Didier Stevens

Saturday 16 July 2016

Tool To Generate Hashcat Toggle Rules

Filed under: My Software — Didier Stevens @ 0:00

generate-hashcat-toggle-rules.py is a Python program to generate hashcat toggle rules. Toggle rules toggle the case of letters in words present in a dictionary.

Hashcat comes with toggle rule files for candidate passwords up to 15 characters long. There’s a rules file that will toggle exactly one letter (toggles1.rule), another rule file for up to two letters (toggles2.rule), three, four, and finally a rule file for up to five letters (toggles5.rule). Hashcat does not provide rules with more than five toggles, as empirical data shows that passwords chosen by users only contain a couple of uppercase letters.

These toggle rule files can also be generated with generate-hashcat-toggle-rules.py.

This command generates rules identical to toggles5.rule:

generate-hashcat-toggle-rules.py 5

But I want to crack NTLM hashes for randomly generated passwords for which I have already cracked the LM hash. So I must toggle up to 14 letters. I can use the following command to generate this toggle rule file:

generate-hashcat-toggle-rules.py -n -p 14 14 > toggles-lm-ntlm.rule

-n includes the rule : in the generated file. This rule makes no changes (nothing) to the candidate password, so the unmodified candidate is tried too. This way I can run hashcat only once, with the rule file; I don’t need to run hashcat with and without the rule file.

-p 14 generates toggles up to position 14 (the default is up to position 15, but since LM hash passwords are at most 14 characters long, it’s useless to generate toggles for position 15).

Here is part of this generated file toggles-lm-ntlm.rule:

:
T0
T1
T2
T3
T4
T5
T6
T7
T8
T9
TA
TB
TC
TD
T0T1
T0T2
T0T3
T0T4
T0T5
...
T1T3T4T5T6T7T8T9TATBTCTD
T2T3T4T5T6T7T8T9TATBTCTD
T0T1T2T3T4T5T6T7T8T9TATBTC
T0T1T2T3T4T5T6T7T8T9TATBTD
T0T1T2T3T4T5T6T7T8T9TATCTD
T0T1T2T3T4T5T6T7T8T9TBTCTD
T0T1T2T3T4T5T6T7T8TATBTCTD
T0T1T2T3T4T5T6T7T9TATBTCTD
T0T1T2T3T4T5T6T8T9TATBTCTD
T0T1T2T3T4T5T7T8T9TATBTCTD
T0T1T2T3T4T6T7T8T9TATBTCTD
T0T1T2T3T5T6T7T8T9TATBTCTD
T0T1T2T4T5T6T7T8T9TATBTCTD
T0T1T3T4T5T6T7T8T9TATBTCTD
T0T2T3T4T5T6T7T8T9TATBTCTD
T1T2T3T4T5T6T7T8T9TATBTCTD
T0T1T2T3T4T5T6T7T8T9TATBTCTD
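
The ordering and size of the rule file shown above can be reproduced with a short sketch. This is an added example, not the code of generate-hashcat-toggle-rules.py: the function names are hypothetical, "AB1" is a constructed sample candidate, and ignoring positions past the end of a word is an assumption of this sketch.

```python
from itertools import combinations

# hashcat rule positions: 0-9, then A-Z for positions 10-35
POSITIONS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def toggle_rules(max_toggles, max_position=15, include_nothing=False):
    """Rules toggling 1..max_toggles letters among the first max_position positions."""
    rules = [":"] if include_nothing else []  # ':' is the do-nothing rule
    for count in range(1, max_toggles + 1):
        # combinations() yields position sets in the order seen in the excerpt
        for combo in combinations(POSITIONS[:max_position], count):
            rules.append("".join("T" + p for p in combo))
    return rules


def apply_rule(rule, word):
    """Apply a rule made only of ':' and TN functions to one candidate."""
    chars = list(word)
    i = 0
    while i < len(rule):
        if rule[i] == ":":
            i += 1
        elif rule[i] == "T" and i + 1 < len(rule):
            pos = POSITIONS.index(rule[i + 1])
            if pos < len(chars):  # assumption: positions past the end are ignored
                chars[pos] = chars[pos].swapcase()
            i += 2
        else:
            raise ValueError("unsupported rule function: " + rule[i])
    return "".join(chars)


def candidates(word, rules):
    """Distinct candidates produced by running every rule over one word."""
    return {apply_rule(r, word) for r in rules}


if __name__ == "__main__":
    rules = toggle_rules(14, max_position=14, include_nothing=True)
    print(len(rules), "rules")              # 2**14 rules per dictionary word
    print(sorted(candidates("AB1", rules)))  # constructed sample candidate
```

With -n -p 14 14 the file holds one rule per subset of the 14 positions, so every dictionary word is tried 2**14 times; for short words or words with digits, many of those rules produce the same candidate.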

The generated toggle rule file toggles-lm-ntlm.rule is included in the ZIP file:

generate-hashcat-toggle-rules_v0_0_1.zip (https)
MD5: 170F54D69C8581B9379E11E14F31C39E
SHA256: 93AE3CC8123425CEBC85D6CA4DE1ED1DD14F492AB744368729FB38D24436B5D9

7 Comments »

  1. […] And now we can use this list of passwords for a dictionary attack on the NTLM hashes. But passwords recovered from NTLM hashes can contain lowercase and uppercase letters. So we need to generate all possible combinations of lowercase and uppercase letters for our password list. This can be done with the toggle rule file toggles-lm-ntlm.rule I created with this new tool. […]

    Pingback by Practice ntds.dit File Part 5: Password Cracking With hashcat – LM NTLM | Didier Stevens — Monday 18 July 2016 @ 0:00

  2. Also, you can use John the Ripper with the NT rule.

    Comment by Ender — Monday 18 July 2016 @ 16:38

  3. John allows you to do this in a few lines; it will create the expanded rules in the background, but you only need to specify 14 lines total.
    [List.Rules:NT]
    -c T0Q
    -c T1QT[z0]
    -c T2QT[z0]T[z1]
    -c T3QT[z0]T[z1]T[z2]
    -c T4QT[z0]T[z1]T[z2]T[z3]
    -c T5QT[z0]T[z1]T[z2]T[z3]T[z4]
    -c T6QT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]
    -c T7QT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]
    -c T8QT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]
    -c T9QT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]T[z8]
    -c TAQT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]T[z8]T[z9]
    -c TBQT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]T[z8]T[z9]T[zA]
    -c TCQT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]T[z8]T[z9]T[zA]T[zB]
    -c TDQT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]T[z8]T[z9]T[zA]T[zB]T[zC]

    Comment by Frick-n-frack — Monday 18 July 2016 @ 17:50

  4. Thanks, I know, I’ve written three blogposts about John-the-Ripper, they will be published starting tomorrow.

    Comment by Didier Stevens — Monday 18 July 2016 @ 18:06

  5. […] Tool To Generate Hashcat Toggle Rules […]

    Pingback by Overview of Content Published In July | Didier Stevens — Monday 1 August 2016 @ 0:01

  6. If I want to generate up to 20 cases, I must use the command: generate-hashcat-toggle-rules.py -n -p 20 20 > toggles-lm-ntlm.rule ?

    Comment by Rajoth — Friday 5 April 2019 @ 19:01

  7. Yes, but you should use another filename.

    Comment by Didier Stevens — Saturday 6 April 2019 @ 22:17

