TrustedSec - Better Hacking Through Cracking: Know Your Rules

THIS POST WAS WRITTEN BY @NYXGEEK

Intro

Password recovery tool hashcat ships with a bunch of great rules, but have you actually looked at them? Being familiar with the built-in rules can help enhance your cracking capabilities and enable you to choose the right rule or rule combination.

via GIPHY

So where are these rules anyways? The rules files exist in a “rules” folder that comes with hashcat. Here’s what a default rules folder will look like:

One of the most basic things to know is how LONG the different rulesets are. How many permutations will be applied to the wordlist? This is important for gauging how long a job will take and decide which combinations of wordlist + rules might be completed in a timely manner.

To find the length of the rulesets we could use “wc -l”, but there are some comments and blank lines in these rules. So for accuracy, use a little Bash one-liner:

for file in `ls *.rule`; do echo -n "$file ";cat $file | grep -v '^#' | grep -v '^[[:space:]]*$' | sort -u | wc -l; done | awk '{print $2"\t"$1}' | sort -nr


99085   dive.rule
65117   generated2.rule
34156   d3ad0ne.rule
30000   rockyou-30000.rule
20000   T0XlCv2.rule
15487   Incisive-leetspeak.rule
14728   generated.rule
6662    T0XlC_insert_HTML_entities_0_Z.rule
6551    InsidePro-HashManager.rule
4943    toggles5.rule
4085    T0XlC.rule
4016    T0XlC-insert_00-99_1950-2050_toprules_0_F.rule
3234    InsidePro-PasswordsPro.rule
3071    unix-ninja-leetspeak.rule
1940    toggles4.rule
1601    T0XlC-insert_top_100_passwords_1_G.rule
575     toggles3.rule
480     T0XlC-insert_space_and_special_0_F.rule
256     oscommerce.rule
176     specific.rule
120     toggles2.rule
77      best64.rule
51      combinator.rule
30      T0XlC_3_rule.rule
17      leetspeak.rule
15      toggles1.rule

Here’s a chart to really visualize the difference:

Figure 1 – Password Rules Ordered by Length

Alright, we have the lay of the land. Now let’s look at some of these rules and touch on their origin stories (if known).

Hashcat Rules Reference We will be examining hashcat rules briefly — if you want to decipher these rules, check out: https://hashcat.net/wiki/doku.php?id=rule_based_attack

best64

The best64.rule is the go-to, tried and true rule used by crackers across the planet. Well, best64.rule has a secret.

THAT’S RIGHT! Take out the comments and blank lines and you’re left with 77 unique rules in best64.

If best64 isn’t 64 lines, then what else have I been assuming?

Let’s take a look:

Figure 2 – best64.rule sample

This is a rarity in the rules world: regular and clear comments! best64 has some pretty standard rules, making common permutations such as appending a number, reversing a word, uppercasing a word, etc.

The best64 rule is great on its own, stacked with itself (best64 + best64), or combined with other rules (e.g., best64 + toggles2).

Dive

Created by someone known as ‘dive’, the Dive ruleset is huge. I had always mistakenly assumed ‘dive’ was in reference to it being a ‘deep dive’ ruleset. It is thorough and has a great success rate if you can spare the time. Use this with fast hashes (NT, MD5, etc.) or a short wordlist.

Figure 3 – dive rule sample

Although the dive ruleset is large, it’s sorted by popularity, which makes it easy to take advantage of partial lists. For instance, if the full 99,000+ lines are too much, use the Linux program ‘head’ to pull out a smaller range.

head -n 10000 dive.rule > head.dive.10k.rule

This trick can be used with most rulesets, as they are typically count-ordered.

The T0XIC Rules

A set of rules by someone known as ‘T0XlC’, the T0XlC rules include:

T0XlC.rule

T0XlCv2.rule

T0XlC-insert_top_100_passwords_1_G

T0XlC-insert_space_and_special_0_F

T0XlC-insert_00-99_1950-2050_toprules_0_F

T0XlC_insert_HTML_entities_0_Z.rule

T0XlC_3_rule.rule

These are some great rules. Let’s take a brief look at the various rulesets.

T0XIC.rule/T0XICv2.rule

Figure 4 – T0XlC.rule


These rules are a top selection of tested rules (likely compiled with hashcat’s debug option). T0XlC.rule has 4,085 rules (4,086 claimed), and T0XICv2 has 20,000 rules. They appear to be from different testing runs, since the top rules are not overlapped.

Figure 5 – T0XlCv2.rule

I’ve had good success with both, but if you have the GPUs/CPUs, go for the bigger list.

Hashcat Tip:  

Note: The title of some of these T0XlC rules will make more sense if you understand character positions in rules in hashcat. For hashcat rules, the character positions are referred to as 0-9, but then the counting switches over to alpha. Counting upwards goes like:

0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
|                                                                                   |
0    <——                                                ——>    35  

So when you see the “_1_G” in the rule name, those are the character positions that it’s referring to. To learn more about the rules, check out https://hashcat.net/wiki/doku.php?id=rule_based_attack  

T0XIC-insert_top_100_passwords_1_G.rule

Figure 6 – T0XlC-insert_top_100_passwords_1_G.rule sample

To see what words are actually in here, we can use sed to pull out any of the ‘i1’, ‘i2’, etc., rules-specific syntax.

cat T0XlC-insert_top_100_passwords_1_G.rule | sed 's/i[0-9A-P]\{1\}//g' | head
Figure 7 – making rules easier to read

To get a better idea of the actual contents, include ‘shuf’ in the command before the ‘head’ command, so that a random selection is shown instead of just the top alphabetical.

cat T0XlC-insert_top_100_passwords_1_G.rule | sed 's/i[0-9A-P]\{1\}//g' | shuf | head -n 30
Figure 8 – shuffled list for better sampling

These words are fine but a little dated. I recommend making your own custom version of this list. Creating this is a little beyond the scope of this post, but a future writeup will go in-depth into making your own custom rules.

T0XIC-insert_space_and_special_0_F.rule

This rule inserts spaces and special symbols at every position from 0-F.

Figure 9 – list of symbols inserted

Two (2) symbols are missing from this:

+  and \

I submitted a pull request  to fix the omission, and it was accepted (https://github.com/hashcat/hashcat/pull/3457).

The updated rule can be found here:

https://github.com/hashcat/hashcat/blob/master/rules/T0XlC-insert_space_and_special_0_F.rule

T0XIC-insert_00-99_1950-2050_toprules_0_F.rule

This ruleset is super useful—users put numbers everywhere in passwords.

Figure 10 – Inserting Numbers

To get a clearer view of what the insertion rules are doing, remove the insert rules’ syntax:

cat T0XlC-insert_00-99_1950-2050_toprules_0_F.rule | sed 's/i[0-9A-Z]\{1\}//g'  | sort -u
Figure 11 – Human-readable rules

Here’s another instance where hashcat lied to us. While the rule title indicates 1950 – 2050, the years actually span from 1930 to 2050. Also, reviewing the file shows no insertions of 00-99.

Another puzzling factor is that, while the title and comment state that it runs from positions 0 – F (16 positions total), it actually covers from 0 to 32 characters out.

Figure 12 – Large range for insert

This ruleset also has some additional bonus rules at the end: truncation, deletion of a few characters, and some case toggling.

Figure 13 – Bonus Rules

At any rate, this is an awesome rule and is very useful. It is a relatively small ruleset, which makes it a great candidate for stacking with best64 or one of the leetspeak rules.

I submitted a pull request to fix the omission of the insert 00-99 rules, and it was accepted (https://github.com/hashcat/hashcat/pull/3457). I did not reduce the character positions, or the 1930-2050 range. The updated rules can now be found here:

https://github.com/hashcat/hashcat/blob/master/rules/T0XlC-insert_00-99_1950-2050_toprules_0_F.rule

I’ve also created a true-to-the-title form that can be found here:

https://github.com/nyxgeek/nyxgeek-rules/blob/master/hashcat-rules/T0XlC-insert_00-99_1950-2050_toprules_0_F.as_advertised.rule

This ‘as_advertised’ ruleset strictly does an insert of 1950-2050, and 00-99 in the character positions 0-F. No extras.

I ran some benchmarks of the new and improved rulesets versus the original, and the results were fantastic. (The benchmark below was done against a single random domain dump using rockyou.txt.)

Figure 14 – Example Benchmark of Variations vs Original Rule

T0XIC_3_rule.rule

The last T0XlC rule to mention is T0XlC_3_rule.rule. This newcomer (as of hashcat 6.2.6) is a remarkably efficient rule, measuring in at only 30 lines.

Rockyou-30000

Rockyou-30k is a rule file based on Password Analysis and Cracking Kit (PACK) output. The PACK tool can be found here: https://github.com/iphelix/pack.

Rockyou was a plaintext dump, which made it particularly valuable (100% ‘crack’ rate). It’s still a handy wordlist today, despite its age. This ruleset used PACK to perform an analysis of the dump.

The Rockyou-30k rule made its first appearance in hashcat v0.15 (https://hashcat.net/forum/thread-2543.html) from iphelix (https://twitter.com/_iphelix) circa 2013.

Figure 15 – Changelog Section Introducing rockyou-30000

d3ad0ne

Created by d3ad0ne (https://twitter.com/d3ad0ne_), this ruleset uses PACK circa 2013.

Figure 17 – d3ad0ne.rule sample

Generated/Generated2

As the name suggests, these were generated using the hashcat ‘-g’ option and benchmarked for effectiveness against hashes.

Generated

The original Generated.rule first appeared, as far as I could find, from K9 on the hashcat forum, in May 2010. (https://hashcat.net/forum/thread-27.html?highlight=generated.rule)

Per the comment, it is a “collection of unique auto-generated rules which recovered a password”. This likely means it was generated using hashcat’s debug option (we will cover this in a later post).

Figure 18 – generated.rule sample

It works well and is fairly lightweight.

Generated2

Generated2 was created by EvilMog (https://twitter.com/Evil_Mog). Here is a write-up about the process behind it:

https://github.com/evilmog/evilmog/wiki/Hashcat-Raking—generated2.rule

This is a highly effective ruleset but is a little on the large side. Use it like ‘dive.rule’. If needed, chop it down using the ‘head’ command.

InsidePro

InsidePro-HashManager

InsidePro-PasswordsPro

InsidePro was a password cracking site/forum. Although the owner shut down due to time constraints, here is a web archive of the site:

https://web.archive.org/web/20190305112137/http://insidepro.team/

(Thanks to https://forum.hashkiller.io/index.php?threads/insidepro-alternatives-wordlists-etc.31629/ )

There was also a cracking program called PasswordsPro. The InsidePro-PasswordsPro ruleset is from that product (v2.5.5.0 per the rule).

While the site and product may be dead, the rulesets live on with hashcat. These are great rules, especially paired with best64 (e.g., best64.rule + InsidePro-HashManager.rule).

specific

This is a rule that I do not use often, but it has some interesting and very specific rules. It’s another rare set with well commented and clean rules.

Figure 19 – specific.rule sample

I haven’t had much luck with this set. The patterns described in the comments are not ones that I feel are encountered often today.

leetspeak Mutators

hashcat comes with two (2) leetspeak mutators. These convert regular text to 1337$p34k, l33t$p3@<, or 1337speak, etc. You might have limited success with them on their own, but they really shine when paired with another ruleset (e.g., best64 + leetspeak).

One (1) caveat for both of these: they only perform leet conversions on lowercase characters.

Incisive-leetspeak

This one is a giant. It has various combinations of leetspeak, so even if it is only selectively used, it will still be covered (e.g., $ecret or S3cr3t versus $3cr3t).

unix-ninja-leetspeak

This mutator was made by a member of team hashcat, unix-ninja (https://twitter.com/unix_ninja). It is significantly smaller than Incisive (3,000 versus 15,000 lines) and thus offers fewer combinations. However, because of this it is great for stacking.

Toggles1-5

More mutators! These are underrated and, like the leetspeak mutator, work best with other rules. Toggles1 is super lightweight and can be paired with a lot of different rules without bogging down too much. However, by the time you get up to Toggles3 + rules, you can see some real impact on time.

Combinator

This rule adds common combinator-style symbols such as a dash or a period (e.g., Pass-word, Pass.word).

osCommerce

osCommerce uses a weird hashing method. This rule is for those hashes only. This is not one that most people are going to need. If you wanna geek out though, here is a neat write-up on dissecting the osCommerce hashing method:

http://ryanuber.com/09-24-2010/os-commerce-password-hashing.html

Conclusion – Which Should I Use?

A lot of variables come into play when choosing a ruleset. This includes the probable strength of the passwords, the hash type, wordlist size and type, CPU/GPU power, and available time.

Let’s touch briefly on which of these built-in rules are my favorites.


Top Picks (in order):

  1. best64 – Fast and great for finding a quick win against a weak password
  2. dive – Great results but slow due to number of rules
  3. InsidePro-PasswordsPro or InsidePro-Hashmanager – Both produce good results and aren’t too big, so you can easily combine with other rules.
  4. d3ad0ne or rockyou-30000 – About 30,000 lines, but good results
  5. toggles1 or toggles2 — underrated. Use these with a big wordlist, or combine with other rules.

Here are some initial benchmarks, showing example performance against real-world hashes. The following hashes were benchmarked using the hashcat rules, with rockyou.txt against a dump that had no complexity requirements, and minimal length requirements (6 char minimum).

If you enjoy these benchmarks, be sure to check out the next installation, where we will review different wordlist and rule combinations, against dumps of different strengths.

Alright, we have the lay of the land. Now let’s look at some of these rules and touch on their origin stories (if known). If anybody has any additions, or corrections to the origin stories, please let me know!

Reference Table

The following table was created to demonstrate examples of candidates generated by the various rules. To sample any ruleset, use a one-liner similar to the following:

echo “Testpass” | ./hashcat –stdout –rules=rules/generated2.rule | shuf | head -n 20  | sort -u

Rule Example Word Example Permutations
best64 Testpass 1Testpass
qest
T3stpass
TassTa
Testp1
Testpaa
Testpaer
Testpasa
Testpass02
Testpass1
Testpass13
Testpass4
Testpass5
Testpass9
Testpass99
Testpasss
TestpTestp
Testpy
Testss
tpTtpT
Combinator Testpass tes-tpass
tes&tpass
tes+tpass
test pass
test.pass
test+pass
testpa-ss
testpa.ss
testpas s
testpas-s
testpas&s
testpas+s
Testpass
TestpasS
TestpaSs
TestpAss
TesTpass
testpass1
testpass123
testpass2007
d3ad0ne Testpass 3Testtpass
bTestpassbTestpass
destpassTestpass
estpTss
eTstPassssaptsTe
lTestpassz
Spsteass
sTespss
Taestp
Tdstpass
Testagss
Testpas0k
Testpass
Testpass3
TestpassTesstpass
Tests0
TTCstpass
Uestpass
zesptass
Dive Testpass Teass
TemtpAmm
Test1999pass
Test20p80ass
TestestpassTestpass
Testp012ass
Testp6ss
Testpa5s5
Testpass
Testpass[
TestpaSs
Testpass143!
Testpassass
Testpassdumb
Testpasso
TestpassUT
TestqAss
Testsaps
Generated Testpass 999Testpass
9Tfstpass
estpnssT
eTStpass
fTetpass
Ltpass
ssTestpass
sTestpas-
T2stpass7
Teltpass
tescpass
Tes`pass
Tespsas
Testp4st
Testpass
Testpssa
Thstpssa
TTTESTPASS
TTTTestpass;
TTTTTTestpass
Generated2 Testpass bESbESTPASS
cTe tpass
jdstpass
jTetstpass
sTestpassq
T8stpasst8stpass
TeCstpasss
Tes0tpasss
Test9=ss
Testkpass`
TestpaqSs
Testpasass
Testpass@
#Testpassz
Testpsestp
Testpsn
TestpxassH
TestTestass.
TETTPTETTPASS
uTestpassy
Incisive-leetspeak Testpass T35tp@55
T35tpa55
T3$7p4$$
T3$+pa$$
T3stp4ss
T3$tpa$$
Te57pa55
Te5+p455
Te5+p@55
Te5+pa55
Te5tpa55
Te$+p@$$
Te$+p4$$
Te$+pa$$
Tes+pass
InsidePro-HashManager Testpass 2Testpass
5Testpa
aTestpassa
sTestpasss
Te3stpass
TeJstpass
TeMstpass
Testpass
Test~pass
Testpass%
Testpass123
Testpass2017
Testpass5Testpass5
TestpassO
THstpass
InsidePro-PasswordsPro Testpass lTestpass
T1E2S3T4P5A6S7S
T3stpass
T3stp@ss
Te5tpa55
Te6stpass
Testp1Ass
Testpa7ss
Testpa8s
Testpass
T.e.s.tpass.
Testp$ass
Testp&ass
TE_STPASS
TESTPASS1971
Testpass40
Testpass43
TestpassTestpassTestpassTestpass
vTestpass
wTestpass
Oscommerce Testpass 05Testpass
11Testpass
24Testpass
34Testpass
38Testpass
43Testpass
47Testpass
4bTestpass
65Testpass
71Testpass
8dTestpass
96Testpass
a9Testpass
abTestpass
b7Testpass
b9Testpass
c4Testpass
e1Testpass
e9Testpass
edTestpass
Rockyou-30000 Testpass 1ssaptseT
jcestpass
kestpass88
noestpass
shestpass
ssaptse2518
Te1979tpass
Te5tpa551
Te654321tpass
Te6tpa6617
Teostpasso
Tesi00pass
Test1118ass
Test2005ass
testpass!!!
Testpass2120
Testpassx
TestpBss
Tetitpass
Tustpass11
Specific Testpass Pestpass
Sdrspass
sestpasT
Tdrsoass
Tdrspass
Tesaptss
Tesppass
Tesso`rs
Tesspats
Testparr
Testpasq
Testpasr
Testpass
Testqass
Tettpass
Tetuqbss
Tewtpass
Tsstpaes
Ufstpass
Uftupass
T0XlC-insert_00-99_1950-2050_toprules_0_F.rule Testpass 1960Testpass
2016Testpass
T1944estpass
T2006estpass
T2033estpass
Te1951stpass
Te2019stpass
Tes1961tpass
Tes1970tpass
Tes2037tpass
Test2045pass
Testp1950ass
Testp1983ass
Testpa1973ss
Testpa1990ss
Testpa2039ss
Testpas1944s
Testpas2002s
Testpas2048s
Testpass1988
T0XlC-insert_space_and_special_0_F.rule Testpass -Testpass
*Testpass
T~estpass
T(estpass
T}estpass
Te~stpass
Te;stpass
Te.stpass
Te}stpass
Te*stpass
Tes/tpass
Tes]tpass
Tes%tpass
Testp|ass
Testp.ass
Testpa-ss
Testpas(s
Testpas]s
Testpas{s
Testpass!
T0XlC-insert_top_100_passwords_1_G.rule Testpass T666666estpass
Test121212pass
Testpass
Testpass131313
Testpassamsungs
Testpassasdfasdf
Testpassdaniel
Testpassmetallica
Testpassqazwsx
Testpassupermans
Tfreedomestpass
Tqwer1234estpass
T0XlC Testpass dysTestpass
earthtestpass
oilTestpass
over-Testpass
potTestpass
ssaptseTment
testpass!!!!!!!
Testpas_s
Testpass@123
Testpass2013&
Testpass65
Testpass.ai
testpasscy
tESTPASSloop
Testpass.lr
testpassly
Testpass.nc
Testpassous
Testpass.pl
TestpassTestpassway
T0XlCv1 Testpass Hestpass
inkTestpass
macroTestpass
microtestpass
T77estpass
Tammestpass
Tdiestpass
Teslietpass
Testit1pass
Testpakerss
testpasB
Testpass
Testpass6]
Testpass.hu
Testpass.jobs
Testpasst3
TestpassTestpasslet
Testpiaass
testpo
Toggles1 Testpass testpass
Testpass
TestpasS
TestpaSs
TestpAss
TestPass
TesTpass
TeStpass
TEstpass
Toggles2 Testpass Testpass
TestpasS
TestpaSs
TestpAss
TestPass
TesTpass
TesTpasS
TesTpAss
TesTPass
TeStpass
TEstpaSs
Toggles3 Testpass Testpass
TestpasS
TestpaSs
TestpaSS
TestpAss
TestpAsS
TestpASs
TestPasS
TestPAss
TesTpass
TesTpasS
TesTpaSs
TesTpAsS
TeStpass
TeStpaSs
TEstpasS
TEsTpass
Toggles4 Testpass testpasS
testpaSs
tEstpass
TestpaSs
TestpaSS
TesTpasS
TesTpAsS
TesTPass
TeStpass
TeStpasS
TeStpaSs
TeStpASs
TeStPass
TEstpasS
TEstpaSs
TEstpaSS
TEstPasS
Toggles5 Testpass testpaSs
testpaSS
tesTPass
teStpass
tEstpASs
TestpaSS
TestPass
TestPAss
TesTpaSs
TesTPaSS
TeStpasS
TeStpAss
TeStPass
TEstpass
TEsTpaSs
TEStpass
TEStpAss
Unix-ninja   T357p455
T357p@55
T35tp455
T35tp@55
T35tpa55
T3s7p4ss
T3s7pass
T3stpass
T3stp@ss
Te57p455
Te57p@55
Te57pa55
Te5tp@55
Te5tpa55
Tes7pass
Tes7p@ss
Testp@ss

The post Better Hacking Through Cracking: Know Your Rules appeared first on TrustedSec.



from TrustedSec https://www.trustedsec.com/blog/better-hacking-through-cracking-know-your-rules/

Comments

Popular posts from this blog

Krebs - NY Charges First American Financial for Massive Data Leak

KnowBe4 - Scam Of The Week: "When Users Add Their Names to a Wall of Shame"