hashcat Forum
creating wordlist or not, what attack to use? - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Deprecated; Previous versions (https://hashcat.net/forum/forum-29.html)
+--- Forum: Old hashcat Support (https://hashcat.net/forum/forum-20.html)
+--- Thread: creating wordlist or not, what attack to use? (/thread-4680.html)



creating wordlist or not, what attack to use? - Difermo - 09-15-2015

Dear members,

I hope you can help me. I start to study more hashcat and hacking. The reason is personal security and i started to like cryptography (to protect my data 2).
I manage to make extremly good wordlist for my speaking area (my country). It have all names, surnames, nicknames, then date of birth, months, and all words (cases of words, nouns...)
Dictionary1 with all words have 266,034
Dictionary2 with all names, surnames and nicknames have 11,553
Dictionary3 with all months years have 740 words and,
Dictionary4 that is calendar (exp: 11031989) from 1950 to 2020 years have 46,896 words

I created python scrip to do all combination and scrypt to merge 2 dictionary with all combinations.
But if  I do all mutations of words (a=@...) and merge them all into one, then do combination with that single dictionary, the file will be huge. I'm sure that dict would be able to hack so many regular passwords. I think mutation is week since i don't have "c=(" or some others. But i can try to correct that.

So what would be best solution? Maybe I'm not aware of something.

I see there is toogle case attack, table lookup attack, combinator attack and rule based attack.
Does rule based attack cover all attacks (toogle case, table lookup and combinator)?
Or is it better (if it can be done) to merge all my dictionary (without mutation or combination) into one dictionary5 (266,034+11,553+740+46,896=325,223 words) then do table lookup attack to get dictionary 6. Then merge dictionary 5 and dictionary 6 = dictionary 7. Do toogle case attack with dictionary 7 to get dictionary 8. Then merge dict7 and dict8 = dict 9. And with that dict 9 to do combinator attack to get dict 10. Merge dict 9 and dict 10 to get final wordlist. Now that list (I think) is gona be huge huge huge file. But if i use it with rule bassed attack it can do pretty good unlock.
Now you sea what is my confusion. Should i do this or rule based attack cover all this? Is there better solution?

P.S. One more question. Can hashcat do attack and save words? For example to get mu dictionary 5 and with table lookup just to create dictionary.


RE: creating wordlist or not, what attack to use? - atom - 09-18-2015

I'd recommend you start learning how those attack-modes work. You can use --stdout to see which password candidates are generated. You can also save those outputs to file using a redirection and then reuse that result as input wordlist for your next attack. That way you should be able to combine different attack-modes as you want. But there is generally no GUI one-click solution, it's real work.