RevsUp Lab: Hashcat 06
Rule Based Attacks
Rule Based Attacks
So far we have covered a variety of different angles of attacking password hashes through
hashcat. We have gone through examples of dictionary, combination, mask, and hybrid
attacks, as well as different ways to utilize each. All these attacks possess a common
trait, they are basically just different ways of defining a character space to iterate
through. A dictionary attack supplies a wordlist that hashcat parses through, systematically
hashing and comparing. A combination attack is just the same, essentially multiplying two
dictionaries together. Mask attacks simply iterate through every combination of a template
of the user's choosing, the mask. Hybrid attacks combine dictionaries and masks, but
how the attack functions is still the same. Now we will explore a more dynamic method
of attacking hashes, rule based attacks.
A rule is a specific syntax that can be given to hashcat that will manipulate
existing words picked from a dictionary or generated by a mask. This can be extremely
valuable if password patterns can be found and mimicked with a rule. For instance, a
common pattern in passwords is to capitalize the first letter. Using a mask you could
try every capital or lowercase letter, or in a dictionary you could take every word and
add a copy with the first letter capitalized. As you can imagine, both of these methods
are less than ideal. This is where a rule based attack can really shine. By the
Capitalize rule in hashcat, every word tested in the attack will be checked again after
being modified by the rule.
Word Transformed Word(Capitalize)
A chart full of the possible rules can be found on hashcat's wiki, take a look through
these. By applying these rules, your given keyspace can be modified to cover seemingly
complex passwords quite easily, without having the same performance impact as a large
As is the case with mask attacks, rule based attacks can be stored in files to create
rule sets. Hashcat can then use these rulesets, iterating down the list to quickly
try many different patterns. Some premade rules are included with hashcat in the
rules folder. These rule sets have proven to be quite effective and looking
through them can give inspiration on how to effectively make use of rules in an attack.
(1) Leetspeak is a popular method people use to incorporate
symbols into their passwords, supposedly making them more difficult to crack while also
staying easy to remember. With rules we can see how this behavior can be used to refine
an attack. Take a look at the leetspeak rule set and see if you can describe what some
of the rules would do to a word.
(2) If the leetspeak rule set was used and the current word being tested with
hashcat is "password", what different modified words would be created?
(3) Come up with a rule to invert the case of the first letter of every word
in your dictionary.
(4) In the rule based attack wiki random rules are mentioned. Why would generating
random rules be useful?
(5) Why would using a rule that swaps every letter 'a' in a word with '@' result
in less total hashes than duplicating every word in a dictionary and manually applying
the change to the duplicates?
(6) With small and medium sized dictionary attacks, some claim that rule based
attacks are practically 'free' to perform. Why might they say this? (Hint: think about
some of the messages hashcat gives when performing simple dictionary attacks.)
(1) Let's assume the variable s is the speed of an attack in Hashes per
second. The variable n is the number of total hashes the attack will perform.
What is the formula for the total time the attack will take, t?
(2) Why is a real world application of the previous problem always an estimate?
(3) A collision refers to when two unique passwords map to the same
hash. Knowing what we do about hashes, why is this a problem? Without going into
technical detail, why do collisions happen in the first place?
(4) Knowing your answers to the previous questions, why is a hashing algorithm
like MD5 less secure than something like SHA256?
(5) If you are given a large file full of password hashes to crack, what is a
basic plan of attack? What types of attacks do you perform and in what order?