How to use .hcmask files in Hashcat for the most flexible character replacement
A rule-based attack is the flexible generation and filtering of password candidates.
Despite all its capabilities, this attack is not omnipotent. Consider the following example.
There is a word
seesaw
and one needs to replace the character “s” with the character “$”. For example, in John the Ripper you can try to use the “ss$” rule, but it only returns “$ee$aw” while the expected result is:
seesaw
$eesaw
see$aw
$ee$aw
One also needs to replace other characters in a similar way.
This task implies that, when performing a replacement, the program must know about previous replacements. This conflicts with the way dictionaries are processed in a rule-based attack, where each line is processed independently of the previous and subsequent ones. Therefore, this task is hard to solve with a rule-based attack.
However, we can make sure that when generating dictionaries based on the mask, we get something like what we need:
maskprocessor -1 s$ ?1ee?1aw
seesaw
see$aw
$eesaw
$ee$aw
But what if a variable number of characters, or a character in different positions, needs to be replaced not in one word but in the whole dictionary?
This problem is quite solvable with the help of programming. Algorithm example:
- get the number of characters in the word to replace
- if there is only one character to replace, then we output two words – one with the replacement and the original one
- if there are two characters to replace, then we output four words – without replacement, with the replacement of the first character, with the replacement of the second character, with the replacement of both characters
- if there are three characters to replace, then we display eight combinations – …
- etc.
This algorithm can be formalized as a function, the arguments of which should be: 1) the character to be replaced; 2) the character to be replaced with. It is enough to write the function code once and use it any number of times. This can be done even with PHP.
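The algorithm listed above, written out as an added example (not code from the original article): each occurrence of a mapped character is independently kept or replaced, so a word with n such characters yields 2^n candidates. It goes slightly beyond the text by accepting a map of several replacements and a `limit` on per-word expansion; the function names, the map and the limit are assumptions of this example.

```python
from itertools import product


def variants(word, subs, limit=4096):
    """Return every variant of `word` in which each character listed in
    `subs` is independently kept or swapped for its replacement."""
    # One tuple of allowed characters per position: (original,) or
    # (original, replacement) when the character is in the map.
    choices = [(ch, subs[ch]) if ch in subs else (ch,) for ch in word]
    # n replaceable positions give 2**n candidates; refuse runaway words.
    total = 2 ** sum(len(c) == 2 for c in choices)
    if total > limit:
        raise ValueError(f"{word!r} expands to {total} variants (limit {limit})")
    return ["".join(combo) for combo in product(*choices)]


def expand_wordlist(words, subs, limit=4096):
    """Expand a whole dictionary; words exceeding `limit` are reported
    separately instead of silently flooding the output."""
    expanded, skipped = [], []
    for word in words:
        try:
            expanded.extend(variants(word, subs, limit))
        except ValueError:
            skipped.append(word)
    return expanded, skipped


if __name__ == "__main__":
    # Constructed sample: three words taken from the article's d1.txt.
    sample = ["seesaw", "samuelss", "SAMUELSTERNA"]
    out, skipped = expand_wordlist(sample, {"s": "$"})
    print("\n".join(out))
    print("skipped:", skipped)
```

The match is case-sensitive, so `SAMUELSTERNA` passes through unchanged, just as it does in the mask file later in the article.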
But do not rush to fall into sadness – you can do without programming. Using things like:
1. Masks
2. Files with masks
The algorithm is the following:
1. We convert the dictionary into a set of masks with the parameters we need.
2. We generate a new dictionary based on the mask file.
For example, there is a list of words d1.txt with the following content:
seesaw
samuelsonmarian
samuelspence
samuelspevak
samuelsrie
samuelss
samuelsstarr
SAMUELSTERNA
samuelstevens
samuelsux1
samuels-x
samuelt**
samuelta.
samueltad
samueltan
samueltanner
samueltapia2
samueltas21
samuel+teadoro
samuelteall
samuelteama
samuel te amo
samuel,te,amo
samuelteamo
SAMUELTEAMO
samuelteamo21
SAMUELTEAMOMUCHO
samueltequiero
samuelthane99
The task is to replace the character "s" with the character "$" in all possible combinations, so that, for example, the word “seesaw” yields:
seesaw
$eesaw
see$aw
$ee$aw
We start by generating a mask file. In this command, every character “s” in the lines of the d1.txt file is replaced by “?1”, and the result is saved to the masks.hcmask file:
cat d1.txt | sed 's/s/\?1/g' > masks.hcmask
As you already understood, we got a set of masks. For example, “seesaw” became “?1ee?1aw”.
The format of .hcmask files is as follows:
CUSTOM-CHARSET1,CUSTOM-CHARSET2,CUSTOM-CHARSET3,CUSTOM-CHARSET4,MASK
In my simple example, I will use only one custom character set, so the final format of the masks.hcmask file will be:
CUSTOM-CHARSET1,MASK
Adding a prefix to each line of a file can be done with the following command:
sed -i -e 's/^/PREFIX/' FILE
In my case, the custom character set is “s$”, that is, in place of “?1” I need to insert “s” or “$”. Then the command is:
sed -i -e 's/^/s$,/' masks.hcmask
Now the content of the masks.hcmask file is:
s$,?1ee?1aw
s$,?1amuel?1onmarian
s$,?1amuel?1pence
s$,?1amuel?1pevak
s$,?1amuel?1rie
s$,?1amuel?1?1
s$,?1amuel?1?1tarr
s$,SAMUELSTERNA
s$,?1amuel?1teven?1
s$,?1amuel?1ux1
s$,?1amuel?1-x
s$,?1amuelt**
s$,?1amuelta.
s$,?1amueltad
s$,?1amueltan
s$,?1amueltanner
s$,?1amueltapia2
s$,?1amuelta?121
s$,?1amuel+teadoro
s$,?1amuelteall
s$,?1amuelteama
s$,?1amuel te amo
s$,?1amuel,te,amo
s$,?1amuelteamo
s$,SAMUELTEAMO
s$,?1amuelteamo21
s$,SAMUELTEAMOMUCHO
s$,?1amueltequiero
s$,?1amuelthane99
Now, in Hashcat, I generate the dictionary from the masks in the masks.hcmask file:
hashcat -a 3 --stdout masks.hcmask
We got the desired result with all possible variants for replacing a character in different positions. Beginning of output data:
seesaw
$eesaw
see$aw
$ee$aw
samuelsonmarian
$amuelsonmarian
samuel$onmarian
$amuel$onmarian
samuelspence
$amuelspence
samuel$pence
$amuel$pence
samuelspevak
$amuelspevak
samuel$pevak
$amuel$pevak
samuelsrie
$amuelsrie
samuel$rie
$amuel$rie
samuelss
$amuelss
samuel$$
$amuel$$
samuels$
$amuels$
samuel$s
$amuel$s
samuelsstarr
$amuelsstarr
samuel$$tarr
$amuel$$tarr
samuels$tarr
$amuels$tarr
samuel$starr
$amuel$starr
…………………….
…………………….
…………………….
Up to four custom character sets can be used at a time, that is, up to four characters can be replaced in this way. If you need to replace more characters, the same procedure can be repeated as many times as necessary.
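The mask-file format uses the comma as its field separator and “?” to introduce a placeholder, so a dictionary word such as “samuel,te,amo” changes meaning once it becomes the line “s$,?1amuel,te,amo”. The following added example (not the article's code) builds the same CUSTOM-CHARSET1,MASK lines while escaping a literal “,” as “\,” and a literal “?” as “??”, and flags lines whose field count is not two. Here `split_fields` is a simplified model of the field split, and all function names are hypothetical.

```python
import re


def escape_literal(text):
    """Escape the two characters a mask file treats specially."""
    return text.replace("?", "??").replace(",", "\\,")


def to_hcmask_line(word, old="s", charset="s$"):
    """Build one 'CUSTOM-CHARSET1,MASK' line: `old` becomes ?1 and
    every other character is kept as an escaped literal."""
    mask = "".join("?1" if ch == old else escape_literal(ch) for ch in word)
    return escape_literal(charset) + "," + mask


def split_fields(line):
    """Simplified model of the field split: a comma separates fields
    unless it is preceded by a backslash."""
    return [f.replace("\\,", ",") for f in re.split(r"(?<!\\),", line)]


def suspect_lines(lines, expected_fields=2):
    """Return the lines that do not split into the expected field count."""
    return [ln for ln in lines if len(split_fields(ln)) != expected_fields]


if __name__ == "__main__":
    # Constructed sample: two words from d1.txt plus one containing "?".
    words = ["seesaw", "samuel,te,amo", "is?d"]
    for w in words:
        print(to_hcmask_line(w))
    # The line as produced by the article's sed commands (comma not escaped):
    naive = "s$,?1amuel,te,amo"
    print(split_fields(naive))   # four fields: the mask shrinks to "amo"
    print(suspect_lines(["s$,?1ee?1aw", naive]))
```

Running `suspect_lines` over masks.hcmask before passing it to Hashcat shows which dictionary words need escaping or manual review.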
Great article!