Weak admin password detection

README.md

@@ -85,6 +85,17 @@ Flush all URL's that were cached by varnish.
 
 By default this command loads Magento's sitemap collection from which you can choose what sitemaps you want to crawl. If the store URL does not match the URL's in the sitemap you will be prompted several options (compare, replace, continue). For instance the old and new URL can be compared in a performance report. Additionally a sitemap can be loaded by specifying a path or URL. 
 
+### Checking for weak admin credentials ###
+
+    n98-magerun hypernode:crack:admin-passwords -r best64 vendors
+
+Check your site for weak admin credentials by attempting to brute force the password with popular password / variations.
+
+### Checking for weak admin credentials ###
+
+    n98-magerun hypernode:crack:api-keys -r best64 vendors
+
+This command words exactly the same as the `hypernode:crack:admin-passwords` except it attempts to crack the api_key of SOAP / XML-RPC users. All arguments are the same, check the commands `--help` for details.
 
 Packaging
 --------

composer.json

@@ -33,6 +33,7 @@
   },
   "require-dev": {
     "phpunit/phpunit": "~4.8",
+    "mikey179/vfsStream": "1.6.4",
     "n98/magerun": "dev-master"
   },
   "autoload": {

config/rules/best64.rule

@@ -0,0 +1,102 @@
+## nothing, reverse, case... base stuff
+:
+r
+u
+T0
+
+## simple number append
+$0
+$1
+$2
+$3
+$4
+$5
+$6
+$7
+$8
+$9
+
+## special number append
+$0 $0
+$0 $1
+$0 $2
+$1 $1
+$1 $2
+$1 $3
+$2 $1
+$2 $2
+$2 $3
+$6 $9
+$7 $7
+$8 $8
+$9 $9
+$1 $2 $3
+
+## high frequency append
+$e
+$s
+
+## high frequency overwrite at end
+] $a
+] ] $s
+] ] $a
+] ] $e $r
+] ] $i $e
+] ] ] $o
+] ] ] $y
+] ] ] $1 $2 $3
+] ] ] $m $a $n
+] ] ] $d $o $g
+
+## high frequency prepend
+^1
+^e ^h ^t
+
+## high frequency overwrite at start
+o0d
+o0m o1a
+
+## leetify
+so0
+si1
+se3
+
+## simple extracts
+D2
+D2 D2
+D3
+D4
+
+## undouble word
+'5 D3
+'5 $1
+
+## removes suffixes from 'strongified' passwords in dict
+]
+] ]
+] ] ]
+] ] ] d
+] ] D1 ]
+
+## rotates
++5 ] } } } } '4
+x02 { { { { { {
+} ] ] {
+} } -0 x12
+} } }
+} } } } '4
+} } } } } '5
+} } } } } } Y4 '4 d
+
+## unknown
+*04 +0 '4
+*05 x03 d '3 p1
++0 +0 +0 +0 +0 +0 +0 +0
++0 +0 +0 x12
+Z4 '8 x42
+Z5 '6 x31 ] p1
+Z5 *75 '5 { x02
+d x28 Y4 '4 d
+f *A5 '8 x14
+p2 '7 p1 x58
+x14 d p2 '6

config/wordlists/1.txt

@@ -0,0 +1 @@
+123456

config/wordlists/100.txt

@@ -0,0 +1,100 @@
+123456
+12345
+123456789
+password
+iloveyou
+princess
+1234567
+rockyou
+12345678
+abc123
+nicole
+daniel
+babygirl
+monkey
+lovely
+jessica
+654321
+michael
+ashley
+qwerty
+111111
+iloveu
+000000
+michelle
+tigger
+sunshine
+chocolate
+password1
+soccer
+anthony
+friends
+butterfly
+purple
+angel
+jordan
+liverpool
+justin
+loveme
+fuckyou
+123123
+football
+secret
+andrea
+carlos
+jennifer
+joshua
+bubbles
+1234567890
+superman
+hannah
+amanda
+loveyou
+pretty
+basketball
+andrew
+angels
+tweety
+flower
+playboy
+hello
+elizabeth
+hottie
+tinkerbell
+charlie
+samantha
+barbie
+chelsea
+lovers
+teamo
+jasmine
+brandon
+666666
+shadow
+melissa
+eminem
+matthew
+robert
+danielle
+forever
+family
+jonathan
+987654321
+computer
+whatever
+dragon
+vanessa
+cookie
+naruto
+summer
+sweety
+spongebob
+joseph
+junior
+softball
+taylor
+yellow
+daniela
+lauren
+mickey
+princesa