├── images
│   └── exampleimages.png
├── example_deny_list.txt
├── LICENSE
├── README.md
├── .gitignore
└── badlister.py

/images/exampleimages.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dievus/BadLister/HEAD/images/exampleimages.png

--------------------------------------------------------------------------------
/example_deny_list.txt:
--------------------------------------------------------------------------------
password
admin
administrator
root
January
February
March
April
May
June
July
August
September
October
November
December
spring
summer
fall
autumn
winter
qwerty
qwertyuiop
1qazxsw23edc
1qazxsw2
xsw2zaq1
xsw21qaz
2023
2024
2025
2026

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2024 Joe Helle

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# BadLister - A Wordlist Generator for Password Deny List Filtration

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/M4M03Q2JN)

I regularly do internal, external, and web application penetration tests where clients struggle with users utilizing common passwords, but do not know how to develop a list to prevent them.

BadLister is a simple solution for generating these lists. A default list, "example_deny_list.txt", is included; it contains strings that commonly appear in passwords, such as months, years, common keyboard runs, and other common words and numbers. BadLister parses the word list provided by the user and returns each word together with its "leetspeak" variants: combinations in which letters in the string are substituted with similar-looking special characters and numbers. Depending on the list provided, the results can be quite large, so it is important to tailor each list to the business concerned.

As an example, if your company is "Acme Corp Inc.", which is located in Ohio, you may want to include "Acme", "Ohio", and "Buckeyes" in the word list. All too often passwords contain the company name, state, city, or local sports team, and these passwords are incredibly easy to predict or crack.

## Usage
To run the tool, run `python3 badlister.py` and enter a filename when prompted. The tool was developed on Windows, which makes directory parsing a bit of a pain, so keeping the word list in the same directory as badlister.py is recommended. Once BadLister has run, the new file `denylist_passwords.txt` can be used however the user wishes. The user can also print the file contents to the terminal by pressing `y` when asked.

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class

# C extensions
*.so

# Distribution / packaging
.Python
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
wheels/
share/python-wheels/
*.egg-info/
.installed.cfg
*.egg
MANIFEST

# PyInstaller
#  Usually these files are written by a python script from a template
#  before PyInstaller builds the exe, so as to inject date/other infos into it.
*.manifest
*.spec

# Installer logs
pip-log.txt
pip-delete-this-directory.txt

# Unit test / coverage reports
htmlcov/
.tox/
.nox/
.coverage
.coverage.*
.cache
nosetests.xml
coverage.xml
*.cover
*.py,cover
.hypothesis/
.pytest_cache/
cover/

# Translations
*.mo
*.pot

# Django stuff:
*.log
local_settings.py
db.sqlite3
db.sqlite3-journal

# Flask stuff:
instance/
.webassets-cache

# Scrapy stuff:
.scrapy

# Sphinx documentation
docs/_build/

# PyBuilder
.pybuilder/
target/

# Jupyter Notebook
.ipynb_checkpoints

# IPython
profile_default/
ipython_config.py

# pyenv
#   For a library or package, you might want to ignore these files since the code is
#   intended to run in multiple environments; otherwise, check them in:
#   .python-version

# pipenv
#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
#   However, in case of collaboration, if having platform-specific dependencies or dependencies
#   having no cross-platform support, pipenv may install dependencies that don't work, or not
#   install all needed dependencies.
#Pipfile.lock

# poetry
#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
#   This is especially recommended for binary packages to ensure reproducibility, and is more
#   commonly ignored for libraries.
#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
#poetry.lock

# pdm
#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
#pdm.lock
#   pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it
#   in version control.
#   https://pdm.fming.dev/latest/usage/project/#working-with-version-control
.pdm.toml
.pdm-python
.pdm-build/

# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
__pypackages__/

# Celery stuff
celerybeat-schedule
celerybeat.pid

# SageMath parsed files
*.sage.py

# Environments
.env
.venv
env/
venv/
ENV/
env.bak/
venv.bak/

# Spyder project settings
.spyderproject
.spyproject

# Rope project settings
.ropeproject

# mkdocs documentation
/site

# mypy
.mypy_cache/
.dmypy.json
dmypy.json

# Pyre type checker
.pyre/

# pytype static type analyzer
.pytype/

# Cython debug symbols
cython_debug/

# PyCharm
#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
#  and can be added to the global gitignore or merged into this file.  For a more nuclear
#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
#.idea/

--------------------------------------------------------------------------------
/badlister.py:
--------------------------------------------------------------------------------
import itertools
import sys


def banner():
    print(
        """

██████   █████  ██████  ██      ██ ███████ ████████ ███████ ██████
██   ██ ██   ██ ██   ██ ██      ██ ██         ██    ██      ██   ██
██████  ███████ ██   ██ ██      ██ ███████    ██    █████   ██████
██   ██ ██   ██ ██   ██ ██      ██      ██    ██    ██      ██   ██
██████  ██   ██ ██████  ███████ ██ ███████    ██    ███████ ██   ██

        A wordlist generator for generating common password strings
        v1.0
        Another tool created by TheMayor
        """
    )


def leetspeak_generator(word):
    # years = ['1950', '1951', '1952', '1953', '1954', '1955', '1956', '1957', '1958', '1959', '1960', '1961', '1962', '1963', '1964', '1965', '1966', '1967', '1968', '1969', '1970', '1971', '1972', '1973', '1974', '1975', '1976', '1977', '1978', '1979', '1980', '1981', '1982', '1983', '1984', '1985', '1986', '1987', '1988', '1989', '1990', '1991', '1992', '1993', '1994', '1995', '1996', '1997', '1998', '1999', '2000', '2001', '2002', '2003', '2004', '2005', '2006', '2007', '2008', '2009', '2010', '2011', '2012', '2013', '2014', '2015', '2016', '2017', '2018', '2019', '2020', '2021', '2022', '2023', '2024', '2025', '2026', '2027', '2028', '2029', '2030']
    # Substitutes for each letter. The uppercase form of the letter is added as a
    # further option below; the plain lowercase letter is not, so every mappable
    # position in the word is altered in every variant.
    leet_dict = {
        "a": ["4", "@"],
        "b": ["8"],
        "c": ["<", "("],
        "e": ["3"],
        "g": ["9", "6"],
        "h": ["#"],
        "i": ["1", "!", "|"],
        "l": ["|", "1", "7"],
        "o": ["0"],
        "s": ["$", "5"],
        "t": ["+", "7"],
        "z": ["2"],
    }

    # Per character, the list of alternatives it can take in a variant.
    leet_combinations = []
    for char in word:
        if char.lower() in leet_dict:
            leet_combinations.append(leet_dict[char.lower()] + [char.upper()])
        else:
            leet_combinations.append([char])

    # The Cartesian product over all positions yields every variant; the count is
    # the product of the option counts per position, so long words expand quickly.
    return [
        "".join(combination) for combination in itertools.product(*leet_combinations)
    ]


def generate_leetspeak_combinations(word_list):
    leetspeak_combinations = []

    for word in word_list:
        # Keep the original word, then all of its leetspeak variants.
        leetspeak_combinations.append(word)
        leetspeak_combinations.extend(leetspeak_generator(word))

    return leetspeak_combinations


if __name__ == "__main__":
    # banner()
    # Get the file name from the user
    try:
        file_name = input("Enter the file name containing the list of words: ")

        with open(file_name, "r") as file:
            # Skip blank lines so they do not turn into empty deny-list entries.
            word_list = [line.strip() for line in file if line.strip()]
        output_file_name = "denylist_passwords.txt"
        # Generate leetspeak combinations (once; the list is reused below)
        leetspeak_combinations = generate_leetspeak_combinations(word_list)
        print(f"\nNumber of words generated: {len(leetspeak_combinations)}\n")
        with open(output_file_name, "w") as output_file:
            output_file.write("\n".join(leetspeak_combinations))
        print(f"Leetspeak combinations saved to '{output_file_name}'\n")
        output_list = input(
            "[!] Do you want to output combinations to terminal? (y/n)? "
        )
        if output_list.lower() == "y":
            # Print leetspeak combinations
            print("\nLeetspeak List:")
            print("\n".join(leetspeak_combinations))
        else:
            print("\nQuitting!")
            sys.exit()
    except KeyboardInterrupt:
        print(
            "\n\nYou either fat fingered this, or something else. Either way, Quitting!"
        )
    except FileNotFoundError:
        print(f"\n[-] Error: File '{file_name}' not found. Retry with a valid file.\n")
    sys.exit()
--------------------------------------------------------------------------------
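The README warns that the generated list can be large, and badlister.py's Cartesian product shows why: each mappable letter multiplies the count. The following is an added example, not part of the BadLister repository, written to show the consuming side of the deny list described in the README and to quantify that growth. It copies the `leet_dict` table from badlister.py and constructs its own sample base words and candidate passwords (`BASE_WORDS`, `CANDIDATES`); the function names `count_variants`, `matches_enumerated` and `matches_normalized` are this example's, not the project's. It demonstrates two equivalent ways of checking a candidate password: a case-insensitive substring match against the enumerated list (what `denylist_passwords.txt` is for), and a list-free check that normalizes the candidate back to plain letters and compares it with the base words only.

```python
import itertools

# Substitution table copied from badlister.py's leet_dict so the example runs stand-alone.
LEET_DICT = {
    "a": ["4", "@"], "b": ["8"], "c": ["<", "("], "e": ["3"], "g": ["9", "6"],
    "h": ["#"], "i": ["1", "!", "|"], "l": ["|", "1", "7"], "o": ["0"],
    "s": ["$", "5"], "t": ["+", "7"], "z": ["2"],
}

# Reverse table: substitute character -> the letters it may stand for ("1" -> i or l).
REVERSE_LEET = {}
for letter, subs in LEET_DICT.items():
    for sub in subs:
        REVERSE_LEET.setdefault(sub, []).append(letter)


def position_options(word):
    """Per-character alternatives, as badlister.py builds them: a mappable letter
    becomes one of its substitutes or its uppercase form; anything else stays."""
    return [
        LEET_DICT[c.lower()] + [c.upper()] if c.lower() in LEET_DICT else [c]
        for c in word
    ]


def count_variants(word):
    """Number of variants badlister.py emits for one word, without enumerating them."""
    total = 1
    for options in position_options(word):
        total *= len(options)
    return total


def leetspeak_variants(word):
    """The variants themselves (the same Cartesian product badlister.py takes)."""
    return ["".join(p) for p in itertools.product(*position_options(word))]


def build_deny_list(base_words):
    """Same layout as denylist_passwords.txt: each base word, then its variants."""
    deny = []
    for word in base_words:
        deny.append(word)
        deny.extend(leetspeak_variants(word))
    return deny


def matches_enumerated(candidate, deny_list):
    """Case-insensitive substring check of a candidate against the enumerated list."""
    lowered = candidate.lower()
    return any(entry.lower() in lowered for entry in deny_list)


def normalized_readings(candidate):
    """Every plain-letter reading of a candidate: lowercase it, then let each
    substitute character stand for any letter it maps to, or for itself
    (so a literal year such as 2024 still reads as 2024)."""
    options = [
        REVERSE_LEET[ch] + [ch] if ch in REVERSE_LEET else [ch]
        for ch in candidate.lower()
    ]
    return {"".join(p) for p in itertools.product(*options)}


def matches_normalized(candidate, base_words):
    """List-free equivalent of matches_enumerated: reject when any reading of the
    candidate contains a base word."""
    lowered_words = [w.lower() for w in base_words]
    return any(
        w in reading for reading in normalized_readings(candidate) for w in lowered_words
    )


# Constructed sample base list, in the spirit of example_deny_list.txt.
BASE_WORDS = ["password", "admin", "Ohio", "2024"]
DENY_LIST = build_deny_list(BASE_WORDS)
# Constructed candidate passwords; both checks return the same verdict for each.
CANDIDATES = ["P@$$w0rd", "p4ssword", "Summer2024!", "0h10", "Correct-Horse-Battery"]

if __name__ == "__main__":
    print(f"administrator alone expands to {count_variants('administrator')} variants")
    for pw in CANDIDATES:
        print(f"{pw:24} enumerated={matches_enumerated(pw, DENY_LIST)} "
              f"normalized={matches_normalized(pw, BASE_WORDS)}")
```

Two practical points fall out of running it. First, "administrator" from the example list alone expands to 7776 variants, so a company-specific list of a few dozen long words produces a file that a password filter must load in full; the normalizing check makes the same decision while storing only the base words. Second, the two checks agree because the uppercase option lowercases back to the plain letter, so a case-insensitive comparison against the enumerated list already covers partial substitutions such as "p4ssword"; if the consuming system compares case-sensitively, the full list as badlister.py writes it is what is needed. Short base words such as "May" or "fall" match inside longer unrelated passwords under either check, which is worth keeping in mind when tailoring the list.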