Cracking Password Hashes with Hashcat Rule-based attack

Cracking Password Hashes with Hashcat Rule-based attack

In this tutorial, we will demonstrate how to dehash passwords using Hashcat with hashing rules. We will be using Kali Linux an open-source Linux operating system aimed at pen-testing. We will be using NVIDIA GTX 1080 8GB and Ryzen 5 1600 CPU to crack our password hashes.

What is a Rule-based attack?

Quote Hashcat “The rule-based attack is one of the most complicated of all the attack modes. The reason for this is very simple. The rule-based attack is like a programming language designed for password candidate generation. It has functions to modify, cut or extend words and has conditional operators to skip some, etc. That makes it the most flexible, accurate and efficient attack”

Hashcat rules are rules that are programmed to accommodate the rules engine in Hashcat. Hash rules are efficient as they can produce complex patterns of words from our target wordlists. By using rules we can attempt more complex passphrases allowing us to crack more passwords from our target hash table.


Name Function Description Example Rule Input Word Output Word Note
Nothing : do nothing : p@ssW0rd p@ssW0rd
Lowercase l Lowercase all letters l p@ssW0rd p@ssw0rd
Uppercase u Uppercase all letters u p@ssW0rd P@SSW0RD
Capitalize c Capitalize the first letter and lower the rest c p@ssW0rd P@ssw0rd
Invert Capitalize C Lowercase first found character, uppercase the rest C p@ssW0rd p@SSW0RD
Toggle Case t Toggle the case of all characters in word. t p@ssW0rd P@SSw0RD
Toggle @ TN Toggle the case of characters at position N T3 p@ssW0rd p@sSW0rd *
Reverse r Reverse the entire word r p@ssW0rd dr0Wss@p
Duplicate d Duplicate entire word d p@ssW0rd p@ssW0rdp@ssW0rd
Duplicate N pN Append duplicated word N times p2 p@ssW0rd p@ssW0rdp@ssW0rdp@ssW0rd
Reflect f Duplicate word reversed f p@ssW0rd p@ssW0rddr0Wss@p
Rotate Left { Rotates the word left. { p@ssW0rd @ssW0rdp
Rotate Right } Rotates the word right } p@ssW0rd dp@ssW0r
Append Character $X Append character X to end $1 p@ssW0rd p@ssW0rd1
Prepend Character ^X Prepend character X to front ^1 p@ssW0rd 1p@ssW0rd
Truncate left [ Deletes first character [ p@ssW0rd @ssW0rd
Trucate right ] Deletes last character ] p@ssW0rd p@assW0r
Delete @ N DN Deletes character at position N D3 p@ssW0rd p@sW0rd *
Extract range xNM Extracts M characters, starting at position N x04 p@ssW0rd p@ss * #
Omit range ONM Deletes M characters, starting at position N O12 p@ssW0rd psW0rd *
Insert @ N iNX Inserts character X at position N i4! p@ssW0rd p@ss!W0rd *
Overwrite @ N oNX Overwrites character at position N with X o3$ p@ssW0rd p@s$W0rd *
Truncate @ N ‘N Truncate word at position N ‘6 p@ssW0rd p@ssW0 *
Replace sXY Replace all instances of X with Y ss$ p@ssW0rd p@$$W0rd
Purge @X Purge all instances of X @s p@ssW0rd p@W0rd
Duplicate first N zN Duplicates first character N times z2 p@ssW0rd ppp@ssW0rd
Duplicate last N ZN Duplicates last character N times Z2 p@ssW0rd p@ssW0rddd
Duplicate all q Duplicate every character q p@ssW0rd pp@@ssssWW00rrdd
Extract memory XNMI Insert substring of length M starting from position N of word saved to memory at position I lMX428 p@ssW0rd p@ssw0rdw0 +
Append memory 4 Append the word saved to memory to current word uMl4 p@ssW0rd p@ssw0rdP@SSW0RD +
Prepend memory 6 Prepend the word saved to memory to current word rMr6 p@ssW0rd dr0Wss@pp@ssW0rd +
Memorize M Memorize current word lMuX084 p@ssW0rd P@SSp@ssw0rdW0RD +

Default Hashcat Rules

Hashcat includes some rules by default.

Hashcat’s rules are located in the rules directory of your Hashcat installation. You can create your own rules if you like for the purpose of this tutorial we are going to use some precompiled rules.

root@kali:\~# ls -l /usr/share/hashcat/rules/

total 2588

\-rw-r--r-- 1 root root 933 Dec 2 2018 best64.rule

\-rw-r--r-- 1 root root 633 Dec 2 2018 combinator.rule

\-rw-r--r-- 1 root root 200188 Dec 2 2018 d3ad0ne.rule

\-rw-r--r-- 1 root root 788063 Dec 2 2018 dive.rule

\-rw-r--r-- 1 root root 483425 Dec 2 2018 generated2.rule

\-rw-r--r-- 1 root root 78068 Dec 2 2018 generated.rule

drwxr-xr-x 2 root root 12288 Mar 23 21:02 hybrid

\-rw-r--r-- 1 root root 309439 Dec 2 2018 Incisive-leetspeak.rule

\-rw-r--r-- 1 root root 35280 Dec 2 2018 InsidePro-HashManager.rule

\-rw-r--r-- 1 root root 19478 Dec 2 2018 InsidePro-PasswordsPro.rule

\-rw-r--r-- 1 root root 298 Dec 2 2018 leetspeak.rule

\-rw-r--r-- 1 root root 1280 Dec 2 2018 oscommerce.rule

\-rw-r--r-- 1 root root 301161 Dec 2 2018 rockyou-30000.rule

\-rw-r--r-- 1 root root 1563 Dec 2 2018 specific.rule

\-rw-r--r-- 1 root root 64068 Dec 2 2018 T0XlC-insert*00-99*1950-2050*toprules*0_F.rule

\-rw-r--r-- 1 root root 2027 Dec 2 2018 T0XlC-insert*space*and*special*0_F.rule

\-rw-r--r-- 1 root root 34437 Dec 2 2018 T0XlC-insert*top*100*passwords*1_G.rule

\-rw-r--r-- 1 root root 34813 Dec 2 2018 T0XlC.rule

\-rw-r--r-- 1 root root 104203 Dec 2 2018 T0XlCv1.rule

\-rw-r--r-- 1 root root 45 Dec 2 2018 toggles1.rule

\-rw-r--r-- 1 root root 570 Dec 2 2018 toggles2.rule

\-rw-r--r-- 1 root root 3755 Dec 2 2018 toggles3.rule

\-rw-r--r-- 1 root root 16040 Dec 2 2018 toggles4.rule

\-rw-r--r-- 1 root root 49073 Dec 2 2018 toggles5.rule

\-rw-r--r-- 1 root root 55346 Dec 2 2018 unix-ninja-leetspeak.rule
ls -l /usr/share/hashcat/rules


In this tutorial, I will be using Hob0Rules with Crackstation’s real human word list. Hob0Rules is a good ruleset for cracking passwords based on statistics and industry patterns.

You can clone Hob0Rules by entering the following command in your terminal.

git clone

Hashdumps and Passwords

For the purpose of this demonstration, I will be cracking a Hashdump called ABC (SHA1)

You can download Hashdumps here

Download Hashdumps:

Cracking Password Hashes

Now we have our hashdump ready containing our target password hashes we can start cracking the password in Hashcat.

Command Examples: 

hashcat -a 0 -m 100 /root/Downloads/abc-sha1.txt /usr/share/wordlists/crackstation.txt -r d3adhob0.rule -o cracked -w 3 -O
hashcat -a 0 -m 100 /root/Downloads/abc-sha1.txt /usr/share/wordlists/fasttrack.txt -r /usr/share/hashcat/rules/a3ad0ne.rule -o cracked -w 3 -O
-r d3adhob0.rule path to Hashcat rule

-m 100 Hashing algorithm (SHA1)

/root/Downloads/abc-sha1.txt (Hash list path)

/usr/share/wordlists/crackstation.txt (Word list path)

-o output directory of cracked passwords.

-O Lowers the maximum supported password and salt length (typically down to 32).

-w 3 Add if hash rate is lower then expected (This can cause your screen to lag).

It can take a lot longer to crack password hashes using Hashcat rules as Hashcat must compare a lot more possible passwords with the target hash table.

I’m using a 15GB real human wordlist that I downloaded from Crackstation Hashcat estimates that it will take 4 hours 28 mins to finishing cracking the password hashes from the hash table using Hashcat rules with Crackstation wordlist.

Let’s wait and see what password hashes can be dehashed.

Hashcat was able to crack 77.12% of our SHA1 password hashes using Hashcat rules (Hob0Rules – d3adhob0.rule) without using Hashcat Rules we were only able to crack 57.37% of the SHA1 password hashes from our hash list.

Results without Hashcat Rules

Results using Hashcat Rules

Now that Hashcat has finished let’s see what passwords we were able to crack you can list file contents in a terminal using the cat command in Linux.

cat cracked.txt

Debugging rules

echo WORd > word
echo c > rule
hashcat -r rule --stdout word