Try all combinations in a wordlist and apply rules
#1
Hello all!

hashcat is a great tool, I have a question though that I was unable to solve myself.

I do know:
- I have a list of 60 words that probably somehow make up the password.
- Hashing algorithm: 9500 Office 2010, pretty slow
- Password length: 6-14 chars
- Combination of words: 1-4

I do not know:
- I have no idea whether any character of any word is capitalized or not.
- The order of the words is unknown.
- There might be additional numbers or special characters somewhere in the password.

Does anyone know if a rule-based attack would work? If so, can anyone give me hints on how to generate rules that check for the stuff I do not know, listed above?

Basically it should try everything with the available words (any possible combination, any possible capitalization, add numbers/special chars at will).

Thank you so much!
#2
You forgot to mention very crucial information, like what hash type you are dealing with and how long the passwords are and how many words are used and where the special characters should be inserted (between words or within words/anywhere) and ...

I think some steps can be easily done with something like -a 1 or combinator3 or even princeprocessor... but if your password candidate policies get too fancy and if you at the same time have to deal with a very slow hashing algorithm... it could make sense to use a dedicated/special password candidate generation script (purposely written for this specific scenario) and pipe its output to hashcat

Code:
perl my_special_password_generator.pl | hashcat -m 11600 -a 0 -r my_special.rules hashes.txt
#3
@philsmd

Thank you for your reply. I have edited the topic to include that additional information.

Thanks for pointing out the options. The princeprocessor looks very promising. I think I will combine that with some custom rules and it should be good to go.

Thanks!
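Added example, not part of the thread and not code from hashcat or princeprocessor: a keyspace estimate for the policy in post #1 (1-4 words, 6-14 characters), showing how much per-letter case toggling inflates the candidate count that a slow hash has to absorb. The word list and the rate are constructed placeholders, and word repetition is assumed to be allowed.

```python
from collections import Counter

# Constructed sample list; the real 60-word list is not on the page.
SAMPLE_WORDS = ["summer", "blue", "dog", "rex", "home", "2010", "anna", "x1"]


def count_candidates(words, min_words=1, max_words=4, min_len=6, max_len=14,
                     toggle_case=False):
    """Count ordered word sequences (repetition allowed, an assumption) whose
    concatenation fits the length window. With toggle_case, every letter may
    independently be upper or lower case. Different sequences can spell the
    same string, so this is the number of candidates emitted, not the number
    of distinct strings."""
    # Group words by (length, case variants) so the DP does not scale with
    # the raw list size.
    shapes = Counter()
    for w in words:
        letters = sum(c.isalpha() for c in w)
        shapes[(len(w), 2 ** letters if toggle_case else 1)] += 1

    ways = {0: 1}  # total length -> weighted count for the current word count
    total = 0
    for k in range(1, max_words + 1):
        nxt = Counter()
        for length, n in ways.items():
            for (wlen, variants), count in shapes.items():
                if length + wlen <= max_len:
                    nxt[length + wlen] += n * variants * count
        ways = nxt
        if k >= min_words:
            total += sum(n for length, n in ways.items() if length >= min_len)
    return total


def hours_to_exhaust(candidates, per_second):
    """Worst-case hours to test every candidate at a given rate."""
    return candidates / per_second / 3600


if __name__ == "__main__":
    rate = 1000.0  # constructed candidates/second, not a benchmark figure
    for toggle in (False, True):
        n = count_candidates(SAMPLE_WORDS, toggle_case=toggle)
        print(f"toggle_case={toggle}: {n} candidates, "
              f"{hours_to_exhaust(n, rate):.1f} h at {rate:.0f}/s")
```

The count grows further once inserted digits or special characters are added, which is the part of the policy this estimate leaves out.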