Windows Password Recovery - hybrid dictionary attack
A hybrid dictionary attack is a form of simple dictionary attack. Unlike the latter, however, a hybrid attack lets the user define word mutation (variation) rules and attempts to validate the modified words as source passwords. For example, the user could capitalize the first letter of a password being validated, append '2' to it, replace the number 8 in it with the letter B, O with 0, etc.
Actions performed on source words from the dictionary are called rules. Multiple rules can be applied to each source word. The rule definition syntax is partially compatible with John the Ripper and PasswordsPro software. The author of the latter has kindly provided an extended set of rules, slightly edited, which comes with the distribution kit for Windows Password Recovery.
Hybrid dictionary attack settings are grouped in 6 tabs:
1. Dictionaries - for setting up source dictionaries.
2. Rules - for setting up files with sets of rules.
3. Dictionary generator, where you can create files of words obtained from the hybrid attack.
4. Online dictionaries - for downloading new dictionaries to the application.
5. Attack syntax - complete description of all rules with examples.
6. Rule tester, where you can test your rules.
The Windows Password Recovery distribution kit comes with extended sets of password mutation rules:
hybrid_rules/english_words.ini - basic rules for English passwords.
hybrid_rules/nonenglish_words.ini - common rules for non-English passwords.
hybrid_rules/simple_dates.ini - a lot of rules with dates, months, seasons, etc.
hybrid_rules/l33t.ini - rules that convert words to leetspeak (based on a leet dictionary). For example, password -> p@$$w0rd
Wordlists to be used in the attack are set on the first tab. Traditionally, the application supports wordlists in ASCII, UTF8, UNICODE, PCD, RAR and ZIP formats. The position of the files on the list can be altered. For example, you may want to move smaller dictionaries up the list or the other way. During the attack, they will be used one after another, according to their position on the list.

On the 'Rules' tab, define at least one file with password mutation rules. The format of the rules file is simple: it is a plain-text ASCII file containing a '[Rules]' line. Anything above this line is considered a comment and ignored by the program. Whatever goes below it is considered rules. Each line can contain several rules, which are applied to a source word. The exception is the aN rule, which must not be on the same line as other rules. If a line contains multiple rules per word, those rules are parsed left to right. For example, if you apply the rule '@pc$a$b$c' to the source word 'password', the output will be 'Asswordabc': '@p' removes every 'p', 'c' capitalizes the result, and '$a$b$c' appends 'abc'. The length of an output word may not exceed 256 characters.

The 'Dictionary generator' tab is designed for generating dictionaries obtained from an attack. Those dictionaries can then be used, for example, in other applications. To generate a dictionary, specify a source dictionary and a set of mutation rules for it. The size of a target file may exceed 2 GB.
Be careful, the dictionary generation process may take considerable time!
You can download additional wordlists for the attack using the 'Online dictionaries' tab.
If you want to create your own set of rules, you can use the last two tabs as sources of help. While the 'Syntax' tab only describes the available rules, on the last tab you can actually test them by specifying a source word and a rule for the hybrid attack. Forward your rule sets to us; if we find them interesting/useful, we will include them in the default distribution of the program.
Rules description for the hybrid dictionary attack
Several rules may be set on one line (except the aN rule).
Rules (if any) are processed from left to right.
The maximum line length is 256 characters.
The maximum output word length is 256 characters.
All text before the '[Rules]' line is considered a comment.
Rules
| Rule | Description |
| --- | --- |
| : | Do nothing to the input word |
| { | Rotate the word left: password -> asswordp |
| } | Rotate right: password -> dpasswor |
| [ | Delete the first character: password -> assword |
| ] | Delete the last character: password -> passwor |
| c | Capitalize: password -> Password |
| C | Anti-capitalize - lowercase the first character, uppercase the rest: password -> pASSWORD |
| d | Duplicate word: password -> passwordpassword |
| f | Reflect: password -> passworddrowssap |
| l | Convert to lowercase: Password -> password |
| k | Convert word using alternative (first after default) keyboard layout. The rule works in both directions. For example, if there's a Russian keyboard layout installed in the system, the rule will convert word 'password' to Russian 'зфыыцщкв', and Russian word 'пароль' to 'gfhjkm'. This is very helpful when dealing with non-English passwords. If there's only one language installed in the system, the rule is ignored. |
| q | Duplicate all symbols: password -> ppaasssswwoorrdd |
| r | Reverse word: password -> drowssap |
| t | Toggle case of all characters: PassWord -> pASSwORD |
| u | Convert to uppercase: Password -> PASSWORD |
| V | Vowels elite: password -> PaSSWoRD |
| v | Vowels noelite: password -> pASSWoRD |
| 'N | Truncate the word to N character(s) length |
| <N | Reject (skip) the word if it is greater than N characters long |
| >N | Reject (skip) the word if it is less than N characters long |
| aN | Check all possible symbol cases for the word. N is a maximal length of the word to apply this rule for. This rule CANNOT be used in conjunction with other ones! |
| DN | Delete the character at position N |
| pN | Copy word N times. N = 3 .. 9 |
| TN | Toggle case of the character at position N. N = 0 .. 9 for the position 0 - 9, N = A .. Z for the position 10 - 35 |
| zN | Duplicate the first character of the word N times. N = 1 .. 9 |
| ZN | Duplicate the last character of the word N times. N = 1 .. 9 |
| $X | Add character X to the end of the word |
| ^X | Insert character X at the beginning of the word |
| @X | Remove all characters X from the word |
| !X | Reject (skip) the word if it contains at least one character X |
| /X | Reject (skip) the word if it does not contain character X |
| (X | Reject (skip) the word if the first character is not X |
| )X | Reject (skip) the word if the last character is not X |
| %MX | Reject (skip) the word if it does not contain at least M instances of the character X |
| =NX | Reject (skip) the word if the character at position N is not equal to X |
| iNX | Insert the character X in position N |
| oNX | Overwrite a character in position N with the character X |
| sXY | Replace all characters X with Y |
| xNM | Extract a substring of up to M characters length, starting from position N. M = 1 .. 9 for the length equal to 1 - 9, M = A .. Z for the length equal to 10 - 35 |
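
As an added example (not part of Windows Password Recovery or its documentation), the Python sketch below interprets a subset of the rules above together with the '[Rules]' file layout, and uses them to flag a proposed password that is only a rule mutation of a dictionary word. The function names and sample data are constructed here; leaving the rest of the word unchanged for `c` and dropping output longer than 256 characters are assumptions.

```python
MAX_LEN = 256  # maximum output word length stated on the page

def load_rules(text):
    """Rule lines are whatever follows the '[Rules]' line; text above it is comment."""
    _, found, body = text.partition("[Rules]")
    return [ln.strip() for ln in body.splitlines() if ln.strip()] if found else []

SIMPLE = {  # rules that take no argument (only part of the table is covered)
    ":": lambda w: w,
    "{": lambda w: w[1:] + w[:1],      # rotate left
    "}": lambda w: w[-1:] + w[:-1],    # rotate right
    "[": lambda w: w[1:],
    "]": lambda w: w[:-1],
    "c": lambda w: w[:1].upper() + w[1:],  # assumption: rest of the word is untouched
    "l": str.lower,
    "u": str.upper,
    "r": lambda w: w[::-1],
}

def apply_rule(rule, word):
    """Apply the rules on one line left to right; None means the word was rejected."""
    i = 0
    while i < len(rule):
        op, args = rule[i], rule[i + 1:i + 3]
        if op in SIMPLE:
            word, i = SIMPLE[op](word), i + 1
        elif op in "$^@!/" and args:
            x, i = args[0], i + 2
            if op == "$":
                word += x
            elif op == "^":
                word = x + word
            elif op == "@":
                word = word.replace(x, "")
            elif (x in word) == (op == "!"):  # !X rejects if present, /X if absent
                return None
        elif op == "s" and len(args) == 2:
            word, i = word.replace(args[0], args[1]), i + 3
        else:
            raise ValueError(f"unsupported or truncated rule {op!r} in {rule!r}")
    return word if len(word) <= MAX_LEN else None  # assumption: over-long output is dropped

def derivable_from(candidate, words, rules):
    """List the (word, rule) pairs whose mutation equals the candidate password."""
    return [(w, r) for w in words for r in rules if apply_rule(r, w) == candidate]

# Constructed sample input, not shipped with the product.
SAMPLE_RULES = "Constructed rules file; this line is a comment\n[Rules]\n:\nc$1\nsa@ss$so0\n@pc$a$b$c\n"
SAMPLE_WORDS = ["password", "letmein"]
```

A non-empty result from `derivable_from` for a proposed password means it would fall to a dictionary plus these rules, which is a reason to refuse it when the password is set.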