kwprocessor and princeprocessor

I ran across this tool while doing Rastalabs. It’s kwprocessor, designed to help build keyboard walks for wordlists. It is actually pretty easy to use and can produce some quality wordlists for keywalks, and given how common those are in the operational environment it’s a good tool to have.

Installation is easy, just run “make”. In order to build for a Windows environment, ensure mingw-w64 is installed and run “make windows”. This will produce both 32 and 64 bit executables for Windows. I didn’t have much luck using the Windows version, the output was not what you would expect. I suspect this is due to formatting issues of the inputs to kwp (discussed below) but did not test that.

The help function is available using the –help flag, and it shows you how to format the command and manipulate the output. There are two basic options in the help: keyboard and keywalk. The keyboard options specify which characters will be included. The keywalk options specify the directions the keywalks will be generated in.

The default values are specified on the right, and for the boolean values (the keyboards and keywalks) anything with a 1 is run by default. By default the command outputs to STDOUT, so you can redirect the output to a file if you are looking to add to an existing file rather than create one from scratch. Changes to the defaults must be specified individually, so a typical command might look like this:

./kwp -s 1 -3 1 -4 0 -7 1 -9 1 basechars/full.base keymaps/en-us.keymap routes/4-to-4-exhaustive-route -o /opt/test_wordlists/list1.txt

There are three required parameters for running kwp: basechars, keymap, and route. Basechars are just that, the base characters that the keyboard walk will start from. There are two built-in options: full.base and tiny.base.  The tiny base seems extremely small, but given how often passwords comprised of keyboard walks begin with these characters it is easy to see how it would be effective.

Several different keymaps are provided. Keymaps are files containing maps of locations of keys on language-specific keyboard layouts. A few common languages are given, but the format is simple enough that if necessary it could be changed. The keymap is the foundation that the list is built from, so choosing the correct keymap is critical.

Routes are the last, maybe most important, parameter to pass the command. Atom, the creator of kwprocessor, breaks routes down better than I ever could in the github readme. An important note on routes is that the two largest routes, 2-to-16-max-4-direction-changes.route and 2-to-32-max-5-direction-changes.route, don’t work for me on Linux. On Windows I was able to get the routes to work, however the previously mentioned formatting issues rendered the wordlist unusable. I think some troubleshooting could solve the format issue, but it isn’t necessary.

A good strategy for best using the tool is not to create the largest wordlist possible, but rather to create smaller wordlists and combinate them into larger wordlists. A real world example of a keyboard walk I have seen is 1qaz@WSX. This is a fairly simple password actually, but is the kind of thing administrators would use to be easily remembered and meet all the password complexity requirements. Creating a list that would contain this password would probably be enormous and tricky to generate, and requires jumps. Better to create lists of smaller words that can be more easily combined. I started by creating a custom basechars file to ensure that I am only starting from the left side of the keyboard.

Next I created a wordlist that would include all the four character walks from the left side of the keyboard that make sense. To me anyway and based on my experience, there’snot much science behind my process here.

My objective is to get the smallest possible wordlist to ensure that the list remains usable with a combinator. I have some results here from several different passes through kwprocessor in order to minimize the list and finally sorted to remove any duplicates.

Atom has another tool, princeprocessor, which can help to combine words. This is something I’m still working on, and princeprocessor takes some trial and error to avoid making enormous wordlists. But I was able to make it work and generate a wordlist of eight character keywalks which would include keywalks not easily generated by kwprocessor due to the key jumps.

This created a list that had our example password above, but also wasn’t small enough that we would be able to work with it on fairly limited hardware.

This is only a start. My objective is to use these tools to be able to generate on the fly 16 character keyboard walks that can be used on mid-range hardware to crack admin hashes. The problem is that the possible number of combinations goes up so quickly that it would make this very difficult for large wordlists. You can see the keyspace in princeprocessor for yourself prior to running the tool.

The next steps are to further reduce the size of the initial wordlist, take out uncommon or unlikely characters, take out words that wouldn’t meet common password complexity requirements. This is an ongoing project but one that I feel will ultimately be worthwhile on red team missions. The more refined I can get the initial list, the better the end product will be.