes for brutalist-1.4-py3-none-any.whl
Algorithm Hash digest
SHA256 47e4eb80c6ef4433a4dfbed211d45410910fdf1ea7ad67586b2b561c69a87b9d
MD5 e8918675993aa679a2d54ec9cea83dfc
BLAKE2b-256 3d171a8ffe49e8f077d8ce8ad6f07a7f686188993da158d0d0882f8807d9449b

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page