Looking to write a rule to replace digits
#1
As we all know, people are lazy and predictable when it comes to passwords. I'm writing a rule to replace all digits in a password with every possible combination of other digits and the rule has to be able to identify digits in any location. For example:

User's old password: "Password123" or "My123Password"

I'm looking to get hashcat to create permutations on that so that 123 would be 000-999. I've started on a rule and am looking for guidance on this. What I have currently, I'm not sure whether it will work or not.

Rule:
s10
s12
s13
s14
s15
s16
s17
s18
s19
s21
s23
s24
s25
s26
...
s01
s02
s03
s04
s05
s06
s07
...
#2
Only one way to find out.
~
#3
(08-21-2020, 07:09 AM)royce Wrote: Only one way to find out.

I did and it didn't work. Any helpful comments?
#4
Code:
hashcat --stdout -a 3 -o dict.txt Password?d?d?d
hashcat --stdout -a 3 -o dict.txt My?d?d?dPassword
hashcat -m 14800 -a 0 -w 3 hash.txt dict.txt
#5
I think they're trying to replace digits in place, without having to know the text before and after in advance.
~
#6
(08-21-2020, 10:08 PM)philsmd Wrote:
Code:
hashcat --stdout -a 3 -o dict.txt Password?d?d?d
hashcat --stdout -a 3 -o dict.txt My?d?d?dPassword
hashcat -m 14800 -a 0 -w 3 hash.txt dict.txt

Ya, that isn't quite the goal. I'm trying to create a rule file that can identify digits and go through all combinations of digits.
#7
I don't think it's practical, you would need to combine rules with each and every combination (10x -r multi-rule replaces within the command, rule-chaining, to change multiple digits at the same time).
Let's say you have one rule that leaves the digit as is (: rule) and then for every digit (0-9) you replace it with another digit (10 * 9 replaces, because you don't need for instance "s00"), you get 1 + 90 = 91 replaces to just replace one unique digit in a password, but the password could also contain 0123456789, so you need to almost combine it with each and every other combination to make out all the 10 different digits replaced in the same password (almost 91 ^ 10), approximately: 91 * 90 * 89 * 88 * 87 * 86 * 85 * 84 * 83 * 82 = 23321927500622150400 combinations of replace (sxy) rules. That's not very practical if you want to do it that way.

It would make sense that you also mention the hash type, to make sure a good/clever strategy is feasible here.

You could for instance try to do the same as mentioned above (similar strategy, but not using a large dict file), but with a .hcmask file (no rules, but mask attack):
Code:
sed 's/[0-9]/?d/g' dict.txt > my.hcmask

sed here replaces every digit with the ?d built-in charset and creates a mask. I would even filter it like this to make sure you do not run meaningless masks:
Code:
grep '[0-9]' dict.txt | sed 's/[0-9]/?d/g' > my.hcmask

this could produce several identical masks, so you should sort and unique these lines:
Code:
grep '[0-9]' dict.txt | sed 's/[0-9]/?d/g' | sort -u > my.hcmask

now you could either run it like this:

Code:
hashcat -m 18400 -a 3 -w 3 hash.txt my.hcmask

or filter and optimize it again, e.g. for every mask that only ends or starts with at least one ?d, you could replace it with a -a 6 or -a 7 attack:

Code:
grep '^?d' my.hcmask | grep -v '[^?][^d]?d' | sed 's/?d//g' | sort -u > prepend_d_dict.txt
run this dict with -a 7 -i hash.txt ?d?d?d?d?d prepend_d_dict.txt

Code:
grep '?d$' my.hcmask | grep -v '?d[^?][^d]' | sed 's/?d//g' | sort -u > append_d_dict.txt
run this dict with -a 6 -i hash.txt append_d_dict.txt ?d?d?d?d?d

of course you could then eliminate these -a 6 and -a 7 compatible "masks" from the my.hcmask file and only leave the ones that replace something in the middle or on both sides/ends:
Code:
grep '^?d' my.hcmask | grep '[^?][^d]?d' > my_mod.hcmask

Code:
grep '?d$' my.hcmask | grep '?d[^?][^d]' >> my_mod.hcmask

Code:
grep -v '^?d' my.hcmask | grep -v '?d$' >> my_mod.hcmask

and uniq it:
Code:
sort -u my_mod.hcmask -o my_mod.hcmask

There are probably many more optimizations possible, but the -a 6 and -a 7 optimization seems to me the most important one (it doesn't mean that the speed will be much faster or you are guaranteed to complete the job much sooner, especially if you need to use it, as mentioned above, with -i length increment etc).
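The dict-to-mask workflow from the post above, as an added shell example that is not code from the post or from hashcat. It builds a small constructed wordlist, runs the same grep/sed/sort pipeline to get my.hcmask, and then sorts each mask into the three buckets the post describes: stems for a -a 7 attack (digits only in front), stems for a -a 6 attack (digits only at the end), and masks that stay in my_mod.hcmask for -a 3. The bucketing is done by a small classify_mask function instead of the post's grep -v patterns, so it also handles digits-only masks (no stem to build a dictionary from) and masks with digits at both ends; the file names are the post's, the words are constructed.

```shell
#!/bin/sh
# Added example (not from the post): cracked-password list -> hashcat masks,
# then split the masks into -a 7 / -a 6 / -a 3 work, as the post suggests.

# Write a small constructed wordlist to the path given as $1.
make_sample_dict() {
    cat > "$1" <<'EOF'
Password123
My123Password
Summer2020
1qaz2wsx
letmein
007james
Password987
EOF
}

# Keep only words that contain a digit, turn every digit into ?d, dedupe.
# Reads the wordlist at $1 and prints one mask per line (same pipeline as the post,
# with a fixed locale so the order is reproducible).
dict_to_masks() {
    grep '[0-9]' "$1" | sed 's/[0-9]/?d/g' | LC_ALL=C sort -u
}

# Print where the ?d tokens of one mask sit:
#   prepend  every ?d is in one run at the start  -> stem goes to -a 7
#   append   every ?d is in one run at the end    -> stem goes to -a 6
#   mask     anything else (middle, both ends, or digits only) -> stays a -a 3 mask
# In case patterns "?d" is quoted because an unquoted ? would be a glob wildcard;
# in sed BRE a plain ? is a literal character.
classify_mask() {
    mask=$1
    case $mask in
        "?d"*)
            rest=$(printf '%s\n' "$mask" | sed 's/^\(?d\)*//')
            # digits-only mask: there is no stem to build a dictionary from
            [ -n "$rest" ] || { echo mask; return 0; }
            case $rest in *"?d"*) ;; *) echo prepend; return 0 ;; esac ;;
    esac
    case $mask in
        *"?d")
            rest=$(printf '%s\n' "$mask" | sed 's/\(?d\)*$//')
            case $rest in *"?d"*) ;; *) echo append; return 0 ;; esac ;;
    esac
    echo mask
}

# Read masks from $1 and write three files into directory $2:
#   prepend_d_dict.txt  for: hashcat -a 7 -i hash.txt ?d?d?d?d?d prepend_d_dict.txt
#   append_d_dict.txt   for: hashcat -a 6 -i hash.txt append_d_dict.txt ?d?d?d?d?d
#   my_mod.hcmask       for: hashcat -a 3 hash.txt my_mod.hcmask
split_masks() {
    masks=$1
    out=$2
    : > "$out/prepend_d_dict.txt"
    : > "$out/append_d_dict.txt"
    : > "$out/my_mod.hcmask"
    while IFS= read -r mask; do
        case $(classify_mask "$mask") in
            prepend) printf '%s\n' "$mask" | sed 's/?d//g' >> "$out/prepend_d_dict.txt" ;;
            append)  printf '%s\n' "$mask" | sed 's/?d//g' >> "$out/append_d_dict.txt" ;;
            *)       printf '%s\n' "$mask" >> "$out/my_mod.hcmask" ;;
        esac
    done < "$masks"
    # several masks can share one stem, so uniq each output like the post does
    for f in prepend_d_dict.txt append_d_dict.txt my_mod.hcmask; do
        LC_ALL=C sort -u "$out/$f" -o "$out/$f"
    done
}

# Demo run in a scratch directory; prints the four generated files.
demo() {
    work=$(mktemp -d)
    make_sample_dict "$work/dict.txt"
    dict_to_masks "$work/dict.txt" > "$work/my.hcmask"
    split_masks "$work/my.hcmask" "$work"
    for f in my.hcmask prepend_d_dict.txt append_d_dict.txt my_mod.hcmask; do
        echo "== $f"
        cat "$work/$f"
    done
}
```

Run it with `demo`: from the seven constructed words you get five unique masks, one -a 7 stem (james), two -a 6 stems (Password, Summer) and two masks left for -a 3 (My?d?d?dPassword and ?dqaz?dwsx). The two Password words collapse into one mask, which is the main point of the approach: the mask file grows with the number of digit patterns, not with the number of cracked passwords.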
#8
(08-22-2020, 10:11 AM)philsmd Wrote: I don't think it's practical, you would need to combine rules with each and every combination (10x -r multi-rule replaces within the command, rule-chaining, to change multiple digits at the same time).
Let's say you have one rule that leaves the digit as is (: rule) and then for every digit (0-9) you replace it with another digit (10 * 9 replaces, because you don't need for instance "s00"), you get 1 + 90 = 91 replaces to just replace one unique digit in a password, but the password could also contain 0123456789, so you need to almost combine it with each and every other combination to make out all the 10 different digits replaced in the same password (almost 91 ^ 10), approximately: 91 * 90 * 89 * 88 * 87 * 86 * 85 * 84 * 83 * 82 = 23321927500622150400 combinations of replace (sxy) rules. That's not very practical if you want to do it that way.

It would make sense that you also mention the hash type, to make sure a good/clever strategy is feasible here.

You could for instance try to do the same as mentioned above (similar strategy, but not using a large dict file), but with a .hcmask file (no rules, but mask attack):
Code:
sed 's/[0-9]/?d/g' dict.txt > my.hcmask

sed here replaces every digit with the ?d built-in charset and creates a mask. I would even filter it like this to make sure you do not run meaningless masks:
Code:
grep '[0-9]' dict.txt | sed 's/[0-9]/?d/g' > my.hcmask

this could produce several identical masks, so you should sort and unique these lines:
Code:
grep '[0-9]' dict.txt | sed 's/[0-9]/?d/g' | sort -u > my.hcmask

now you could either run it like this:

Code:
hashcat -m 18400 -a 3 -w 3 hash.txt my.hcmask

or filter and optimize it again, e.g. for every mask that only ends or starts with at least one ?d, you could replace it with a -a 6 or -a 7 attack:

Code:
grep '^?d' my.hcmask | grep -v '[^?][^d]?d' | sed 's/?d//g' | sort -u > prepend_d_dict.txt
run this dict with -a 7 -i hash.txt ?d?d?d?d?d prepend_d_dict.txt

Code:
grep '?d$' my.hcmask | grep -v '?d[^?][^d]' | sed 's/?d//g' | sort -u > append_d_dict.txt
run this dict with -a 6 -i hash.txt append_d_dict.txt ?d?d?d?d?d

of course you could then eliminate these -a 6 and -a 7 compatible "masks" from the my.hcmask file and only leave the ones that replace something in the middle or on both sides/ends:
Code:
grep '^?d' my.hcmask | grep '[^?][^d]?d' > my_mod.hcmask

Code:
grep '?d$' my.hcmask | grep '?d[^?][^d]' >> my_mod.hcmask

Code:
grep -v '^?d' my.hcmask | grep -v '?d$' >> my_mod.hcmask

and uniq it:
Code:
sort -u my_mod.hcmask -o my_mod.hcmask

There are probably many more optimizations possible, but the -a 6 and -a 7 optimization seems to me the most important one (it doesn't mean that the speed will be much faster or you are guaranteed to complete the job much sooner, especially if you need to use it, as mentioned above, with -i length increment etc).

That is an interesting alternative. I'll keep that in mind and I may resort to that in the end if I can't find a way to get a rule to do this. I really don't want to have to keep going back to the cracked file to create a new wordlist if I can help it. Thank you.