For each word in our dictionary, it automatically generates masks, as in a batch of Mask attacks.
The Table-Lookup attack is not to be confused with Rainbow-Tables.
If our dictionary contains the word
word1
It is split into single chars.
The next step is to “lookup” each of these chars against a “Table”. Just continue reading…
--table-file
The following box shows what we call a “Table”. What we configure here are assignments. As usual in assignments, we have a left and a right side.
o=o
o=O
o=0
o=.
w=w
1=1
1=2
1=3
1=9
Hashcat has two command-line parameters to fine-tune this attack. But why does this simple attack require a configuration at all? The reason for this is that it can create so many combinations that it will never finish.
For example, if we have a long word like “111111111111111” in our dictionary, which has the length 15, and a table file containing…
1=0
1=1
1=2
1=3
1=4
1=5
1=6
1=7
1=8
1=9
…hashcat has to generate 10^15 (1.000.000.000.000.000) combinations.
The following parameters let the user define the length range of the words they wish to modify.
--table-min=NUM
Default is set to: 2
--table-max=NUM
Default is set to: 15
Any word outside of the defined length range will be skipped.
Before hashcat generates the mask, it takes each char from the split result and matches it against the table configuration. If it matches, it replaces the char with all the chars from the right side of the matching assignments, and creates new words this way. That's exactly what we want here. If it does not match, it does not replace the char and uses the original char.
word1
wOrd1
w0rd1
w.rd1
word2
wOrd2
w0rd2
w.rd2
word3
wOrd3
w0rd3
w.rd3
word9
wOrd9
w0rd9
w.rd9
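The expansion and the length filter described above, as an added Python sketch (not hashcat's own code) that also counts candidates before generating them, which is how an auditor can spot the words that would never finish. The function names, the `limit` guard and the whitespace-separated table parsing are assumptions of this example.

```python
from itertools import product
from math import prod

# Constructed sample: the assignments from the page's first table.
TABLE_TEXT = "o=o o=O o=0 o=. w=w 1=1 1=2 1=3 1=9"

def parse_table(text):
    """Map each left-side char to the list of its right-side chars."""
    table = {}
    for item in text.split():
        # Only the single-char "x=y" form shown on the page is accepted.
        if len(item) != 3 or item[1] != "=":
            raise ValueError(f"bad assignment: {item!r}")
        chars = table.setdefault(item[0], [])
        if item[2] not in chars:
            chars.append(item[2])
    return table

def candidate_count(word, table):
    """Candidates for one word: the product of the choices per position."""
    return prod(len(table.get(ch, [ch])) for ch in word)

def expand(word, table, table_min=2, table_max=15, limit=100_000):
    """List every candidate for word; [] if its length is out of range."""
    if not table_min <= len(word) <= table_max:
        return []  # skipped, like a word outside --table-min/--table-max
    total = candidate_count(word, table)
    if total > limit:  # 'limit' is this sketch's own guard, not a hashcat option
        raise OverflowError(f"{word!r} expands to {total} candidates")
    # Unmatched chars keep their original value as the only choice.
    choices = [table.get(ch, [ch]) for ch in word]
    # Reversed so the leftmost position varies fastest, as in the page's listing.
    return ["".join(reversed(p)) for p in product(*reversed(choices))]

if __name__ == "__main__":
    table = parse_table(TABLE_TEXT)
    print(candidate_count("word1", table), expand("word1", table))
    digits = parse_table(" ".join(f"1={d}" for d in range(10)))
    print(candidate_count("1" * 15, digits))
```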
This attack is extremely efficient against leetspeak passwords if we choose a table like this:
a=a
a=@
a=4
c=c
c=<
c=[
c={
e=e
e=3
i=i
i=I
i=!
i=|
i=.
etc..
It can also fully replace the Toggle-case attack if we choose a table like this:
a=a
a=A
b=b
b=B
c=c
c=C
d=d
d=D
etc..
But best of all, we can do both at once.
a=a
a=A
a=@
a=4
b=b
b=B
c=c
c=C
c=<
c=[
c={
d=d
d=D
e=e
e=E
e=3
etc..
Another nice idea is to fill holes in our dictionaries. For example, if our dictionary contains:
pass0
pass1
pass2
pass3
pass5
We can see it's missing pass4, pass6, etc. A single line in a table can fill the missing ones:
0=0 0=1 0=2 0=3 0=4 0=5 0=6 0=7 0=8 0=9
Hint: To avoid dupes, replace all digits with 0 and unique what's left.
$ sed -e 's/[0123456789]/0/g' < passes.dict | sort -u > passes_table_optimized.dict
See the table/ folder for more inspiration.
This attack is currently supported by:
This attack is planned for migration into oclHashcat-plus in a later version (low priority).
We can use the stdout parameter in hashcat to pipe generated password candidates into oclHashcat-plus.