The Table-Lookup Attack has a more technical explanation here.
This page however is a very basic guide for people new to hashcat or this attack in particular and just want to get started.
The Table-Lookup Attack (--table-file) can be seen in context within the following example.
hashcat-cli32.exe --attack-mode 5 --table-file A.table --stdout B.txt >> C.txt
In this case the user intends to generate a new, more diverse and complex word list from a selection of simple or plain base words. Thanks to the “--stdout” feature in hashcat we are able to write the output to a text file for future use.
So to be clear, the command above is not an actual “attack” it is being used to modify an existing wordlist (B.txt) and to generate a new wordlist (C.txt) which can be used later by hashcat in its other modes.
Here is a breakdown of each section of the command to modify and generate a word list.
This of course is the main executable. In this case the 32bit version, if you are using a 64bit OS then hashcat-cli64.exe is the one for you.
--attack-mode 5 instructs hashcat to employ the “Table-Lookup Attack”.
--table-file indicates the table files location. Hashcat will expect to see the full address of your chosen table file immediately after this.
A.table is a randomly chosen name for this example, “A” could be any name you choose for your table file. Here it is assumed that the file resides in the same directory as hashcat. If not, be sure to enter the full address, you may also need to enclose the address in quotes. A good trick is to drag and drop the file into the command window at the point where you need to type the location.
--stdout tells hashcat to either print the results to the command prompt or to a file. Up to this point we haven’t told hashcat exactly where to print yet.
B.txt again this is a randomly chosen name purely for this example. This text file is your source of plain or base words for hashcat to elaborate on, using the pre-defined instructions within your table file.
»C.txt Finally we tell hashcat to write or pipe the results out to a text file called C.txt. As before this is just a random name for the output file, you may name your output file differently.
It is good practice to name the output file in such a way you can easily identify it, trying to open very large text file to see what it contains at a later date can sometimes be very difficult to do.
You should now be able to generate new password text files by mutilating or modifying your existing base word lists.
I suggest you make a very small input file, (B.txt) at first and see just how your table affects it. The size of your output file can be huge in comparison to your input file so take things easy until you fully understand tables.
Atom has kindly provided some default table files in the hashcat directory, however if you believe you have created a particularly good table file or password list please consider sharing on the hashcat forum.
Currently the Table-Lookup Attack can only operate on < 16 characters, this is because the number of passwords generated at this length would be huge.