Home > Information > Blog > Show blog article
Show blog article
01.03.2024
New blog post
Dumping the history of users' IP addresses in Windows
20.02.2024
Reset Windows Password v14.1
IP addresses history viewer, fast disk search, local security editor and some more
02.01.2024
Wireless Password Recovery v6.9.0
A revision of the GPU health monitor along with some minor updates
23.12.2023
HAPPY NEW YEAR!
Happy New Year greetings and holidays discount

Articles and video

You may find it helpful to read our articles on Windows security and password recovery examples. Video section contains a number of movies about our programs in action

Analyzing rule efficiency in a hybrid dictionary attack

11:34:10 25.08.2017 posted by Passcape_Admin at 11:34:10 25.08.2017
 

When it comes to password decryption, a hybrid dictionary attack is a very flexible and indispensable tool. Unlike a common dictionary attack, which uses a custom though, but nevertheless a fixed set of word mutation rules, a hybrid attack can be completely adjusted according to your needs.

Many users when decrypting passwords use their own password mutations rules, starting hybrid dictionary attack several times with different settings. For example, the first attack starts with the most frequently used and limited set of rules for searching popular passwords quickly, then there goes a hybrid attack rules to locate non-Latin passwords, and then a slow attack with a full set of rules for finding out all possible combinations, etc. By the way, a full collection of more than 600000 mutation rules is available at the following link: hybrid_all.ini

Often users are asking: what is the most effective rule-file in a given situation? The problem is, some sets of rules were made to search for passwords based on popular mutations, others for finding certain types of passwords. For example, like these ones:
overwrite.ini, insert.ini - search for passwords with replaced or inserted character
numbers.ini - searching for passwords with numbers at the beginning or end of a word
simple_dates.ini - searching for passwords with dates
nonenglish_words.ini - mutation of non-Latin passwords
l33t.ini - for passwords written in leet, like password -> p@$$w0rd
dotcom.ini - domains at the end of words

We tried to abstract from the fact that some sets are specific to a certain type of passwords, and tried to evaluate the effectiveness of each rule-file that comes with our Windows Password Recovery tool. We made a list of 30819 NTLM hashes taken from the Defcon Crack Me if You Can 2010 contest. Then sequentially started the hybrid attack with each (one) set to evaluate their effectiveness, check the working time, etc. The attack was carried out using the built-in wpr.pcd dictionary consisting of 5398185 words. Used hardware - Nvidia GTX 1060. The table below shows the list of the most effective sets, sorted by the maximum number of found items.

Rule-file name Passwords found % found Number of rules Work time (sec) Found pwds per rule Speed (found pwds/sec)
hybrid_all.ini 11248 36,5% 616716 3487 0,02 3,23
Hashcat_generated2.ini 7552 24,5% 304062 1775 0,02 4,25
nsa.ini 7270 23,6% 123286 552 0,06 13,17
english_words.ini 6758 21,9% 30055 208 0,22 32,49
Hashcat_d3ad0ne.ini 6492 21,1% 35323 189 0,18 34,35
InsidePro-HashManager.ini 5785 18,8% 6469 28 0,89 206,61
yurets.ini 5724 18,6% 74585 394 0,08 14,53
Hashcat_rockyou-30000.ini 5324 17,3% 29999 139 0,18 38,30
Hashcat_T0XlCv1.ini 5130 16,6% 11936 53 0,43 96,79
InsidePro-PasswordsPro.ini 4819 15,6% 3119 16 1,55 301,19
d3adhob0.ini 4764 15,5% 57536 308 0,08 15,47
Hashcat_generated.ini 4531 14,7% 14726 71 0,31 63,82
Hashcat_T0XlC.ini 3687 12,0% 4086 21 0,90 175,57
overwrite.ini 3239 10,5% 3 7 1079,67 462,71
insert.ini 3174 10,3% 3 7 1058,00 453,43
fasthash.ini 2112 6,9% 2943 16 0,72 132,00
Hashcat_T0XlC-insert_00-99_1950-2050_toprules_0_F.ini 2105 6,8% 4015 19 0,52 110,79
megatron-1.ini 1994 6,5% 450 2 4,43 997,00
megatron-2.ini 1804 5,9% 10664 50 0,17 36,08
Hashcat_best64.ini 1661 5,4% 77 1 21,57 1661,00
numbers.ini 1457 4,7% 650 5 2,24 291,40
simple_dates.ini 1300 4,2% 4828 32 0,27 40,63
Hashcat_combinator.ini 1287 4,2% 39 2 33,00 643,50
Hashcat_toggles5.ini 1215 3,9% 4943 26 0,25 46,73
Hashcat_toggles4.ini 1178 3,8% 1940 10 0,61 117,80
Hashcat_toggles3.ini 1153 3,7% 575 3 2,01 384,33
Hashcat_toggles2.ini 1136 3,7% 120 1 9,47 1136,00
Hashcat_toggles1.ini 1107 3,6% 15 2 73,80 553,50
Hashcat_T0XlC-insert_space_and_special_0_F.ini 1023 3,3% 480 2 2,13 511,50
Hashcat_specific.ini 997 3,2% 176 1 5,66 997,00
Hashcat_Incisize_leetspeak.ini 869 2,8% 15487 120 0,06 7,24
Hashcat_T0XlC-insert_top_100_passwords_1_G.ini 856 2,8% 1600 10 0,54 85,60
nonenglish_words.ini 824 2,7% 4448 82 0,19 10,05
hashcat_ninja_leetspeak.ini 733 2,4% 2047 15 0,36 48,87
Hashcat_leetspeak.ini 704 2,3% 17 2 41,41 352,00
l33t.ini 583 1,9% 1046 11 0,56 53,00
Hashcat_oscommerce.ini 135 0,4% 256 2 0,53 67,50
dotcom.ini 127 0,4% 40 2 3,18 63,50


The first column shows the number of passwords found by the given set of rules. The second displays the number of found passwords in percentage. The third column shows the total number of rules for the file. In the fourth, the time took to verify all the rules. The next two columns are a little bit more interesting and output the most effective rules. More specifically, the number of found passwords for a single rule and the number of found passwords per second.

Quite funny to see the significant superiority of some sets (for example, insert.ini and overwrite.ini) and the failure of others, such as Hashcat_Incisize_leetspeak.ini. But this is understandable, taking into account that they were mainly designed to search for passwords of certain types. In general, the results can be useful for those who face strict time frames when recovering passwords. For instance, a good balanced rule set is InsidePro-HashManager.ini, which has found 5785 passwords in only 28 seconds. For comparison, the set of all mutation rules found 11248 password for ~ 1 hour using the above-mentioned hardware.

Some more additional statistics.

Top 10 best rule-sets (sorted by the number of found passwords)

Rule-file name Passwords found % found
hybrid_all.ini 11248 36,5%
Hashcat_generated2.ini 7552 24,5%
nsa.ini 7270 23,6%
english_words.ini 6758 21,9%
Hashcat_d3ad0ne.ini 6492 21,1%
InsidePro-HashManager.ini 5785 18,8%
yurets.ini 5724 18,6%
Hashcat_rockyou-30000.ini 5324 17,3%
Hashcat_T0XlCv1.ini 5130 16,6%
InsidePro-PasswordsPro.ini 4819 15,6%



Top 10 biggest rule-sets (by the number of rules)

Rule-file name Number of rules
hybrid_all.ini 616716
Hashcat_generated2.ini 304062
nsa.ini 123286
yurets.ini 74585
d3adhob0.ini 57536
Hashcat_d3ad0ne.ini 35323
english_words.ini 30055
Hashcat_rockyou-30000.ini 29999
Hashcat_Incisize_leetspeak.ini 15487
Hashcat_generated.ini 14726



Top 10 most efficient rule-sets (by the number of found passwords per rule)

Rule-file name Found passwords per rule
overwrite.ini 1079,67
insert.ini 1058,00
Hashcat_toggles1.ini 73,80
Hashcat_leetspeak.ini 41,41
Hashcat_combinator.ini 33,00
Hashcat_best64.ini 21,57
Hashcat_toggles2.ini 9,47
Hashcat_specific.ini 5,66
megatron-1.ini 4,43
dotcom.ini 3,18



Top 10 fastest rule-sets (by the number of found passwords in second)

Rule-file name Found passwords in second
Hashcat_best64.ini 1661,00
Hashcat_toggles2.ini 1136,00
Hashcat_specific.ini 997,00
megatron-1.ini 997,00
Hashcat_combinator.ini 643,50
Hashcat_toggles1.ini 553,50
Hashcat_T0XlC-insert_space_and_special_0_F.ini 511,50
overwrite.ini 462,71
insert.ini 453,43
Hashcat_toggles3.ini 384,33
 
Rating
Current rating RatingRatingRatingRatingRating
Avarage rating Ø 5.69
Number of votes 13
Your vote Rate this message: 1Rate this message: 2Rate this message: 3Rate this message: 4Rate this message: 5Rate this message: 6Rate this message: 7Rate this message: 8Rate this message: 9Rate this message: 10

Comments

hybrid dictionary attack
posted by bala at 22:21:25 19.05.2018
admin i need help about hybrid dictionary attack
Passcape_Admin
RE: hybrid dictionary attack
posted by Passcape_Admin at 23:13:36 19.05.2018
Hi, you are welcome to ask any question.
Add comment

Spamprotection