Skip to main content
Profile picture Blog | Rane Villanueva
Advanced Password Attacks

Advanced Password Attacks with Hashcat Rules

2 min 325 words
offensive hashcat password

Hashcat rules

Hashcat rules are derived from the name itself: “rules.” They define transformations applied to inputs—in this case, passwords or wordlists. Essentially, rules mutate the input data to increase cracking coverage.

For example, using a specific rule, the word password will mutate into the following (depending on the specific ruleset used):

Password
P4ssw0rd
Password1
drowssap

There are mainly two ways to use Hashcat rules:

  1. Password Cracking: Attacking hashes directly using rule-based mutations.
  2. Wordlist Generation: Creating a new wordlist with mutated passwords for use in other tools (like SSH or Web login testing).

Using rules works with the following Hashcat attack modes:

  • Mode 0: Straight (Wordlist)
  • Mode 6: Hybrid (Mask + Wordlist)
  • Mode 7: Hybrid (Mask + Wordlist)

For more technical details, visit the Hashcat Rule-based Attack Wiki.

Hashcat includes built-in rules on Kali Linux located at /usr/share/hashcat/rules/. For more aggressive and comprehensive sets, community resources like OneRuleToRuleThemStill are highly recommended.

Password Cracking

First, select the ruleset to use. For this example, we will use OneRuleToRuleThemStill. Second, select your wordlist. I recommend creating a custom wordlist when using rules or using CeWL.

Creating the rule

In this example, we will download the OneRuleToRuleThemStill ruleset:

wget https://raw.githubusercontent.com/stealthsploit/OneRuleToRuleThemStill/refs/heads/main/OneRuleToRuleThemStill.rule

Creating the wordlist

We will create a simple seed wordlist (wordlist.txt):

tonystark

By this time, we should have the two files we need:

$ ls    
OneRuleToRuleThemStill.rule  wordlist.txt

Cracking

For this example, we will crack the MD5 hash: 9d2d3c02bec02cd8741d4c570baa22.
Run the command below:

hashcat -m0 '9d2d3c02bec02cd8741d4c53570baa22' wordlist.txt -r OneRuleToRuleThemStill.rule

Result: If the hash matches a mutated version of tonystark, Hashcat will find it. The output will display the result in the format Hash:Password, such as:

9d2d3c02bec02cd8741d4c570baa22:t0nyst4rk

Wordlist Creation

Instead of directly cracking a password, you can use Hashcat Rules to generate a new wordlist. This mutated wordlist is useful for testing authentication mechanisms like SSH logins or Web login forms where you want to bypass basic dictionary defenses.

Similar to the example above, we use the same seed wordlist and ruleset to generate mutations:

hashcat --force wordlist.txt  -r OneRuleToRuleThemStill.rule --stdout | sort -u > mutated_passwords.txt

This will create the mutated_passwords.txt file. Depending on the ruleset, it may contain entries like:

$$tonystark
$onystark
$onystArk
$ONYSTARK
$tonystark
$Tonystark
$tonystark$
0000onystark
0000tonystark
000tonystark
...