Cracking Password Hashes with Hashcat Rule-based attack
In this tutorial, we will demonstrate how to crack password hashes using Hashcat with Hashcat rules. We will be using Kali Linux, an open-source Linux operating system aimed at pen-testing. We will be using an NVIDIA GTX 1080 8GB GPU and a Ryzen 5 1600 CPU to crack our password hashes.
What is a Rule-based attack?
To quote the Hashcat wiki: “The rule-based attack is one of the most complicated of all the attack modes. The reason for this is very simple. The rule-based attack is like a programming language designed for password candidate generation. It has functions to modify, cut or extend words and has conditional operators to skip some, etc. That makes it the most flexible, accurate and efficient attack.”
https://hashcat.net/wiki/doku.php?id=rule_based_attack
Hashcat rules are written for the rule engine built into Hashcat. Rules are efficient because they produce complex variations of the words in our target wordlists. By using rules we can try more complex candidate passwords, allowing us to crack more passwords from our target hash list.
Examples:
Name | Function | Description | Example Rule | Input Word | Output Word | Note |
---|---|---|---|---|---|---|
Nothing | : | Do nothing | : | p@ssW0rd | p@ssW0rd | |
Lowercase | l | Lowercase all letters | l | p@ssW0rd | p@ssw0rd | |
Uppercase | u | Uppercase all letters | u | p@ssW0rd | P@SSW0RD | |
Capitalize | c | Capitalize the first letter and lower the rest | c | p@ssW0rd | P@ssw0rd | |
Invert Capitalize | C | Lowercase first found character, uppercase the rest | C | p@ssW0rd | p@SSW0RD | |
Toggle Case | t | Toggle the case of all characters in word | t | p@ssW0rd | P@SSw0RD | |
Toggle @ | TN | Toggle the case of characters at position N | T3 | p@ssW0rd | p@sSW0rd | * |
Reverse | r | Reverse the entire word | r | p@ssW0rd | dr0Wss@p | |
Duplicate | d | Duplicate entire word | d | p@ssW0rd | p@ssW0rdp@ssW0rd | |
Duplicate N | pN | Append duplicated word N times | p2 | p@ssW0rd | p@ssW0rdp@ssW0rdp@ssW0rd | |
Reflect | f | Duplicate word reversed | f | p@ssW0rd | p@ssW0rddr0Wss@p | |
Rotate Left | { | Rotates the word left | { | p@ssW0rd | @ssW0rdp | |
Rotate Right | } | Rotates the word right | } | p@ssW0rd | dp@ssW0r | |
Append Character | $X | Append character X to end | $1 | p@ssW0rd | p@ssW0rd1 | |
Prepend Character | ^X | Prepend character X to front | ^1 | p@ssW0rd | 1p@ssW0rd | |
Truncate left | [ | Deletes first character | [ | p@ssW0rd | @ssW0rd | |
Truncate right | ] | Deletes last character | ] | p@ssW0rd | p@ssW0r | |
Delete @ N | DN | Deletes character at position N | D3 | p@ssW0rd | p@sW0rd | * |
Extract range | xNM | Extracts M characters, starting at position N | x04 | p@ssW0rd | p@ss | * # |
Omit range | ONM | Deletes M characters, starting at position N | O12 | p@ssW0rd | psW0rd | * |
Insert @ N | iNX | Inserts character X at position N | i4! | p@ssW0rd | p@ss!W0rd | * |
Overwrite @ N | oNX | Overwrites character at position N with X | o3$ | p@ssW0rd | p@s$W0rd | * |
Truncate @ N | 'N | Truncate word at position N | '6 | p@ssW0rd | p@ssW0 | * |
Replace | sXY | Replace all instances of X with Y | ss$ | p@ssW0rd | p@$$W0rd | |
Purge | @X | Purge all instances of X | @s | p@ssW0rd | p@W0rd | |
Duplicate first N | zN | Duplicates first character N times | z2 | p@ssW0rd | ppp@ssW0rd | |
Duplicate last N | ZN | Duplicates last character N times | Z2 | p@ssW0rd | p@ssW0rddd | |
Duplicate all | q | Duplicate every character | q | p@ssW0rd | pp@@ssssWW00rrdd | |
Extract memory | XNMI | Insert substring of length M starting from position N of word saved to memory at position I | lMX428 | p@ssW0rd | p@ssw0rdw0 | + |
Append memory | 4 | Append the word saved to memory to current word | uMl4 | p@ssW0rd | p@ssw0rdP@SSW0RD | + |
Prepend memory | 6 | Prepend the word saved to memory to current word | rMr6 | p@ssW0rd | dr0Wss@pp@ssW0rd | + |
Memorize | M | Memorize current word | lMuX084 | p@ssW0rd | P@SSp@ssw0rdW0RD | + |
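The rule functions in the table can be checked on paper or in a few lines of code, which is also how a password policy can reject a password that is only a dictionary word run through a rule. The following is an added example, not Hashcat's code and not part of the original tutorial: a small Python interpreter for a subset of the functions above, where the names `apply_rule` and `derivations` are made up for this sketch and words are assumed to be ASCII.

```python
# Added example (not hashcat code). Assumption: ASCII words; hashcat works on raw bytes.

def _pos(ch):  # positions are written 0-9, then A-Z for 10-35
    return int(ch, 36)

def _toggle_at(w, a):
    n = _pos(a)
    return w[:n] + w[n:n + 1].swapcase() + w[n + 1:]

# rule character -> (number of parameter characters, transform)
FUNCS = {
    ":": (0, lambda w, a: w),
    "l": (0, lambda w, a: w.lower()),
    "u": (0, lambda w, a: w.upper()),
    "c": (0, lambda w, a: w[:1].upper() + w[1:].lower()),
    "C": (0, lambda w, a: w[:1].lower() + w[1:].upper()),
    "t": (0, lambda w, a: w.swapcase()),
    "T": (1, _toggle_at),
    "r": (0, lambda w, a: w[::-1]),
    "d": (0, lambda w, a: w + w),
    "{": (0, lambda w, a: w[1:] + w[:1]),
    "}": (0, lambda w, a: w[-1:] + w[:-1]),
    "[": (0, lambda w, a: w[1:]),
    "]": (0, lambda w, a: w[:-1]),
    "$": (1, lambda w, a: w + a),
    "^": (1, lambda w, a: a + w),
    "D": (1, lambda w, a: w[:_pos(a)] + w[_pos(a) + 1:]),
    "s": (2, lambda w, a: w.replace(a[0], a[1])),
    "@": (1, lambda w, a: w.replace(a, "")),
}

def apply_rule(rule, word):
    """Apply one rule line (functions run left to right) to a word."""
    i = 0
    while i < len(rule):
        op, i = rule[i], i + 1
        if op == " ":  # spaces may separate functions
            continue
        if op not in FUNCS:
            raise ValueError(f"unsupported rule function: {op!r}")
        nargs, fn = FUNCS[op]
        if i + nargs > len(rule):
            raise ValueError(f"missing parameter for {op!r}")
        word, i = fn(word, rule[i:i + nargs]), i + nargs
    return word

def derivations(password, words, rules):
    """Return every (word, rule) pair that mangles a base word into password."""
    return [(w, r) for w in words for r in rules if apply_rule(r, w) == password]
```

A non-empty result from `derivations` for a proposed password means a wordlist plus that rule reaches it, so a policy check can reject it up front.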
Default Hashcat Rules
Hashcat includes some rules by default.
Hashcat’s rules are located in the rules directory of your Hashcat installation. You can create your own rules if you like, but for the purpose of this tutorial we are going to use some prebuilt rule files.
ls -l /usr/share/hashcat/rules/
total 2588
-rw-r--r-- 1 root root 933 Dec 2 2018 best64.rule
-rw-r--r-- 1 root root 633 Dec 2 2018 combinator.rule
-rw-r--r-- 1 root root 200188 Dec 2 2018 d3ad0ne.rule
-rw-r--r-- 1 root root 788063 Dec 2 2018 dive.rule
-rw-r--r-- 1 root root 483425 Dec 2 2018 generated2.rule
-rw-r--r-- 1 root root 78068 Dec 2 2018 generated.rule
drwxr-xr-x 2 root root 12288 Mar 23 21:02 hybrid
-rw-r--r-- 1 root root 309439 Dec 2 2018 Incisive-leetspeak.rule
-rw-r--r-- 1 root root 35280 Dec 2 2018 InsidePro-HashManager.rule
-rw-r--r-- 1 root root 19478 Dec 2 2018 InsidePro-PasswordsPro.rule
-rw-r--r-- 1 root root 298 Dec 2 2018 leetspeak.rule
-rw-r--r-- 1 root root 1280 Dec 2 2018 oscommerce.rule
-rw-r--r-- 1 root root 301161 Dec 2 2018 rockyou-30000.rule
-rw-r--r-- 1 root root 1563 Dec 2 2018 specific.rule
-rw-r--r-- 1 root root 64068 Dec 2 2018 T0XlC-insert_00-99_1950-2050_toprules_0_F.rule
-rw-r--r-- 1 root root 2027 Dec 2 2018 T0XlC-insert_space_and_special_0_F.rule
-rw-r--r-- 1 root root 34437 Dec 2 2018 T0XlC-insert_top_100_passwords_1_G.rule
-rw-r--r-- 1 root root 34813 Dec 2 2018 T0XlC.rule
-rw-r--r-- 1 root root 104203 Dec 2 2018 T0XlCv1.rule
-rw-r--r-- 1 root root 45 Dec 2 2018 toggles1.rule
-rw-r--r-- 1 root root 570 Dec 2 2018 toggles2.rule
-rw-r--r-- 1 root root 3755 Dec 2 2018 toggles3.rule
-rw-r--r-- 1 root root 16040 Dec 2 2018 toggles4.rule
-rw-r--r-- 1 root root 49073 Dec 2 2018 toggles5.rule
-rw-r--r-- 1 root root 55346 Dec 2 2018 unix-ninja-leetspeak.rule
Hob0Rules
In this tutorial, I will be using Hob0Rules with Crackstation’s real human word list. Hob0Rules is a good ruleset for cracking passwords based on statistics and industry patterns.
https://github.com/praetorian-code/Hob0Rules
You can clone Hob0Rules by entering the following command in your terminal.
git clone https://github.com/praetorian-code/Hob0Rules.git
Hashdumps and Passwords
For the purpose of this demonstration, I will be cracking a hashdump called ABC (SHA1).
You can download hashdumps here: http://www.adeptus-mechanicus.com/codex/hashpass/hashpass.php
Cracking Password Hashes
Now that we have our hashdump containing the target password hashes, we can start cracking the passwords in Hashcat.
Command Examples:
hashcat -a 0 -m 100 /root/Downloads/abc-sha1.txt /usr/share/wordlists/crackstation.txt -r d3adhob0.rule -o cracked -w 3 -O
hashcat -a 0 -m 100 /root/Downloads/abc-sha1.txt /usr/share/wordlists/fasttrack.txt -r /usr/share/hashcat/rules/d3ad0ne.rule -o cracked -w 3 -O
-a 0 Attack mode 0 (straight wordlist attack).
-m 100 Hashing algorithm (SHA1).
/root/Downloads/abc-sha1.txt Hash list path.
/usr/share/wordlists/crackstation.txt Word list path.
-r d3adhob0.rule Path to the Hashcat rule file.
-o cracked Output file for the cracked passwords.
-w 3 Workload profile 3. Add if the hash rate is lower than expected (this can cause your screen to lag).
-O Enables optimized kernels, which lowers the maximum supported password and salt length (typically down to 32).
It can take a lot longer to crack password hashes using Hashcat rules, because every rule is applied to every word in the wordlist and Hashcat must test many more candidate passwords against the target hashes.
I’m using a 15GB real human wordlist that I downloaded from Crackstation. Hashcat estimates that it will take 4 hours 28 mins to finish cracking the password hashes from the hash list using Hashcat rules with the Crackstation wordlist.
Let’s wait and see which password hashes can be cracked.
Hashcat was able to crack 77.12% of our SHA1 password hashes using Hashcat rules (Hob0Rules – d3adhob0.rule). Without Hashcat rules, we were only able to crack 57.37% of the SHA1 password hashes from our hash list.
Results without Hashcat Rules
Results using Hashcat Rules
Now that Hashcat has finished, let’s see what passwords we were able to crack. You can list the contents of the output file in a terminal using the cat command in Linux.
cat cracked
Debugging rules
echo WORd > word
echo c > rule
hashcat -r rule --stdout word
Word