Table of Contents

Table-Lookup Attack

Description

Note: table-lookup attacks are only available in hashcat-legacy.

With each word in our dictionary, it automatically generates masks as in a batch of Mask attack.

The Table-Lookup attack is not to be confused with rainbow tables.

Input

If our dictionary contains the word

word1

… then it is split into single characters:

  1. w
  2. o
  3. r
  4. d
  5. 1

The next step is to “look up” each of these chars against a “table”. Just continue reading…

Mandatory configuration

--table-file

The following box shows what we call a “table”. What we configure here are assignments. As usual in assignments, we have a left and a right side.

o=o
o=O
o=0
o=.
w=w
1=1
1=2
1=3
1=9

Optional configuration

Hashcat-legacy has two command-line parameters to fine-tune this attack. But why does this simple attack require a configuration at all? The reason for this is that it can create so many combinations that it will never finish.

For example, if we have a long word like “111111111111111” in our dictionary, which has length 15, and a table file containing:

1=0
1=1
1=2
1=3
1=4
1=5
1=6
1=7
1=8
1=9

…hashcat-legacy has to generate 10^15 (1.000.000.000.000.000) combinations.

The following commands enable the user to define the length of password they wish to modify.

--table-min=NUM

Default is set to: 2

--table-max=NUM

Default is set to: 15

Any word outside of the defined length range will be skipped.

Output

Before hashcat-legacy generates the mask, it takes each char from the split result and matches them against the table configuration. If it matches, it replaces the char with all the chars from the right assignment. Yes, exactly, and creates new words this way. That's exactly what we want here. If it does not match, it will not replace it and use the original char.

word1
wOrd1
w0rd1
w.rd1
word2
wOrd2
w0rd2
w.rd2
word3
wOrd3
w0rd3
w.rd3
word9
wOrd9
w0rd9
w.rd9

When to use

This attack is extremely efficient against leetspeak passwords if we choose a table like this:

a=a
a=@
a=4
c=c
c=<
c=[
c={
e=e
e=3
i=i
i=I
i=!
i=|
i=.

etc..

It can also fully replace the Toggle-case attack if we choose a table like this:

a=a
a=A
b=b
b=B
c=c
c=C
d=d
d=D

etc..

But the best thing, we can do both at once.

a=a
a=A
a=@
a=4
b=b
b=B
c=c
c=C
c=<
c=[
c={
d=d
d=D
e=e
e=E
e=3

etc..

Another nice idea is to fill holes in our dictionaries. For example, if our dictionary contains:

pass0
pass1
pass2
pass3
pass5

We can see that this dictionary is missing “pass4”, “pass6”, etc. A single line in a table can fill the missing ones:

0=0
0=1
0=2
0=3
0=4
0=5
0=6
0=7
0=8
0=9

Hint: To avoid dupes, replace all digits with 0 and unique what's left.

$ sed -e 's/[0123456789]/0/g' < passes.dict | sort -u > passes_table_optimized.dict

See the table/ folder for more inspiration.

Supported by

This attack is currently supported by:

Alternative support

We can use the –stdout parameter in hashcat-legacy to pipe generated password candidates into Hashcat.