{"id":25539,"date":"2020-02-19T13:55:22","date_gmt":"2020-02-19T08:25:22","guid":{"rendered":"https:\/\/www.armourinfosec.com\/?p=25539"},"modified":"2020-03-30T13:27:26","modified_gmt":"2020-03-30T07:57:26","slug":"performing-rule-based-attack-using-hashcat","status":"publish","type":"post","link":"https:\/\/www.armourinfosec.com\/performing-rule-based-attack-using-hashcat\/","title":{"rendered":"Performing Rule Based Attack Using Hashcat"},"content":{"rendered":"

Performing Rule Based Attack Using Hashcat<\/h2>\n

This post focuses on performing a rule-based attack using hashcat. It's a way of using a dictionary or multiple dictionaries of words in order to crack a password in Kali Linux.
\n<\/span><\/p>\n

Rule-based Attack<\/h3>\n

Recently I was writing a blog post on cracking hashes with hashcat, but the post was getting long, so I decided to write another one to explain more about hashcat attacks, so that you can easily crack the hash. The rule-based attack is one of the most complicated of all the attack modes. The reason for this is very simple: the rule-based attack is like a programming language<\/strong> designed for password candidate generation. It has functions to modify, cut or extend words and has conditional operators to skip some, etc. That makes it the most flexible, accurate and efficient attack.<\/p>\n

Why not stick to regular expressions<\/h3>\n

Why re-invent the wheel? Simple answer: regular expressions are too slow. Typically we have to generate 1.000.000.000<\/strong> (or more) fresh password candidates in less than 10 ms<\/strong> before hashing algorithms start to become idle, and then again and again, second after second. Just take a look at your GPU speed display to get an idea of it.<\/p>\n

Compatibility to other rule engines<\/h3>\n

The rule engine in hashcat was written so that all functions that share the same letter-name are 100% compatible with John the Ripper<\/a> and PasswordsPro rules and vice versa. Later we started to introduce some of our own functions that are not compatible, but these functions got their own letter-names to avoid conflicts.<\/p>\n

What Are Rules and When Would I Use Them?<\/h3>\n

The first questions that come to mind are: what are rules, and why should we use a rule attack to crack a hash? First of all, consider the following scenario. You have a basic password wordlist containing the words below:<\/p>\n

password\r\nmysecret\r\nqwerty<\/pre>\n

If you wanted to try the above passwords with the pattern “123” added to the end, your list will become:<\/p>\n

password\r\npassword123\r\nmysecret\r\nmysecret123\r\nqwerty\r\nqwerty123<\/pre>\n

If you also want to capitalise the first letter of the original words, it will now become:<\/p>\n

password\r\npassword123\r\nPassword\r\nmysecret\r\nmysecret123\r\nMysecret\r\nqwerty\r\nqwerty123\r\nQwerty<\/pre>\n

Although you can type each new pattern manually for each word in your list, this will quickly get impractical with larger wordlists.<\/p>\n

Thankfully, we can express these patterns in programming terms using rules. With rules, we can create new passwords through modification of existing passwords supplied.<\/p>\n

Instead of having to write every new pattern for each password like above, we only require our original wordlist:<\/p>\n

password\r\nmysecret\r\nqwerty<\/pre>\n

And a file containing the rules that express our patterns:<\/p>\n

:\r\n$1 $2 $3\r\nc<\/pre>\n

Though much smaller, the above would produce the same outcome of words as before. Not only is this quicker than manually creating each password you want to try, your dictionary file also won't be as large.<\/p>\n

In short, a rule-based attack allows you to express patterns which are applied to existing passwords to quickly generate new passwords to use, and so crack the hashes quickly and easily.<\/p>\n

Creating Rules<\/h2>\n

Now that we can see the benefits of rules, we will define some rules to use in our own rule-based attack. To define our own custom set of rules to use with hashcat, we need to store them in a file, named like best64.rule or anything else you want.<\/p>\n

In this tutorial, we will cover some of the most commonly used rule functions:<\/p>\n

| Name | Function | Description | Example Rule | Input Word | Output Word |
|---|---|---|---|---|---|
| Nothing | : | Do nothing | : | p@ssW0rd | p@ssW0rd |
| Lowercase | l | Lowercase all letters | l | p@ssW0rd | p@ssw0rd |
| Uppercase | u | Uppercase all letters | u | p@ssW0rd | P@SSW0RD |
| Capitalize | c | Capitalize the first letter and lower the rest | c | p@ssW0rd | P@ssw0rd |
| Append Character | $X | Append character X to end | $1 | p@ssW0rd | p@ssW0rd1 |
| Prepend Character | ^X | Prepend character X to front | ^1 | p@ssW0rd | 1p@ssW0rd |
| Replace | sXY | Replace all instances of X with Y | ss$ | p@ssW0rd | p@$$W0rd |


Writing our rule-set:<\/h3>\n

To start, we will create some rules to do basic manipulation of the characters.<\/p>\n

From the above table, we will put in our rules file the lowercase, uppercase and capitalize functions:<\/p>\n

:\r\nl\r\nu\r\nc<\/pre>\n

The colon entry instructs hashcat to try the original word. We'll be including this so we can compare how many passwords were cracked using unmodified passwords from the wordlist.<\/p>\n

We'll also append to the end of the passwords the characters one to nine individually:<\/p>\n

$1\r\n$2\r\n$3\r\n$4\r\n$5\r\n$6\r\n$7\r\n$8\r\n$9<\/pre>\n

To express multiple functions in a single rule, you can separate them with a space like the following:<\/p>\n

$1 $2 $3 $4<\/pre>\n

In this case we are appending the characters one, two, three and four to the end of our passwords (i.e. if the password is root, it becomes root1234). To append the same character more than once, repeat the function (i.e. $5 $5 turns root into root55).<\/p>\n

You can substitute one character for another, by doing the following:<\/p>\n

sXY<\/pre>\n

Where X is the character to replace and Y is the new character.<\/p>\n
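The functions covered so far can be checked without running hashcat. The following is an added example, not code from the original post or from hashcat: a small Python interpreter for only the seven functions in the table, used to reproduce the nine-word list from earlier and to test whether a proposed password is derivable from a banned-word list. The names apply_rule, expand and derived_from, and the sample password tr0ub4dor&3, are assumptions of this example.

```python
# Added example, not hashcat's code: interprets only the functions in the
# table above (: l u c $X ^X sXY). Other hashcat functions are rejected.

def apply_rule(rule, word):
    """Apply one rule line to a word; functions may be separated by spaces."""
    i = 0
    while i < len(rule):
        f, args = rule[i], rule[i + 1:i + 3]
        if f in " :":                       # separator / do nothing
            i += 1
        elif f == "l":
            word, i = word.lower(), i + 1
        elif f == "u":
            word, i = word.upper(), i + 1
        elif f == "c":                      # first letter upper, rest lower
            word, i = word[:1].upper() + word[1:].lower(), i + 1
        elif f == "$" and len(args) >= 1:   # append X (X may be any character)
            word, i = word + args[0], i + 2
        elif f == "^" and len(args) >= 1:   # prepend X
            word, i = args[0] + word, i + 2
        elif f == "s" and len(args) == 2:   # replace every X with Y
            word, i = word.replace(args[0], args[1]), i + 3
        else:
            raise ValueError(f"unsupported or truncated function {f!r} in {rule!r}")
    return word

def expand(words, rules):
    """All candidates, grouped by base word, rules applied in file order."""
    return [apply_rule(r, w) for w in words for r in rules]

def derived_from(candidate, banned_words, rules):
    """(base word, rule) pairs that generate candidate; empty means not derivable."""
    return [(w, r) for w in banned_words for r in rules
            if apply_rule(r, w) == candidate]

# The page's three-word list; the rules are a constructed set that
# reproduces its nine-word expansion (original, append 123, capitalize).
WORDS = ["password", "mysecret", "qwerty"]
RULES = [":", "$1 $2 $3", "c"]

if __name__ == "__main__":
    print(expand(WORDS, RULES))
    # Policy check: is a proposed password one rule away from a banned word?
    print(derived_from("Qwerty", WORDS, RULES))       # derivable, so reject it
    print(derived_from("tr0ub4dor&3", WORDS, RULES))  # not derivable from this list
```

Because `$` and `^` consume the character that follows them, `$c` appends the letter c while a bare `c` capitalizes; the interpreter makes that difference easy to see.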

For this demonstration, we will substitute the following letters for their commonly used alternatives:<\/p>\n