Description
Please Describe The Problem To Be Solved
During engagements, it is very common to encounter "User as Password" scenarios or simple weak passwords where the only variation is the capitalization of the first letter (e.g., password, Password, admin, Admin).
Currently, to test these variations using NetExec, the user must run the command multiple times with different flags (e.g., once with -p john and once with -p John) or create a temporary wordlist containing case variants.
This is inefficient when trying to quickly spray a single credential or check for "User = Password" misconfigurations where the Active Directory username found (for example, by RID brute forcing) might be capitalized (e.g., John) but the password might be lowercase (john), or vice versa.
Scope:
- In-Scope: Adding a flag that takes the input provided via `-p` and attempts the lowercase string and the title-cased string.
- Out-of-Scope: Complex rule-based mangling (like Hashcat rules) or exhaustive permutation (e.g., `jOhN`).
(Optional): Suggest A Solution
I suggest adding a boolean flag, for example --auto-case, that automatically expands the provided password(s) into a list of lowercase and title-cased variations.
Proposed Logic:
When `-u <user> -p <password> --auto-case` is run:
- Add `<password>.lower()` (all lowercase) to the queue.
- Add `<password>.capitalize()` (first letter uppercase, rest lowercase) to the queue.
Examples:
- Input: `-u John -p John --auto-case`
  - Attempts: `John` (literal), `john` (lowercase).
- Input: `-u John -p john --auto-case`
  - Attempts: `john` (literal), `John` (capitalized).
Caveats and Considerations:
- Lockout Policy: This increases the number of authentication attempts per user (2 attempts instead of 1). Users should be aware of this regarding account lockouts, though it is generally low volume.