generate-hashcat-toggle-rules.py is a Python program to generate hashcat toggle rules. Toggle rules toggle the case of letters in words present in a dictionary.
Hashcat comes with toggle rule files for candidate passwords up to 15 characters long. There’s a rules file that will toggle exactly one letter (toggles1.rule), another rule file for up to two letters (toggles2.rule), three, four, and finally a rule file for up to five letters (toggles5.rule). Hashcat does not provide rules with more than five toggles, as empirical data shows that passwords chosen by users only contain a couple of uppercase letters.
These toggle rule files can also be generated with generate-hashcat-toggle-rules.py.
This command generates rules identical to toggles5.rule:
generate-hashcat-toggle-rules.py 5
But I want to crack NTLM hashes for randomly generated passwords for which I already cracked the LM hash. So I must toggle up to 14 letters. I can use the following command to generate this toggle rule file:
generate-hashcat-toggle-rules.py -n -p 14 14 > toggles-lm-ntlm.rule
-n adds the rule : to the generated file. This rule makes no changes (nothing) to the candidate password. This way I can run hashcat only once with the rule file. I don’t need to run hashcat with and without the rule file.
-p 14 generates toggles up to position 14 (the default is up to position 15, but since LM hash passwords are at most 14 characters long, it’s useless to generate toggles for position 15).
Here is part of this generated file toggles-lm-ntlm.rule:
:
T0
T1
T2
T3
T4
T5
T6
T7
T8
T9
TA
TB
TC
TD
T0T1
T0T2
T0T3
T0T4
T0T5
...
T1T3T4T5T6T7T8T9TATBTCTD
T2T3T4T5T6T7T8T9TATBTCTD
T0T1T2T3T4T5T6T7T8T9TATBTC
T0T1T2T3T4T5T6T7T8T9TATBTD
T0T1T2T3T4T5T6T7T8T9TATCTD
T0T1T2T3T4T5T6T7T8T9TBTCTD
T0T1T2T3T4T5T6T7T8TATBTCTD
T0T1T2T3T4T5T6T7T9TATBTCTD
T0T1T2T3T4T5T6T8T9TATBTCTD
T0T1T2T3T4T5T7T8T9TATBTCTD
T0T1T2T3T4T6T7T8T9TATBTCTD
T0T1T2T3T5T6T7T8T9TATBTCTD
T0T1T2T4T5T6T7T8T9TATBTCTD
T0T1T3T4T5T6T7T8T9TATBTCTD
T0T2T3T4T5T6T7T8T9TATBTCTD
T1T2T3T4T5T6T7T8T9TATBTCTD
T0T1T2T3T4T5T6T7T8T9TATBTCTD
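To show how the -n and -p options shape the listing above, here is an added Python example (not the source of generate-hashcat-toggle-rules.py) that builds the same rule sequence and applies it to a word. The names toggle_rules and apply_rule are hypothetical, and the sample word is constructed.

```python
from itertools import combinations

# hashcat writes rule positions as 0-9, then A-Z (position 10 is "A").
POSITIONS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def toggle_rules(max_toggles, max_positions=15, include_noop=False):
    """Rules toggling 1..max_toggles of the first max_positions characters."""
    if not 0 < max_positions <= len(POSITIONS):
        raise ValueError("max_positions must be between 1 and 36")
    rules = [":"] if include_noop else []          # ":" is what -n adds
    for count in range(1, min(max_toggles, max_positions) + 1):
        # combinations() yields positions in lexicographic order.
        for combo in combinations(range(max_positions), count):
            rules.append("".join("T" + POSITIONS[p] for p in combo))
    return rules


def apply_rule(rule, word):
    """Apply a rule built only from ":" and TN functions to one word."""
    chars = list(word)
    i = 0
    while i < len(rule):
        if rule[i] == ":":
            i += 1
        elif rule[i] == "T" and i + 1 < len(rule):
            pos = POSITIONS.index(rule[i + 1])     # ValueError if not 0-9/A-Z
            # Assumption of this example: a position past the end of the
            # word, or a non-letter at that position, leaves the word as is.
            if pos < len(chars) and chars[pos].isascii():
                chars[pos] = chars[pos].swapcase()
            i += 2
        else:
            raise ValueError(f"unsupported rule function in {rule!r}")
    return "".join(chars)


if __name__ == "__main__":
    rules = toggle_rules(14, max_positions=14, include_noop=True)
    print(len(rules), "rules; first:", rules[:3], "last:", rules[-1])
    word = "PASSW0RD1"                             # constructed sample
    candidates = {apply_rule(r, word) for r in rules}
    print(len(candidates), "distinct candidates for", word)
```

In this example, 14 positions with up to 14 toggles always give 2^14 = 16384 rules, so a word shorter than 14 letters yields far fewer distinct candidates than rules.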
The generated toggle rule file toggles-lm-ntlm.rule is included in the ZIP file:
generate-hashcat-toggle-rules_v0_0_1.zip (https)
MD5: 170F54D69C8581B9379E11E14F31C39E
SHA256: 93AE3CC8123425CEBC85D6CA4DE1ED1DD14F492AB744368729FB38D24436B5D9
[…] And now we can use this list of passwords for a dictionary attack on the NTLM hashes. But passwords recovered from NTLM hashes can contain lowercase and uppercase letters. So we need to generate all possible combinations of lowercase and uppercase letters for our password list. This can be done with the toggle rule file toggles-lm-ntlm.rule I created with this new tool. […]
Pingback by Practice ntds.dit File Part 5: Password Cracking With hashcat – LM NTLM | Didier Stevens — Monday 18 July 2016 @ 0:00
Also you can use John The Ripper with NT rule.
Comment by Ender — Monday 18 July 2016 @ 16:38
John allows you to do this in a few lines. It will create the expanded rules in the background, but you only need to specify 14 lines total.
[List.Rules:NT]
-c T0Q
-c T1QT[z0]
-c T2QT[z0]T[z1]
-c T3QT[z0]T[z1]T[z2]
-c T4QT[z0]T[z1]T[z2]T[z3]
-c T5QT[z0]T[z1]T[z2]T[z3]T[z4]
-c T6QT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]
-c T7QT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]
-c T8QT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]
-c T9QT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]T[z8]
-c TAQT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]T[z8]T[z9]
-c TBQT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]T[z8]T[z9]T[zA]
-c TCQT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]T[z8]T[z9]T[zA]T[zB]
-c TDQT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]T[z8]T[z9]T[zA]T[zB]T[zC]
Comment by Frick-n-frack — Monday 18 July 2016 @ 17:50
Thanks, I know, I’ve written three blogposts about John-the-Ripper, they will be published starting tomorrow.
Comment by Didier Stevens — Monday 18 July 2016 @ 18:06
If I want to generate up to 20 cases, must I use the command: generate-hashcat-toggle-rules.py -n -p 20 20 > toggles-lm-ntlm.rule ?
Comment by Rajoth — Friday 5 April 2019 @ 19:01
Yes, but you should use another filename.
Comment by Didier Stevens — Saturday 6 April 2019 @ 22:17