Cracking Password Hashes with Hashcat Rule-based attack
In this tutorial, we will demonstrate how to dehash passwords using Hashcat with hashing rules. We will be using Kali Linux an open-source Linux operating system aimed at pen-testing. We will be using NVIDIA GTX 1080 8GB and Ryzen 5 1600 CPU to crack our password hashes.
What is a Rule-based attack?
Quote Hashcat “The rule-based attack is one of the most complicated of all the attack modes. The reason for this is very simple. The rule-based attack is like a programming language designed for password candidate generation. It has functions to modify, cut or extend words and has conditional operators to skip some, etc. That makes it the most flexible, accurate and efficient attack”
https://hashcat.net/wiki/doku.php?id=rule_based_attack
Hashcat rules are rules that are programmed to accommodate the rules engine in Hashcat. Hash rules are efficient as they can produce complex patterns of words from our target wordlists. By using rules we can attempt more complex passphrases allowing us to crack more passwords from our target hash table.
Examples:
| Name | Function | Description | Example Rule | Input Word | Output Word | Note |
|---|---|---|---|---|---|---|
| Nothing | : | do nothing | : | p@ssW0rd | p@ssW0rd | |
| Lowercase | l | Lowercase all letters | l | p@ssW0rd | p@ssw0rd | |
| Uppercase | u | Uppercase all letters | u | p@ssW0rd | P@SSW0RD | |
| Capitalize | c | Capitalize the first letter and lower the rest | c | p@ssW0rd | P@ssw0rd | |
| Invert Capitalize | C | Lowercase first found character, uppercase the rest | C | p@ssW0rd | p@SSW0RD | |
| Toggle Case | t | Toggle the case of all characters in word. | t | p@ssW0rd | P@SSw0RD | |
| Toggle @ | TN | Toggle the case of characters at position N | T3 | p@ssW0rd | p@sSW0rd | * |
| Reverse | r | Reverse the entire word | r | p@ssW0rd | dr0Wss@p | |
| Duplicate | d | Duplicate entire word | d | p@ssW0rd | p@ssW0rdp@ssW0rd | |
| Duplicate N | pN | Append duplicated word N times | p2 | p@ssW0rd | p@ssW0rdp@ssW0rdp@ssW0rd | |
| Reflect | f | Duplicate word reversed | f | p@ssW0rd | p@ssW0rddr0Wss@p | |
| Rotate Left | { | Rotates the word left. | { | p@ssW0rd | @ssW0rdp | |
| Rotate Right | } | Rotates the word right | } | p@ssW0rd | dp@ssW0r | |
| Append Character | $X | Append character X to end | $1 | p@ssW0rd | p@ssW0rd1 | |
| Prepend Character | ^X | Prepend character X to front | ^1 | p@ssW0rd | 1p@ssW0rd | |
| Truncate left | [ | Deletes first character | [ | p@ssW0rd | @ssW0rd | |
| Trucate right | ] | Deletes last character | ] | p@ssW0rd | p@assW0r | |
| Delete @ N | DN | Deletes character at position N | D3 | p@ssW0rd | p@sW0rd | * |
| Extract range | xNM | Extracts M characters, starting at position N | x04 | p@ssW0rd | p@ss | * # |
| Omit range | ONM | Deletes M characters, starting at position N | O12 | p@ssW0rd | psW0rd | * |
| Insert @ N | iNX | Inserts character X at position N | i4! | p@ssW0rd | p@ss!W0rd | * |
| Overwrite @ N | oNX | Overwrites character at position N with X | o3$ | p@ssW0rd | p@s$W0rd | * |
| Truncate @ N | ‘N | Truncate word at position N | ‘6 | p@ssW0rd | p@ssW0 | * |
| Replace | sXY | Replace all instances of X with Y | ss$ | p@ssW0rd | p@$$W0rd | |
| Purge | @X | Purge all instances of X | @s | p@ssW0rd | p@W0rd | |
| Duplicate first N | zN | Duplicates first character N times | z2 | p@ssW0rd | ppp@ssW0rd | |
| Duplicate last N | ZN | Duplicates last character N times | Z2 | p@ssW0rd | p@ssW0rddd | |
| Duplicate all | q | Duplicate every character | q | p@ssW0rd | pp@@ssssWW00rrdd | |
| Extract memory | XNMI | Insert substring of length M starting from position N of word saved to memory at position I | lMX428 | p@ssW0rd | p@ssw0rdw0 | + |
| Append memory | 4 | Append the word saved to memory to current word | uMl4 | p@ssW0rd | p@ssw0rdP@SSW0RD | + |
| Prepend memory | 6 | Prepend the word saved to memory to current word | rMr6 | p@ssW0rd | dr0Wss@pp@ssW0rd | + |
| Memorize | M | Memorize current word | lMuX084 | p@ssW0rd | P@SSp@ssw0rdW0RD | + |
Default Hashcat Rules
Hashcat includes some rules by default.
Hashcat’s rules are located in the rules directory of your Hashcat installation. You can create your own rules if you like for the purpose of this tutorial we are going to use some precompiled rules.
root@kali:\~# ls -l /usr/share/hashcat/rules/ total 2588 \-rw-r--r-- 1 root root 933 Dec 2 2018 best64.rule \-rw-r--r-- 1 root root 633 Dec 2 2018 combinator.rule \-rw-r--r-- 1 root root 200188 Dec 2 2018 d3ad0ne.rule \-rw-r--r-- 1 root root 788063 Dec 2 2018 dive.rule \-rw-r--r-- 1 root root 483425 Dec 2 2018 generated2.rule \-rw-r--r-- 1 root root 78068 Dec 2 2018 generated.rule drwxr-xr-x 2 root root 12288 Mar 23 21:02 hybrid \-rw-r--r-- 1 root root 309439 Dec 2 2018 Incisive-leetspeak.rule \-rw-r--r-- 1 root root 35280 Dec 2 2018 InsidePro-HashManager.rule \-rw-r--r-- 1 root root 19478 Dec 2 2018 InsidePro-PasswordsPro.rule \-rw-r--r-- 1 root root 298 Dec 2 2018 leetspeak.rule \-rw-r--r-- 1 root root 1280 Dec 2 2018 oscommerce.rule \-rw-r--r-- 1 root root 301161 Dec 2 2018 rockyou-30000.rule \-rw-r--r-- 1 root root 1563 Dec 2 2018 specific.rule \-rw-r--r-- 1 root root 64068 Dec 2 2018 T0XlC-insert*00-99*1950-2050*toprules*0_F.rule \-rw-r--r-- 1 root root 2027 Dec 2 2018 T0XlC-insert*space*and*special*0_F.rule \-rw-r--r-- 1 root root 34437 Dec 2 2018 T0XlC-insert*top*100*passwords*1_G.rule \-rw-r--r-- 1 root root 34813 Dec 2 2018 T0XlC.rule \-rw-r--r-- 1 root root 104203 Dec 2 2018 T0XlCv1.rule \-rw-r--r-- 1 root root 45 Dec 2 2018 toggles1.rule \-rw-r--r-- 1 root root 570 Dec 2 2018 toggles2.rule \-rw-r--r-- 1 root root 3755 Dec 2 2018 toggles3.rule \-rw-r--r-- 1 root root 16040 Dec 2 2018 toggles4.rule \-rw-r--r-- 1 root root 49073 Dec 2 2018 toggles5.rule \-rw-r--r-- 1 root root 55346 Dec 2 2018 unix-ninja-leetspeak.rule
ls -l /usr/share/hashcat/rules
Hob0Rules
In this tutorial, I will be using Hob0Rules with Crackstation’s real human word list. Hob0Rules is a good ruleset for cracking passwords based on statistics and industry patterns.
https://github.com/praetorian-code/Hob0Rules
You can clone Hob0Rules by entering the following command in your terminal.
git clone https://github.com/praetorian-code/Hob0Rules.git
Hashdumps and Passwords
For the purpose of this demonstration, I will be cracking a Hashdump called ABC (SHA1)
You can download Hashdumps here
Download Hashdumps: http://www.adeptus-mechanicus.com/codex/hashpass/hashpass.php
Cracking Password Hashes
Now we have our hashdump ready containing our target password hashes we can start cracking the password in Hashcat.
Command Examples:
hashcat -a 0 -m 100 /root/Downloads/abc-sha1.txt /usr/share/wordlists/crackstation.txt -r d3adhob0.rule -o cracked -w 3 -O
hashcat -a 0 -m 100 /root/Downloads/abc-sha1.txt /usr/share/wordlists/fasttrack.txt -r /usr/share/hashcat/rules/a3ad0ne.rule -o cracked -w 3 -O
-r d3adhob0.rule path to Hashcat rule -m 100 Hashing algorithm (SHA1) /root/Downloads/abc-sha1.txt (Hash list path) /usr/share/wordlists/crackstation.txt (Word list path) -o output directory of cracked passwords. -O Lowers the maximum supported password and salt length (typically down to 32). -w 3 Add if hash rate is lower then expected (This can cause your screen to lag).
It can take a lot longer to crack password hashes using Hashcat rules as Hashcat must compare a lot more possible passwords with the target hash table.
I’m using a 15GB real human wordlist that I downloaded from Crackstation Hashcat estimates that it will take 4 hours 28 mins to finishing cracking the password hashes from the hash table using Hashcat rules with Crackstation wordlist.
Let’s wait and see what password hashes can be dehashed.
Hashcat was able to crack 77.12% of our SHA1 password hashes using Hashcat rules (Hob0Rules – d3adhob0.rule) without using Hashcat Rules we were only able to crack 57.37% of the SHA1 password hashes from our hash list.
Results without Hashcat Rules
Results using Hashcat Rules
Now that Hashcat has finished let’s see what passwords we were able to crack you can list file contents in a terminal using the cat command in Linux.
cat cracked.txt
Debugging rules
echo WORd > word echo c > rule hashcat -r rule --stdout word Word
