Password Cracking – It's all about the rules!

Table of Contents

Password cracking 2.0

Password Cracking offers in addition to the im first article There are a number of other ways to crack passwords using the methods mentioned above: rules, word lists, hybrid and combination attacks. These tools represent only a small part of all the possibilities in Hashcat, but they provide the basis for further deeper attacks, which are detailed in further articles.

Agenda

In order to be able to hash crack efficiently, a systematic approach is required: documentation and notes, no matter how annoying you may find them, are essential to making progress in hash cracking. Hashcracking is a topic that offers a lot of room for research and many methods and optimizations are still undiscovered. Therefore, it makes sense to document your own procedure in order to be able to adapt or improve procedures afterwards. The exact documentation also helps to better understand your own results or to adapt them to new circumstances.

Don't want to waste time on your way to becoming a penetration tester?
In our courses, led by experienced penetration testers, you will learn everything you really need for this.
Go to the Junior Penetration Tester Intensive Course
The hash cracking is divided into several phases, which differ in the choice of tool and methodology and are only promising in their interaction:

extraction and identification

In the beginning, it depends on the correct extraction of the hashes and their identification. In addition, the hashes must be brought into a Hashcat-compatible format. Tools such as hash identifiers or the Hashcat Examples. Proper formatting is important to ensure Hashcat functions correctly.

Evaluation and plan of attack

Then the hash strength (is it a slow or fast hash?) and the speed of your own cracking rig must be determined in order to select one of the sensible strategies. Basically, slow hashes must be attacked in a targeted manner - OSINT is of crucial importance here. Fast hashes can be attacked more generally because the high speed allows for a lot more to be tried.

Various attacks

After the first two steps, the hash is attacked. In the beginning, with fast hashes, you either start with a brute force of 7 to 8 characters (depending on your own computing power) or start directly with dictionaries and rules. These first attacks are initially about getting an impression of the passwords used. Based on this, further attacks are planned. In this phase, it makes sense to try dictionaries in different languages ​​(depending on the origin of the hashes) in addition to password lists. This is how you can crack passwords or passphrases based on sentences.

Password analysis

The cracked passwords are analyzed to find patterns and structures in the passwords that influence further action. We recommend tools such as Pipal or Pack, which can be used to analyze the cracked passwords. In this way, static peculiarities such as repetitions or particularly frequent root words can be identified. The tools can also be used to create your own rules and masks, e.g. B. to be able to react to a password policy.

Targeted Attacks

These results are then used in a targeted manner to select suitable dictionaries/password lists and to apply your own rules or masks that best meet user behavior. These results can also be used to generate your own suitable word lists. Cewl or crunch, for example, are suitable for this.

Advanced Attacks

In order to crack further passwords, advanced methods such as Prince processor, mask processor, keyboard walks, own Markov chains or PCFG (explanation of this follows in future parts of this blog series) can be used to reach the last hashes. However, these methods are very complex and require a great deal of knowledge from the user.

Repetition

Then go back to step 4 and repeat the scheme until the desired amount of cracked hashes is achieved. But now with modified parameters and methods.

Back to the Roots

dictionary attacks

Dictionaries and password lists are the basis of how Hashcat works. The dictionary attack is the most important mode and the basis of most attacks. The dictionary attack can be modified in many ways to be more efficient: rules, rule chains, random rules, raking or loopback are different methods that make password cracking much easier.


In the classic dictionary attack, all words from the dictionary are matched against the password hashes, which is limited by the size of the dictionary. There are also some restrictions that limit the achievable speed, which will be discussed in more detail later.

Regulate

The classic dictionary attack is therefore expanded with rules. These rules contain a syntax comparable to a programming language that can modify, shorten or expand words and thus open up countless attack options. Some of these rules are already included in Hashcat in the hashcat/rules folder and allow very good results to be achieved even with much smaller dictionaries. The combination of rules can lead to very good results, but involves immense RAM & VRAM consumption. A maximum of 31 rules can be combined with each other, but this limit is rarely exhausted.

Personally, I prefer these rules:

  • OneRuleToRuleThemAll
  • Pantagrule.random
  • pantagrule.random.royce
  • NSAKEY.v2.dive
  • best64

Syntax

Classic dictionary attack:

				
					hashcat -a0 hashfile.txt Wörterbuch.txt
				
			

Dictionary attack with rules:

				
					hashcat -a0 hashfile.txt Wörterbuch.txt -r Regel.rule
				
			

Dictionary attack with multiple rules:

				
					hashcat -a0 hashfile.txt Wörterbuch.txt -r Regel01.rule -r Regel02.rule
				
			

Advanced Attacks

More advanced attacks can also be implemented with rules, such as B. loopback or raking. These attacks allow you to crack even better and more efficiently, or they are a good way out in some situations.

Loopback

When using the loopback option, passwords that have been cracked are added to the dictionary until no more new passwords are found. Loopback is a very useful method that often cracks a lot of other passwords. The option is set with means -loopback activated and can only be used in connection with rules (regardless of whether they are normal or self-generated). The looback can only be used together with the dictionary attack, i.e. hashcat mode and 0

Dictionary attack with loopback and rules:

				
					hashcat -a0 hashfile.txt Wörterbuch.txt --loopback -r Regel.rule
				
			

Raking

Raking is the process of generating random rules and then running them over many hashes to create new rules. This makes sense if you don't have any further ideas or to create your own rules that better meet your own needs.

The -g parameter generates a number of random rules and is a good idea if you don't have a new approach to cracking. Otherwise, it never hurts to use randomly generated rules. To perfect the approach, applicable rules can also be saved, to analyze or use them. The command is –debug-mode=1 –debug-file=matched.rule .

Syntax

Dictionary attack with loopback and rules:

				
					hashcat -a0 hashfile.txt Wörterbuch.txt --loopback -g Num
				
			

Dictionary attack with loopback and random rules and storing matched rules:

				
					hashcat -a0 hashfile.txt Wörterbuch.txt --loopback -g  --debug-mode=1 --debug-file=matched.rule
				
			

Dictionaries & Password Lists

The eponymous dictionaries are also of elementary importance in dictionary attacks: without the appropriate dictionaries, no passwords can be found. However, there are a few things to keep in mind when it comes to dictionaries. The rule is: less is more. Dictionaries & Password Lists are measured by the quality of the words they contain, not their length and size. The dictionaries are extended by rules, so that the original size says little about the number of words generated from it.

Known Dictionaries

Word lists can either be downloaded from various sites or generated by yourself, but my personal recommendations for word lists are:

  • rockyou.txt
  • Hashesorg2019
  • Kaonashi.txt
  • ALM(PasswdOnly)(freq_sorted).txt
 

Very large dictionary:

  • RockYou2021.txt
 

These dictionaries all combine very well with different rules to get good results.

Targeted Attacks

If known dictionaries do not lead to the goal or if you attack individual hashes, it makes sense to generate your own dictionaries. Cewl is a good way to do this.

cewl

Cewl is a web scraping tool that scans websites and downloads words onto them. This makes it possible to create word lists that enable targeted attacks on hashes by including numerous words from websites that are otherwise not considered in normal dictionaries.

Syntax:

				
					cewl -d3 -m4 -e -w Wörterliste_name.txt -v https://Web.seite
				
			
Cewl is a web scraping tool that scans websites

combinator attacks

In addition to rule-based attacks, Hashcat also offers the possibility of combinator attacks. In the combinator attack, words from two dictionaries are combined with one another, i.e. words from the second are appended to words from the first dictionary. Characters can also be added, removed or manipulated using rules to the right and left of the added word. These rules are implemented using -j for links and with -k added for right. However, only one rule can be added per parameter, which is a limitation. You can use all the rules listed under https://hashcat.net/wiki/doku.php?id=rule_based_attack be listed. For combinator attacks, the rules that append words are often best suited. However, this always depends on the target of the attack and may vary due to local peculiarities.

The combinator attack can be re-applied in its capabilities using Hashcat extensions, allowing more than two dictionaries to be combined. Unfortunately, the Hashcat kernel on which combinator mode is based does not support one hoursmode, which is why the combinator attack cannot be used repeatedly in a pipe. That's why there are extension scripts like CombinatorX that allow more than 2 dictionaries to be combined. Up to 8 dictionaries can be combined with this script, which means that many passphrases or password sets are vulnerable.

Syntax:

Combinator attack with two dictionaries:

				
					hashcat -a0 hashfile.txt Wörterbuch01.txt Wörterbuch02.txt
				
			

Combinator attack with dictionaries and rules that insert a hyphen on the left and an exclamation point on the right:

				
					hashcat -a1 hashfile.txt Wörterbuch01.txt Wörterbuch02.txt -j'$-' -k '$!'
				
			

CombinatorX installation:

				
					git clone https://github.com/hashcat/hashcat-utils.git
cd hashcat-utils/src
make
				
			

CombinatorX syntax:

Combinator attack with two dictionaries

KombinatorX with 3 dictionaries and storage of the results:

				
					./combinatorX.bin -1 Wörterbuch01.txt -2 Wörterbuch02.txt -3 Wörterbuch03.txt > Wörterbuch123.txt
				
			

KombinatorX with 3 dictionaries, storage and characters between the dictionaries

				
					./combinatorX.bin -1 Wörterbuch01.txt -2 Wörterbuch02.txt -3 Wörterbuch03.txt > Wörterbuch123.txt --sep1 '-' --sep2'-' --sep3 '-' > Wörterbuch123-.txt
				
			

KombinatorX can do this with up to 8 dictionaries. While this allows large sentences/passphrases to be recreated, it creates huge dictionaries that easily outgrow the available device memory. We are talking about up to several hundred GB here, so be careful when combining several dictionaries.

hybrid attack

The hybrid attack is best described as a modified form of the combinator attack. Here a mask is added instead of the second dictionary. This allows passwords to be attacked with greater flexibility than would be possible with a combinator attack.

There are two hybrid attacks: Word List + Hybrid and hybrid + word list, whereby both schemes of typical passwords can be mapped. If masks or brute force are used in the hybrid attack, the parameter -i used for an extension of the mask. 

Unfortunately, both hybrid attacks cannot be combined with each other, so you have to create a workaround. For this purpose, the attack is once in defaultExecuted mode to create a dictionary of the first attack's mods and then use that in the second attack, now modifying it on the other side.

Syntax:

Classic hybrid attack with mask:

				
					hashcat -a6 hashfile.txt wörterbuch.txt ?d?d?d
				
			

Hybrid attack with masks and increment:

				
					hashcat -a6 hasfile.txt wörterbuch.txt -i ?u?l?l?l??d?d?s
				
			

Classic hybrid attack the other way around with a mask:

				
					hashcat -a7 ?d?d?d hashfile.txt wörterbuch.txt
				
			

Classic hybrid attack the other way around with mask and increment:

				
					hashcat -a7 -i ?d?d?d hashfile.txt wörterbuch.txt
				
			

Experimental: Hybrid attack both sides:

				
					hashcat -a6 Wörterliste.txt (-i) ?d?d?d --stdout > Wörterbuch01.txt hashcat -a7 (-i) Hashfile.txt ?a?a?a Wörterbuch01.txt
				
			

Both attacks are carried out one after the other and the creation of dictionaries/password lists is very memory-intensive, so it can generate very large files even with small dictionaries. It is not advisable to connect the two commands via pipe, as this will very likely fill up the entire working memory and freeze the computer.

Do you want to get started as a penetration tester?
Qualify for your dream job with our practice-oriented intensive course!
To the Junior Penetration Tester certificate course
OTHER CONTRIBUTIONS

Table of Contents

Do you have any questions or additions? bring it on!
Write a comment and we will reply as soon as possible!

Your email address will not be published. Required fields are marked with *.