(08-22-2020, 10:11 AM)philsmd Wrote: I don't think it's practical, you would need to combine rules with each and every combination (10x -r multi-rule replaces within the command, rule-chaining, to change multiple digits at the same time).
Let's say you have one rule that leaves the digit as is (: rule) and then for every digit (0-9) you replace them with another digit (10 * 9 replaces, because you don't need for instance "s00"), you get 1 + 90 = 91 replaces to just replace one unique digit in a password, but the password could also contain 0123456789, so you need to almost combine it with each and every other combination to make out all the 10 different digits replaced in the same password (almost 91 ^ 10), approximated: 91 * 90 * 89 * 88 * 87 * 86 * 85 * 84 * 83 * 82 = 23321927500622150400 combinations of replace (sxy) rules. That's not very practical if you want to do it that way.
It would make sense that you also mention the hash type, to make sure a good/clever strategy is feasible here.
You could for instance try to do the same as mentioned above (similar strategy, but not using a large dict file), but with a .hcmask file (no rules, but mask attack):
Code:sed 's/[0-9]/?d/g' dict.txt > my.hcmask
sed here replaces every digit with a ?d built-in charset and creates a mask. I would even filter it like this to make sure you do not run meaningless masks:
Code:grep '[0-9]' dict.txt | sed 's/[0-9]/?d/g' > my.hcmask
this could produce several identical masks, so you should sort and unique these lines:
Code:grep '[0-9]' dict.txt | sed 's/[0-9]/?d/g' | sort -u > my.hcmask
now you either could run it like this:
Code:hashcat -m 18400 -a 3 -w 3 hash.txt my.hcmask
or filter and optimize it again, e.g. every mask that only ends or starts with at least one ?d, you could replace that with a -a 6 or -a 7 attack:
run this dict with -a 7 -i hash.txt ?d?d?d?d?d prepend_d_dict.txt
Code:grep '^?d' my.hcmask | grep -v '[^?][^d]?d' | sed 's/?d//g' | sort -u > prepend_d_dict.txt
run this dict with -a 6 -i hash.txt append_d_dict.txt ?d?d?d?d?d
Code:grep '?d$' my.hcmask | grep -v '?d[^?][^d]' | sed 's/?d//g' | sort -u > append_d_dict.txt
of course you could then eliminate these -a 6 and -a 7 compatible "masks" from the my.hcmask file and only leave the ones that replace something in the middle or on both sides/ends:
Code:grep '^?d' my.hcmask | grep '[^?][^d]?d' > my_mod.hcmask
Code:grep '?d$' my.hcmask | grep '?d[^?][^d]' >> my_mod.hcmask
Code:grep -v '^?d' my.hcmask | grep -v '?d$' >> my_mod.hcmask
and uniq it:
Code:sort -u my_mod.hcmask -o my_mod.hcmask
There are probably many more optimizations possible, but the -a 6 and -a 7 optimization seems to me the most important one (it doesn't mean that the speed will be much faster or you are guaranteed to complete the job much sooner, especially if you need to use it, as mentioned above, with -i length increment etc).
That is an interesting alternative. I'll keep that in mind and I may resort to that in the end if I can't find a way to get a rule to do this. I really don't want to have to keep going back to the cracked file to create a new wordlist if I can help it. Thank you.
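The dictionary/mask split described in the quoted post, as an added example that is not part of the thread: it classifies the original words rather than the generated masks, so a literal `d`, `?` or `,` inside a word cannot be mistaken for mask syntax, and it escapes `?` as `??` and `,` as `\,` before writing masks. The function names and the sample wordlist are constructed for illustration.

```shell
#!/bin/sh
# Added example: split a wordlist into the three buckets from the post
# (-a 6 base words, -a 7 base words, -a 3 masks). Each function reads
# words on stdin and writes one unique entry per line on stdout.

# Digits only at the end -> base words for "-a 6 dict mask".
append_dict() {
  grep -E '^[^0-9]+[0-9]+$' | sed -E 's/[0-9]+$//' | LC_ALL=C sort -u
}

# Digits only at the start -> base words for "-a 7 mask dict".
prepend_dict() {
  grep -E '^[0-9]+[^0-9]+$' | sed -E 's/^[0-9]+//' | LC_ALL=C sort -u
}

# Every other word containing a digit (digits in the middle, on both
# ends, or digits only) -> masks for "-a 3".
# Escape first: a literal ? becomes ??, a literal , becomes \, so the
# .hcmask parser does not read them as charset or field syntax.
middle_masks() {
  grep '[0-9]' \
    | grep -Ev '^[^0-9]+[0-9]+$' \
    | grep -Ev '^[0-9]+[^0-9]+$' \
    | sed -e 's/?/??/g' -e 's/,/\\,/g' -e 's/[0-9]/?d/g' \
    | LC_ALL=C sort -u
}

# Constructed sample wordlist (not taken from the thread).
sample_words() {
  cat <<'EOF'
summer2019
summer2020
1d2
99balloons
pass1word
why?7,ok
nodigits
4321
EOF
}

# Typical use (dict.txt as in the post):
#   append_dict  < dict.txt > append_d_dict.txt
#   prepend_dict < dict.txt > prepend_d_dict.txt
#   middle_masks < dict.txt > my_mod.hcmask
```
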