Password Mangling Rules

I intentionally avoided the term “dictionary word” and used “source word” instead. To analyze password rules, we often have to consider source words that are not normally found in the standard dictionary word lists used for spell checking.

With all the time and energy invested in detecting advanced rule sets, I was initially a little disappointed that a large portion of passwords could be attacked with simple digit appends (even with some pleasant surprises from Stratfor). The results could be due to users simply choosing very simple append rules, or to a weakness in the rule detection engine (or both). However, looking at the percentage of total rules generated, it became clear that the truly juicy rules are the ones that occur least frequently. Here is a list of some of the more unusual rules generated from the lists above that may prove useful at some point:

Most rules are supported by Hashcat and JTR in the same way, but some are specific to each. Each cracker ignores the rules it doesn't support, which means you can mix them in a single file, but you will only see results from the cracker that supports the rule you wrote. Both tools publish a list of their supported rule functions (Hashcat and JTR each maintain their own). You can also chain rules.

Here we use “r” and “u” together. Our candidate word is “password” again. First, “r” reverses the word, so the candidate is now “drowssap”; then “u” uppercases it, and the candidate becomes “DROWSSAP”. Here is what a multi-rule file might look like:

The field of password cracking has evolved by leaps and bounds over the past decade with the introduction of new cracking techniques, more advanced software, and much faster hardware. These innovations were developed not only in response to improved cryptographic algorithms, but also to a gradual improvement in password quality by users. While using dictionary words as passwords is still a strong trend, many users have developed a set of word mangling rules to produce passwords that are harder to crack and/or that satisfy their organization's or a website's password policy. For example, a rule that replaces every letter “a” with the digit “4” could be applied to the source word “password” to produce the candidate password “p4ssword”. As a result, password crackers such as Hashcat and John the Ripper have implemented rule engines that apply common mangling rules to source word lists in order to crack these more complex passwords.

Password rule analysis can be very effective for cracking a large number of passwords generated with common rules or words. For example, if a user's password (p4ssword) was compromised on Site A, an attacker could recover the same user's password on Site B if it was generated using the same rules but a different source word (for example, dr4gon), or the same source word but different rules (password1). This work can also be used successfully in password cracking contests such as Defcon's Crack Me If You Can, where continuously recycling rules and words is essential to winning.

The password mask for the password “Apple123!” would be “?u?l?l?l?l?d?d?d?s”.

After observing this pattern, you will notice that the Levenshtein matrix actually retains all the transformations made to the original string, so it can be used to trace the path from the mangled password back to the source word while recording changes such as replacements, deletions, and insertions. Now it's getting exciting!

A password mask (sometimes called a password topology or password structure) is a sequence of character classes. The character classes most users are familiar with are uppercase letters, lowercase letters, digits, and special characters, but a character class can contain any character. Hashcat/JTR use the following abbreviations:

Of course, checking whether a candidate matches a hash has a cost.

To crack as many hashes as possible, we can either reduce that cost (change the “verify” step to speed up the password cracking process) or be smart in selecting candidates (increasing the likelihood that a candidate will match).

The rule sequence that recovers the password p4sword1 is o14 D3 i71, corresponding to overwriting the letter “a” with “4”, deleting one letter “s”, and inserting the digit “1”. By combining existing spell-checking algorithms with a pre-analysis engine that takes the specifics of password generation into account, it may be possible to recover much more complex rules. With this primitive pre-analysis engine, we were able to get the correct source dictionary word “password” as one of the candidates among the top 3 results. From there, two rules are enough to crack all the passwords:

Let's look at some of the costs for a transformation from “password” to “p@ssword”:

OK, so “--stdout” tells hashcat to print every password it mangles to the terminal, “--rules-file” (short form “-r”) tells it to read a rules file from disk (in this example we use the built-in best64 rule file, but you can use another one), and then we provide the wordlist file that we generated with CeWL.
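The chaining walkthrough (“r u”) and the o14 D3 i71 recovery above, as an added example that is not code from the original article: a small Python interpreter for just the rule functions the text names, a runner that expands a word list through a rule file the way “--stdout -r” does, and a mask function. The sample rule file is constructed here; positions past the end of the word are ignored as the real engines do, and the mask function lumps everything that is not an ASCII letter or digit into ?s, which is a simplification of Hashcat's real ?s class.

```python
"""Tiny interpreter for the Hashcat/JTR rule functions the page names (added example)."""

def apply_rule(word: str, rule: str) -> str:
    """Apply one rule line (functions, optionally space separated) left to right."""
    w, i = word, 0
    while i < len(rule):
        f = rule[i]
        if f == ":":                      # no-op: emit the word unchanged
            pass
        elif f == "r":                    # reverse
            w = w[::-1]
        elif f == "u":                    # uppercase everything
            w = w.upper()
        elif f == "c":                    # capitalize first letter, lowercase the rest
            w = w[:1].upper() + w[1:].lower()
        elif f == "$":                    # $X: append X
            w, i = w + rule[i + 1], i + 1
        elif f == "s":                    # sXY: replace every X with Y
            w, i = w.replace(rule[i + 1], rule[i + 2]), i + 2
        elif f in "oDi":                  # positional functions; N is 0-9 or A-Z (10-35)
            n = int(rule[i + 1], 36)
            if f == "D":                  # DN: delete the char at position N
                w, i = (w[:n] + w[n + 1:] if n < len(w) else w), i + 1
            elif f == "o":                # oNX: overwrite position N with X
                w, i = (w[:n] + rule[i + 2] + w[n + 1:] if n < len(w) else w), i + 2
            else:                         # iNX: insert X before position N
                w, i = (w[:n] + rule[i + 2] + w[n:] if n <= len(w) else w), i + 2
        elif f != " ":
            raise ValueError(f"unsupported rule function {f!r}")
        i += 1
    return w

def run_rule_file(words, rule_text: str) -> list:
    """Expand every word through every rule line, like `hashcat --stdout -r file`."""
    rules = [ln.strip() for ln in rule_text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    return [apply_rule(w, r) for w in words for r in rules]

def mask(password: str) -> str:
    """Password mask: ?u upper, ?l lower, ?d digit, ?s anything else (simplified)."""
    return "".join("?u" if c.isupper() else "?l" if c.islower()
                   else "?d" if c.isdigit() else "?s" for c in password)

# Constructed sample rule file (not the page's): no-op, the r+u chain,
# a leet substitution, the page's o14 D3 i71 chain, and capitalize+append.
SAMPLE_RULES = "# comment\n:\nr u\nsa4\no14 D3 i71\nc $1 $2 $3\n"

for cand in run_rule_file(["password"], SAMPLE_RULES):
    print(cand, mask(cand))      # e.g. DROWSSAP ?u?u?u?u?u?u?u?u
```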
