Rule-based Attack: Substitution of single chars with strings
#1
Hey guys,

I stumbled upon this problem looking at a MySQL db record of a forum software which had a faulty implementation of passing passwords during the register process.

It turned out that every password containing one or more special characters (like !, &, < and >) was encoded into its HTML-entity counterpart.

! turned to #&33;
& turned to #&amp;

Weird stuff but I finally realized this happened when passing the passwords into the db.

Now my question:
Regarding the different attack modes I had to use workarounds to deal with this encoding, like appending $#$&$3$3$; to a wordlist. But I need this to be a little simpler for things like character injection into passwords of a wordlist. I thought of using the char-substitution rule like

s!#&33;

but this is not a valid rule. I solved this by preparing my wordlists with 'sed' before using them, but this is still not very flexible.

Is there a way to tell hashcat to substitute the single characters with the whole 5-or-more-char-strings?
#2
As far as I know, if you want to stick with rules, you would probably need at least 2 different types of rules.

One idea is to purge all "!" characters with the purge rule and insert the multi-byte string with a couple of insert rules, like this:
Code:
@! i0# i1& i23 i33 i4;
@! i1# i2& i33 i43 i5;
@! i2# i3& i43 i53 i6;
#...
@! iU# iV& iW3 iX3 iY;
@! iV# iW& iX3 iY3 iZ;

#...
# repeat with next symbol and/or combinations of multiple symbols

These rule files can be easily generated with a simple script (you only need to know that the offsets for the insert rules are 0123456789ABCDEF...XYZ). The only problem with this approach is that the rule file could get very large if you combine purges and inserts of multiple strings (and even allow combinations of the same inserted string in multiple places within the password).

You could for instance just generate all rules for each and every symbol within separate .rule files (like the example above but of course with the complete set of rules, no "..."; the example was for the character "!") and use rule stacking to do the combinations (even with the same rule files): https://hashcat.net/wiki/rule_based_attack#multi-rules
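A script of the kind the reply describes, as an added example that is not from the thread or from hashcat itself: it emits the 32 purge-plus-insert rules for one character and checks them against a small stand-in for the rule engine. The output file name entity_bang.rule and the sample word pass!word are made up for the example.

```python
# Added example, not from the thread: build the purge + insert rule file
# sketched above and sanity-check it with a tiny rule interpreter.
POSITIONS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # hashcat insert offsets 0..35


def generate_rules(char, replacement):
    """One rule per start offset: purge every `char`, then insert
    `replacement` byte by byte from that offset onwards."""
    rules = []
    for start in range(len(POSITIONS) - len(replacement) + 1):
        inserts = " ".join(
            f"i{POSITIONS[start + k]}{c}" for k, c in enumerate(replacement)
        )
        rules.append(f"@{char} {inserts}")
    return rules


def apply_rule(rule, word):
    """Minimal interpreter for the two functions the rules use: @X (purge
    all X) and iNX (insert X at offset N). An offset past the end of the
    word yields no candidate (None); this is a simplification, not an
    exact model of hashcat's engine."""
    for op in rule.split():
        if op[0] == "@":
            word = word.replace(op[1], "")
        elif op[0] == "i":
            pos = POSITIONS.index(op[1])
            if pos > len(word):
                return None
            word = word[:pos] + op[2] + word[pos:]
        else:
            raise ValueError(f"unsupported rule function: {op}")
    return word


def candidates(word, rules):
    """Every candidate the rule set produces from one wordlist entry."""
    return [c for c in (apply_rule(r, word) for r in rules) if c is not None]


if __name__ == "__main__":
    rules = generate_rules("!", "#&33;")
    with open("entity_bang.rule", "w") as fh:  # use with -r entity_bang.rule
        fh.write("\n".join(rules) + "\n")
    # The encoded form of "pass!word" stored by the faulty forum must be
    # among the candidates generated from the plain wordlist entry.
    print("pass#&33;word" in candidates("pass!word", rules))
```

Stacking two such files with a second -r gives the combinations the reply mentions; the candidate count grows with the product of the two rule counts.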
#3
Nice approach overall, will definitely try this by generating some rules files for the few chars which were saved as html-entities.

I'm not really sure the rule-stacking with combined insert-rules will get me some "valid" password candidates but I'll give it a try and comment on it later, thanks a lot!

While writing this I wondered if it is possible to hand the multi-byte strings as some kind of "single char" as a custom charset to hashcat. This would also allow using them in mode -a 3, which has not been mentioned yet.
#4
Problems like this are why I miss the original Table Attack.
#5
If you want to use some static string like "#&33;" within a mask, you just need to put it there for instance like this (file mask_file.hcmask):
Code:
?l?u?d,?1?1?1?1?1#&33;
?l?u?d,?1?1?1?1#&33;?1
?l?u?d,?1?1?1#&33;?1?1
?l?u?d,?1?1#&33;?1?1?1
...

but as you might know, it is not always clever to use a long constant string within the masks (it is especially bad for speed whenever it is at the beginning of the mask)... but you can test it anyway and see.

Note: the custom charset including ?l?u?d (lower, upper, digits) and the mask length are just an example (you might need to change them depending on your situation).