Home > Products > Windows Passwords > Windows Password Recovery > Screenshots > Attacking hashes > Combined dictionary attack
Recovering Windows hashes - combined dictionary attack
19.10.2017
New blog post
Farewell to Syskey!
11.10.2017
Wireless Password Recovery 4.2.5
Support for NVidia Volta
04.10.2017
Office password recovery tools
Support for new GPU devices, some improvements
22.09.2017
Reset Windows Password v8.0
Support for domain cached credentials, new bootable environment

Articles and video

You may find it helpful to read our articles on Windows security and password recovery examples. Video section contains a number of movies about our programs in action

Windows Password Recovery - combined dictionary attack

Combined dictionary attack (developed by Passcape Software) is great at recovering passwords that consist of 2,3 and even 4 words. This type of attack on difficult and compound passwords is very similar to the simple dictionary attack, except that instead of using a single word for password verification here we use a combination of words or a phrase created by combining words from specified dictionaries. To successfully utilize this attack, set at least two dictionaries and the rules for generating passwords. You can set the regular dictionaries used in the simple dictionary attack, but it is recommended to use rather small dictionaries with the most common words.

Perfect dictionaries for the attack are those that have different forms of words in them; e.g. jump, jumper, jumped, jumping.

Combined attack sets a certain limit to the number of dictionaries that can be used; that's not more than 4. Thus, the general limitation of this attack is that only password phrases of not more than 4 words can be recovered using this attack.

Another essential drawback is the wide range of phrases generated. And, as the consequence, the proportional increase of the time spent on the validation of a password. Keep in mind that when generating passwords that consist of 3 or 4 words, the generation process takes considerable time

If finding the right dictionary is difficult, don't worry. The software comes with a special dictionary for the combined attack. You can also take advantage of the Online Dictionaries tab or the corresponding button to download such dictionaries from the Passcape website.



Dictionaries

Combined dictionary attack

The way the combined attack works is really simple. For example, if you have set two dictionaries, the program will generate the passwords as follows: it will take the first word from the first dictionary and glue it with the first word from the second dictionary, then with the second word, and so on until the end. Then it checks the second word from the first dictionary and goes the same route, and so on.

To understand how the combined attack works, let's take a look at a couple of password generation examples that involve, in the first case, the same dictionary and in the second case - two different ones.

1. Suppose we’ve got a single dictionary with three words: action, bad, and computer. We will set this dictionary as two original sources: primary dictionary & secondary dictionary2 (see the figure). After these dictionaries have been processed, at the output we have the following phrases (they will be used when checking the password sought):
actionaction, actionbad, actioncomputer,
badaction, badbad, badcomputer,
computeraction, computerbad, computercomputer,
9 phrases total.

2. In the second case, we have got two different dictionaries. For example, the first dictionary consists of three words: action, bad, and computer. The second one also has three words: date, eagle, fail. In this case, we are going to have the following phrases:
actiondate, actioneagle, actionfail,
baddate, badeagle, badfail,
computerdate, computereagle, computerfail

The example is plain but demonstrative. The idea is that for multiple sources you can successfully use both a single dictionary and multiple ones. It all depends on your imagination. The last example shows that a special attention should be paid to the order of the dictionaries if they are different. The order of the words in the phrases to be created depends directly on the order of the source dictionaries. In our second example, if we swap the primary and the secondary dictionaries, at the output we will obtain a completely different set of phrases.



Mutation rules

Password generation rules

Passwords created by the combined attack are generated according to special rules that are to be set on the second tab. By default, when password generation rules are disabled, the program generates passwords by simply gluing up the words from the dictionaries, without separating them with a space. For example, of the two words are 'my' and 'computer', you will get 'mycomputer'.

If word insertion option is set, the program additionally creates passwords by inserting words from second dictionary into every position of the word from dictionary 1. For example, if the first dictionary's word is Admin, and the word from the second dictionary is 12345, the program will generate the following passwords:
12345Admin
A12345dmin
Ad12345min
Adm12345in
Admi12345n

And so on for all words of the second dictionary. Then goes another word from dictionary 1, etc. The option is active if only 2 dictionaries were set.

The generation rules are made to extend the password search options. For example: Mycomputer, MyComputer, MY COMPUTER, my-computer, etc. There are special rules available for this purpose; you don't have to know the syntax of them, for the mutation rule creation dialog is simple and intuitive. 


Creating new rule

Each mutation rule consists of five elements:

  1. Prefix - text that will appear before each phrase. This element can be a character, plain text string, one digit between 0 and 9 or a number. For instance, if you set a one-digit prefix, the phrases created with this rules will look as follows: '0 aaa bbb', '1 aaa bbb' : '9 aaa bbb'.
  2. First word - the action to be performed over the first word of each phrase. There are only four options. Namely: leave intact as is in dictionary, convert all characters to lowercase, convert all characters to uppercase or capitalize only the first letter of the word.
  3. Word separator. It may be absent. Then all the words will be concatenated. Example: 'aaabbb', 'aaaccc','aaaddd', etc. You can otherwise set a custom separator; e.g. the '-' character: 'aaa-bbb', 'aaa-ccc','aaa-ddd'.
  4. Other words. With this attribute, similarly to 2., you can set rules for the other words of a phrase.
  5. Postfix - text that will finalize each phrase. For example, if you set Postfix to the '?' or ' ?', all phrases created with this rule will have the question mark at the end.

Certainly, the more password generation rules you set, the more chances you have to pick the right password. But, on the other hand, the more time you will have spent on the attack.

The 'Statistics' group shows the average and recommended average size of a dictionary, number of words in source dictionaries, total number of passwords being generated and other helpful information.



Dictionary generator

Creating new dictionaries

The third tab of options serves for creating combined attack-based dictionaries (available not for all editions).


Additional wordlists can be downloaded from our online database.