insert digits between 2 wordlists
#1
I am attempting to create a combined wordlist word###word for use in hashcat. I have achieved this in the past but I am unable to get the right syntax. I have tried piping a list in with a rule (file) or a hybrid attack with an input mask.
I am using 2 wordlists and the rule format $?d$?d$?d. I can get the digits appended to the first list but I can't seem to get the second list added to that result. Because of mem and space concerns I don't want to create the list beforehand.
Reply
#2
Yep, had the same issue. Problem is that you cannot pipe the results in a combinator attack. You can only pipe them into a single brute force attack. See my post and answer here:
https://hashcat.net/forum/thread-10680.html

One solution I can think of, would be to first run a combinator attack, with a left rule that you prepend some special character, then pipe that result (word1^word2) into a brute force attack with a rule file that tries to replace this special anchor character "^" with 00,01, etc.
The below is one way to go about it, it works.

Step 1), run a combinator attack, with a rule that works on the left side to append character "^"

Run .\hashcat.exe -a1 --stdout wordslist1.txt wordslist2.txt -j $^

Step 2), pipe the output into a brute force attack (attack mode 0), with a special rule to replace all occurrences of "^" with two digits. If you have this character in your word lists, make sure to replace "^" with another character in the rule file.

Example of such a rule replace_anchor_with_dd.rule
s^01
s^$02
s^$03
... (continue this password up to 100), I added it to this post

In general, I think it would be great if there would be support for piping into a combinator attack. It should not be hard to implement this at all. Just like you now have -j and -k to indicate on which side a rule should be implemented, maybe we could use -l -m to indicate on which side piped input needs to be placed.
Just my 2 cents.


Attached Files
.txt   rule replace_anchor_with_dd.txt (Size: 598 bytes / Downloads: 2)
Reply
#3
(04-11-2022, 10:41 AM)monyanus Wrote: Yep, had the same issue. Problem is that you cannot pipe the results in a combinator attack. You can only pipe them into a single brute force attack. See my post and answer here:
https://hashcat.net/forum/thread-10680.html

One solution I can think of, would be to first run a combinator attack, with a left rule that you prepend some special character, then pipe that result (word1^word2) into a brute force attack with a rule file that tries to replace this special anchor character "^" with 00,01, etc.
The below is one way to go about it, it works.

Step 1), run a combinator attack, with a rule that works on the left side to append character "^"

Run .\hashcat.exe -a1 --stdout wordslist1.txt wordslist2.txt -j $^

Step 2), pipe the output into a brute force attack (attack mode 0), with a special rule to replace all occurrences of "^" with two digits. If you have this character in your word lists, make sure to replace "^" with another character in the rule file.

Example of such a rule replace_anchor_with_dd.rule
s^01
s^$02
s^$03
... (continue this password up to 100), I added it to this post

In general, I think it would be great if there would be support for piping into a combinator attack. It should not be hard to implement this at all. Just like you now have -j and -k to indicate on which side a rule should be implemented, maybe we could use -l -m to indicate on which side piped input needs to be placed.
Just my 2 cents.

feel free to open a github issue for this idea (new feature)
Reply
#4
Thank you for the tips. I agree piping would be a simple fix. I first tried this and then realized, reading the util docs, that piping into the util is not allowed. Similarly, I am assuming the reason you can't apply rules (file) to a combinator attack is overhead. For that same reason it isn't practical to prepare one list beforehand. A 7-word list becomes 7000 after appending 3 digits * 7 again for the second list. Now using a more thorough list of say 10,000 words, my little quad core is hot enough to fry an egg :) before it finally shuts down. (Old laptop heat sensors are tricky for hashcat throttling.)

I'll give the replace a try
Thanks again.
Reply
#5
Well here is what I have tried and it seems that the rule is the hang up here.

hashcat --stdout -a 1 outeng.txt outeng.txt -j $^ | hashcat -m 0 -a 0 -r replacecarret.rule testhash.tst

After the pipe I get the desired output word^word.

I am using the mask processor to create the rule to add the 3 digits, but it mangles the results upon running

mp64 -o replacement.rule 's^ $?d $?d $?d'

With the spaces between functions it leaves a space between the words and adds the digits at the end.
result: word word123

If I run the mp without spaces it fails. At this point I can see my only option is to create the rule more directly, as in your attachment.
s^$123
s^$124 etc.... Am I missing something?
Reply
#6
(04-11-2022, 07:09 PM)kcrowder69 Wrote: Well here is what I have tried and it seems that the rule is the hang up here.

hashcat --stdout -a 1 outeng.txt outeng.txt -j $^ | hashcat -m 0 -a 0 -r replacecarret.rule testhash.tst

After the pipe I get the desired output word^word.

I am using the mask processor to create the rule to add the 3 digits, but it mangles the results upon running

mp64 -o replacement.rule 's^ $?d $?d $?d'

With the spaces between functions it leaves a space between the words and adds the digits at the end.
result: word word123

If I run the mp without spaces it fails. At this point I can see my only option is to create the rule more directly, as in your attachment.
s^$123
s^$124 etc.... Am I missing something?

The mask suggested did not work either. Skipping invalid rule etc.....
rule used s^$123
Reply
#7
To add to this mystery the error that is printed changes on the same line every time I run the command. I have deleted and re-created the rule file several times with no change.


Skipping invalid or unsupported rule in file replacecarret.rule on line 642: s^$641
Skipping invalid or unsupported rule in file replacecarret.rule on line 643: s^$642
Skipping invalid or unsupported rule in file replacecarret.rule on line 644: s^$643
Cannot convert rule for use on OpenCL device in file replacecarret.rule on line 645: s^$644
Skipping invalid or unsupported rule in file replacecarret.rule on line 646: s^$645
Cannot convert rule for use on OpenCL device in file replacecarret.rule on line 647: s^$646
Skipping invalid or unsupported rule in file replacecarret.rule on line 648: s^$647
Skipping invalid or unsupported rule in file replacecarret.rule on line 649: s^$648
Skipping invalid or unsupported rule in file replacecarret.rule on line 650: s^$649
Skipping invalid or unsupported rule in file replacecarret.rule on line 651: s^$650
Skipping invalid or unsupported rule in file replacecarret.rule on line 652: s^$651
Skipping invalid or unsupported rule in file replacecarret.rule on line 653: s^$652
Skipping invalid or unsupported rule in file replacecarret.rule on line 654: s^$653
Skipping invalid or unsupported rule in file replacecarret.rule on line 655: s^$654
Skipping invalid or unsupported rule in file replacecarret.rule on line 656: s^$655
Skipping invalid or unsupported rule in file replacecarret.rule on line 657: s^$656
Skipping invalid or unsupported rule in file replacecarret.rule on line 658: s^$657
Skipping invalid or unsupported rule in file replacecarret.rule on line 659: s^$658
Skipping invalid or unsupported rule in file replacecarret.rule on line 660: s^$659
Skipping invalid or unsupported rule in file replacecarret.rule on line 661: s^$660
Skipping invalid or unsupported rule in file replacecarret.rule on line 662: s^$661
Skipping invalid or unsupported rule in file replacecarret.rule on line 663: s^$662
Skipping invalid or unsupported rule in file replacecarret.rule on line 664: s^$663
Cannot convert rule for use on OpenCL device in file replacecarret.rule on line 665: s^$664
Skipping invalid or unsupported rule in file replacecarret.rule on line 666: s^$665
Cannot convert rule for use on OpenCL device in file replacecarret.rule on line 667: s^$666
Skipping invalid or unsupported rule in file replacecarret.rule on line 668: s^$667
Skipping invalid or unsupported rule in file replacecarret.rule on line 669: s^$668
Skipping invalid or unsupported rule in file replacecarret.rule on line 670: s^$669
Skipping invalid or unsupported rule in file replacecarret.rule on line 671: s^$670
Skipping invalid or unsupported rule in file replacecarret.rule on line 672: s^$671
Skipping invalid or unsupported rule in file replacecarret.rule on line 673: s^$672
Skipping invalid or unsupported rule in file replacecarret.rule on line 674: s^$673
Reply
#8
With much trial and error I have been able to achieve what was needed for the target: word123word.

Thanks go to monyanus for pointing me in the right direction.

Finding of note is that the replacement function is only for a single character.
You cannot replace one character with more than one.

The rule that I had to use in the maskprocessor is: mp64 -o replacecarret.rule 's^?ds&?ds%?d'

I had to add 3 different placeholders for each digit I wanted to add as the replace function will replace ALL instances of the character.  Here is the full command line used.

savaho@Atlantis:~/hash$ /usr/bin/hashcat --stdout -a 1 wordlist2.txt wordlist2.txt -j '$^$&$%' | hashcat -m 0 -a 0 -r replacecarret.rule testhash.tst
Reply
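The rule behaviour worked out in posts #5 to #8, as an added example that is not part of the original thread and not hashcat's code: a simplified Python model of the `$X`, `^X` and `sXY` rule functions, run on constructed sample words. Treating `4` and `6` as hashcat's append-memory and prepend-memory functions (accepted by the CPU parser, not convertible for the GPU rule engine) is this model's assumption; it is consistent with the two different messages in the log in #7.

```python
# Simplified model of a few hashcat rule functions (added example, not hashcat code).
ARGS = {"$": 1, "^": 1, "s": 2}   # function -> number of single-character arguments
MEMORY_ONLY = {"4", "6"}          # assumption: append/prepend memory, CPU engine only

def parse(rule):
    """Return (status, ops) where status is 'ok', 'cpu-only' or 'invalid'."""
    ops, i, status = [], 0, "ok"
    while i < len(rule):
        fn = rule[i]
        if fn == " ":                          # a space between functions is skipped
            i += 1
        elif fn in ARGS and i + ARGS[fn] < len(rule):
            ops.append((fn, rule[i + 1:i + 1 + ARGS[fn]]))
            i += 1 + ARGS[fn]
        elif fn in MEMORY_ONLY:
            status, i = "cpu-only", i + 1
        else:                                  # e.g. the bare '1' left over in s^$123
            return "invalid", []
    return status, ops

def apply(ops, word):
    for fn, arg in ops:
        if fn == "$":
            word += arg                        # append one character
        elif fn == "^":
            word = arg + word                  # prepend one character
        else:                                  # sXY: every X becomes exactly one Y
            word = word.replace(arg[0], arg[1])
    return word

def run(rule, word):
    status, ops = parse(rule)
    return status, (apply(ops, word) if status == "ok" else None)

def candidate(left, right, j_rule, rule):
    """Combinator output with a left-side rule (-j), then one line of the -r file."""
    return run(rule, apply(parse(j_rule)[1], left) + right)

if __name__ == "__main__":
    # Constructed sample inputs, mirroring the rules quoted in the thread.
    print(run("s^ $1 $2 $3", "word^word"))     # the space is consumed as Y of sXY
    for r in ("s^$123", "s^$641", "s^$644"):
        print(r, parse(r)[0])
    print(candidate("word", "word", "$^$&$%", "s^1s&2s%3"))
    print(candidate("a^b", "c", "$^$&$%", "s^1s&2s%3"))   # placeholder already in word
```

The last call shows the caveat from post #2: a placeholder character that already occurs in a wordlist entry is replaced as well.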
#9
Quote: feel free to open a github issue for this idea (new feature)

Github issue opened:
https://github.com/hashcat/hashcat/issues/3257

@kcrowder69 Good job figuring that out. Sorry, I did not test the rule, I never used the replacement rule yet, so I assumed it allowed for multiple characters. Maybe another feature request, inserting and replace multiple characters tryings with 'abc' with quotes around them. I am on a roll with feature requests, now only we need people to implement them ;)
Hashcat can be a bit inflexible sometimes, I guess these are limitations that have
Reply
#10
Quote:Github issue opened:
https://github.com/hashcat/hashcat/issues/3257

@kcrowder69 Good job figuring that out. Sorry, I did not test the rule, I never used the replacement rule yet, so I assumed it allowed for multiple characters. Maybe another feature request, inserting and replace multiple characters tryings with 'abc' with quotes around them. I am on a roll with feature requests, now only we need people to implement them ;)
Hashcat can be a bit inflexible sometimes, I guess these are limitations that have

I'm sure it's just a documentation oversight, all the wordlist manipulation tools seem to deal with a char, word or entire list. I'm sure I could have managed to figure out regex/sed to do it but I'd rather have a tooth pulled than dealing with that. :)
Now my chore is speeding it up. The lists grow exponentially with 2 lists and 1000 rules and after about 10 minutes it drops from 1700 H/s to 550.. :( I've added the workload switch -w 3 and it doesn't seem to make a diff. Tried making bigger lists or split lists. Just cracking one WPA hash.. lists are even limited to len 4-6. Currently 3 pipes: combo lists, run rule against it, then into the attack pipe. Any ideas on streamlining it would be appreciated. FYI this is an old Dell quad core 2.35 GHz so I may just have to live with it.
Reply