Hashcat’s latest keymap walking tool, “KwProcessor”, quickly and easily generates password lists based on keymap walking techniques. In this article, the first of several password cracking themed articles, we will take a quick look at how to use this tool.
Keymap walking passwords are popular amongst many organizations as they are pretty easy to use and remember. Basically, you start with a specific key on the keyboard and then pick a direction (or multiple directions) and start hitting keys. Your password is entered as you “walk” across the keyboard.
You can create a complex password in this manner by using the shift key and including numbers in the pattern, as seen below:
Starting with the letter “z”, we move North West, hitting the “a”,”q”, and “1” keys. We then move East a row, hitting the number “2”, and then move South East back down the keyboard hitting the “w” key and stopping on “s”.
This would create the password, “zaq12ws”. If we alternately used the shift key, we would get the password, “ZaQ1@wS” which is a little more complex.
What makes keymap walking so successful (until now) is that an attacker would need to know the starting key, direction, direction changes, if any special key is used and when, and of course the ending key. Hashcat’s new KwProcessor tool makes creating keymap walking wordlists very easy to do.
Installing KwProcessor (kwp)
We will be using Kali Linux as the operating system. At the time of this writing kwp is not installed by default. So, we will need to download and install it.
From a Kali Terminal prompt:
- git clone https://github.com/hashcat/kwprocessor.git
- cd kwprocessor
- and then type, “make”
As seen below:
You can type, “./kwp -V” to check that it installed correctly and display the software version.
Keymaps and Routes
To crack keymap walking passwords you will need two things, a layout of the keyboard keys and a list of routes to take to create the wordlists. In the kwp program directory you will find the “keymaps” and “routes” folders:
The Keymaps folder contains the keyboard layout for multiple languages:
The routes folder has 7 preconfigured keymap walks or routes that can be used to generate passwords:
We can use these preconfigured routes or create our own using command line switches.
Type, “./kwp –help” to see the available options:
Creating a KWP Wordlist
To create a simple kwp wordlist, we will use the English keymap and the 2-10 max 3 directional change route file. This can be accomplished by running the command below:
./kwp basechars/full.base keymaps/en.keymap routes/2-to-10-max-3-direction-changes.route
This causes kwp to create multiple keymap walk combinations, of 2-11 characters with a maximum of 3 direction changes:
The output of the command is sent directly to the screen, so to create the actual wordlist file, you would need to output the command to a text file.
./kwp basechars/full.base keymaps/en.keymap routes/2-to-10-max-3-direction-changes.route > basickwp.txt
You can then use the resultant text file as a wordlist in Hashcat.
To create a more complex wordlist, use one of the larger route files:
./kwp basechars/full.base keymaps/en.keymap routes/2-to-16-max-3-direction-changes.route > largekwp.txt
Foreign Language Keywalks
If you need to crack foreign language keywalks, just use one of the foreign language keymap files. So, to create a Russian keywalk wordlist:
./kwp basechars/full.base keymaps/ru.keymap routes/2-to-16-max-3-direction-changes.route > rukwp.txt
And the resultant file:
If we have a password hashlist that contains any of the words that were generated, it will crack them. This is shown in the Hashcat result example below:
In this article we covered how to use the new Hashcat kwp tool to quickly create keymap walking wordlists. We also saw how easy it is to change the keymap language, which can come in handy if you are cracking international passwords. For more information on KWP, check out the Hashcat Github page.
If you are interested in learning more about cracking password with Hashcat, more is on the way in upcoming articles. Also, check out my Basic Security Testing with Kali Linux book that covers a lot of basic password cracking topics, plus a whole lot more!