THIS POST WAS WRITTEN BY @NYXGEEK

Intro

Password recovery tool hashcat ships with a bunch of great rules, but have you actually looked at them? Being familiar with the built-in rules can help enhance your cracking capabilities and enable you to choose the right rule or rule combination.

via GIPHY

So where are these rules anyways? The rules files exist in a "rules" folder that comes with hashcat. Here's what a default rules folder will look like:

One of the most basic things to know is how LONG the different rulesets are. How many permutations will be applied to the wordlist? This is important for gauging how long a job will take and decide which combinations of wordlist + rules might be completed in a timely manner.

To find the length of the rulesets we could use "wc -l", but there are some comments and blank lines in these rules. So for accuracy, use a little Bash one-liner:

for file in `ls *.rule`; do echo -n "$file ";cat $file | grep -v '^#' | grep -v '^[[:space:]]*$' | sort -u | wc -l; done | awk '{print $2"\t"$1}' | sort -nr


99085   dive.rule
65117   generated2.rule
34156   d3ad0ne.rule
30000   rockyou-30000.rule
20000   T0XlCv2.rule
15487   Incisive-leetspeak.rule
14728   generated.rule
6662    T0XlC_insert_HTML_entities_0_Z.rule
6551    InsidePro-HashManager.rule
4943    toggles5.rule
4085    T0XlC.rule
4016    T0XlC-insert_00-99_1950-2050_toprules_0_F.rule
3234    InsidePro-PasswordsPro.rule
3071    unix-ninja-leetspeak.rule
1940    toggles4.rule
1601    T0XlC-insert_top_100_passwords_1_G.rule
575     toggles3.rule
480     T0XlC-insert_space_and_special_0_F.rule
256     oscommerce.rule
176     specific.rule
120     toggles2.rule
77      best64.rule
51      combinator.rule
30      T0XlC_3_rule.rule
17      leetspeak.rule
15      toggles1.rule

Here's a chart to really visualize the difference:

Alright, we have the lay of the land. Now let’s look at some of these rules and touch on their origin stories (if known). If anybody has any additions, or corrections to the origin stories, please let me know!

best64

The best64.rule is the go-to, tried and true rule used by crackers across the planet. Well, best64.rule has a secret.

THAT'S RIGHT! Take out the comments and blank lines and you're left with 77 unique rules in best64.

If best64 isn't 64 lines, then what else have I been assuming?

Let's take a look:

This is a rarity in the rules world: regular and clear comments! best64 has some pretty standard rules, making common permutations such as appending a number, reversing a word, uppercasing a word, etc.

The best64 rule is great on its own, stacked with itself (best64 + best64), or combined with other rules (e.g., best64 + toggles2).

Dive

Created by someone known as 'dive', the Dive ruleset is huge. I had always mistakenly assumed 'dive' was in reference to it being a 'deep dive' ruleset. It is thorough and has a great success rate if you can spare the time. Use this with fast hashes (NT, MD5, etc.) or a short wordlist.

Although the dive ruleset is large, it's sorted by popularity, which makes it easy to take advantage of partial lists. For instance, if the full 99,000+ lines are too much, use the Linux program 'head' to pull out a smaller range.

head -n 10000 dive.rule > head.dive.10k.rule

This trick can be used with most rulesets, as they are typically count-ordered.

The T0XIC Rules

A set of rules by someone known as 'T0XlC', the T0XlC rules include:

T0XlC.rule

T0XlCv2.rule

T0XlC-insert_top_100_passwords_1_G

T0XlC-insert_space_and_special_0_F

T0XlC-insert_00-99_1950-2050_toprules_0_F

T0XlC_insert_HTML_entities_0_Z.rule

T0XlC_3_rule.rule

These are some great rules. Let's take a brief look at the various rulesets.

T0XIC.rule/T0XICv2.rule

These rules are a top selection of tested rules (likely compiled with hashcat's debug option). T0XlC.rule has 4,085 rules (4,086 claimed), and T0XICv2 has 20,000 rules. They appear to be from different testing runs, since the top rules are not overlapped.

I've had good success with both, but if you have the GPUs/CPUs, go for the bigger list.

T0XIC-insert_top_100_passwords_1_G.rule

To see what words are actually in here, we can use sed to pull out any of the 'i1', 'i2', etc., rules-specific syntax.

cat T0XlC-insert_top_100_passwords_1_G.rule | sed 's/i[0-9A-P]\{1\}//g' | head

To get a better idea of the actual contents, include 'shuf' in the command before the 'head' command, so that a random selection is shown instead of just the top alphabetical.

cat T0XlC-insert_top_100_passwords_1_G.rule | sed 's/i[0-9A-P]\{1\}//g' | shuf | head -n 30

These words are fine but a little dated. I recommend making your own custom version of this list. Creating this is a little beyond the scope of this post, but a future writeup will go in-depth into making your own custom rules.

T0XIC-insert_space_and_special_0_F.rule

This rule inserts spaces and special symbols at every position from 0-F.

Two (2) symbols are missing from this:

+  and \

I submitted a pull request  to fix the omission, and it was accepted (https://github.com/hashcat/hashcat/pull/3457).

The updated rule can be found here:

https://github.com/hashcat/hashcat/blob/master/rules/T0XlC-insert_space_and_special_0_F.rule

T0XIC-insert_00-99_1950-2050_toprules_0_F.rule

This ruleset is super useful—users put numbers everywhere in passwords.

To get a clearer view of what the insertion rules are doing, remove the insert rules' syntax:

cat T0XlC-insert_00-99_1950-2050_toprules_0_F.rule | sed 's/i[0-9A-Z]\{1\}//g'  | sort -u

Here's another instance where hashcat lied to us. While the rule title indicates 1950 - 2050, the years actually span from 1930 to 2050. Also, reviewing the file shows no insertions of 00-99.

Another puzzling factor is that, while the title and comment state that it runs from positions 0 - F (16 positions total), it actually covers from 0 to 32 characters out.

This ruleset also has some additional bonus rules at the end: truncation, deletion of a few characters, and some case toggling.

At any rate, this is an awesome rule and is very useful. It is a relatively small ruleset, which makes it a great candidate for stacking with best64 or one of the leetspeak rules.

I submitted a pull request to fix the omission of the insert 00-99 rules, and it was accepted (https://github.com/hashcat/hashcat/pull/3457). I did not reduce the character positions, or the 1930-2050 range. The updated rules can now be found here:

https://github.com/hashcat/hashcat/blob/master/rules/T0XlC-insert_00-99_1950-2050_toprules_0_F.rule

I've also created a true-to-the-title form that can be found here:

https://github.com/nyxgeek/nyxgeek-rules/blob/master/hashcat-rules/T0XlC-insert_00-99_1950-2050_toprules_0_F.as_advertised.rule

This 'as_advertised' ruleset strictly does an insert of 1950-2050, and 00-99 in the character positions 0-F. No extras.

I ran some benchmarks of the new and improved rulesets versus the original, and the results were fantastic. (The benchmark below was done against a single random domain dump using rockyou.txt.)

T0XIC_3_rule.rule

The last T0XlC rule to mention is T0XlC_3_rule.rule. This newcomer (as of hashcat 6.2.6) is a remarkably efficient rule, measuring in at only 30 lines.

Rockyou-30000

Rockyou-30k is a rule file based on Password Analysis and Cracking Kit (PACK) output. The PACK tool can be found here: https://github.com/iphelix/pack.

Rockyou was a plaintext dump, which made it particularly valuable (100% 'crack' rate). It's still a handy wordlist today, despite its age. This ruleset used PACK to perform an analysis of the dump.

The Rockyou-30k rule made its first appearance in hashcat v0.15 (https://hashcat.net/forum/thread-2543.html) from iphelix (https://twitter.com/_iphelix) circa 2013.

d3ad0ne

Created by d3ad0ne (https://twitter.com/d3ad0ne_), this ruleset uses PACK circa 2013.

Generated/Generated2

As the name suggests, these were generated using the hashcat '-g' option and benchmarked for effectiveness against hashes.

Generated

The original Generated.rule first appeared, as far as I could find, from K9 on the hashcat forum, in May 2010. (https://hashcat.net/forum/thread-27.html?highlight=generated.rule)

Per the comment, it is a "collection of unique auto-generated rules which recovered a password". This likely means it was generated using hashcat's debug option (we will cover this in a later post).

It works well and is fairly lightweight.

Generated2

Generated2 was created by EvilMog (https://twitter.com/Evil_Mog). Here is a write-up about the process behind it:

https://github.com/evilmog/evilmog/wiki/Hashcat-Raking---generated2.rule

This is a highly effective ruleset but is a little on the large side. Use it like 'dive.rule'. If needed, chop it down using the 'head' command.

InsidePro

InsidePro-HashManager

InsidePro-PasswordsPro

InsidePro was a password cracking site/forum. Although the owner shut down due to time constraints, here is a web archive of the site:

https://web.archive.org/web/20190305112137/http://insidepro.team/

(Thanks to https://forum.hashkiller.io/index.php?threads/insidepro-alternatives-wordlists-etc.31629/ )

There was also a cracking program called PasswordsPro. The InsidePro-PasswordsPro ruleset is from that product (v2.5.5.0 per the rule).

While the site and product may be dead, the rulesets live on with hashcat. These are great rules, especially paired with best64 (e.g., best64.rule + InsidePro-HashManager.rule).

specific

This is a rule that I do not use often, but it has some interesting and very specific rules. It's another rare set with well commented and clean rules.

I haven't had much luck with this set. The patterns described in the comments are not ones that I feel are encountered often today.

leetspeak Mutators

hashcat comes with two (2) leetspeak mutators. These convert regular text to 1337$p34k, l33t$p3@<, or 1337speak, etc. You might have limited success with them on their own, but they really shine when paired with another ruleset (e.g., best64 + leetspeak).

One (1) caveat for both of these: they only perform leet conversions on lowercase characters.

Incisive-leetspeak

This one is a giant. It has various combinations of leetspeak, so even if it is only selectively used, it will still be covered (e.g., $ecret or S3cr3t versus $3cr3t).

unix-ninja-leetspeak

This mutator was made by a member of team hashcat, unix-ninja (https://twitter.com/unix_ninja). It is significantly smaller than Incisive (3,000 versus 15,000 lines) and thus offers fewer combinations. However, because of this it is great for stacking.

Toggles1-5

More mutators! These are underrated and, like the leetspeak mutator, work best with other rules. Toggles1 is super lightweight and can be paired with a lot of different rules without bogging down too much. However, by the time you get up to Toggles3 + rules, you can see some real impact on time.

Combinator

This rule adds common combinator-style symbols such as a dash or a period (e.g., Pass-word, Pass.word).

osCommerce

osCommerce uses a weird hashing method. This rule is for those hashes only. This is not one that most people are going to need. If you wanna geek out though, here is a neat write-up on dissecting the osCommerce hashing method:

http://ryanuber.com/09-24-2010/os-commerce-password-hashing.html

Conclusion - Which Should I Use?

A lot of variables come into play when choosing a ruleset. This includes the probable strength of the passwords, the hash type, wordlist size and type, CPU/GPU power, and available time.

Let's touch briefly on which of these built-in rules are my favorites.

Top Picks (in order):

1. best64 - Fast and great for finding a quick win against a weak password
2. dive - Great results but slow due to number of rules
3. InsidePro-PasswordsPro or InsidePro-Hashmanager - Both produce good results and aren't too big, so you can easily combine with other rules.
4. d3ad0ne, generated2, or rockyou-30000 – About 30,000 lines, but good results
5. toggles1 or toggles2 -- underrated. Use these with a big wordlist, or combine with other rules.

Here are some initial benchmarks, showing example performance against real-world hashes. The following hashes were benchmarked using the hashcat rules, with rockyou.txt against a dump that had no complexity requirements, and minimal length requirements (6 char minimum).

If you enjoy these benchmarks, be sure to check out the next installation, where we will review different wordlist and rule combinations, against dumps of different strengths.

Reference Table

The following table was created to demonstrate examples of candidates generated by the various rules. To sample any ruleset, use a one-liner similar to the following:

echo "Testpass" | ./hashcat --stdout --rules=rules/generated2.rule | shuf | head -n 20  | sort -u