> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-11/dictionary-generation/trick-0002.md).

# Hashcat Ruleset Dictionary Generation

***

Take a string potentially related to a password, such as one found in configuration files or notes. Output this string to a temporary file.

```bash
echo 'LEAKED_STRING' > input.txt
```

Then, use `hashcat` with the `--stdout` flag and a relevant ruleset (like `best64.rule`) to apply mutations to the string from the input file. Redirect the output to a password list file.

```bash
hashcat --stdout input.txt -r /usr/share/hashcat/rules/best64.rule > passlist.txt
```

The rule-based attack is one of the most complicated of all the attack modes in hashcat. The reason for this is very simple. The rule-based attack is like a programming language designed for password candidate generation. It has functions to modify, cut or extend words and has conditional operators to skip some, etc. That makes it the most flexible, accurate and efficient attack. The rule-engine in Hashcat was written so that all functions that share the same letter-name are 100% compatible to John the Ripper and PasswordsPro rules and vice versa for those specific functions.

Rules are instructions that tell hashcat how to manipulate a word. For example, a common pattern is that people append a digit to their passwords. To append the digit "1", the rule would be:

```
$1
```

You can also use `\xNN` syntax to use hex bytes in rules, which is useful for non-printable ASCII characters or multibyte work. For instance, to append the character 'd' (hex 64):

```bash
echo "Penguin" | hashcat -j '$\x64' --stdout
```

This would output:

```
Penguind
```

This generated list, `passlist.txt`, contains potential password variations based on common modifications and can be significantly more effective than generic dictionaries for specific targets, especially when the source string came from user files (e.g., a `.reminder` file). The resulting `passlist.txt` can then be used in brute-force attacks against services like SSH using tools such as `hydra`.

Hydra is an open-source tool designed for performing brute-force attacks on various protocols and services to test the authentication mechanisms. Its primary uses include:

* Brute-Force Attacks: Using the Hydra tool performs a brute force attack with a large number of username and password combination attempts to gain unauthorised access to systems. It is well suited for the detection of login credentials containing weak passwords.
* Protocol Support: The Hydra tool supports various protocols such as HTTP, FTP, SSH, etc., enabling users to use the tool according to their security needs.
* Password Lists: Hydra tool users can significantly increase the probability of success in password cracking with customised wordlists, such as the `passlist.txt` we generated.

To use `hydra` with our `passlist.txt` for an SSH brute-force attack, you would typically specify the target, username, and the password list. Here are some common command parameters:

* `-l <username>`: Specify a single username.
* `-L <FILE>`: Load several logins from a file.
* `-P <path/to/wordlist>`: Use a specific password list file. In our case, this will be `passlist.txt`.
* `-s <port>`: If the service is on a different default port, define it here. For SSH, the default is 22.
* `-t <TASKS>`: Run a specified number of connections in parallel per target (default: 16). Increasing this may affect target performance or detection.
* `-o <output_file>`: Write found login/password pairs to a file instead of stdout.
* `server`: The target, which can be a DNS name, IP address.
* `service`: The service to crack, e.g., `ssh`, `ftp`, `http-post-form`.

An example command to attack SSH on a target host using a specific username and our generated `passlist.txt` would be:

```bash
hydra -l target_username -P passlist.txt <target_ip_or_hostname> ssh
```

If the SSH service is running on a non-standard port, for instance 2222, and you want to use 32 parallel tasks and save the output:

```bash
hydra -l target_username -P passlist.txt -s 2222 -t 32 -o found_credentials.txt <target_ip_or_hostname> ssh
```
