hashcat Forum
Hashcat rules handling (native *.rule files) added to JtR - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Misc (https://hashcat.net/forum/forum-15.html)
+--- Forum: General Talk (https://hashcat.net/forum/forum-33.html)
+--- Thread: Hashcat rules handling (native *.rule files) added to JtR (/thread-5401.html)



Hashcat rules handling (native *.rule files) added to JtR - JimF - 04-17-2016

JtR (bleeding-jumbo), can now handle the native hashcat .rules files.  There is also a document added to the john package, listing the syntax needed to be added to make it work (mostly to work around escape character requirements for some rules in john, due to the pre-processor).

The addition of these rules has shown a few differences between the tools.  The differences are on 'edge' conditions.  The notable rules are i x and O.

hashcat logic is to leave word alone, unless the letter (or full range of letters) are within the word.

john logic is to do 'best case' mangling, where if any of the range is in the word, then that is done, and for the 'i', if the insert is past end of word, it is treated as a $

The way I have implemented rules in 'hashcat logic' mode, I get the same results from john as from hashcat.  But it may be nice to have both tools producing the same candidate stream from the same input words and rule set.


RE: Hashcat rules handling (native files) added to JtR - JimF - 04-17-2016

One additional rule was added (to john).  That is eC  (and e?C for a class in john).  hashcat has the E command for title-casing.  The e is an extension of that, where any character (or class of characters in john), can be used as the separator for words.

so JOHN.DOE with e. rule would be John.Doe   Pretty useful since many companies have gone to a firstname.lastname user id scheme.


RE: Hashcat rules handling (native files) added to JtR - JimF - 04-17-2016

Upon further checking, there is also an 'edge' condition difference in the 'X' command, when the range goes past the end of the memorized word (but starts within the memorized word).