Note: table-lookup attacks are only available in hashcat-legacy.
With each word in our dictionary, it automatically generates masks as in a batch of Mask attack.
The Table-Lookup attack is not to be confused with rainbow tables.
If our dictionary contains the word
word1
… then it is split into single characters:
The next step is to “look up” each of these chars against a “table”. Just continue reading…
--table-file
The following box shows what we call a “table”. What we configure here are assignments. As usual in assignments, we have a left and a right side.
o=o o=O o=0 o=. w=w 1=1 1=2 1=3 1=9
Hashcat-legacy has two command-line parameters to fine-tune this attack. But why does this simple attack require a configuration at all? The reason for this is that it can create so many combinations that it will never finish.
For example, if we have a long word like “111111111111111” in our dictionary, which has length 15, and a table file containing:
1=0 1=1 1=2 1=3 1=4 1=5 1=6 1=7 1=8 1=9
…hashcat-legacy has to generate 10^15 (1.000.000.000.000.000) combinations.
The following commands enable the user to define the length of password they wish to modify.
--table-min=NUM
Default is set to: 2
--table-max=NUM
Default is set to: 15
Any word outside of the defined length range will be skipped.
Before hashcat-legacy generates the mask, it takes each char from the split result and matches them against the table configuration. If it matches, it replaces the char with all the chars from the right assignment. Yes, exactly, and creates new words this way. That's exactly what we want here. If it does not match, it will not replace it and use the original char.
word1 wOrd1 w0rd1 w.rd1 word2 wOrd2 w0rd2 w.rd2 word3 wOrd3 w0rd3 w.rd3 word9 wOrd9 w0rd9 w.rd9
This attack is extremely efficient against leetspeak passwords if we choose a table like this:
a=a a=@ a=4 c=c c=< c=[ c={ e=e e=3 i=i i=I i=! i=| i=. etc..
It can also fully replace the Toggle-case attack if we choose a table like this:
a=a a=A b=b b=B c=c c=C d=d d=D etc..
But the best thing, we can do both at once.
a=a a=A a=@ a=4 b=b b=B c=c c=C c=< c=[ c={ d=d d=D e=e e=E e=3 etc..
Another nice idea is to fill holes in our dictionaries. For example, if our dictionary contains:
pass0 pass1 pass2 pass3 pass5
We can see that this dictionary is missing “pass4”, “pass6”, etc. A single line in a table can fill the missing ones:
0=0 0=1 0=2 0=3 0=4 0=5 0=6 0=7 0=8 0=9
Hint: To avoid dupes, replace all digits with 0 and unique what's left.
$ sed -e 's/[0123456789]/0/g' < passes.dict | sort -u > passes_table_optimized.dict
See the table/ folder for more inspiration.
This attack is currently supported by:
We can use the –stdout parameter in hashcat-legacy to pipe generated password candidates into Hashcat.