Modern password wordlist creation usually implies concatenating multiple data sources.
Ideally, most probable passwords should stand at start of the wordlist, so most common passwords are cracked instantly.
With existing dedupe tools you are forced to choose if you prefer to preserve the order OR handle massive wordlists.
Unfortunately, wordlist creation requires both:
So i wrote duplicut in highly optimized C to address this very specific need 🤓 💻
git clone https://github.com/nil0x42/duplicut
cd duplicut/ && make
./duplicut wordlist.txt -o clean-wordlist.txt
-
Features:
- Handle huge wordlists, even those whose size exceeds available RAM.
- Line max length based filtering (-l option).
- Ascii printable chars based filtering (-p option).
- Press any key to get program status at runtime.
-
Implementation:
- Written in pure C code, designed to be fast.
- Compressed hashmap items on 64 bit platforms.
- Multithreading support
- [TODO]: Use huge memory pages to increase performance.
-
Limitations:
- Any line longer than 255 chars is ignored.
- Heavily tested on Linux x64, mostly untested on other platforms.
A simple uint64 is enough to index lines in the hashmap, by packing
size information within line pointer's extra bits:
If whole file can't fit in memory, file is treated as a list of
virtual chunks, and each one is tested against next chunks.
So complexity is equal to th triangle number:
If you find a bug, or something doesn't work as expected, please compile duplicut in debug mode and post an issue with attached output:
# debug level can be from 1 to 4
make debug level=1
./duplicut [OPTIONS] 2>&1 | tee /tmp/duplicut-debug.log