When you have used and try all your dictionaries and the passwords still does not give up... then you need to extend your attack ( assuming the dictionary is prima sort ). The ways that hashcat offers are several. There is the dictionary attack, which we discussed at the very beginning (POST#1). We have also combination attack, mask-attack, hybrid-attack and association-attack . In addition, the hashcat offers a rule-based attack. As well as the Toggle-Case Attack , which is also carried out using rules.
In this post we will discuss the dictionary attack using rules.
Cracking with rules.
We can use the rules in both dictionary-attack mode [-0] and hybrid-attack mode [-6,-7]. As with dictionaries, there is quite a large list of publicly available hashcat rules that significantly improve the percentage of cracked passwords. You can write the rules yourself, it is not super complicated, we will devote a separate post to this. What are rules really? Wikipedia hashcat, defines them quite clearly:
The rule-based attack is one of the most complicated of all the attack modes. The reason for this is very simple. The rule-based attack is like a **programming language** designed for password candidate generation. It has functions to modify, cut or extend words and has conditional operators to skip some, etc. That makes it the most flexible, accurate and efficient attack.
This gives us many possibilities to manipulate our dictionaries on the fly and create completely new candidates based on the dictionary content, which translates into the number of candidates and the chances of success. In short, we squeeze as much as we can out of our dictionaries, which, with the use of rules, become just a starting base for generating candidates.
Built-ins
Let's start by familiarising ourselves with the rules supplied from hashcat or what are known as built-ins - it's quite a useful list.
passphrase-rule
Very interesting and useful rules, that is actualy a set of two rule files passphrase-rule1.rule and passphrase-rule2.rule.
Author's description:
The rule files are designed to both "shape" the password and to mutate it. Shaping is based on the idea that human beings follow fairly predictable patterns when choosing a password, such as capitalising the first letter of each word and following the phrase with a number or special character. Mutations are also fairly predictable, such as replacing letters with visually-similar special characters.
passphrase-rule1.rule in action:
passphrase-rule
Used together significantly increase the number of candidates.
With the release of the old oclHashcat-plus v0.07, a completely new feature was introduced in the world of rule-based password cracking. Instead of just providing one -r parameter with a rule file, you can now add as many -r's as you want...
Importantly: they are not executed sequentially! Each rule from each file is combined with every rule from other files. This way, you can easily create your own custom attack mode. However, it’s important to note that the total number of generated rules is the product of all lists – meaning that with a large number of large files, you can quickly exceed available memory resources. But, a few well-chosen small sets of rules can have a really strong effect.
passphrase-rule1.rule + passphrase-rule2.rule in action:
OneRuleToRuleThemAll
In 2017, the company notsosecure conducted very interesting tests geared towards testing the performance of individual hashcat rules. They used Lifeboat data dump - Minecraft community leak including unsalted MD5 hashes. It was these hashes that were tested using the rockyou.txt dictionary as the base for the rules. The most well-known rules were tested in the test:
- best64
- unix-ninja-leetspeak
- InsidePro-HashManager
- InsidePro-PasswordsPro
- toggles5
- T0XICv1
- rockyou-30000
- d3ad0ne
- dive
- generated2
- d3adhob0
- hob064
- KoreLogicRulesPrependRockYou50000
- v2.dive
All except d3adhob0, hob064, KoreLogicRulesPrependRockYou50000 and _NSAKEY.v2.dive are included with hashcat.
The result of their testing was the creation of their own rules called OneRuleToRuleThemAll.
one-rule-to-rule-them-all
Pantagrule
the King is dead, long live the King!
Let's cracking begin.
[OneRuleToRuleThemAll] - https://github.com/NotSoSecure/password_cracking_rules [unshade-hash-b2.txt] - file with hashes.
We will start by downloading a file with the hashes we will be cracking[unshade-hash-b2.txt]. We will start with a familiar dictionary attack using the rockyou.txt dictionary.
hashcat -m 1000 -a 0 unshade-hash-b2.txt 'rockyou.txt.gz -O {{< /code >}}
Some passwords we have managed to crack but the vast majority still remain just hashes. Let us change this by increasing the number of candidates with a set of rules - OneRuleToRuleThemAll
hashcat -m 1000 -a 0 unshade-hash-b2.txt rockyou.txt.gz -r OneRuleToRuleThem.all -O rockyou.txt.gz vs rockyou.txt.gz + OneRuleToRuleThemAll
Just look at Keyspace with aditional rules file...
Depending on the power it will take shorter or longer ;d
Finally.
47 seconds of cracking and all hashes are no longer a mystery and all thanks to OneRuleToRuleThemAll.rule.
More coming..
Interesting hashcat rules: __https://contest-2010.korelogic.com/rules.html https://github.com/cyclone-github/rules https://github.com/kaonashi-passwords/Kaonashi/tree/master/rules https://github.com/initstring/passphrase-wordlist/tree/master/hashcat-rules https://github.com/clem9669/hashcat-rule https://github.com/nyxgeek/nyxgeek-rules/tree/master/hashcat-rules https://github.com/xfox64x/Hashcat-Stuffs/tree/master/Rules https://github.com/webpwnized/byepass/tree/master/rules https://github.com/hashcat/hashcat/tree/master/rules https://github.com/praetorian-inc/Hob0Rules https://github.com/NSAKEY/nsa-rules https://github.com/rarecoil/pantagrule/tree/master/rules
