Content-type: text/html Man page of HASHKILL

HASHKILL

Section: User Manual (8)
Updated: November 2011
Index Return to Main Contents

 

NAME

hashgen - hashkill's rule engine

 

SYNOPSIS

hashkill -r <rule>

 

DESCRIPTION

hashkill This manual page documents briefly the hashkill's rule engine language (hashgen). The hashkill program is a multi-threaded password cracker. It currently supports four cracking modes and has more than 30 different plugins to crack about 35 different types of password hashes. GPU-based attacks are supported on NVidia and AMD cards.  

LANGUAGE

Hashgen's language provides a simple way to generate candidates for cracking or generate wordlists based on certain simple logic. The basic hashgen unit is the rule and each rule can contain one or more statements. A rule file may contain one or more rules and may include other external rule files.

Each rule starts with the begin keyword and ends with the end keyword. All the statements are strictrly lowercase. Only one statement per line is acceptable and parsed.

Statements can be divided in to several categories:

Preprocessor directives

Prerequisite directives

Add statements

Enhancer statements

Delete statements

Remove statements

Insert statements

Replace statements

Additionally, there are several modifiers regarding stack usage and mode of operation.

In essence, each rule generates candidates based on the cumulative result of the statements. This means that the order of statements is important.

 

Statement modifiers

Each statement starts with either the must or the may keyword.

must
This indicates that the statement is always applied to the previous result.

may
This indicates that the statement will be applied to the previous result, but alternatively, it may not be applied.

Example:

begin
must add str hello
may add str world
end

This rule will generate the candidates "hello" and "helloworld"

 

Preprocessor directives

Currently there are a few preprocessor directives:

include <rulefile>
Includes the rulefile. Not that the include directive is allowed in the top-level rulefile only, otherwise it is ignored.

begin
Marks the start of a rule

end
Marks the end of a rule

 

Prerequisite directives

Currently there are three prerequisite directives:

table <char> <set>
Adds an entry to the character replacement table. <char> is the character to be replaced, <set> is a string that consists of all the characters that we are going to replace it with. This should only be used in conjunction with the replace table command

Example:

table a @4
table e 3

table clear
Clears all entries from the character replacement table.

genmarkov
Generates a markov statfile based on the currently cracked hashes. This generates a new statfile, named "cracked". It can be then used for markov-generated candidates

 

Add statements

Those add certain strings or patterns.

add str <string>
Adds a string

Example:

must add str mypassword

add numrange <min>:<max>
Adds all the numbers from a numeric range

Example:

begin
must add str hello
must add numrange 1000:2000
end

This will generate all the candidates from "hello1000" up to "hello2000"

add set <min>:<max>:<specifier>:<extras>
Adds all permutations of a set of a given length range. The arguments are specified the same way as hashkill's bruteforce parameters.

Specifier can be either:

none
Empty set
lalpha
Lower-alpha set (a..z)
ualpha
Upper-alpha set (A..Z)
lalphanum
Lower-alpha-numeric set (a..z,0..9)
ualphanum
Upper-alpha-numeric set (A..Z,0..9)
alphanum
alpha-numeric set (A..Z,a..z,0..9)
cons
Consonants, upper/lower case
vowels
Vowels, upper/lower case
ucons
Consonants, upper case
uvowels
Vowels, upper case
lcons
Consonants, lower case
lvowels
Vowels, lower case
num
Numbers 0..9
ascii
All printable characters

Extras is a string comprising all additional characters you want to be added
Example:

must add set 2:4:lalpha:$%

This will generate all candidates (len 2..4) containing lower alpha and $%. Example would be "a$", "bhf" and "b$%z"

add cset <min>:<max>:<specifier>:<extras>
This follows the same syntax as the previous command, however instead all the permutations being generated, cset generates all combinations (meaning that repetition of characters is not allowed).

In the example above, abac is a valid candidate for "set", but not for "cset".

add markov <min>:<max>:<statfile>:<threshold>

This generates all markov candidates length <min> to <max> using statfile <statfile> and threshold <threshold> (0 being the default one)

add dict <dictfile>
This adds all the words from a dictionary file named <dictfile>

add usernames
This adds all the usernames from the hashlist (if any)

add passwords
This adds all the currently cracked passwords

add binstrings <binary_file>
This statement works much like Unix "strings" command. It carves strings from the binary file. This is useful for forensic purposes where passwords from memory or swap images are extracted

add pipe <command>
This executes <command> and pipes the result to the engine.

Example:

begin
must add pipe ls
end

This will generate candidates based on the filenames in the current directory (stupid). This command allows hashkill to use external wordlist generators/expanders.

add revstr
Adds the reverse of the current candidate

Example:

begin
must add str hello
may add revstr
end

This rule will generate candidates "hello" and "helloolleh"

add lastchar
Adds the last character of a candidate again

Example:

begin
must add str hello
may add lastchar
end

This rule will generate candidates "hello" and "helloo"

add samestr
Adds the candidate again

Example:

begin
must add str hello
may add samestr
end

This rule will generate candidates "hello" and "hellohello"

 

Enhance statements

Those apply certain filters to the current candidates

leetify
Generates leetified combinations (following some hardcoded rules).

Example:

begin
must add str hello
must leetify
end

This will generate "h3llo", "h3ll0", "hell0", "he11o", "he1l0", etc

togglecase
Generates all togglecase combinations

Example:

begin
must add str hello
must togglecase
end

This will generate "hellO", "hEllo", "HEllo", "HELlI", "HeLlO", etc

pasttense
Generates the "past-tense" versions.

Example:

begin
must add str welcome
may pasttense
end

This will generate "welcome" and "welcomed"

WARNING: irregular verbs are not handled as well as some specific cases.

conttense
Generates the "present continuous tense" versions.

Example:

begin
must add str welcome
may conttense
end

This will generate "welcome" and "welcoming"

WARNING: some specific cases are not handled correctly

rot13
Generates the "rot13"-encoded version

trunc <maxlen>
Truncates the candidate to length <maxlen>

insertp str <string>
Inserts string <string> at all possible positions.

Example:

begin
must add str abc
must insertp str !
end

This rule will generate candidates "!abc", "a!bc", "ab!c" and "abc!"

insertp numrange <start>:<end>
Same as before but insert all numbers from a numeric range

Example:

begin
must add str abc
must insertp numrange 1:5
end

This rule will generate candidates such as "3abc", "a1bc", "ab2c" and "abc5"

permute
This will generate all string combinations of the current candidate

Example:

begin
must add str abc
must permute
end

This rule will generate candidates such as "abc", "acb", "bac" and "bca"

insertp dict <dictfile>
Same as before but insert all entries from a dictionary

deletep
Generate all combinations where one of the characters is "deleted"

Example:

begin
must add str abc
must deletep
end

This rule will generate candidates "ac", "ab" and "bc"

 

Delete statements

Those delete certain parts the current candidates

delete char <number> <pos>
Deletes <number> characters starting from <pos>. Negative <pos> can be used to indicate offset from the end of the candidate.

Example:

begin
must add str hello
must delete 2 -1
end

This rule will generate "hel"

delete match <string>
Deletes <string>

delete match <dictmatch>
Deletes all matches from a dictionary named <dictmatch>

delete repeating
Deletes all repeating characters from candidate

Example:

begin
must add str hello
must delete repeating
end

This rule will generate "helo"

 

Remove statements

Those eliminate certain candidates based on statement

eliminate match <string>
Eliminates all candidates containing <string>

Example:

begin
must add dict english
must remove ee
end

This rule will try all the candidates from "english" dictionary except those that contain "ee" (such as "feel" or "speed")

eliminate dictmatch <dictionary>
Eliminates all candidates that contain a match from a <dictionary> file

 

Insert statements

Those insert certain string at certain position

insert str <pos> <string>
Inserts a <string> at <pos>. Negative <pos> indicates offset from end of the candidate

Example:

begin
must add str hello
must insert 123 1
end

This rule will generate "h123ello"

insert dict <pos> <dictionary>
Inserts all <dictionary> entries at <pos>. Negative <pos> indicates offset from end of the candidate

insert usernames <pos>
Inserts all usernames at <pos>. Negative <pos> indicates offset from end of the candidate

insert passwords <pos>
Inserts all cracked passwords at <pos>. Negative <pos> indicates offset from end of the candidate

 

Replace statements

Those replace certain patterns in candidates based on statement

replace table
Does a table replacement

Example:

table a @4
begin
must add base
must replace table
end

This rule will generate "base", "b@se" and "b4se"

replace str <haystack> <needle>
Replaces all occurences of <haystack> with <needle>

Example:

begin
must add base
may replace str as AS
end

This rule will generate "base" and "bASe"

replace dict <string> <dictionary>
Replaces all occurences of <string> with all entries from <dictionary> file

 

Stack modifier

Add statements may be forced to push new strings into stack instead (later on they can be pop'd). To do this, use the push keyword.

Example:

begin
push must add str hello
push may add str 123
pop
must add .
pop
end

This will generate the following candidates: "hello.hello", "hello123.hello"

The pop command may be used multiple times even when the stack is "emptied" - it returns the same string.

 

Comments

Two types of comments are available.

Each line starting with # is a "silent" comment and each line starting with $ is a "noisy" comment.

Difference is that hashkill will print to stderr the "noisy" comments but will supress the "silent" ones.

 

Advanced examples


Advanced additive rule example

The following rule will generate all the dates starting from 1/1/1980 to 31/12/2010 (according to the dd/mm/yyyy convention):

begin
must add numrange 1:31
must add str /
must add numrange 1:12
must add str /
must add numrange 1980:2010
end


Table attack example

The built-in leetify enhance statement may not be adequate for leetify attack. A better leetify rule may be written. This leetifies all the entries from a dictionary using advanced custom table rules. Additionally, it togglecases (so that we become independant on upper/lowercase) and applies certain multi-char leetify rules (like d=|), etc)

table a @4.
table b 86
table c (
table e 3
table g 6
table i 1|!
table l 1|!
table o 0@
table s $5
table r 2
begin
must add dict dictionary.txt
may togglecase
must replace table
may replace str d |)
may replace str n |\|
end


Permutation attack example

Permutation attack is simple - we just need to use the permute statement. The following rule permutes all words from a dictionary concatenated with all numbers from numrange 1:99 applied

begin
must add dict dictionary.txt
must add numrange 1:99
must permute
end

Combinator attack example

Hashkill's rule engine (hashgen) gives a lot of freedom to combine different dictionaries. In the following example, we combine 2 dictionaries in the following pattern:
<word1>_<word2>_<word1>
Where <word1> is any word from the first dictionary, <word2> is any word from the second one, <word1> is the same <word1> from the first dictionary:

begin
must push add dict dictionary1.txt
must pop
must add str _
must add dict dictionary2.txt
must add str _
must pop
end

Advanced fingerprint attack example

Fingerprint attacks are made possible via using add/insert passwords or genmarkov and add markov keywords

An example for that is the following iterative attack: first we apply a rule to generate candidates from big_dictionary.txt wordlist.

Then we do 3 iterations, generating markov statfiles from the cracked files and trying candidates based on them:

begin
must add dict big_dictionary.txt
end
genmarkov
$Iteration 1:
begin
must add markov 1:10:cracked:0
end
genmarkov
$teration 2
begin
must add markov 1:10:cracked:0
end
genmarkov
$teration 3
begin
must add markov 1:10:cracked:0
end

Another approach would be using the add passwords statement and a set of subsequent rule statements. Rather than generating markov models, we can directly use cracked passwords and apply filters/add. E.g:

begin
must add dict big_dictionary.txt
end
$Iteration 1:
begin
must add passwords
may togglecase
may leetify
may add cset 1:5:num
end
$Iteration 2:
begin
must add passwords
may togglecase
may leetify
may add cset 1:5:num
end
$Iteration 3:
begin
must add passwords
may togglecase
may leetify
may add cset 1:5:num
end

 

BUGS


 As of 0.3.0, there are still probably lots of bugs

 

AUTHOR


 Milen Rangelov <gat3way@gat3way.eu>

 

Index

NAME
SYNOPSIS
DESCRIPTION
LANGUAGE
Statement modifiers
Preprocessor directives
Prerequisite directives
Add statements
Enhance statements
Delete statements
Remove statements
Insert statements
Replace statements
Stack modifier
Comments
Advanced examples
BUGS
AUTHOR
This document was created by man2html, using the manual pages.
Time: 22:34:10 GMT, October 25, 2011