Advanced Attacks

Rules

Rules are probably one of the more confusing aspects of wordlist mangling. A rule is a way of instructing the cracker to perform targeted mangling on a candidate. For instance, the rule "u", will take each entry from the wordlist, and uppercase it. So "password" will become "PASSWORD". If the input word is "PASSword", it is still transformed into "PASSWORD".

You can also chain rules together. Here, we will use "r" and "u" together. Our candidate word will again be "password". First, "r" will reverse the word. Our candidate is now "drowssap", then "u" is applied to uppercase it. The candidate is now "DROWSSAP". The following shows how a multi rule file might look: 

$ cat password-village.rule
# do nothing to the candidate word
:
# uppercase the candidate word
u
# reverse the candidate word
r
# reverse then uppercase the candidate word
ru
# duplicate the word
f

Unlike Hashcat, JTR parses possible rules from its config file. To add your custom rules, you will need to create an entry for it. Let's use an existing entry to base our new rule file off of. 

[List.Rules:rockyou-30000]
!! hashcat logic ON
.include 
!! hashcat logic OFF

So we have a header, to identify the rule, a "hashcat logic" switch to tell JTR the rule file was written in Hashcat notation, the path to the rule file, and a switch to turn off Hashcat logic. Let add our rule file right below this one. 

[List.Rules:password-village]
!! hashcat logic ON
.include 
!! hashcat logic OFF

With our entry update, we can now use it with JTR: 

./john hashlist -w:wordlist --rules:password-village

Hashcat is a little easier to handle in this regard. Make your rule file, and load it right on the commandline. They can also be specified directly on the commandline if you only wanted to run one rule (or chain). 

./hashcat hashfile wordlist --rules password-village.rule
|_______| |______| |______| |_____| |___________________|
    |        |        |        |              |
    |        |        |        |              |_ Our rule rule_file
    |        |        |        |
    |        |        |        |_ Specify we want a rule attack
    |        |        |
    |        |        |_ Path to our wordlist
    |        |
    |        |_ Path to our hashfile
    |
    |_ Invoke Hashcat

To specify a rule on the commandline we need to take a quick break and explain the "left side" (-j) "right side" (-k) concept Hashcat uses. Basically, when you load only a wordlist, you are operating in "left side" only mode. If we want to mangle words with rules, we specify the "-j" flag. Later, we will talk about "hybrid" modes where "right side" comes into play, but lets press on for now. 

./hashcat hashfile -j ru wordlist
|_______| |______| |  |  |______|
    |        |     |  |     |
    |        |     |  |     |_ Path to our wordlist
    |        |     |  |
    |        |     |  |_ The rule we want to apply (reverse, then uppercase)
    |        |     |
    |        |     |_ Specify "left side" operator
    |        |
    |        |_ Path to our hashfile
    |
    |_ Invoke Hashcat

Most rules are supported by Hashcat and JTR in the same way, but there are rules specific to each. Each of these crackers will ignore rules they do not support meaning you can mix them up, and use them from a single file, but you will only see results from the cracker that supports the rule you have written. Both of these tools have a list of supported rules. Here for Hashcat, and here for JTR.

Hashcat Example Command JTR Example Command
./hashcat64.bin hashlist -r rule_file wordlist ./john hashlist -w:wordlist --rules:All
./hashcat64.bin hashlist -j ru wordlist

Mask

Mask attacks are a directed form of brute-force attacks based on character classes. To understand mask attacks, one must first understand what a mask is.

A password mask (sometimes referred to as a password "topology", or password "structure") is a sequence of character classes. The character classes that most people are familiar with are uppercase letters, lowercase letters, digits, and special characters, but a character class can include any characters you want. Hashcat/JTR use the following abbreviations:

Abbreviation Character's included
?u ABCDEFGHIJLKMNOPQRSTUVWXYZ
?l abcdefghijklmnopqrstuvwxyz
?d 0123456789
?s !@#$%^&*()_+`~-=[]\{}|;':",./?<>

The password mask for the password "Apple123!" would be "?u?l?l?l?l?d?d?d?s".

To perform a mask attack, you first need to assemble a list of masks. There are many ways to do this, but a great starting point is to build masks from previously cracked passwords. During a mask attack, the cracker will exhaust all possible guesses in each supplied mask before moving onto the next.

See this KoreLogic blog post for a list of common masks computed from passwords found in the wild.

Masks can also use custom character sets. For instance, if you want to only attempt A-F in the left most position of the password candidate, you can do the following:

Hashcat format:
-1 ABCDEF ?1?l?l?l?l?d?d?d?s
|_||____|  |
 |  |      |_ Custom charset position
 |  |
 |  |_ Custom character set 
 |
 |_ Custom charset identifier

JTR format:
-1=[A-F] --mask='?1?l?l?l?l?d?d?d?s'
|_||___|          |
 |  |             |_ Custom charset position
 |  |
 |  |_ Custom character set 
 |
 |_ Custom charset identifier

Hybrid (Append)

Hybrid attacks combine dictionary and mask attacks into one. Here, we are using "left side" and "right side". You can think of them like a Combination attack where one side is a dictionary, and the other is a mask. For example, if we consider the following dictionary file "foo.dict": 

$ cat foo.dict
Summer
Winter

Then the hybrid attack where our dictionary "foo.dict" (left side) is appended with the mask "?d?d" (right side) would look like this.

./hashcat hashlist -a 6 wordlist ?d?d
|_______| |______| |__| |______| |__|
    |        |      |      |      |
    |        |      |      |      |_ Increment 0-9 and 0-9
    |        |      |      |
    |        |      |      |_ Specify we want to use a wordlist and provide the path to the wordlist we want to use
    |        |      |
    |        |      |_ Specify the hybrid (append) attack mode
    |        |
    |        |_ Specify the path to our hash[es]
    |
    |_ Invoke the hashcat program

./john hashlist -w:wordlist --mask ?w?d?d
|____| |______| |_________| |____|  | |__|
  |       |          |        |     |   |
  |       |          |        |     |   |_ Increment 0-9 and 0-9
  |       |          |        |     | 
  |       |          |        |     |_ Insert each word from the wordlist here
  |       |          |        |
  |       |          |        |_ Specify we're doing a mask attack
  |       |          |
  |       |          |_ Specify we want to use a wordlist and provide the path to the wordlist we want to use
  |       |
  |       |_ Specify the path to our hash[es]
  |
  |_ Invoke the john program

Summer00
Summer01
Summer02
...
Summer99
Winter00
Winter01
Winter02
...
Winter99

We can also add rules to this. Lets say, our dictionary was made to target seasons, but since it is based on cracks we already have, theres some unwanted stuff on the end.
Summer1964
Fall2011
Winter1999
Spring1984
Now, we want to strip off the existing years. Let's combine a hybrid attack, with a rule attack. 

./hashcat hashlist -a 6 wordlist -j ]]]] ?d?d?d?d
|_______| |______| |__| |______| |_____| |______|
    |        |      |      |        |       |
    |        |      |      |        |       |_ Bruteforce 0000 - 9999
    |        |      |      |        |
    |        |      |      |        |_ Truncate (]) the right side of the word 4 times (Summer1964 -> Summer)
    |        |      |      |
    |        |      |      |_ Path to our wordlist
    |        |      |
    |        |      |_ Specify hybrid (append) attack
    |        |
    |        |_ Path to our hashlist
    |
    |_ Invoke Hashcat
Hashcat Example Command JTR Example Command
./hashcat64.bin hashlist -a6 wordlist ?d?d ./john hashlist -w:wordlist --mask=?w?d?d
./hashcat64.bin hashlist -a6 wordlist -j ru ?d?d

Hybrid (Prepend)

Conversely, hybrid attacks can be performed when the mask is prepended to the dictonary entires. In this case, the attack would make the following guesses.

00Summer
01Summer
02Summer
...
99Summer
00Winter
01Winter
02Winter
...
99Winter
Hashcat Example Command JTR Example Command
./hashcat64.bin hashlist -a7 ?d?d wordlist ./john hashlist -w:wordlist --mask=?d?d?w

Hybrid (JTR Specific)

In JTR hybrid attacks can be performed on both sides of a wordlist. For example, generate candidates with a mask on either side of a word, we can use the mask flag (--mask) in conjunction with the wordlist flag as in the above examples, then define the mask in the positions we choose. For example, the following commandline would generate all possible combinations of [00-99]Summer[00-99]:

./john hashlist -w:wordlist --mask ?d?d?w?d?d
|____| |______| |_________| |____| |__|| |__|
  |       |          |        |      | |  |
  |       |          |        |      | |  |_ Increment 0-9 and 0-9
  |       |          |        |      | |
  |       |          |        |      | |_ Insert each word from the wordlist here
  |       |          |        |      |
  |       |          |        |      |_ Increment 0-9 and 0-9
  |       |          |        |
  |       |          |        |_ Specify we're doing a mask attack
  |       |          |
  |       |          |_ Specify we want to use a wordlist and provide the path to the wordlist we want to use
  |       |
  |       |_ Specify the path to our hash[es]
  |
  |_ Invoke the john program

00Summer00
00Summer01
00Summer02
...
99Summer99
00Winter00
00Winter01
00Winter02
...
99Winter99
Copyright © Password Village