Using PassGAN for effective password cracking
Learn how red team operators can leverage PassGAN to generate realistic password lists.
Traditional password-cracking tools like HashCat and John the Ripper employ predefined rules and heuristics to generate password lists. While effective to an extent, these methods rely heavily on human intuition and require continuous updates to address new password creation patterns.
In the paper titled PassGAN: A Deep Learning Approach for Password Guessing, the authors introduce a method that leverages Generative Adversarial Networks (GANs) to autonomously learn the distribution and patterns of real passwords from data breaches and generate high-quality password lists.
Follow my journey of 100 Days of Red Team on WhatsApp, Telegram or Discord.
Generative Adversarial Networks (GANs) are a type of deep learning model designed for generating new data that closely resembles real examples. Introduced by Ian Goodfellow in 2014, GANs consist of two neural networks: a generator and a discriminator, which work against each other in a competitive manner. The generator creates fake samples (e.g., images, text, or passwords), while the discriminator evaluates whether the samples are real or generated. Over time, both networks improve: the generator learns to produce more realistic data, and the discriminator becomes better at distinguishing real from fake inputs. This adversarial process enables GANs to generate highly realistic outputs without explicit rule-based programming.
PassGAN leverages GANs to learn patterns and structures from leaked password datasets. Instead of relying on predefined rules, it autonomously generates password lists that mimic real-world user behavior. This makes it highly effective for identifying weak or predictable passwords, particularly during red team engagements.
For example, during a red team engagement, the team could use PassGAN to analyze previously leaked password datasets relevant to the target industry or region. By training the GAN on this data, the team can produce password lists tailored to the specific patterns and tendencies of the target user base. This targeted approach can reveal vulnerabilities that generic password-cracking methods might miss.
Consider the following:
A red team is tasked with testing an organization’s password security. They obtain a publicly available password breach dataset (e.g., from Have I Been Pwned or RockYou) that contains passwords similar to those used by employees in the targeted industry.
The red team feeds the dataset into PassGAN, allowing it to learn the patterns and structures of real-world passwords.
Once trained, PassGAN generates a list of probable passwords that users might create based on learned patterns. These passwords are saved into a text file (e.g. generated_passwords.txt). The red team then uses this password list with tools like HashCat to crack hashes obtained during the engagement.
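Before a generated list is used, it is worth measuring it the way the PassGAN paper does: how many passwords from a held-out set of real passwords do the first N unique guesses match, and how many of those guesses would a typical complexity policy have blocked? The following is an added example, not code from the post or from the PassGAN project; the password lists in it are constructed sample data, not breach data.

```python
# Added example, not from the post or the PassGAN project: score a PassGAN-style
# guess list as the paper does (share of a held-out real-password set matched by
# the first N unique guesses) and check which guesses survive a complexity policy.
# HELD_OUT and GENERATED are constructed sample data, not real breach data.
HELD_OUT = ["password1", "iloveyou", "qwerty123", "Summer2024!", "letmein",
            "dragon", "football7", "Passw0rd!", "monkey12", "trustno1"]
# Generator output in emission order; repeats are normal, since a GAN samples
# each output independently and favours high-probability strings.
GENERATED = ["password1", "iloveyou", "password1", "qwerty12", "letmein",
             "dragon", "dragon", "monkey12", "Summer2024!", "iloveyou",
             "football1", "abc123", "trustno1"]

def unique_in_order(guesses):
    """Drop repeats but keep first-seen order, so N counts distinct guesses."""
    seen, out = set(), []
    for g in guesses:
        if g not in seen:
            seen.add(g)
            out.append(g)
    return out

def coverage_curve(guesses, held_out):
    """List of (N, fraction of held_out matched by the first N unique guesses)."""
    targets, matched, curve = set(held_out), 0, []
    for n, g in enumerate(unique_in_order(guesses), start=1):
        if g in targets:
            matched += 1
        curve.append((n, matched / len(targets)))
    return curve

def passes_policy(pw, min_len=8, min_classes=3):
    """Typical complexity rule: minimum length and number of character classes."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) >= min_len and sum(classes) >= min_classes

def policy_report(guesses, held_out, **policy):
    """Defender view: of the held-out passwords that comply with the policy,
    how many are still guessed, and which guesses pass the policy at all?"""
    compliant = {p for p in held_out if passes_policy(p, **policy)}
    guessed = compliant & set(unique_in_order(guesses))
    survivors = [g for g in unique_in_order(guesses) if passes_policy(g, **policy)]
    return {"compliant_targets": len(compliant), "compliant_guessed": len(guessed),
            "guesses_passing_policy": survivors}

if __name__ == "__main__":
    n, frac = coverage_curve(GENERATED, HELD_OUT)[-1]
    print(f"{n} unique guesses from {len(GENERATED)} samples matched {frac:.0%} of the held-out set")
    print(policy_report(GENERATED, HELD_OUT))
```

On this sample the policy filters out nine of the ten distinct guesses, yet the single policy-compliant guess still matches one of the two compliant held-out passwords, which is the kind of result that shows where a complexity rule stops helping.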
Additionally, PassGAN's autonomous learning capability reduces the need for continuous manual updates to password-cracking rules, enabling red teams to adapt swiftly to evolving password trends. This adaptability is crucial in maintaining an up-to-date and robust arsenal.
If you want to try out PassGAN, check out this implementation by Brannon Dorsey.
Red Team Notes
The PassGAN: A Deep Learning Approach for Password Guessing paper presents an interesting use case for leveraging generative models to assess password security during red team engagements.