TrustedSec - Better Hacking Through Cracking: Know Your Rules
THIS POST WAS WRITTEN BY @NYXGEEK
Intro
Password recovery tool hashcat ships with a bunch of great rules, but have you actually looked at them? Being familiar with the built-in rules can help enhance your cracking capabilities and enable you to choose the right rule or rule combination.
So where are these rules anyways? The rules files exist in a “rules” folder that comes with hashcat. Here’s what a default rules folder will look like:
One of the most basic things to know is how LONG the different rulesets are. How many permutations will be applied to the wordlist? This is important for gauging how long a job will take and decide which combinations of wordlist + rules might be completed in a timely manner.
To find the length of the rulesets we could use “wc -l”, but there are some comments and blank lines in these rules. So for accuracy, use a little Bash one-liner:
for file in `ls *.rule`; do echo -n "$file ";cat $file | grep -v '^#' | grep -v '^[[:space:]]*$' | sort -u | wc -l; done | awk '{print $2"\t"$1}' | sort -nr 99085 dive.rule 65117 generated2.rule 34156 d3ad0ne.rule 30000 rockyou-30000.rule 20000 T0XlCv2.rule 15487 Incisive-leetspeak.rule 14728 generated.rule 6662 T0XlC_insert_HTML_entities_0_Z.rule 6551 InsidePro-HashManager.rule 4943 toggles5.rule 4085 T0XlC.rule 4016 T0XlC-insert_00-99_1950-2050_toprules_0_F.rule 3234 InsidePro-PasswordsPro.rule 3071 unix-ninja-leetspeak.rule 1940 toggles4.rule 1601 T0XlC-insert_top_100_passwords_1_G.rule 575 toggles3.rule 480 T0XlC-insert_space_and_special_0_F.rule 256 oscommerce.rule 176 specific.rule 120 toggles2.rule 77 best64.rule 51 combinator.rule 30 T0XlC_3_rule.rule 17 leetspeak.rule 15 toggles1.rule
Here’s a chart to really visualize the difference:
Alright, we have the lay of the land. Now let’s look at some of these rules and touch on their origin stories (if known).
Hashcat Rules Reference We will be examining hashcat rules briefly — if you want to decipher these rules, check out: https://hashcat.net/wiki/doku.php?id=rule_based_attack |
best64
The best64.rule is the go-to, tried and true rule used by crackers across the planet. Well, best64.rule has a secret.
THAT’S RIGHT! Take out the comments and blank lines and you’re left with 77 unique rules in best64.
If best64 isn’t 64 lines, then what else have I been assuming?
Let’s take a look:
This is a rarity in the rules world: regular and clear comments! best64 has some pretty standard rules, making common permutations such as appending a number, reversing a word, uppercasing a word, etc.
The best64 rule is great on its own, stacked with itself (best64 + best64), or combined with other rules (e.g., best64 + toggles2).
Dive
Created by someone known as ‘dive’, the Dive ruleset is huge. I had always mistakenly assumed ‘dive’ was in reference to it being a ‘deep dive’ ruleset. It is thorough and has a great success rate if you can spare the time. Use this with fast hashes (NT, MD5, etc.) or a short wordlist.
Although the dive ruleset is large, it’s sorted by popularity, which makes it easy to take advantage of partial lists. For instance, if the full 99,000+ lines are too much, use the Linux program ‘head’ to pull out a smaller range.
head -n 10000 dive.rule > head.dive.10k.rule
This trick can be used with most rulesets, as they are typically count-ordered.
The T0XIC Rules
A set of rules by someone known as ‘T0XlC’, the T0XlC rules include:
T0XlC.rule
T0XlCv2.rule
T0XlC-insert_top_100_passwords_1_G
T0XlC-insert_space_and_special_0_F
T0XlC-insert_00-99_1950-2050_toprules_0_F
T0XlC_insert_HTML_entities_0_Z.rule
T0XlC_3_rule.rule
These are some great rules. Let’s take a brief look at the various rulesets.
T0XIC.rule/T0XICv2.rule
These rules are a top selection of tested rules (likely compiled with hashcat’s debug option). T0XlC.rule has 4,085 rules (4,086 claimed), and T0XICv2 has 20,000 rules. They appear to be from different testing runs, since the top rules are not overlapped.
I’ve had good success with both, but if you have the GPUs/CPUs, go for the bigger list.
Hashcat Tip: Note: The title of some of these T0XlC rules will make more sense if you understand character positions in rules in hashcat. For hashcat rules, the character positions are referred to as 0-9, but then the counting switches over to alpha. Counting upwards goes like: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ | | 0 <—— ——> 35 So when you see the “_1_G” in the rule name, those are the character positions that it’s referring to. To learn more about the rules, check out https://hashcat.net/wiki/doku.php?id=rule_based_attack |
T0XIC-insert_top_100_passwords_1_G.rule
To see what words are actually in here, we can use sed to pull out any of the ‘i1’, ‘i2’, etc., rules-specific syntax.
cat T0XlC-insert_top_100_passwords_1_G.rule | sed 's/i[0-9A-P]\{1\}//g' | head
To get a better idea of the actual contents, include ‘shuf’ in the command before the ‘head’ command, so that a random selection is shown instead of just the top alphabetical.
cat T0XlC-insert_top_100_passwords_1_G.rule | sed 's/i[0-9A-P]\{1\}//g' | shuf | head -n 30
These words are fine but a little dated. I recommend making your own custom version of this list. Creating this is a little beyond the scope of this post, but a future writeup will go in-depth into making your own custom rules.
T0XIC-insert_space_and_special_0_F.rule
This rule inserts spaces and special symbols at every position from 0-F.
Two (2) symbols are missing from this:
+ and \
I submitted a pull request to fix the omission, and it was accepted (https://github.com/hashcat/hashcat/pull/3457).
The updated rule can be found here:
https://github.com/hashcat/hashcat/blob/master/rules/T0XlC-insert_space_and_special_0_F.rule
T0XIC-insert_00-99_1950-2050_toprules_0_F.rule
This ruleset is super useful—users put numbers everywhere in passwords.
To get a clearer view of what the insertion rules are doing, remove the insert rules’ syntax:
cat T0XlC-insert_00-99_1950-2050_toprules_0_F.rule | sed 's/i[0-9A-Z]\{1\}//g' | sort -u
Here’s another instance where hashcat lied to us. While the rule title indicates 1950 – 2050, the years actually span from 1930 to 2050. Also, reviewing the file shows no insertions of 00-99.
Another puzzling factor is that, while the title and comment state that it runs from positions 0 – F (16 positions total), it actually covers from 0 to 32 characters out.
This ruleset also has some additional bonus rules at the end: truncation, deletion of a few characters, and some case toggling.
At any rate, this is an awesome rule and is very useful. It is a relatively small ruleset, which makes it a great candidate for stacking with best64 or one of the leetspeak rules.
I submitted a pull request to fix the omission of the insert 00-99 rules, and it was accepted (https://github.com/hashcat/hashcat/pull/3457). I did not reduce the character positions, or the 1930-2050 range. The updated rules can now be found here:
https://github.com/hashcat/hashcat/blob/master/rules/T0XlC-insert_00-99_1950-2050_toprules_0_F.rule
I’ve also created a true-to-the-title form that can be found here:
This ‘as_advertised’ ruleset strictly does an insert of 1950-2050, and 00-99 in the character positions 0-F. No extras.
I ran some benchmarks of the new and improved rulesets versus the original, and the results were fantastic. (The benchmark below was done against a single random domain dump using rockyou.txt.)
T0XIC_3_rule.rule
The last T0XlC rule to mention is T0XlC_3_rule.rule. This newcomer (as of hashcat 6.2.6) is a remarkably efficient rule, measuring in at only 30 lines.
Rockyou-30000
Rockyou-30k is a rule file based on Password Analysis and Cracking Kit (PACK) output. The PACK tool can be found here: https://github.com/iphelix/pack.
Rockyou was a plaintext dump, which made it particularly valuable (100% ‘crack’ rate). It’s still a handy wordlist today, despite its age. This ruleset used PACK to perform an analysis of the dump.
The Rockyou-30k rule made its first appearance in hashcat v0.15 (https://hashcat.net/forum/thread-2543.html) from iphelix (https://twitter.com/_iphelix) circa 2013.
d3ad0ne
Created by d3ad0ne (https://twitter.com/d3ad0ne_), this ruleset uses PACK circa 2013.
Generated/Generated2
As the name suggests, these were generated using the hashcat ‘-g’ option and benchmarked for effectiveness against hashes.
Generated
The original Generated.rule first appeared, as far as I could find, from K9 on the hashcat forum, in May 2010. (https://hashcat.net/forum/thread-27.html?highlight=generated.rule)
Per the comment, it is a “collection of unique auto-generated rules which recovered a password”. This likely means it was generated using hashcat’s debug option (we will cover this in a later post).
It works well and is fairly lightweight.
Generated2
Generated2 was created by EvilMog (https://twitter.com/Evil_Mog). Here is a write-up about the process behind it:
https://github.com/evilmog/evilmog/wiki/Hashcat-Raking—generated2.rule
This is a highly effective ruleset but is a little on the large side. Use it like ‘dive.rule’. If needed, chop it down using the ‘head’ command.
InsidePro
InsidePro-HashManager
InsidePro-PasswordsPro
InsidePro was a password cracking site/forum. Although the owner shut down due to time constraints, here is a web archive of the site:
https://web.archive.org/web/20190305112137/http://insidepro.team/
(Thanks to https://forum.hashkiller.io/index.php?threads/insidepro-alternatives-wordlists-etc.31629/ )
There was also a cracking program called PasswordsPro. The InsidePro-PasswordsPro ruleset is from that product (v2.5.5.0 per the rule).
While the site and product may be dead, the rulesets live on with hashcat. These are great rules, especially paired with best64 (e.g., best64.rule + InsidePro-HashManager.rule).
specific
This is a rule that I do not use often, but it has some interesting and very specific rules. It’s another rare set with well commented and clean rules.
I haven’t had much luck with this set. The patterns described in the comments are not ones that I feel are encountered often today.
leetspeak Mutators
hashcat comes with two (2) leetspeak mutators. These convert regular text to 1337$p34k, l33t$p3@<, or 1337speak, etc. You might have limited success with them on their own, but they really shine when paired with another ruleset (e.g., best64 + leetspeak).
One (1) caveat for both of these: they only perform leet conversions on lowercase characters.
Incisive-leetspeak
This one is a giant. It has various combinations of leetspeak, so even if it is only selectively used, it will still be covered (e.g., $ecret or S3cr3t versus $3cr3t).
unix-ninja-leetspeak
This mutator was made by a member of team hashcat, unix-ninja (https://twitter.com/unix_ninja). It is significantly smaller than Incisive (3,000 versus 15,000 lines) and thus offers fewer combinations. However, because of this it is great for stacking.
Toggles1-5
More mutators! These are underrated and, like the leetspeak mutator, work best with other rules. Toggles1 is super lightweight and can be paired with a lot of different rules without bogging down too much. However, by the time you get up to Toggles3 + rules, you can see some real impact on time.
Combinator
This rule adds common combinator-style symbols such as a dash or a period (e.g., Pass-word, Pass.word).
osCommerce
osCommerce uses a weird hashing method. This rule is for those hashes only. This is not one that most people are going to need. If you wanna geek out though, here is a neat write-up on dissecting the osCommerce hashing method:
http://ryanuber.com/09-24-2010/os-commerce-password-hashing.html
Conclusion – Which Should I Use?
A lot of variables come into play when choosing a ruleset. This includes the probable strength of the passwords, the hash type, wordlist size and type, CPU/GPU power, and available time.
Let’s touch briefly on which of these built-in rules are my favorites.
Top Picks (in order):
- best64 – Fast and great for finding a quick win against a weak password
- dive – Great results but slow due to number of rules
- InsidePro-PasswordsPro or InsidePro-Hashmanager – Both produce good results and aren’t too big, so you can easily combine with other rules.
- d3ad0ne or rockyou-30000 – About 30,000 lines, but good results
- toggles1 or toggles2 — underrated. Use these with a big wordlist, or combine with other rules.
Here are some initial benchmarks, showing example performance against real-world hashes. The following hashes were benchmarked using the hashcat rules, with rockyou.txt against a dump that had no complexity requirements, and minimal length requirements (6 char minimum).
If you enjoy these benchmarks, be sure to check out the next installation, where we will review different wordlist and rule combinations, against dumps of different strengths.
Alright, we have the lay of the land. Now let’s look at some of these rules and touch on their origin stories (if known). If anybody has any additions, or corrections to the origin stories, please let me know!
Reference Table
The following table was created to demonstrate examples of candidates generated by the various rules. To sample any ruleset, use a one-liner similar to the following:
echo “Testpass” | ./hashcat –stdout –rules=rules/generated2.rule | shuf | head -n 20 | sort -u
Rule | Example Word | Example Permutations |
best64 | Testpass | 1Testpass qest T3stpass TassTa Testp1 Testpaa Testpaer Testpasa Testpass02 Testpass1 Testpass13 Testpass4 Testpass5 Testpass9 Testpass99 Testpasss TestpTestp Testpy Testss tpTtpT |
Combinator | Testpass | tes-tpass tes&tpass tes+tpass test pass test.pass test+pass testpa-ss testpa.ss testpas s testpas-s testpas&s testpas+s Testpass TestpasS TestpaSs TestpAss TesTpass testpass1 testpass123 testpass2007 |
d3ad0ne | Testpass | 3Testtpass bTestpassbTestpass destpassTestpass estpTss eTstPassssaptsTe lTestpassz Spsteass sTespss Taestp Tdstpass Testagss Testpas0k Testpass Testpass3 TestpassTesstpass Tests0 TTCstpass Uestpass zesptass |
Dive | Testpass | Teass TemtpAmm Test1999pass Test20p80ass TestestpassTestpass Testp012ass Testp6ss Testpa5s5 Testpass Testpass[ TestpaSs Testpass143! Testpassass Testpassdumb Testpasso TestpassUT TestqAss Testsaps |
Generated | Testpass | 999Testpass 9Tfstpass estpnssT eTStpass fTetpass Ltpass ssTestpass sTestpas- T2stpass7 Teltpass tescpass Tes`pass Tespsas Testp4st Testpass Testpssa Thstpssa TTTESTPASS TTTTestpass; TTTTTTestpass |
Generated2 | Testpass | bESbESTPASS cTe tpass jdstpass jTetstpass sTestpassq T8stpasst8stpass TeCstpasss Tes0tpasss Test9=ss Testkpass` TestpaqSs Testpasass Testpass@ #Testpassz Testpsestp Testpsn TestpxassH TestTestass. TETTPTETTPASS uTestpassy |
Incisive-leetspeak | Testpass | T35tp@55 T35tpa55 T3$7p4$$ T3$+pa$$ T3stp4ss T3$tpa$$ Te57pa55 Te5+p455 Te5+p@55 Te5+pa55 Te5tpa55 Te$+p@$$ Te$+p4$$ Te$+pa$$ Tes+pass |
InsidePro-HashManager | Testpass | 2Testpass 5Testpa aTestpassa sTestpasss Te3stpass TeJstpass TeMstpass Testpass Test~pass Testpass% Testpass123 Testpass2017 Testpass5Testpass5 TestpassO THstpass |
InsidePro-PasswordsPro | Testpass | lTestpass T1E2S3T4P5A6S7S T3stpass T3stp@ss Te5tpa55 Te6stpass Testp1Ass Testpa7ss Testpa8s Testpass T.e.s.tpass. Testp$ass Testp&ass TE_STPASS TESTPASS1971 Testpass40 Testpass43 TestpassTestpassTestpassTestpass vTestpass wTestpass |
Oscommerce | Testpass | 05Testpass 11Testpass 24Testpass 34Testpass 38Testpass 43Testpass 47Testpass 4bTestpass 65Testpass 71Testpass 8dTestpass 96Testpass a9Testpass abTestpass b7Testpass b9Testpass c4Testpass e1Testpass e9Testpass edTestpass |
Rockyou-30000 | Testpass | 1ssaptseT jcestpass kestpass88 noestpass shestpass ssaptse2518 Te1979tpass Te5tpa551 Te654321tpass Te6tpa6617 Teostpasso Tesi00pass Test1118ass Test2005ass testpass!!! Testpass2120 Testpassx TestpBss Tetitpass Tustpass11 |
Specific | Testpass | Pestpass Sdrspass sestpasT Tdrsoass Tdrspass Tesaptss Tesppass Tesso`rs Tesspats Testparr Testpasq Testpasr Testpass Testqass Tettpass Tetuqbss Tewtpass Tsstpaes Ufstpass Uftupass |
T0XlC-insert_00-99_1950-2050_toprules_0_F.rule | Testpass | 1960Testpass 2016Testpass T1944estpass T2006estpass T2033estpass Te1951stpass Te2019stpass Tes1961tpass Tes1970tpass Tes2037tpass Test2045pass Testp1950ass Testp1983ass Testpa1973ss Testpa1990ss Testpa2039ss Testpas1944s Testpas2002s Testpas2048s Testpass1988 |
T0XlC-insert_space_and_special_0_F.rule | Testpass | -Testpass *Testpass T~estpass T(estpass T}estpass Te~stpass Te;stpass Te.stpass Te}stpass Te*stpass Tes/tpass Tes]tpass Tes%tpass Testp|ass Testp.ass Testpa-ss Testpas(s Testpas]s Testpas{s Testpass! |
T0XlC-insert_top_100_passwords_1_G.rule | Testpass | T666666estpass Test121212pass Testpass Testpass131313 Testpassamsungs Testpassasdfasdf Testpassdaniel Testpassmetallica Testpassqazwsx Testpassupermans Tfreedomestpass Tqwer1234estpass |
T0XlC | Testpass | dysTestpass earthtestpass oilTestpass over-Testpass potTestpass ssaptseTment testpass!!!!!!! Testpas_s Testpass@123 Testpass2013& Testpass65 Testpass.ai testpasscy tESTPASSloop Testpass.lr testpassly Testpass.nc Testpassous Testpass.pl TestpassTestpassway |
T0XlCv1 | Testpass | Hestpass inkTestpass macroTestpass microtestpass T77estpass Tammestpass Tdiestpass Teslietpass Testit1pass Testpakerss testpasB Testpass Testpass6] Testpass.hu Testpass.jobs Testpasst3 TestpassTestpasslet Testpiaass testpo |
Toggles1 | Testpass | testpass Testpass TestpasS TestpaSs TestpAss TestPass TesTpass TeStpass TEstpass |
Toggles2 | Testpass | Testpass TestpasS TestpaSs TestpAss TestPass TesTpass TesTpasS TesTpAss TesTPass TeStpass TEstpaSs |
Toggles3 | Testpass | Testpass TestpasS TestpaSs TestpaSS TestpAss TestpAsS TestpASs TestPasS TestPAss TesTpass TesTpasS TesTpaSs TesTpAsS TeStpass TeStpaSs TEstpasS TEsTpass |
Toggles4 | Testpass | testpasS testpaSs tEstpass TestpaSs TestpaSS TesTpasS TesTpAsS TesTPass TeStpass TeStpasS TeStpaSs TeStpASs TeStPass TEstpasS TEstpaSs TEstpaSS TEstPasS |
Toggles5 | Testpass | testpaSs testpaSS tesTPass teStpass tEstpASs TestpaSS TestPass TestPAss TesTpaSs TesTPaSS TeStpasS TeStpAss TeStPass TEstpass TEsTpaSs TEStpass TEStpAss |
Unix-ninja | T357p455 T357p@55 T35tp455 T35tp@55 T35tpa55 T3s7p4ss T3s7pass T3stpass T3stp@ss Te57p455 Te57p@55 Te57pa55 Te5tp@55 Te5tpa55 Tes7pass Tes7p@ss Testp@ss |
The post Better Hacking Through Cracking: Know Your Rules appeared first on TrustedSec.
from TrustedSec https://www.trustedsec.com/blog/better-hacking-through-cracking-know-your-rules/
Comments
Post a Comment