RevsUp Lab: Hashcat 06

resources:
Hashcat Wiki
oclHashcat Details
Rule Based Attacks

Rule Based Attacks

So far we have covered a variety of different angles of attacking password hashes with hashcat. We have gone through examples of dictionary, combination, mask, and hybrid attacks, as well as different ways to utilize each. All these attacks share a common trait: they are basically just different ways of defining a character space to iterate through. A dictionary attack supplies a wordlist that hashcat parses, systematically hashing and comparing each entry. A combination attack is much the same, essentially multiplying two dictionaries together. Mask attacks simply iterate through every combination of a template of the user's choosing, the mask. Hybrid attacks combine dictionaries and masks, but the way the attack functions is still the same. Now we will explore a more dynamic method of attacking hashes: rule based attacks.
A rule is a specific syntax that can be given to hashcat to manipulate existing words picked from a dictionary or generated by a mask. This can be extremely valuable if password patterns can be found and mimicked with a rule. For instance, a common pattern in passwords is to capitalize the first letter. Using a mask you could try every capital or lowercase letter, or in a dictionary you could take every word and add a copy with the first letter capitalized. As you can imagine, both of these methods are less than ideal. This is where a rule based attack can really shine. By applying the Capitalize rule in hashcat, every word tested in the attack will be checked again after being modified by the rule.
    Word        Transformed Word (Capitalize)
    password    Password
    pAsSwOrD    Password
A chart of all the possible rules can be found on hashcat's wiki; take a look through these. By applying these rules, your keyspace can be modified to cover seemingly complex passwords quite easily, without the performance impact of a large mask attack.
As is the case with mask attacks, rules can be stored in files to create rule sets. Hashcat can then use these rule sets, iterating down the list to quickly try many different patterns. Some premade rule sets are included with hashcat in the rules folder. These rule sets have proven to be quite effective, and looking through them can give inspiration on how to make effective use of rules in an attack.
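To make the transformation concrete, here is a small Python interpreter for a handful of the documented hashcat rule functions, written for this lab as an added illustration (it is not hashcat's own code). It assumes a simplified rule format in which functions on one line are separated by spaces, and the sample wordlist and rule set are constructed for the example.

```python
# Minimal interpreter for a few documented hashcat rule functions.
# Assumption (simplification): functions within one rule line are
# separated by spaces, so a rule that appends a literal space is not
# supported here. Hashcat itself also accepts functions written back to back.

def apply_rule(word: str, rule: str) -> str:
    """Apply one rule line (a sequence of functions) to a candidate word."""
    for tok in rule.split():
        op, arg = tok[0], tok[1:]
        if op == ":":                 # do nothing; passes the word through unchanged
            pass
        elif op == "l":               # lowercase all letters
            word = word.lower()
        elif op == "u":               # uppercase all letters
            word = word.upper()
        elif op == "c":               # Capitalize: first letter upper, rest lower
            word = word[:1].upper() + word[1:].lower()
        elif op == "C":               # Invert Capitalize: first lower, rest upper
            word = word[:1].lower() + word[1:].upper()
        elif op == "t":               # toggle the case of every letter
            word = word.swapcase()
        elif op == "r":               # reverse the word
            word = word[::-1]
        elif op == "d":               # duplicate the word
            word = word + word
        elif op == "$" and len(arg) == 1:   # $X appends character X
            word = word + arg
        elif op == "^" and len(arg) == 1:   # ^X prepends character X
            word = arg + word
        elif op == "s" and len(arg) == 2:   # sXY replaces every X with Y
            word = word.replace(arg[0], arg[1])
        else:
            raise ValueError(f"unsupported rule function: {tok!r}")
    return word


def expand(words, rules):
    """Every word is tested once per rule, so the keyspace is len(words) * len(rules)."""
    return [apply_rule(w, r) for w in words for r in rules]


# Constructed sample wordlist and rule set for the example.
SAMPLE_WORDS = ["password", "pAsSwOrD", "summer"]
SAMPLE_RULES = [":", "c", "sa@ so0", "c $1"]

if __name__ == "__main__":
    for word in SAMPLE_WORDS:
        for rule in SAMPLE_RULES:
            print(f"{word:<10} {rule:<10} -> {apply_rule(word, rule)}")
```

Running the script prints each candidate beside the rule that produced it, which is a quick way to sanity-check a rule line before committing a long attack to it.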

(1) Leetspeak is a popular method people use to incorporate symbols into their passwords, supposedly making them more difficult to crack while still staying easy to remember. With rules we can see how this behavior can be used to refine an attack. Take a look at the leetspeak rule set and see if you can describe what some of the rules would do to a word.
(2) If the leetspeak rule set were used and the current word being tested by hashcat is "password", what different modified words would be created?
(3) Come up with a rule to invert the case of the first letter of every word in your dictionary.
(4) In the rule based attack wiki, random rules are mentioned. Why would generating random rules be useful?
(5) Why would using a rule that swaps every letter 'a' in a word with '@' result in fewer total hashes than duplicating every word in a dictionary and manually applying the change to the duplicates?
(6) With small and medium sized dictionary attacks, some claim that rule based attacks are practically 'free' to perform. Why might they say this? (Hint: think about some of the messages hashcat gives when performing simple dictionary attacks.)

Review

(1) Let's assume the variable s is the speed of an attack in hashes per second. The variable n is the total number of hashes the attack will perform. What is the formula for the total time the attack will take, t?
(2) Why is a real world application of the previous problem always an estimate?
(3) A collision refers to two distinct passwords mapping to the same hash. Knowing what we do about hashes, why is this a problem? Without going into technical detail, why do collisions happen in the first place?
(4) Knowing your answers to the previous questions, why is a hashing algorithm like MD5 less secure than something like SHA256?
(5) If you are given a large file full of password hashes to crack, what is a basic plan of attack? What types of attacks do you perform and in what order?