Rule-based Attack
#1
I'd like to carry out a rule-based attack where the password should have:
- capitalise first character
- append from one to four digits to the end
- append a special character and from one to four digits to the end.

As regular expression I could use this pattern:


Code:
[[:upper:]][[:alpha:]]*+[[:punct:]]*+[[:digit:]]*

that grab words such as:


Code:
Palermo01
Palermo.01

To perform this search by Hashcat I tried to create a file called “myrules” that contains the following rules:
Code:
#Capitalise first character
c
#Append a digit to the end
$?d
#Append a special character and a digit to the end
$?s?d
#Add two digits to the end
$?d?d
#Append a special character and two digits to the end
$?s?d?d
#Append three digits to the end
$?d?d?d
#Append a special character and three digits to the end
$?s?d?d?d
#Append four digits to the end
$?d?d?d?d
#Append a special character and four digits to the end
$?s?d?d?d?d

But according hashcat these rules are not correct:

Code:
hashcat -m 0 Palermo-01_md5.txt rockyou.txt -r myrules --debug-mode=1 --debug-file=matched.rule
<snip>
Skipping invalid or unsupported rule in file myrules on line 8: $?d?d
Skipping invalid or unsupported rule in file myrules on line 10: $?s?d?d
Skipping invalid or unsupported rule in file myrules on line 12: $?d?d?d
Skipping invalid or unsupported rule in file myrules on line 14: $?s?d?d?d
Skipping invalid or unsupported rule in file myrules on line 16: $?d?d?d?d
Skipping invalid or unsupported rule in file myrules on line 18: $?s?d?d?d?d
<snip>
...
#2
You are mixing masks and rules here. That's not possible.
#3
Each rule creates a new candidate. You need one rule that applies all of the modifications simultaneously.
#4
(06-25-2018, 07:03 PM)undeath Wrote: You are mixing masks and rules here. That's not possible.

I created a simple dictionary with one word in it (mydictionary.txt) and these 2 rule files:
  • my_Upper-First-Prefix.rule, that contain the rule
    Code:
    c
    , which capitalizes the first letter and lower-cases the rest;
  • my_suffix_rules.rule, that was made by maskprocessor
    Code:
    mp64.exe -1 .,-_ -2 0123456789 "$?1$?2$?2$?2" -o my_suffix_rules.rule
    , which append a special character and four digits.
However, when I tested these rules, I got these results:

Code:
hashcat64.exe -r my_Upper-First-Prefix.rule my_suffix_rules.rule --stdout mydictionary.txt
clBuildProgram(): CL_BUILD_PROGRAM_FAILURE

what am I doing wrong?
#5
First, you need -r for every rule file you specify. However, the error you got seems like a opencl problem. is hashcat generally working?
#6
(06-26-2018, 07:53 PM)undeath Wrote: First, you need -r for every rule file you specify. However, the error you got seems like a opencl problem. is hashcat generally working?

I got the same error message also with two -r
Code:
>hashcat64.exe -r my_Upper-First-Prefix.rule -r my_suffix_rules.rule --stdout mydictionary.txt

clBuildProgram(): CL_BUILD_PROGRAM_FAILURE

As a rule hashcat work, even if my laptop use mainly the CPU.

Code:
>hashcat64.exe -b
hashcat (v4.1.0) starting in benchmark mode...

Benchmarking uses hand-optimized kernel code by default.
You can use it in your cracking session by setting the -O option.
Note: Using optimized kernel code limits the maximum supported password length.
To disable the optimized kernel code in benchmark mode, use the -w option.

* Device #2: Not a native Intel OpenCL runtime. Expect massive speed loss.
             You can use --force to override, but do not report related errors.
* Device #3: Intel's OpenCL runtime (GPU only) is currently broken.
             We are waiting for updated OpenCL drivers from Intel.
             You can use --force to override, but do not report related errors.
ADL_Overdrive_Caps(): -8
#7
To your original question:
"I'd like to carry out a rule-based attack where the password should have:
- capitalise first character
- append from one to four digits to the end
- append a special character and from one to four digits to the end."

Try something along the lines of:
hashcat -m<value> <hash> -a3 -1 ?d?s ?u?a?a?a?a?1?1?1?1 --increment

where you use as many ?a as you think are necessary, or if you know something about those characters, you can tighten that up with a smaller character set.
#8
mask attack/brute force should be your last resort, especially when you suspect the password is actually using a real word. Also that mask with --increment is going to try lots of invalid candidates.
#9
(06-27-2018, 05:10 PM)plaverty9 Wrote: To your original question:
"I'd like to carry out a rule-based attack where the password should have:
- capitalise first character
- append from one to four digits to the end
- append a special character and from one to four digits to the end."

Try something along the lines of:
hashcat -m<value> <hash> -a3 -1 ?d?s ?u?a?a?a?a?1?1?1?1 --increment

where you use as many ?a as you think are necessary, or if you know something about those characters, you can tighten that up with a smaller character set.


I'd like to perform a rule-based attack because I know that my target uses generally common words (e.g. italian words, that in some occasions have the first character capitalised) followed by specific suffixes (e.g. a special character and from 2 to 4 digits). For this reason I think that a brute force attak, even if based on masks, it's not the best solution.
#10
regarding your opencl problem, I have no idea what exactly is wrong but I highly suspect something with your driver is kaput.