For each word in a dictionary, all possible combinations of upper- and lower-case variants are generated.

This attack was implemented as a stand-alone attack mode in hashcat. The new Table-Lookup Attack transparently replaced it in current versions.

If our dictionary contains the word

pass1234

Hashcat creates the following password candidates

pass1234
Pass1234
pAss1234
PAss1234
paSs1234
PaSs1234
pASs1234
PASs1234
pasS1234
PasS1234
pAsS1234
PAsS1234
paSS1234
PaSS1234
pASS1234
PASS1234

Hashcat has two command-line parameters to fine-tune this attack. But why does this simple attack require a configuration at all? The reason for this is that it can create so many combinations that it will never finish. For example, if we have a long word like “ThisLongWordInYourDictionaryCreatesLotsOfCombinations” in our dictionary, which has the length 53, hashcat has to generate 2^53 (9.007.199.254.740.992) combinations. This can shorten run time by disregarding values that fall outside the password requirements.

--toggle-min=NUM

Default is set to: 1

--toggle-max=NUM

Default is set to: 16

Any word outside of the defined length range will be skipped.

The information for this section has moved to a dedicated wiki article available here Using rules to emulate toggle attack.

This attack is currently supported by:

• hashcat

We can use the stdout parameter in hashcat to pipe generated password candidates into oclHashcat-plus.