Thursday, September 8, 2011

An Explanation of Hashcat Rules

I have come to realize that there is not a lot of solid documentation on how rules work or what rules do what, so I thought I would share my personal cheat sheet that I made for anyone else that may find it helpful. The better your rules are the more passwords you will find when cracking. It is also helpful to be able to customize the rules being used to fit the target as different techniques may yield varying results on different hash lists. I am not a pro but the below is a brief overview of how Hashcat Rules work and a few tricks that should help to get you started and on your way.

Here is a quick trick for generating rules via oclHashcat itself and saving them so we can review and learn how to create our own rules. You need to generate as many rules as the tool will allow, try "-g 999999" from command line (or just define number of rules to generate in the GUI).  We will then need to use debugging to help save the rules, which can be accomplished by adding this to the end of your command:
                –debug-file=C:\Hashcat\recorded.rule –debug-mode=1

In order to avoid confusion later, I must call out that oclHashcat (GPU) works using a left and right mask. The tool breaks each attempt into two pieces to speed up the attack, a right mask and a left mask. This allows us to define how either side is used during an attack: dictionary based, hybrid dictionary+rules, a defined mask to use based on charsets provided, or some combination of the above. Things will become clearer once you have investigated and played around with the rules a bit, so hang in there...

Charsets are broken into the following groups:
                ?l is all lower case letters from a to z
                ?u is all upper case letters from a to z
                ?d is all digits from 0-9
                ?s is all special characters on a standard keyboard
                ?h is all ISO-8859 characters or “HEX” characters
                ?D is all 8-bit characters from the German alphabet
                ?F is all 8-bit characters from the French alphabet
                ?R is all 8-bit characters from the Russian alphabet
                ?1 is custom user defined charset
                ?2 is custom user defined charset
                ?3 is custom user defined charset
               
NOTE: foreign alphabet call is case sensitive.
               
These are used by themselves, customized or combined to form a mask. In order to use the custom user defined charset simply define the charset(s) before using, like so:
                -1 abc
-2 123
                ./oclHashcat hash.txt ?1?1?1?1 ?2?2?2?2

This will try to crack hashes from hash.txt of 8 characters in length using the charset defined of abc for the ?1 instances and 123 for the ?2 instances. You can keep it simple or get as complex as you like. Here are some more charsets you could use instead:

Reference Charsets:
                0123456789
                aeiou
                AEIOU
                aeiouAEIOU
                bcdfghjklmnpqrstvwxyz
                BCDFGHJKLMNPQRSTVWXYZ
                bcdfghjklmnpqrstvwxyzBCDFGHJKLMNPQRSTVWXYZ
                abcdefghijklmnopqrstuvwxyz
                ABCDEFGHIJKLMNOPQRSTUVWXYZ
                abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
                !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
                ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
                ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
                abcdefghijklmnopqrstuvwxyz0123456789
                abcdefghijklmnopqrstuvwxyz0123456789!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
                abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
                abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~

Top Used Characters in English passwords based on statistical analysis (done by others):
                etaoinsrhldcumfpgwybvkxjqz
                eaosrinl1tmcd2hbuyp
                eaosrinl1tmcd2hbuypg3k0456wf798

Here is a link if you’re interested in statistics based around other languages:   http://www.bckelk.ukfsn.org/words/etaoin.html
               
Complete overview of the Hashcat Rules and what they do:
  •  l = lowercase all letters of each word in wordlist
  •  u = uppercase all letters of each word in WORDLIST
  •  c = capitalize first letter of each word in Wordlist
  •  C= make the first letter of each word in the wordlist lowercase and makes the rest of the letters uPPERCASE
  • t = tOgGLe cAsE fOr AlL wORdS
  • TN = tOgGLe cAsE for character position N, where N = the letter N spaces from left starting position
  • r = reverse each word in wordlist (so it is sdrawkcab - backwards)
  • d = duplicate each word in wordlist in combo fashionfashion
  • f = duplicates each word in wordlist in reverse fashionnoihsaf
  • $N = append character to end of each word in wordlist, where N=the appended char to each word
  • ^N = prefix character to add to start of each word in wordlist, where N=the char to prefix to each word
  • pN = append word to itself N times
  • { = shift characters in word one space to the left|eftl
  • } = shift characters in word one space to the right|trigh
  • [ = deletes the first character of each word in wordlist
  • ] = deletes the last character of each word in wordlist
  • 'N = truncate each word in wordlist at position N
  • DN = if you don’t want to truncate the entire word but only delete specific char you can use this one, deletes the character in position N of each word in the wordlist
  • xNM = delete the characters from a range, where the range is defined based on character position from position N through position M
  • iNM = insert character at defined position, where N defines the character position and M defines the character to insert
  • oNM = if you don’t want to insert but replace this will overwrite, N defines position to overwrite and M defines char to overwrite with
  • sNM = swap and replace all occurrences of character defined by N with character defined by M (helpful for 1337 changes)
  • @N = removes all instances of the character defined by N from each word in the wordlist
  • zN = duplicates the first character of each word in wordlist N times
  • ZN = duplicates the last character of each word in wordlist N times
  • q = duplicates every single character in each word from the wordlist (so there will be ttwwoo ooff eeaacchh)
OK, so now you have an idea of what is available to you to use in creating your own custom rule sets. Open your favorite text editor and go to town creating your own custom rules, and save as "name.rule" and save in your rules folder. If you want to customize your rules to share with the world it might also be helpful to add some formal titles and descriptions. If you want to add this to your rule file then simply add comments using a “#” symbol and everything that follows is assumed as comment. You will want to add them to the top of the file and label them so it is clear. If you want to follow the format provided by the Hashcat team then you should call out a description of the rule file, the author or created by, and the version if you go multiple rounds on a rule set (trust me this part helps). It should look like this:

# Rules: HR’s custom rule set
# Created by: Hood3dRob1n
# Version: 1.0
:
l
c
u
t
$0
$1
$2
…blah more rules…

NOTE: you can use either “Author” or “Created by”, and you can shorten to just “V” instead of typing out the full word “Version” followed by the number (i.e. “V1.0”)

To teach by example:
Here is an example of what the famous “Best64.rule” file looks like (available in the Hashcat forums user contribution area). This is based on statistical analysis of common passwords. I have //commented each line item so you can see how each rule is applied.

==================================================================================
## rule: best 64 rules by statistics, manually optimized
## limits: none
## example: none
## extras: none

: //this does nothing
l //lowercase
c //capitalize the first letter
u //uppercase
t //toggle case
$0 //append 0 to end
$1 //append 1 to end
$2 //append 2 to end
$3 //append 3 to end
$4 //append 4 to end
$5 //append 5 to end
$6 //append 6 to end
$7 //append 7 to end
$8 //append 8 to end
$9 //append 9 to end
$0 $1 //append 01 to end
$1 $2 //append 12 to end
$1 $2 $3 //append 123 to end
c $0 //capitalize the first letter and append a 0 to the end
c $1 //capitalize the first letter and append a 1 to the end
c $0 $1 //capitalize the first letter and append a 01 to the end
c $1 $2 //capitalize the first letter and append a 12 to the end
c $1 $2 $3 //capitalize the first letter and append a 123 to the end
[ //deletes the first character of the word
[[ //deletes the first two characters of the word
[[[ //deletes the first three characters of the word
[[[[ //deletes the first four characters of the word
] //deletes the last character of the word
]] //deletes the last two characters of the word
]]] //deletes the last three characters of the word
]]]] //deletes the last four characters of the word
[    $1 //deletes the first character of the word and appends 1 to the end
[[   $1 //deletes the first two characters of the word and appends 1 to the end
[[[  $1 //deletes the first three characters of the word and appends 1 to the end
[[[[ $1 //deletes the first four characters of the word and appends 1 to the end
D1 //Deletes the first character of word
D2 //Deletes the second character of word
D3 //Deletes the third character of word
D4 //Deletes the fourth character of word
D5 //Deletes the fifth character of word
D6 //Deletes the sixth character of word
'7  //deletes any characters beyond the seventh character position
'8  //deletes any characters beyond the eighth character position
'9  //deletes any characters beyond the ninth character position
$2 $0 $0 $0 //appends 2000 to the end of each word
$2 $0 $0 $1 //appends 2001 to the end of each word
$2 $0 $0 $2 //appends 2002 to the end of each word
$2 $0 $0 $3 //appends 2003 to the end of each word
$2 $0 $0 $4 //appends 2004 to the end of each word
$2 $0 $0 $5 //appends 2005 to the end of each word
$2 $0 $0 $6 //appends 2006 to the end of each word
$2 $0 $0 $7 //appends 2007 to the end of each word
$2 $0 $0 $8 //appends 2008 to the end of each word
$2 $0 $0 $9 //appends 2009 to the end of each word
$2 $0 $1 $0 //appends 2010 to the end of each word
$2 $0 $1 $1 //appends 2011 to the end of each word
$2 $0 $1 $2 //appends 2012 to the end of each word
$s //append an "s" to the end of each word
$e $d //append "ed" to the end of each word
$i $n $g //append "ing" to the end of each word
Z1 //duplicate the last letter of each word one timee
d //append each word to itself
sa@ //swap all occurrences of the character "a" for "@"
se3 //swap all occurrences of the character "e" for "3"
================================================================================= 

NOTE: Rules can only be applied on wordlists, not masks.

I hope you find this overview helpful and if you have any suggestions or if I missed anything please comment so I can make sure it stays up to date, and covers all the needed material to get you started. Until next time, Enjoy!

Laters,
H.R.

5 comments:

  1. Great explanation !

    Lots of good info here, nice job.

    ReplyDelete
  2. Can you use multiple rules at once?

    ReplyDelete
  3. In the latest versions you can use more than one rule. They do not run in sequence but rather layer upon each other. Just use multiple instances of the -r option to point to the various rules files you want to use. You can read more about it on their wiki pages here: https://hashcat.net/wiki/rule_based_attack (search for 'Multi-rules' to find specifics). Hope that helps, let me know if any more questions.

    ReplyDelete
  4. HI HR, I was wondering if you could help me out. I have been trying to do a rule based attack for a while now and have encountered a hurdle. It seems that the plaintext whose hash value I have to find a collision for consists of a date in the format of 2014-08-26 $salt . I am currently facing a problem where ocl-hashcat assumes the hyphens as command line parameter thingies instead of being part of the character mask. Could you help with a solution to this please? Thanks.

    ReplyDelete