🛡️ Methodology Checklist
- Primary wordlist: rockyou.txt (/usr/share/wordlists/rockyou.txt)
- Target-specific wordlist: CeWL from target website: cewl http://[TARGET] -d 3 -m 6 > custom.txt
- Combine with rule: hashcat -m [MODE] hash.txt rockyou.txt -r best64.rule
- John rules: john --rules=Jumbo --wordlist=rockyou.txt hash.txt
- Cupp for personalised wordlist (social engineering context)
- SecLists password lists for specific services
- Try top 10 most common passwords before full wordlist
🎯 Operational Context
Use when: Basic rockyou wordlist exhausted — apply Hashcat rules to generate mutations (capitalizations, substitutions, appended numbers) from base wordlists.
Think Dumber First: hashcat -a 0 -m [MODE] hash.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule generates 64 mutations per word = 900M+ candidates from rockyou. This covers most corporate passwords. Use dive.rule for deeper coverage.
Skip when: Hash is bcrypt with high cost factor — rule expansion makes an already slow attack exponentially worse.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| cewl https://[DOMAIN] -d 4 -m 6 --lowercase -w target.wordlist | Spider website to build targeted wordlist |
| hashcat --force base_words.txt -r custom.rule --stdout \| sort -u > mutated_list.txt | Test rules — generate mutations without cracking |
| hashcat -a 0 -m [ID] hash.txt wordlist.txt -r /usr/share/hashcat/rules/best64.rule | Attack with built-in best64 ruleset |
| hashcat -a 1 passlist.txt passlist.txt --stdout > combined.txt | Combinator: join wordlist with itself |
| hashcat -a 0 -m [ID] hash.txt combined.txt -r custom.rule | Attack combined list with custom rules |
| ls /usr/share/hashcat/rules/ | List built-in rule files |
🔬 Deep Dive & Workflow
Psychology of Passwords — Why Users Are Predictable
Even under strict complexity policies, users make predictable choices:
- Base on personal info (OSINT target): name, birth year, pet, hometown, employer
- Capitalize the first letter: Password
- Append year or digits: Password2023
- Substitute letters: P@ssw0rd! (l33t speak)
- Combine two words to meet length: baseball1998
This predictability is what makes targeted cracking far more efficient than pure brute-force.
Hashcat Rule Syntax
Rules transform each wordlist candidate at runtime:
| Function | Description | Example |
|---|---|---|
| : | Do nothing | word → word |
| l | Lowercase all | Word → word |
| u | Uppercase all | word → WORD |
| c | Capitalize first letter, lowercase the rest | word → Word |
| sXY | Replace every X with Y | so0: word → w0rd |
| $X | Append character X | $!: word → word! |
| ^X | Prepend character X | ^1: word → 1word |
Writing a Custom Rule File
```
# custom.rule contents. A # only starts a comment at the beginning of a
# line; hashcat rejects a rule line that has a comment after the function.
# keep as-is / capitalize first / substitute o → 0 / append !
:
c
so0
$!
# capitalize + substitute / capitalize + append ! / all three
c so0
c $!
c so0 $!
```
Test the mutations (no cracking, just see output):
hashcat --force base_words.txt -r custom.rule --stdout | sort -u > mutated_list.txt
head mutated_list.txt
CeWL — Website-Based Wordlist Generation
CeWL spiders a site and extracts unique words — highly targeted for organization-specific terms:
cewl https://www.company.com -d 4 -m 6 --lowercase -w company.wordlist
- -d 4 — spider 4 levels deep
- -m 6 — minimum word length of 6 characters
- --lowercase — normalize for consistent matching
Then pair with a complexity rule:
hashcat -a 0 -m 1000 hash.txt company.wordlist -r /usr/share/hashcat/rules/best64.rule
Targeted Profiling Attack — Full Workflow
Scenario: crack hash for a specific user from OSINT data.
```
# 1. Build base wordlist from OSINT (name, company, city, pets, dates)
cat > passlist.txt << EOF
San
Francisco
August
1998
Nexura
Bella
Maria
baseball
EOF
# 2. Check minimum length requirement (e.g., policy = 12 chars)
# Single keywords like "Bella" = 5 chars → fail
# Need combinator: "baseball" + "1998" = 12 chars → try
# 3. Generate combined candidates
hashcat -a 1 passlist.txt passlist.txt --stdout > combined.txt
# "baseball1998", "NexuraBella", "MariaAugust", etc.
# 4. Apply complexity rules
hashcat -a 0 -m 1000 hash.txt combined.txt -r custom.rule
```
Built-In Rulesets Priority
- best64.rule — start here, covers most real-world patterns
- dive.rule — larger, more aggressive (slower)
- rockyou-30000.rule — designed to pair with rockyou wordlist
- Custom rules — when you have OSINT on the specific target
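Added example (not hashcat's own code and not part of the original page): a small Python interpreter for the rule functions in the syntax table above, with the combinator step from the profiling workflow, used from the defender's side. It expands a blocklist of base words exactly as custom.rule would and rejects new passwords that land in the result, which is the "detects rule-predictable patterns" check the reporting section recommends. The base words and rule text are constructed samples.

```python
from itertools import product

def parse_rule(line):
    """Split one rule line into (function, argument) pairs.
    Spaces between functions are ignored, as in hashcat rule files."""
    ops, i = [], 0
    while i < len(line):
        ch = line[i]
        if ch == " ":
            i += 1
        elif ch in ":luc":                        # no-argument functions
            ops.append((ch, "")); i += 1
        elif ch == "s":                           # sXY: two-character argument
            ops.append(("s", line[i + 1:i + 3])); i += 3
        elif ch in "$^":                          # $X / ^X: one-character argument
            ops.append((ch, line[i + 1])); i += 2
        else:
            raise ValueError(f"unsupported rule function {ch!r} in {line!r}")
    return ops

def apply_rule(line, word):
    """Apply the functions of one rule line to a word, left to right."""
    for fn, arg in parse_rule(line):
        if fn == "l":   word = word.lower()
        elif fn == "u": word = word.upper()
        elif fn == "c": word = word[:1].upper() + word[1:].lower()
        elif fn == "s": word = word.replace(arg[0], arg[1])
        elif fn == "$": word = word + arg
        elif fn == "^": word = arg + word
    return word

def combinator(words):
    """Left+right joins of a list with itself (what hashcat -a 1 list list emits)."""
    return [a + b for a, b in product(words, repeat=2)]

def mutations(base_words, rule_text):
    """Every candidate hashcat --stdout would emit for these words and rules."""
    rules = [ln.strip() for ln in rule_text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    return {apply_rule(r, w) for w in base_words for r in rules}

# Constructed sample: the custom.rule from this section plus base words an
# organisation might blocklist (company name, a hobby word, a year, a classic).
CUSTOM_RULE = "# custom.rule\n:\nc\nso0\n$!\nc so0\nc $!\nc so0 $!\n"
BASE_WORDS = ["nexura", "baseball", "1998", "password"]
BLOCKED = mutations(BASE_WORDS + combinator(BASE_WORDS), CUSTOM_RULE)

def is_rule_predictable(candidate):
    """True if the candidate is a rule mutation of a blocklisted word or of two
    blocklisted words joined, i.e. the workflow above would reach it."""
    return candidate in BLOCKED
```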
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Rules not improving crack rate | Wrong rules for target | For corporate: OneRuleToRuleThemAll.rule; for personal: best64 + Clem9669; for AD: corporate.rule |
| Rule file not found | Default hashcat rules path | Check: /usr/share/hashcat/rules/ on Kali; download from hashcat GitHub if missing |
| Combination of wordlist + rules too large | Memory exhausted | Use -S (slow candidates mode) or pipe through hashcat stdin for streaming |
| Hashcat mask attack syntax wrong | Character set format | Example 8-char: hashcat -a 3 -m [MODE] hash.txt ?u?l?l?l?l?l?d?d for one upper, 5 lower, 2 digits |
| Prince attack not available | PRINCE rule not in hashcat | Use princeprocessor separately: pp.bin wordlist.txt \| hashcat -a 0 -m [MODE] hash.txt - |
📝 Reporting Trigger
Finding Title: Password Mutation Rules Crack Complexity-Compliant Passwords
Impact: Hashcat rule-based attacks crack passwords that technically meet complexity requirements (uppercase, number, special char) but follow predictable mutation patterns (e.g., Password1!, Welcome@1), rendering complexity policies ineffective without passphrase enforcement.
Root Cause: Password policy enforces complexity without prohibiting predictable mutation patterns. Users systematically apply minimal complexity to memorable base words.
Recommendation: Implement passphrase-based password policy (4+ random words, 20+ chars) over traditional complexity rules. Deploy password breach checking that detects rule-predictable patterns. Consider hardware MFA tokens to reduce password-only authentication risk.