Home > Products > Windows Passwords > Windows Password Recovery > Screenshots > Attacking hashes > Dictionary attack
Recovering Windows hashes - dictionary attack
27.12.2016
Happy New Year!
New Year greetings and holidays discount
27.12.2016
Windows Password Recovery v11.1
Some minor improvements, changes in DPAPI engine
06.12.2016
New blog post
Hash encryption in Windows 10 Anniversary Update
30.11.2016
WPA password recovery benchmarks
New devices

Articles and video

You may find it helpful to read our articles on Windows security and password recovery examples. Video section contains a number of movies about our programs in action

Windows Password Recovery - dictionary attack


Dictionary attack

In contrast with a brute-force attack, where all possibilities are searched through exhaustively, a dictionary attack only tries possibilities which are most likely to succeed, typically derived from a wordlist or a dictionary. Generally, dictionary attacks succeed because many people have a tendency to choose passwords which are short, single words in a dictionary, or are simple variations that are easy to predict.

On the Dictionaries tab, set up the list of dictionaries to be used in the attack. Supported are plain-text dictionaries in the formats ASCII, UNICODE and UTF8, as well as encrypted/compressed dictionaries in the native PCD format, developed in Passcape Software. ZIP and RAR packed wordlist are supported as well with some restrictions. To deactivate a dictionary, simply clear the checkbox by its name. In this case, the dictionary, although it remains on the list, will be skipped during an attack. The software comes with a 360000-word dictionary. For complete list of dictionaries, check out our wordlist collection please. Or you can use our Online dictionaries as an alternative.

The Filters tab filters the words from a dictionary by the include/exclude principle. If the first, inclusive, filter is enabled, the attack will accept only the words that contain at least one of the characters entered in the filter. If the second, exclusive, filter is set, the program will skip the words that contain at least one of the entered characters.

You can use Dictionary Generator to create your own wordlists based on options of the first three tabs.

The Mutation tab allows setting all kinds of possible combinations of the words to be searched. For example, if you set a strong mutation, the program will create several hundreds of analogs for each word from the dictionary. For example, secret - Secret - s3cr3t - secret123, and so on. You can set up to three mutation rules: Weak - less number of mutations and, in its turn, greater verification speed; Strong - for greater number of mutations, to the prejudice of the speed, and the happy medium, Default option.
 

Customizing mutations

Starting with version 4.0, the program has ability to customize the smart mutation of the Dictionary attack. All mutation rules are clustered into 16 primary groups. You can set one of three mutation levels or disable mutation separately for each group.
Password mutation in dictionary attack

For example, you can turn off OEM mutation (and thus double your Dictionary attack speed) if you sure the password you're looking for contains Latin characters only. Simple description of what all these mutation groups mean is given below:
 

Group name Description Examples (for word 'password') Comments
Character case Checks case combinations of the input word. Password, PassworD, PaSsWoRd Maximal (Strong) level of the mutation group DOES NOT generate all possible case combinations of input words. To check all possible case variants, consider using Hybrid dictionary attack (aN rule).
Digits append/prepend Adds digits to the beginning or to the end of the word. password99, 2Password, PASSWORD3 Maximal level adds 2 digits.
Head and tail Almost the same as previous one, but appends or prepends words, abbreviations, characters, keyboard combinations, etc. #Password#, password12345, 4everPASSWORD, Passwordqwerty
 
l33t Creates different combinations using leet language. p@ssword, P@$$w0rd, P@$$W0RD
 
Abbreviation Converts several character combinations (if the initial word contains any) into abbreviations. ihateyou -> ih8you, Ih8u
 
Dups and revers Revers, duplicates the word, etc. drowssap, passwordpassword, PasswordDrowssap
 
Vowels and consonants Mutates vowels and consonants (English characters only). Psswrd, PaSSWoRD, pAsswOrd
 
Character skip Skips a single character of the original word. assword, Passwrd, Pasword
 
Character swap Exchanges two adjacent characters. apssword, Passowrd
 
Character duplicate Duplicates characters. ppasword, ppaasswwoorrdd, Passworddddd
 
Delimiters Separates characters with delimiters. p.a.s.s.w.o.r.d, P-a-s-s-w-o-r-d Maximal level uses 10 delimiters.
Dates Adds dates to the end of the word. Password2010, password1980 Even though the mutation engine can generate more complicated variations (for example, password03171998 or Password19710830), this feature if turned off here even in maximal mutation level.
Oem convertion Converts English word into another language and vice-versa using alternative keyboard layout (second language of the OS). If your OS has 2 languages installed (let it be English and Russian), the program will convert initial word password into Russian зфыыцщкв, and Russian пароль will be converted into gfhjkm. The program works correctly for 2 or even more languages. So if you have 5 languages installed locally (including English one), there will be 4 different combinations of the input word.
Word shift Simply shifts all characters of the word to the right or to the left. asswordp, dpasswor
 
Character substitution Replaces a character of the initial word. oassword, passqord This is quite helpful rule assuming the fact that the characters for substitution are taken from a special table. For example, the character 's' will be replaced with the following ones: 'a', 'w', 'e', 'd', 'x', 'z'. You can notice that all of these characters are located near 's' on any qwerty keyboard.
Length truncate Truncates word length to probe all possible length combinations. passwor, passwo, passw
 

The program has a great feature that allows downloading and using existing dictionaries available on the Passcape website. We have accumulated quite a large dictionary collection - over 250 items. That should get you rid from the extra hassle on finding the required content on the Net.