In this article, we will demonstrate how to perform a rule-based attack with hashcat to crack password hashes.
For this tutorial, we are going to use the password hashes from the Battlefield Heroes leak in 2013. These passwords are MD5 hashed and can be downloaded here.
This guide is demonstrated using the Kali Linux operating system by Offensive Security. Some commands may differ on other systems but the process will be the same.
As our base dictionary, we will use the rockyou wordlist. It comes pre-installed on Kali, or you can download it here.
What Are Rules and When Would I Use Them?
First of all, consider the following scenario. You have a basic password wordlist containing the words below:
password
mysecret
qwerty
If you wanted to try the above passwords with the pattern “123” added to the end, your list will become:
password
password123
mysecret
mysecret123
qwerty
qwerty123
If you also want to capitalise the first letter of the original words, it will now become:
password
password123
Password
mysecret
mysecret123
Mysecret
qwerty
qwerty123
Qwerty
Although you can type each new pattern manually for each word in your list, this will quickly get impractical with larger wordlists.
Thankfully, we can express these patterns in programming terms using rules. With rules, we can create new passwords through modification of existing passwords supplied.
Instead of having to write every new pattern for each password like above, we only require our original wordlist:
password
mysecret
qwerty
And a file containing the rules that express our patterns:
$c
$1 $2 $3
Though much smaller, the above would produce the same outcome of words as before. Not only is this quicker than manually creating each password you want to try, your dictionary file also won’t be as large.
In short, a rule-based attack allows you to express patterns which are applied to existing passwords to quickly generate new passwords to use.
Creating Rules
Now that we can see the benefits of rules, we will now define some rules to use in our own rule-based attack. To define our own custom set of rules to use with hashcat, we need to store them in a file.
In this tutorial, we will cover some of the most commonly used rule functions:
| Name | Function | Description | Example Rule | Input Word | Output Word | | Nothing | : | Do nothing | : | p@ssW0rd | p@ssW0rd | | Lowercase | l | Lowercase all letters | l | p@ssW0rd | p@ssw0rd | | Uppercase | u | Uppercase all letters | u | p@ssW0rd | P@SSW0RD | | Capitalize | c | Capitalize the first letter and lower the rest | c | p@ssW0rd | P@ssw0rd | | Append Character | $X | Append character X to end | $1 | p@ssW0rd | p@ssW0rd1 | | Prepend Character | ^X | Prepend character X to front | ^1 | p@ssW0rd | 1p@ssW0rd | | Replace | sXY | Replace all instances of X with Y | ss$ | p@ssW0rd | p@$$W0rd |
Note: This table is a condensed version from the hashcat wiki. The full version is available here.
Creating Our Rule-Set
To start, we will create some rules to do basic manipulation of the characters.
From the above table, we will put in our rules file the lowercase, uppercase, and capitalize functions:
:
l
u
c
The colon entry instructs hashcat to try the original word. We’ll be including this so we can compare how many passwords were cracked using unmodified passwords from the wordlist.
We’ll also append to the end of the passwords the characters one to nine individually:
$1
$2
$3
$4
$5
$6
$7
$8
$9
To express multiple functions in a single rule, you can separate them with a space like the following:
$1 $2 $3
In this case we are appending characters one, two and three to the end of our passwords.
You can substitute one character for another, by doing the following:
sXY
Where X is the character to replace and Y is the new character.
For this demonstration, we will substitute the following letters for their commonly used alternatives:
- “@” or “4” instead of “a”
- “3” instead of “e”
- “1” instead of “l”
To express these as rules in a hashcat file, it looks like:
sa@
sa4
se3
sl1
sa@ se3 sl1
sa4 se3 sl1
The final rules we’ll add inserts the word “battlefield” before and after the password:
^B ^a ^t ^t ^l ^e ^f ^i ^e ^l ^d
^b ^a ^t ^t ^l ^e ^f ^i ^e ^l ^d
$b $a $t $t $l $e $f $i $e $l $d
From the above, notice we’ve also included “Battlefield” with a capital “B” before the password.
Now that we have covered the different rules we’re going to use, make sure you have created a file called “rules” that contains the following rules:
:
#Lowercase
l
#Uppercase
u
#Capitalise first character
c
#Add '1' to the end
$1
#Add '2' to the end
$2
#Add '3' to the end
$3
#Add '4' to the end
$4
#Add '5' to the end
$5
#Add '6' to the end
$6
#Add '7' to the end
$7
#Add '8' to the end
$8
#Add '9' to the end
$9
#Add '123' to the end
$1 $2 $3
#Substitute 'a' for '@'
sa@
#Substitute 'a' for '4'
sa4
#Substitute 'e' for '3'
se3
#substitute 'l' for '1'
sl1
#Substitute 'a' for '@', 'e' for '3', 'l' for '1'
sa@ se3 sl1
#Substitute 'a' for '4', 'e' for '3', 'l' for '1'
sa4 se3 sl1
#Add the word 'Battlefield' to the beginning
^B ^a ^t ^t ^l ^e ^f ^i ^e ^l ^d
#Add the word 'battlefield' to the beginning
^b ^a ^t ^t ^l ^e ^f ^i ^e ^l ^d
#Add the word 'battlefield' to the end
$b $a $t $t $l $e $f $i $e $l $d
The lines beginning with a “#” are used to indicate to hashcat that the line is a comment.
Running the Rule-Based Attack
Now that we have our rules file and providing you have the Battlefield hashes and rockyou password dictionary, we are ready to start cracking the password hashes.
In order to log the effectiveness of our rules, we’ll make use of hashcat’s debug commands. The debug option in hashcat works by logging a rule to a file every time it successfully cracks a password.
To run our rule-based attack, we will use the following command:
hashcat -m 0 bfield.hash /usr/share/wordlists/rockyou.txt -r rules --debug-mode=1 --debug-file=matched.rule
| Argument | Meaning |
| -m 0 | Identify the hash as MD5. |
| bfield.hash | The hash file to use. |
| /usr/share/wordlists/rockyou.txt | The rockyou wordlist. |
| -r rules | Points hashcat to our rules file called “rules”. |
| –debug-mode=1 | Writes the rule whenever it successfully cracks a password. |
| –debug-file=matched.rule | The name of the debug file where the matched rules are stored. |
After following the steps above, when you run the command the output should look like the following:
# hashcat -m 0 bfield.hash /usr/share/wordlists/rockyou.txt -r rules --debug-mode=1 --debug-file=matched.rule
…
b54f8d1dfd33eb3833bf3656431da977:(esteban)
fbf00f2e535e9d25ff1dac322a440c27:&YGVcft6
58559517f1e008d76f294a49e9f2923f:$killer1
069a10f97216ccbf52885c74226af651:$andra
cafa74d22621873748959d3862dca8ff:$4kur4
cbe252567989b895f503d3b9ffe758be:#1geek
[s]tatus [p]ause [r]esume [b]ypass [q]uit =>
Input.Mode: Dict (/usr/share/wordlists/rockyou.txt)
Index.....: 5/5 (segment), 553095 (words), 5720149 (bytes)
Recovered.: 154009/548686 hashes, 0/1 salts
Speed/sec.: 5.64M plains, 245.37k words
Progress..: 553095/553095 (100.00%)
Running...: 00:00:00:02
Estimated.: --:--:--:--
From our output, the run shows 154,009 hashes were cracked in total, however we do not know how many passwords each rule cracked.
To find this information, this is where our debug file comes in. If we look at its contents right now…
# cat matched.rule
…
:
sa4
$7
:
$6
:
:
:
:
:
:
…the output is not that useful. To make it easier to read, we can use the following command:
# sort matched.rule | uniq –c | sort –n –r
| Arugment | Meaning |
| sort matched.rule | Sorts the rules by grouping each occurrence of the rule with each other. |
| uniq -c | Used to count up the number of occurrences of each rule. |
| sort –n –r | Sorts the counted number of rules numerically in descending order. |
After running this command, the output becomes:
# sort matched.rule | uniq -c | sort -n -r
82135 :
15337 $1
7815 c
7493 $2
5345 l
5065 $1 $2 $3
4596 $3
4119 $7
4083 $4
3999 $5
3423 $9
3220 $6
3110 $8
1453 u
1328 se3
607 sa4
391 sl1
270 sa4 se3 sl1
121 sa@
63 sa@ se3 sl1
36 $b $a $t $t $l $e $f $i $e $l $d
Analysing the results it’s clear that adding the number one to the end of the passwords was the most effective rule, cracking an additional 15337 password hashes that would otherwise have been missed. Cumulatively we can see that the other rules also resulted in a lot of additional cracked hashes, showing the importance of applying good rules.
Furthermore, notice that adding “battlefield” at the beginning of our passwords cracked thirty-six hashes, however the other rules using the word didn’t crack any.
Using Existing Rule Files
It is worth mentioning that hashcat contains some rule files by default.
These are located in the “rules” folder of your hashcat installation:
ls -l /usr/share/hashcat/rules/
total 2412
-rw-r--r-- 1 root root 284 Dec 4 2015 best64.rule
-rw-r--r-- 1 root root 692 Dec 4 2015 combinator.rule
-rw-r--r-- 1 root root 242503 Dec 4 2015 d3ad0ne.rule
-rw-r--r-- 1 root root 973248 Dec 4 2015 dive.rule
-rw-r--r-- 1 root root 92810 Dec 4 2015 generated.rule
-rw-r--r-- 1 root root 324926 Dec 4 2015 Incisive-leetspeak.rule
-rw-r--r-- 1 root root 42026 Dec 4 2015 InsidePro-HashManager.rule
-rw-r--r-- 1 root root 22963 Dec 4 2015 InsidePro-PasswordsPro.rule
-rw-r--r-- 1 root root 327 Dec 4 2015 leetspeak.rule
-rw-r--r-- 1 root root 37939 Dec 4 2015 Ninja-leetspeak.rule
-rw-r--r-- 1 root root 1536 Dec 4 2015 oscommerce.rule
-rw-r--r-- 1 root root 331161 Dec 4 2015 rockyou-30000.rule
-rw-r--r-- 1 root root 1774 Dec 4 2015 specific.rule
-rw-r--r-- 1 root root 68087 Dec 4 2015 T0XlC-insert_00-99_1950-2050_toprules_0_F.rule
-rw-r--r-- 1 root root 2508 Dec 4 2015 T0XlC-insert_space_and_special_0_F.rule
-rw-r--r-- 1 root root 36039 Dec 4 2015 T0XlC-insert_top_100_passwords_1_G.rule
-rw-r--r-- 1 root root 38904 Dec 4 2015 T0XlC.rule
-rw-r--r-- 1 root root 116633 Dec 4 2015 T0XlCv1.rule
-rw-r--r-- 1 root root 60 Dec 4 2015 toggles1.rule
-rw-r--r-- 1 root root 690 Dec 4 2015 toggles2.rule
-rw-r--r-- 1 root root 4330 Dec 4 2015 toggles3.rule
-rw-r--r-- 1 root root 17980 Dec 4 2015 toggles4.rule
-rw-r--r-- 1 root root 54016 Dec 4 2015 toggles5.rule
If you want to view the rules contained in each file, the format is the same as what was covered in this article.
As previously mentioned, only the commonly used rule functions were covered in this tutorial. To view a full list of available rule functions, you can do so on the hashcat website here.
Summary
In this guide, we created and used our own custom rules in hashcat to perform a rule-based attack. We started by covering what rule-based attacks are and why they are used. We then proceeded to create our own rules and use the rockyou dictionary to crack MD5 hashes from the Battlefield Heroes leak in 2013.
