rules attack
#1
Good morning. I have a SHA-256 hash that matches a word from the RockYou dictionary, with changes o-0, i-1, b-6, and the first letter of the word can be a capital letter. I used some rules like so0, si1, sb6 without success. Also I have a problem like "Skipping invalid or unsupported rule in file rgl.rule on line 1: ta tc td te tf tg th tj tk tl tm tn tp tq tr ts tt tu tv tw tx ty tz". Can you help me?
Reply
#2
Try to use --stdout to see what the single rules do (hashcat --stdout -a 0 -r test.rule dict.txt)

also see: https://hashcat.net/wiki/doku.php?id=rule_based_attack


for instance the rule "t" (lowercase t) doesn't have any parameter, it's just "toggle all"
Reply
#3
The hash is 6986ed8aef8261654ec4958b3e3543f0785bb394e89c52892d70b3cf6ea6f78a
in SHA-256, and the changes are: o-0, b-6, i-1, and the first letter of the word can be uppercase. If you can help me find the password, I'll be glad.
Reply
#4
It's not allowed to post hashes here, read the forum rules.

You didn't even mention the password and therefore nobody can verify what you are claiming is correct about these "rules".
Without the exact details about how this hash was generated and what the password is, we can't really help (nobody will be willing to waste their time just running a hash that might even be uncrackable; it could be some very strange or hard to crack password like B10shock, ..., because it could be not correctly generated or matching a completely different pattern/plain).
Reply
#5
philsmd, I said the pass is a word of rockyou
Reply
#6
(04-02-2020, 05:06 PM)test_kali Wrote: Good morning. I have a SHA-256 hash that matches a word from the RockYou dictionary, with changes o-0, i-1, b-6, and the first letter of the word can be a capital letter. I used some rules like so0, si1, sb6 without success. Also I have a problem like "Skipping invalid or unsupported rule in file rgl.rule on line 1: ta tc td te tf tg th tj tk tl tm tn tp tq tr ts tt tu tv tw tx ty tz". Can you help me?

T0 will toggle caps for first letter I think. so0 does a global search and replace on o and replaces with 0. I wrote some (really bad) python code to do one at a time, which you'd need to adapt if you use it: https://github.com/blacktraffic/hashcrac...leetify.py

However, you could create a rule file R1 with just "T0" in it, and R2 with just
so0
si1
sb6
in and try them both:

hashcat64.exe <blah> rockyou.txt -r R1 -r R2

If that doesn't work, you could add
T0
c
to R1, as 'c' does: capitalize the first letter and lower the rest
Reply
#7
The main problem here should be very clear.

Let's assume we have a dictionary called rockyou.txt and it contains the word "bioshock" (without quotes):
Code:
$ grep '^bioshock$' rockyou.txt
bioshock

but we want to mangle the dict rockyou.txt such that it produces the password candidate "B10shock" (without quotes) to match the above hash...

Now we have the problem that the rule
Code:
so0

replaces all the o's with 0's so we get bi0sh0ck (the "shock" with the letter "o" is not there anymore).

This is indeed not possible with the "replace all" rules (that should be quite logical).

Therefore, you would need to perform things on the N'th instance, like mentioned here: https://hashcat.net/wiki/doku.php?id=rul...onal_rules

The problem with the "p" rule is that it only works with -j and -k


I think it's probably easier to just come up with a different rule that works with the GPU based rule-engine.

E.g. using rules like prefixing "B10" to "shock" with the prepend character rule "^". Or using a different attack mode altogether like using -a 7 with a prepended mask etc.

At the end, I also very easily cracked the hash with a rule file (see above), but it was definitely a different rule than just a "replace all instances of x" (sxy) rule.

That's an important thing that you need to learn when dealing with such advanced attack types (like rule based attacks etc)... they do whatever you tell them to do. If you say replace all "o" with "0" they will do that and generate (according to you) the "wrong" password, but it's not really incorrect... the rule just did its job. Indeed, very correctly and efficiently.
Reply
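To make the "replace all" point from post #7 (and the "ta tc ..." parse error from post #1) concrete, here is an added example that is not from the thread and not hashcat's own code: a toy Python interpreter for a handful of hashcat rule functions (`:`, `c`, `t`, `TN`, `sXY`, `^X`, `$X`, `oNX`), assuming the semantics documented in the hashcat wiki linked above. The target hash it cracks is constructed in the test from "B10shock", not taken from the thread.

```python
import hashlib
# Added example, not hashcat's code. Function char -> number of parameter chars it consumes:
# 't' takes none, so "ta tc" parses as 't' then unknown 'a', the reason hashcat skips that line.
ARITY = {":": 0, "c": 0, "t": 0, "T": 1, "s": 2, "^": 1, "$": 1, "o": 2}

def parse_rule(line):
    """Split one rule line into (function, params) tuples; spaces only separate functions."""
    ops, i = [], 0
    while i < len(line):
        ch = line[i]
        if ch == " ":
            i += 1
            continue
        if ch not in ARITY:
            raise ValueError(f"invalid or unsupported rule function {ch!r} in {line!r}")
        n = ARITY[ch]
        ops.append((ch, line[i + 1:i + 1 + n]))
        i += 1 + n
    return ops

def pos(p):
    """Position parameter: '0'-'9', then 'A'-'Z' for 10-35, as in hashcat."""
    return int(p) if p.isdigit() else ord(p) - ord("A") + 10

def apply_rule(word, line):
    """Apply one rule line to one word (out-of-range positions are a no-op here)."""
    w = word
    for fn, arg in parse_rule(line):
        if fn == "c": w = w[:1].upper() + w[1:].lower()
        elif fn == "t": w = w.swapcase()
        elif fn == "T" and pos(arg) < len(w):           # toggle case at position N
            n = pos(arg); w = w[:n] + w[n].swapcase() + w[n + 1:]
        elif fn == "s": w = w.replace(arg[0], arg[1])   # sXY replaces ALL instances of X
        elif fn == "^": w = arg + w                     # prepend one character
        elif fn == "$": w = w + arg                     # append one character
        elif fn == "o" and pos(arg[0]) < len(w):        # overwrite the character at N
            n = pos(arg[0]); w = w[:n] + arg[1] + w[n + 1:]
    return w

def sha256_hex(s):
    return hashlib.sha256(s.encode()).hexdigest()

def crack(target_hex, words, rules):
    """Emulate -a 0 -m 1400 -r: return (word, rule, candidate) for the first SHA-256 hit."""
    for word in words:
        for rule in rules:
            cand = apply_rule(word, rule)
            if sha256_hex(cand) == target_hex:
                return word, rule, cand
    return None
```

Compare its output with `hashcat --stdout -a 0 -r` on the same inputs; the one deliberate simplification is that out-of-range positions are no-ops here, where hashcat rejects the candidate.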
#8
This worked for me, which is doing the l33tification in python - and just the capitalisation from best64.rule I guess. 

Code:
$ python3 scripts/leetify.py /root/dict/rockyou.txt | ./hashcat64.bin -a0 -m 1400 /tmp/ng2tg6qt.hash.tmp -r /root/hashcrack/rules/best64.rule  --loopback -O -w4  --session hc

And that's because I'm lazy and already had the code written. 

There's absolutely nothing wrong with the 's' rule of course, but when people say "swap o with 0", that's ambiguous about whether it's one, some or all of occurrences of 'o'. But I ended up with the python script because my leetification rules weren't always getting everything I thought they should be getting.
Reply