+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Support (https://hashcat.net/forum/forum-3.html)
+--- Forum: hashcat (https://hashcat.net/forum/forum-45.html)
+--- Thread: Looking to write a rule to replace digits (/thread-9463.html)
Looking to write a rule to replace digits - pand0ra - 08-21-2020
As we all know, people are lazy and predictable when it comes to passwords. I'm writing a rule to replace all digits in a password with every possible combination of other digits and the rule has to be able to identify digits in any location. For example:
Users old password: "Password123" or "My123Password"
I'm looking to get hashcat to create permutations on that so that 123 would be 000-999. I've started on a rule and am looking for guidance on this. What I have currently, I'm not sure will work or not.
Rule:
s10
s12
s13
s14
s15
s16
s17
s18
s19
s21
s23
s24
s25
s26
...
s01
s02
s03
s04
s05
s06
s07
...
RE: Looking to write a rule to replace digits - royce - 08-21-2020
Only one way to find out.
RE: Looking to write a rule to replace digits - pand0ra - 08-21-2020
(08-21-2020, 07:09 AM)royce Wrote: Only one way to find out.
I did and it didn't work. Any helpful comments?
RE: Looking to write a rule to replace digits - philsmd - 08-21-2020
Code:
hashcat --stdout -a 3 -o dict.txt Password?d?d?d
hashcat --stdout -a 3 -o dict.txt My?d?d?dPassword
hashcat -m 14800 -a 0 -w 3 hash.txt dict.txtRE: Looking to write a rule to replace digits - royce - 08-21-2020
I think they're trying to replace digits in place, without having to know the text before and after in advance.
RE: Looking to write a rule to replace digits - pand0ra - 08-21-2020
(08-21-2020, 10:08 PM)philsmd Wrote:Code:hashcat --stdout -a 3 -o dict.txt Password?d?d?d
hashcat --stdout -a 3 -o dict.txt My?d?d?dPassword
hashcat -m 14800 -a 0 -w 3 hash.txt dict.txt
Ya, that isn't quite the goal. I'm trying to create a rule file that can identify digits and go through all combinations of digits.
RE: Looking to write a rule to replace digits - philsmd - 08-22-2020
I don't think it's practical, you would need to combine rules with each and every combination (10x -r multi-rule replaces within the command, rule-chaining, to change mutliple digits at the same time).
Let's say you have one rule that leaves the digit as is (: rule) and then for every digit (0-9) you replace them with another digit (10 * 9 replaces, because you don't need for instance "s00"), you get 1 + 90 = 91 replaces to just replace one unique digit in a password, but the password could also contain 0123456789, so you need to almost combine it with each and every other combination to make out all the 10 different digits replaced in the same password (almost 91 ^ 10), approximated : 91 * 90 * 89 * 88 * 87 * 86 * 85 * 84 * 83 * 82 = 23321927500622150400 combinations of replace (sxy) rules. That's not very practical if you want to do it that way.
It would make sense that you also mention the hash type, to make sure a good/clever strategy is feasible here.
You could for instance try to do the same as mentioned above (similar strategy, but not using a large dict file), but with a .hcmask file (no rules, but mask attack):
Code:
sed 's/[0-9]/?d/g' dict.txt > my.hcmasksed here replaces every digits, with a ?d built-in charset and creates a mask. I would even filter it like this to make sure you do not run meaningless masks:
Code:
grep '[0-9]' dict.txt | sed 's/[0-9]/?d/g' > my.hcmaskthis could produce several identical masks, so you should sort and unique these lines:
Code:
grep '[0-9]' dict.txt | sed 's/[0-9]/?d/g' | sort -u > my.hcmasknow you either could run it like this:
Code:
hashcat -m 18400 -a 3 -w 3 hash.txt my.hcmaskor filter and optimize it again, e.g. every masks that only ends or starts with at least one ?d, you could replace that with a -a 6 or -a 7 attack:
Code:
grep '^?d' my.hcmask | grep -v '[^?][^d]?d' | sed 's/?d//g' | sort -u > prepend_d_dict.txtCode:
grep '?d$' my.hcmask | grep -v '?d[^?][^d]' | sed 's/?d//g' | sort -u > append_d_dict.txtof course you could then eliminate these -a 6 and -a 7 compatible "masks" from the my.hcmask file and only leave the ones that replace something in the middle or on both sides/ends:
Code:
grep '^?d' my.hcmask | grep '[^?][^d]?d' > my_mod.hcmaskCode:
grep '?d$' my.hcmask | grep '?d[^?][^d]' >> my_mod.hcmaskCode:
grep -v '^?d' my.hcmask | grep -v '?d$' >> my_mod.hcmaskand uniq it:
Code:
sort -u my_mod.hcmask -o my_mod.hcmaskThere are probably many more optimizations possible, but the -a 6 and -a 7 optimization seems to me the most important one (it doesn't mean that the speed will be much faster or you are guaranteed to complete the job much sooner, especially if you need to use it, as mentioned above, with -i length increment etc).
RE: Looking to write a rule to replace digits - pand0ra - 08-22-2020
(08-22-2020, 10:11 AM)philsmd Wrote: I don't think it's practical, you would need to combine rules with each and every combination (10x -r multi-rule replaces within the command, rule-chaining, to change mutliple digits at the same time).
Let's say you have one rule that leaves the digit as is (: rule) and then for every digit (0-9) you replace them with another digit (10 * 9 replaces, because you don't need for instance "s00"), you get 1 + 90 = 91 replaces to just replace one unique digit in a password, but the password could also contain 0123456789, so you need to almost combine it with each and every other combination to make out all the 10 different digits replaced in the same password (almost 91 ^ 10), approximated : 91 * 90 * 89 * 88 * 87 * 86 * 85 * 84 * 83 * 82 = 23321927500622150400 combinations of replace (sxy) rules. That's not very practical if you want to do it that way.
It would make sense that you also mention the hash type, to make sure a good/clever strategy is feasible here.
You could for instance try to do the same as mentioned above (similar strategy, but not using a large dict file), but with a .hcmask file (no rules, but mask attack):
Code:sed 's/[0-9]/?d/g' dict.txt > my.hcmask
sed here replaces every digits, with a ?d built-in charset and creates a mask. I would even filter it like this to make sure you do not run meaningless masks:
Code:grep '[0-9]' dict.txt | sed 's/[0-9]/?d/g' > my.hcmask
this could produce several identical masks, so you should sort and unique these lines:
Code:grep '[0-9]' dict.txt | sed 's/[0-9]/?d/g' | sort -u > my.hcmask
now you either could run it like this:
Code:hashcat -m 18400 -a 3 -w 3 hash.txt my.hcmask
or filter and optimize it again, e.g. every masks that only ends or starts with at least one ?d, you could replace that with a -a 6 or -a 7 attack:
run this dict with -a 7 -i hash.txt ?d?d?d?d?d prepend_d_dict.txtCode:grep '^?d' my.hcmask | grep -v '[^?][^d]?d' | sed 's/?d//g' | sort -u > prepend_d_dict.txt
run this dict with -a 6 -i hash.txt append_d_dict.txt ?d?d?d?d?dCode:grep '?d$' my.hcmask | grep -v '?d[^?][^d]' | sed 's/?d//g' | sort -u > append_d_dict.txt
of course you could then eliminate these -a 6 and -a 7 compatible "masks" from the my.hcmask file and only leave the ones that replace something in the middle or on both sides/ends:
Code:grep '^?d' my.hcmask | grep '[^?][^d]?d' > my_mod.hcmask
Code:grep '?d$' my.hcmask | grep '?d[^?][^d]' >> my_mod.hcmask
Code:grep -v '^?d' my.hcmask | grep -v '?d$' >> my_mod.hcmask
and uniq it:
Code:sort -u my_mod.hcmask -o my_mod.hcmask
There are probably many more optimizations possible, but the -a 6 and -a 7 optimization seems to me the most important one (it doesn't mean that the speed will be much faster or you are guaranteed to complete the job much sooner, especially if you need to use it, as mentioned above, with -i length increment etc).
That is an interesting alternative. I'll keep that in mind and I may resort to that in the end if I can't find a way to get a rule to do this. I really don't want to have to keep going back to the cracked file to create a new wordlist if I can help it. Thank you.