Home > Products > Windows Passwords > Windows Password Recovery > Screenshots > Attacking hashes > Hybrid dictionary attack
Recovering Windows hashes - hybrid dictionary attack
27.12.2016
Happy New Year!
New Year greetings and holidays discount
27.12.2016
Windows Password Recovery v11.1
Some minor improvements, changes in DPAPI engine
06.12.2016
New blog post
Hash encryption in Windows 10 Anniversary Update
30.11.2016
WPA password recovery benchmarks
New devices

Articles and video

You may find it helpful to read our articles on Windows security and password recovery examples. Video section contains a number of movies about our programs in action

Windows Password Recovery - hybrid dictionary attack


Hybrid dictionary attack is a form of simple dictionary attack. However, unlike the latter, hybrid attack allows user to set his own word mutation (variation) rules and attempt to validate the modified words as source passwords. For example, user could capitalize the first letter of a password being validated, append '2' to it, replace the number 8 in it with the letter B, O with 0, etc.

Actions, performed on source words from the dictionary, are called rules. Multiple rules can be applied to each source word. The rule definition syntax is partially compatible with John the Ripper and PassworsPro software. The author of the latter has kindly provided an extended set of rules, slightly edited, which comes with the distribution kit for Windows Password Recovery.

 Hybrid dictionary attack settings are grouped in 7 tabs:
 1. Dictionaries - for setting up source dictionaries.
 2. Rules - files with set of rules.
 3. Super-rules - ones to be applied over the top of regular rules.
 4. Dictionary generator, where you can create files of words obtained from the hybrid attack.
 5. Online dictionaries - for downloading new dictionaries to the application.
 6. Attack syntax - complete description of all rules with examples.
 7. Rule tester, where you can test your rules.

Windows Password Recovery   distribution kit comes with extended sets of password mutation rules:
hybrid_rules/english_words.ini file contains basic rules for English passwords.
hybrid_rules/nonenglish_words.ini holds common rules for non-Eglish passwords.
hybrid_rules/simple_dates.ini - a lot of rules with dates, months, seasons, etc.
hybrid_rules/l33t.ini - rules to freak words (based on leet dictionary). For example, password->p@$$w0rd

Dictionaries

Wordlists to be used in the attack are set on the first tab. Traditionally, the application supports wordlists in ASCII, UTF8, UNICODE, PCD, RAR and ZIP format. The position of the files on the list can be altered. For example, you may want to move smaller dictionaries up the list or the other way. During the attack, they will be used one after another, according to their position on the list.
Hybrid dictionary attack



Rules

On the 'Rules' tab, define at least one file with password mutation rules. The format of the rules file is quite trivial; it is a plain-text ASCII file with the '[Rules]' string. Anything above this string is considered comments and ignored by the program. Whatever goes below this string is considered rules. Each string can contain several rules, applicable to a source word. The exclusion is the aN rule. This rule must not be on the same line with other rules. If a string contains multiple rules per word, those rules are parsed left to right. For example, if you apply the rule '@pc$a$b$c' to the source word 'password', at the output you will get 'Asswordabc'. The maximum length of an output word may not exceed 256 characters.
Hybrid dictionary rules



Super-rules

Super-rule is a rule (or several rules) to be applied over the top of all other regular ones, before or after them. For example, you can set 'a8' tail super-rule to create all possible case combinations after a common mutation has been done. So '/asa4' rule from l33t.ini file will become '/asa4a8', '/csc(' will become '/csc(a8', etc. Yet another one example: setting the '>6<G' head rule allows you to skip all words of less than 6 or greater than 16 characters, before starting a common mutation. This is a helpful feature once you decide to add the same rule to all text lines of the selected *.ini files. So there's no need to modify them all.

Be careful though, the 'aN' super-rule may increase the total number of generated passwords drastically.
Hybrid super-rules



Dictionary generator

The Dictionary generator tab is designed for generating dictionaries obtained from an attack. Further on, those dictionaries could be used, for example, in other applications. To generate a dictionary, specify a source dictionary and a set of mutation rules for it. The size of a target file may exceed 2 GB.

Be careful, the dictionary generation process may take considerable time!

Hybrid dictionary generator


 

Online dictionaries

You can download additional wordlists for the attack using 'Online dictionaries' tab.



Syntax

If you want to create your own set of rules, you can use the last two tabs as sources of help. While the 'Syntax' tab gives mere descriptions of available rules, on the last tab you can actually test them by specifying a source word and a rule for the hybrid attack. Forward your rule sets to us; if we find them interesting/useful, we will include them in the default distribution of the program.
Hybrid dictionary rules tester


Rules description for the hybrid dictionary attack

  • Several rules at a line are allowed to be set.
  • Rules are processed from the left to the right.
  • Maximal line length is limited to 256 characters.
  • Maximal output word length is limited to 256 characters.
  • All text before the [Rules] line is considered as comment.
  • White space is ignored as long as it is not used as a parameter.
  • A line started with # character considered as a comment.
  • N and M always start at 0. For values greater than 9 use A..Z (A=10, B=11, etc.)
Forward your rule files to us; if we find them interesting, we will include them in the default distribution of the program.

Rules

Rule Example Input Output Description
: : password password Do nothing to the input word.
{ { password asswordp Rotate the word left.
} } password dpasswor Rotate right.
[ [ password assword Delete the first character.
] ] password passwor Delete the last character.
c c password Password Capitalize.
C C password pASSWORD Anti-capitalize - lowercase the first character, uppercase the rest.
d d password passwordpassword Duplicate word.
f f password passworddrowssap Reflect word.
k k password
пароль
зфыыцщкв
gfhjkm
Convert word using alternative (first after default) keyboard layout. The rule works in both directions. For example, if there's Russian keyboard layout installed previously in the system, the rule should convert word 'password' to Russian 'зфыыцщкв', and Russian word 'пароль' to 'gfhjkm'. This is very helpful when looking for non-English passwords. If only one language is installed in the system, the rule does nothing.
K K password passwodr Swap last two characters.
l l PassWord password Convert all characters to lowercase.
q q password ppaasssswwoorrdd Duplicate all symbols in a word.
r r password drowssap Reverse word.
t t PassWord pASSwORD Toggle case of all characters
u u password PASSWORD Convert to uppercase.
U U my own password My Own Password Capitalize all words delimited with space (upper-case the first character and every character after a space).
V V password PaSSWoRD Vowels elite.
v v password pASSWoRD Vowels noelite.
   
'N '4 password pass Truncate the word to N character(s) length.
+N +1 password pbssword Increment character at position N by 1 ASCII value.
-N -0 password obssword Decrement character at position N by 1.
.N .4 password passoord Replace character at position N with character at position N+1
,N ,1 password ppssword Replace character at position N with character at position N-1. Where N > 0.
<N       Reject (skip) the word if it is greater than N characters long.
>N       Reject (skip) the word if it is less than N characters long.
aN a8     Check all possible symbol cases for the word. N is a maximal length of the word to apply this rule for.
DN D2D2 password paword Delete the character at position N.
pN p3 key keykeykey Copy word N times.
SLN SL2 012345678 01d345678 Bitwise shift left character at position N.
SRN SR2 password pa9sword Bitwise shift right character at position N.
TN T1T5 password pAsswOrd Toggle case of the character at position N.
yN y3 password paspasword Duplicate first N characters.
YN Y3 password paswordord Duplicate last N characters.
zN z3 password ppppassword Duplicate the first character of the word N times.
ZN Z3 password passwordddd Duplicate the last character of the word N times.
   
$X $0$0$7 password password007 Add character X to the end of the word.
^X ^3^2^1 password 123password Insert character X at the beginning of the word.
@X @s password paword Remove all characters X from the word.
!X !.     Reject (skip) the word if it contains at least one character X.
/X /1/2/3     Reject (skip) the word if it does not contain character X.
(X (p     Reject (skip) the word if the first character is not X.
)X )d     Reject (skip) the word if the last character is not X.
eX e@ mike@yahoo.com mike Extract a substring starting at position 0 and ending up before first occurrence of X character (do nothing if X is not found).
EX E@e. mike@yahoo.com yahoo Extract a substring starting right after first found X character and till the end of the string (do nothing if X is not found).
   
%MX %20     Reject (skip) the word if it does not contain at least M instances of the character X.
*XY *15 password possward Swap characters at positions X and Y.
=NX =01     Reject (skip) the word if the character at position N is not equal to the X
iNX i4ai5bi6c password passabcword Insert the character X in position N.
oNX o4*o5* password pass**rd Overwrite a character in position N with the character X.
sXY ss$so0 password pa$$w0rd Replace all characters X with Y.
xNM x4Z password word Extract a substring of up to M characters length, starting from position N.
         
INX-Y rI0/-/r google.com google.com/ Insert the character X at position N if previous character at position N is not Y.
INX+Y rI0.+.r password. password.. Insert the character X at position N if previous character at position N is Y.
ONX-Y O0-+p password -assword If the character at position N is not Y, overwrite it with X character.
ONX+Y O0P+p password Password If the character at position N is Y, overwrite it with X character.
RNM+Y R01+a password assword Remove character at position N if character at position M is Y
RNM-Y R40-b password passord Remove character at position N if character at position M is not Y
         
?iN[C] ?i0[digits] password 0password
..
9password
Insert a character from a charset [C] into position N of the word. Where C should be either a predefined charset name or a custom character set itself.
?iZ[C] ?iZ[digits] password password0
..
password9
Insert a character from a charset [C] into the last position of the input word.
?i[C] ?i[special] password ~password
..
password+
Insert a character from a charset [C] into every position of the word. [C] should be either a predefined charset name or a custom character set itself.
?oN[C] ?o1[upperalpha] password pAssword
..
pZssword
Overwrite a character at position N with a character taken from the charset [C]. Where C should be either a predefined charset name or a custom character set itself.
?oZ[C] ?oZ[upperalpha] password passworA
..
passworZ
Overwrite a character at the last position with a character taken from the charset [C].
?o[C] ?o[-=.] password -assword
..
password.
Overwrite a character at every position of the word with a character taken from a charset [C]. Where C should be either a predefined charset name or a custom character set itself. The given example (?o[C] rule for the word password) will generate the following combinations: -password, =password, .password, -assword, =asswords, .assword, p-ssword, p=ssword ... password.

Looking for a convenient way to handle as much passwords as possible? Downloading the full set of over a half of a million sorted and duplicate-free rules.