Rule-based Attack
Description
The rule-based attack is one of the most complicated of all the attack modes. The reason for this is very simple. The rule-based attack is like a programming language designed for password candidate generation. It has functions to modify, cut or extend words and has conditional operators to skip some, etc. That makes it the most flexible, accurate and efficient attack.
Why not stick to regular expressions
Why re-invent the wheel? Simple answer: regular expressions are too slow. Typically we have to generate 1.000.000.000 (or more) fresh password candidates in less than 10 ms before hashing algorithms start to become idle, and then again and again, second after second. Just take a look at your GPU speed display to get an idea of it.
Compatibility to other rule engines
The rule-engine in Hashcat was written so that all functions that share the same letter-name are 100% compatible to John the Ripper and PasswordsPro rules and vice versa. Later we started to introduce some of our own functions that are not compatible. But these functions got their own letter-names to avoid conflicts.
Implemented compatible functions
The following functions are 100% compatible to John the Ripper and PasswordsPro:
| Name | Function | Description | Example Rule | Input Word | Output Word | Note |
|---|---|---|---|---|---|---|
| Nothing | : | do nothing | : | p@ssW0rd | p@ssW0rd | |
| Lowercase | l | Lowercase all letters | l | p@ssW0rd | p@ssw0rd | |
| Uppercase | u | Uppercase all letters | u | p@ssW0rd | P@SSW0RD | |
| Capitalize | c | Capitalize the first letter | c | p@ssW0rd | P@ssW0rd | |
| Invert Capitalize | C | Lowercase first found character, uppercase the rest | C | p@ssW0rd | p@SSW0RD | |
| Toggle Case | t | Toggle the case of all characters in word. | t | p@ssW0rd | P@SSw0RD | |
| Toggle @ | TN | Toggle the case of characters at position N | T3 | p@ssW0rd | p@sSW0rd | |
| Reverse | r | Reverse the entire word | r | p@ssW0rd | dr0Wss@p | |
| Duplicate | d | Duplicate entire word | d | p@ssW0rd | p@ssW0rdp@ssW0rd | |
| Reflect | f | Duplicate word reversed | f | p@ssW0rd | p@ssW0rddr0Wss@p | |
| Rotate Left | { | Rotates the word left. | { | p@ssW0rd | @ssW0rdp | |
| Rotate Right | } | Rotates the word right | } | p@ssW0rd | dp@ssW0r | |
| Append Character | $ | Append character to end | $1 | p@ssW0rd | p@ssW0rd1 | |
| Prepend Character | ^ | Prepend character to front | ^1 | p@ssW0rd | 1p@ssW0rd | |
| Truncate left | [ | Deletes first character | [ | p@ssW0rd | @ssW0rd | |
| Trucate right | ] | Deletes last character | ] | p@ssW0rd | p@assW0r | |
| Delete @ N | DN | Deletes character at position N | D3 | p@ssW0rd | p@sW0rd | * |
| Delete range | xNM | Deletes M characters, starting at position N | x02 | p@ssW0rd | ssW0rd | * |
| Insert @ N | iNX | Inserts character X at position N | i4! | p@ssW0rd | p@ss!W0rd | * |
| Overwrite @ N | oNX | Overwrites character at postion N with X | o3$ | p@ssW0rd | p@s$W0rd | * |
| Truncate @ N | 'N | Truncate word at position N | '6 | p@ssW0rd | p@ssW0 | |
| Replace | sXY | Replace all instances of X with Y | ss$ | p@ssW0rd | p@$$W0rd | |
| Purge | @X | Purge all instances of X | @s | p@ssW0rd | p@W0rd | + |
| Duplicate first N | z | Duplicates first character N times | z2 | p@ssW0rd | ppp@ssW0rd | |
| Duplicate last N | Z | Duplicates last character N times | Z2 | p@ssW0rd | p@ssW0rddd | |
| Duplicate all | q | Duplicate every character | q | p@ssW0rd | pp@@ssssWW00rrdd | |
| Duplicate word | pN | Duplicate entire word N times | p3 | Pass | PassPassPass |
- * Indicates that N starts at 0. For character positions other than 0-9 use A-Z (A=11)
- + Indicates that this rule is implemented in hashcat only.
Implemented specific functions
The following functions are not available in John the Ripper and PasswordsPro:
| Name | Function | Description | Example Rule | Input Word | Output Word | Note |
|---|---|---|---|---|---|---|
| Swap front | k | Swaps first two characters | k | p@ssW0rd | @pssW0rd | |
| Swap back | K | Swaps last two characters | K | p@ssW0rd | p@ssW0dr | |
| Swap @ N | *XY | Swaps character X with Y | *34 | p@ssW0rd | p@sWs0rd | * |
| Bitwise shift left | LN | Bitwise shift left character @ N | L2 | p@ssW0rd | p@æsW0rd | * |
| Bitwise shift right | RN | Bitwise shift right character @ N | R2 | p@ssW0rd | p@9sW0rd | * |
| Ascii increment | +N | Increment character @ N by 1 ascii value | +2 | p@ssW0rd | p@tsW0rd | * |
| Ascii decrement | -N | Decrement character @ N by 1 ascii value | -2 | p@ssW0rd | p?ssW0rd | * |
| Replace N + 1 | .N | Replaces character @ N with value at @ N plus 1 | .1 | p@ssW0rd | psssW0rd | * |
| Replace N - 1 | ,N | Replaces character @ N with value at @ N minus 1 | ,1 | p@ssW0rd | ppssW0rd | * |
| Duplicate block front | yN | Duplicates first N characters | y2 | p@ssW0rd | p@p@ssW0rd | * |
| Duplicate block back | YN | Duplicates last N characters | Y2 | p@ssW0rd | p@ssW0rdrd | * |
| Title | E | Upper case the first letter and every letter after a space | E | p@ssW0rd w0rld | P@ssw0rd W0rld |
- * Indicates that N starts at 0. For character positions other than 0-9 use A-Z (A=11)
Writing rules
The most important thing in writing rules is knowing what you want to write. That typically means you have to analyze dozens of plaintext passwords, maybe from a customer, to see a pattern. For example, a common pattern is that people append a digit to their passwords to improve its strength. So we have two “parameters”:
- We want to append something.
- The value we want to append is a digit.
If we take a look at the function overview we see that we can append something using the '$' function. So, for example, if we want to add a “1” to our password, we write a rule that looks like this.
$1
Simple enough. But what if we want to do all numbers 1 - 9? Well thats what we call a Hybrid attack, just take a look at this page.
Also note:
- White spaces are ignored as long as they are not used as a parameter. That enables formating of our “source code” a bit.
- To comment out some text, it has to start with a ”#” char.
Generating rules
There are two ways to automatically “generate” rules.
- Using the maskprocessor, we have a dedicated article on this topic here: Using maskprocessor to create rules.
- Using random rules, see below.
Random rules
This is a very unique hashcat feature. With hashcat you can generate random rules on the fly to be used for that session. This is a good thing if you are out of ideas on what to do next when you have already tried all your rules on all your dictionaries. There are three configuration parameters:
Tells hashcat to generate NUM rules to be applied to each attempt:
--generate-rules=NUM
Specifies the number of functions that should be used (minimum to maximum range):
--generate-rules-func-min=NUM --generate-rules-func-max=NUM
This number can be unlimited but large numbers are not recommended. When used in conjunction with –g, any rule outside of this setting will be ignored.
For example, it could randomly generate the rules “l r”, “l ^f”, and “sa@”, these are all valid rules to be used. However, “l ^f sa@ r $3” would be ignored as it contains 5 functions. Default: min=1 max=4
You can mix your rules from a rules-file with randomly generated rules. For example, if your rules-file contains 200 rules and you use -g 500, it will generate 300 additional rules.
Saving matched rules
This becomes handy especially in combination with the rules generator but also for statistical analysis of your rule sets.
To save any rule that generated a matched password use these switches:
--debug-mode=1 --debug-file=matched.rule
This will save the matched rule on every match, so the resulting rule file might contain many duplicate rules.
Debugging rules
With hashcat we can debug our rules easily. That means we can verify that the rule we wrote actually does what we want it to do. All you need to use is the --stdout switch and omit the hashlist.
Here is an example:
Create simple dictionary:
$ echo WORd > word
Generate a simple rule. The “c” rule capitalizes the first letter and lower-cases the rest.
$ echo c > rule
And thats how we see the generated debug output:
$ ./hashcat-cli64.bin -r rule --stdout word Word
This “feature” is also a very fast password candiate generator. That means that if we have some external program that supports reading from stdin we can feed it with our output.
Examples
See rules/ folder in hashcat or oclHashcat-plus for examples.
Multi-rules
With release of oclHashcat-plus v0.07 a complete new feature in the rule-based cracking world was added.
Instead of just giving one -r parameter and a file, you can now add as many -r's as you want.
They are not executed in a sequence!
Each rule of each rule-file is combined with each rule of each rule-file. This way you can easily cook your own attack mode.
Supported by
This attack is currently supported by: