How to apply rules to combinator attack?

[Kgx Pnqvhm]

In the Press section of the Wiki, the article from ARS Technica has Rick Redman (of KoreLogic) combining the two items "sup3r" and "thinkers" from RockYou to get "Sup3rThinkers".

This must be the Combinator attack. But how did casing rules get applied?

[undeath]

i think the cpu version can apply rules to -a1

[M@LIK]

I'm not sure, but I believe It's:

Code:

-j,  --rule-left=RULE              Single rule applied to each word from left dict
-k,  --rule-right=RULE             Single rule applied to each word from right dict

Note you can only apply one rule.

[M@LIK]

CPU's hashcat apply rules to the whole candidate, not separately.

[Kgx Pnqvhm]

Did "sup3r" become "Sup3r" and "thinkers" become "Thinkers" before being combined, or did "sup3r" + "thinkers" = "sup3rthinkers" with some sort of case toggling applied to the the "s" and "t"?

A quick test found that the CPU hashcat, I can apply a rule to the resultant combination candidate, so -a 1 can have a rule via -r, also.

[M@LIK]

If you want to make "Sup3rThinkers" out of "sup3r" in dict1 and "thinkers" in dict2, you would run:

Code:

-plus ... -a1 -j u -k u ... dict1 dict2

But you can't do it that simple with CPU's hashcat since it applies rules to the resultant combination candidate as you mentioned above. You will have to use something like: T0 T5

[Kgx Pnqvhm]

I somehow thought there couldn't be two dictionaries used at once by 'plus.

So the -j u would apply to dict1 and the -k u to dict2?

(This is like the original oclHashcat, which was backported into 'plus, I see(?) But the tutorials from back then also had the stdout/debug modes where the output could be inspected.)

[M@LIK]

-plus's -a1 always works with two dicts (Right and left).
And yes, it was brought back due to a request: https://hashcat.net/forum/thread-1335.html

But careful, CPU's hashcat works with one dict at a time only when using -a1, although it accepts more than one.

[Kgx Pnqvhm]

Can someone update the Wiki for the Combinator attack to point out this difference?

[Kgx Pnqvhm]

A quick speed comparison using the word list from Cain against a group of 60 hashes, with no rules, showed that CPU hashcat would take 2 days, whlie the GPU hashcat-plus would take 26 days (for the -a 1 attacks).

If this is really the expected speed difference, one should do simple no-rule attacks in regular hashcats. Combining two dictionaries can be done by just merging them together.

Very simple rules like "u" or "c" could be done on a word list before being fed back into regular hashcat, and still be faster than GPU hashcat. (Along with the advantage of getting over 15 characters.) (So maybe that T0 T3 on the combined candidate would be faster than -j u on a left side in GPU 'plus?)

So one would use GPU hashcat for combinator attacks only if complicated rules were involved that would be impractical to do beforehand on word lists for regular hashcat?

As another comparison, I ran CPU hashcat with a rule file with just ":" to set up the script to use, but running it for a while never gave me an estimate of how long it would take. This must be some sort of bug?