Mentalist: Node-Based Wordlist Generation for Password Cracking

Hook

The password ‘P@ssw0rd2024!’ feels secure, but it follows predictable human patterns that make it crackable in seconds. Mentalist exploits these patterns through visual workflows that transform base words into millions of variations—exactly how humans construct passwords.

Context

Password cracking during authorized penetration tests often requires wordlists tailored to specific targets. Generic wordlists like rockyou.txt work for broad attacks, but when you’ve gathered OSINT about a target—company names, employee details, significant dates—you need wordlists that reflect how that specific person or organization constructs passwords. Humans are predictable: we substitute ‘a’ with ‘@’, append years, capitalize the first letter, and add exclamation marks. Manually creating these variations is tedious; writing custom scripts requires programming knowledge.

Historically, security professionals either used command-line tools like Crunch (pattern-based generation) or CUPP (interactive profiling), or wrote one-off Python scripts. Crunch generates comprehensive but unfocused output. CUPP profiles individuals but lacks flexibility in transformation chains. Scripts work but aren’t reusable across engagements. Mentalist bridges this gap with a GUI-based node system where you construct transformation pipelines visually, then output either complete wordlists or rule files for Hashcat and John the Ripper. It’s built for the security professional who understands password psychology but doesn’t want to maintain a collection of bash scripts.

Technical Insight

[Figure: System architecture (auto-generated). Components shown: Tkinter GUI Layer, Node Chain Manager, Base Words Node, Transformation Nodes (Leetspeak, Case changes, Append/Prepend), Generation Engine, Wordlist Output, Rule Export, Hashcat/John.]

Mentalist’s architecture separates the GUI layer (Tkinter) from a transformation engine that processes node chains. Each node represents a discrete operation: base word injection, character substitution, case modification, prepending/appending patterns, or inserting special characters. You chain these nodes sequentially, and Mentalist generates every permutation.

The node system is the core architectural decision. Rather than offering a single configuration screen, Mentalist treats wordlist generation as a pipeline problem. You start with a Base Words node (manual input, file upload, or built-in lists), then add transformation nodes. For example, a chain might look like: Base Words → Leetspeak Substitution → Append Years → Append Special Characters. Each node multiplies the number of candidates by the number of variants it produces, so the output grows multiplicatively along the chain.
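Read backwards, the same chain gives a defender a password-policy check: peel off trailing special characters and digits, undo leetspeak, and compare what is left with a deny list of base words. This is an added example, not Mentalist code; the substitution table and the function names are assumptions made for illustration.

```python
import itertools
import re

# Assumed reverse table for common leetspeak swaps; constructed for this
# example, not taken from Mentalist's built-in substitution lists.
# A value with two letters means the symbol is ambiguous ("1" -> i or l).
LEET_REVERSE = {"@": "a", "4": "a", "3": "e", "1": "il", "!": "i",
                "0": "o", "$": "s", "5": "s", "7": "t"}


def peel_decoration(password):
    """Return the password plus versions with trailing specials/digits removed."""
    no_special = re.sub(r"[^A-Za-z0-9]+$", "", password)
    no_digits = re.sub(r"\d+$", "", no_special)
    return {password, no_special, no_digits} - {""}


def deleet(word, limit=64):
    """Return lowercase readings of `word` with leet characters reversed.

    `limit` bounds the work when many ambiguous symbols appear.
    """
    options = [LEET_REVERSE.get(ch, ch) for ch in word.lower()]
    readings = itertools.islice(itertools.product(*options), limit)
    return {"".join(r) for r in readings}


def derived_from(password, base_words):
    """Return the base word this password is a predictable mangling of, or None."""
    bases = {w.lower() for w in base_words}
    # Shortest core first: the most decoration stripped.
    for core in sorted(peel_decoration(password), key=len):
        hit = bases & deleet(core)
        if hit:
            return sorted(hit)[0]
    return None


if __name__ == "__main__":
    deny = ["password", "acme", "summer"]  # constructed deny list
    for pw in ["P@ssw0rd2024!", "Acm3!", "correct-horse-battery-staple"]:
        print(pw, "->", derived_from(pw, deny))
```

A policy hook would reject any password for which `derived_from` returns a base word, with the deny list seeded from the organisation's own names and dates as well as common words.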

What makes Mentalist powerful is its dual-output capability. You can generate the full wordlist directly, but for large-scale operations, you export Hashcat or John the Ripper rules instead. Here’s the difference: a full wordlist might contain 50 million entries consuming gigabytes. A rule file contains the transformation logic, letting Hashcat apply those transformations on-the-fly against a base wordlist. This is computationally efficient and disk-friendly.

The built-in knowledge bases reflect real-world password analysis. The Leetspeak substitution node appears to handle common character swaps based on the tool’s purpose. The Append node appears to include years and common suffixes for concatenation patterns. There’s even a ‘Slang & Expletives’ list compiled from a variety of sources—because people genuinely use profanity in credentials, as documented in the README.

The transformation engine walks the chain and applies each transformation node in sequence. For rule generation, it instead converts the node operations into Hashcat or John the Ripper rule syntax.

Version 2.0 modernized the codebase with Poetry for dependency management and Python 3.11+ support. The transition from PyInstaller-based executables (available for v1.0 only) to proper Python packaging reflects maturation—you install via pip or Poetry rather than downloading platform-specific binaries.

One architectural limitation noted in the README’s future work: there’s no deduplication engine for Base Words. If your transformation chains create overlapping outputs, you’ll get duplicates. The engine appears to prioritize speed over uniqueness. For targeted attacks where you need every possible variation, this is acceptable. For optimized wordlists, you’ll need to pipe output through sort -u.

The GUI itself uses Tkinter for the node workflow based on the README’s technology stack. It’s lightweight and cross-platform without requiring additional frameworks beyond Python’s standard library.

Gotcha

Mentalist appears to be GUI-focused based on its description as a ‘graphical tool’ with no documented CLI mode, which would limit automation. You likely can’t integrate it into shell scripts or CI/CD pipelines for recurring wordlist generation without GUI automation tools or reimplementing the transformation logic separately.

Wordlist size can explode quickly without warning. A base list of 100 words, combined with leetspeak substitutions, appended years, and special characters, produces a far larger output, because each node multiplies the count. Add case permutations and you’re at hundreds of thousands of entries. The rule export mitigates this, but if you need the full wordlist, plan storage accordingly.
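To see the growth before generating anything, the sketch below counts candidates and bytes for a Base Words → Case → Leetspeak → Append Years → Append Special chain, and expresses the total as bits of guessing work. It is an added example, not part of Mentalist; the node settings are constructed, and it assumes each substitutable letter is swapped or kept independently.

```python
from math import log2

# Constructed node settings for illustration; Mentalist's own lists differ.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
YEARS = range(1990, 2026)   # Append node: 36 four-digit years
SPECIALS = "!@#$%&*?"       # Append node: 8 single characters
CASE_VARIANTS = 3           # Case node: lower, Capitalized, UPPER


def leet_variants(word):
    """Variants when each substitutable letter is swapped or kept independently."""
    return 2 ** sum(ch in LEET for ch in word.lower())


def chain_size(base_words):
    """Count candidates and bytes for Base -> Case -> Leet -> Year -> Special.

    Duplicates are not removed, matching a generator without deduplication.
    """
    suffixes = len(YEARS) * len(SPECIALS)
    candidates = size_bytes = 0
    for word in base_words:
        n = CASE_VARIANTS * leet_variants(word) * suffixes
        candidates += n
        # word + 4-digit year + 1 special character + newline
        size_bytes += n * (len(word) + 4 + 1 + 1)
    bits = round(log2(candidates), 1) if candidates else 0.0
    return {"candidates": candidates, "bytes": size_bytes, "guess_bits": bits}


if __name__ == "__main__":
    print(chain_size(["password", "acme", "summer"]))  # constructed base words
```

Under these settings three base words already yield 20,736 candidates, yet that is only about 14 bits of guessing work, which is why a password built this way falls quickly however complex it looks.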

Tkinter dependency issues persist, especially on macOS with Homebrew Python. The README now documents installing python-tk via Homebrew, but this requires matching your Python version (python-tk@3.13, python-tk@3.12, python-tk@3.11). Users installing Python through pyenv or system Python may encounter ‘tkinter module not found’ errors. On Linux, the package name varies (python3-tk, python3-tkinter) across distributions. Windows users with official Python installers face no issues, but cross-platform deployment requires environment-specific troubleshooting.

The ‘Slang & Expletives’ list, while pragmatic for password cracking, includes offensive content as acknowledged in the README. The author apologizes to anyone offended, explaining that ‘some people use truly heinous words for their credentials and this list is meant to help crack them.’ If you’re demoing Mentalist in a corporate environment or educational setting, be aware that built-in wordlists contain NSFW terms. You can avoid this by using custom base words only, but it’s a consideration for professional contexts.

Verdict

Use Mentalist if you’re conducting authorized penetration tests with OSINT-driven targeting, especially when you understand password construction psychology but don’t want to maintain custom wordlist scripts. It excels when you know specifics about targets—company names, employee details, relevant dates—and need to rapidly generate variations reflecting human password habits. The visual node workflow reduces cognitive overhead compared to writing transformation code, and the dual output (wordlists + rules) provides flexibility for different attack scenarios. It’s particularly valuable for security professionals who work across multiple engagements and need a reusable methodology.

Skip it if you need CLI automation for integration into larger pentesting frameworks, already have comprehensive wordlists sufficient for generic attacks, or work in headless environments where installing GUI dependencies is problematic. If your password cracking is purely opportunistic (testing common credentials against large user databases), generic wordlists like rockyou.txt combined with Hashcat’s built-in rules will be faster. Also skip if you’re uncomfortable with the learning curve of understanding which transformation chains produce optimal results—Mentalist gives you power but requires knowledge of password psychology to wield effectively. For purely pattern-based generation (all 8-character combinations of lowercase + digits), Crunch’s CLI approach is more efficient.
