# Mutating Wordlists ## **Mutating Wordlists for John the Ripper and Hashcat** When it comes to password cracking with tools like **John the Ripper** and **Hashcat**, the quality and size of the wordlist you use are crucial for success. Often, attackers and security professionals need to mutate or enhance their wordlists to increase the chance of success. This guide will walk you through how to mutate and enhance wordlists to be used with John the Ripper and Hashcat, using a variety of tools and techniques. ### **Introduction** Mutating wordlists can significantly improve the chances of cracking passwords by incorporating different variations, patterns, and formats into the wordlist. These mutations can include things like adding numbers, appending special characters, converting text to uppercase, or using common password patterns. By using such enhanced wordlists, you can cover more attack vectors and increase the likelihood of success in password cracking tasks. #### **Tools for Mutating Wordlists** 1. **CeWL**: A custom wordlist generator that scrapes websites for keywords. 2. **Crunch**: A tool for generating custom wordlists with specified character sets and lengths. 3. **Hashcat Rules**: Rules that modify existing wordlists by adding variations (e.g., appending digits, capitalizing the first letter). 4. **John the Ripper Rules**: John the Ripper's internal rules for generating mutated wordlist versions. *** ### **1. Mutating Wordlists with CeWL** **CeWL** is a powerful tool that allows you to scrape a website for keywords and generate a custom wordlist based on the content of the website. This is useful when you want to create a targeted wordlist based on a specific domain or service. #### **Installing CeWL** To install CeWL on Linux: ```bash sudo apt install cewl ``` #### **Using CeWL to Generate a Wordlist** You can use CeWL to scrape a website and generate a wordlist by running the following command: ```bash cewl https://www.targetwebsite.com -w target_wordlist.txt ``` * `https://www.targetwebsite.com`: The website URL from which you want to scrape words. * `-w target_wordlist.txt`: The output wordlist file. You can also adjust the depth of the scrape to include more or fewer pages: ```bash cewl https://www.targetwebsite.com -d 3 -w target_wordlist.txt ``` * `-d 3`: Scrape pages up to a depth of 3 (adjust as necessary). *** ### **2. Mutating Wordlists with Crunch** **Crunch** is a tool that allows you to generate custom wordlists by specifying character sets, lengths, and patterns. This is useful for creating brute-force style wordlists or generating wordlists based on known patterns. #### **Installing Crunch** To install Crunch on Linux: ```bash sudo apt install crunch ``` #### **Using Crunch to Generate Wordlists** Here's an example of generating a wordlist of 6-character passwords consisting of lowercase letters: ```bash crunch 6 6 -o wordlist.txt -p abcdefghijklmnopqrstuvwxyz ``` * `6 6`: Specifies the minimum and maximum password length (both 6 in this case). * `-o wordlist.txt`: The output wordlist file. * `-p abcdefghijklmnopqrstuvwxyz`: The character set to use (you can combine multiple sets, e.g., `-p abc123!@#`). You can also generate wordlists with numbers, special characters, or a combination: ```bash crunch 8 8 -o wordlist.txt -p ?l?d?u ``` * `?l?d?u`: Tells Crunch to use lowercase letters, digits, and uppercase letters. *** ### **3. Mutating Wordlists with Hashcat Rules** Hashcat allows you to apply mutation rules to existing wordlists, creating variations of the original words by applying common password patterns. Hashcat comes with several default rules, but you can also create your own. #### **Using Hashcat Rules** Here’s how to use a wordlist with a rule file in Hashcat: ```bash hashcat -m 1000 -a 0 hashes.txt wordlist.txt -r /path/to/rules.txt ``` * `-m 1000`: Specifies the hash type (e.g., NTLM). * `-a 0`: Dictionary attack mode. * `wordlist.txt`: The wordlist you want to use. * `-r /path/to/rules.txt`: Specifies the rule file you want to apply. #### **Popular Hashcat Rule Files** Hashcat provides several built-in rule files that apply variations to your wordlist, such as: * **best64.rule**: Adds common variations like appending `123`, capitalizing the first letter, etc. * **rockyou-30000.rule**: More advanced rules for cracking common passwords. * **generated.rule**: Rules based on statistics or known password patterns. To use one of these built-in rule files, just specify the rule in the command: ```bash hashcat -m 1000 -a 0 hashes.txt wordlist.txt -r /usr/share/hashcat/rules/best64.rule ``` *** ### **4. Mutating Wordlists with John the Ripper Rules** **John the Ripper** (John) also has its own set of built-in rules for mutating wordlists. These rules allow you to generate variations of common passwords by adding numbers, symbols, or changing the case of letters. #### **Using John the Ripper Rules** Here’s an example of how to use John the Ripper with a custom rule: ```bash john --wordlist=wordlist.txt --rules --format=NTLM hashes.txt ``` * `--wordlist=wordlist.txt`: Specifies the wordlist to use. * `--rules`: Applies John’s built-in mutation rules to the wordlist. * `--format=NTLM`: Specifies the hash format (e.g., NTLM, MD5). * `hashes.txt`: The file containing the hashes to crack. #### **Creating Custom Rules in John the Ripper** John the Ripper’s rules are flexible and allow for custom rule creation. You can modify the default rules in the **john.conf** file or create a new rule file. Here’s an example of a custom rule: ``` [List.Rules:Custom] A1 # Add "1" at the end of the word Q # Capitalize the first letter ``` Then, apply the custom rules with the `--rules=Custom` option: ```bash john --wordlist=wordlist.txt --rules=Custom --format=NTLM hashes.txt ``` *** ### **5. Combining Wordlist Mutations with Tools** A powerful strategy for cracking hashes is combining multiple wordlist mutation techniques. You can use tools like **CeWL**, **Crunch**, **Hashcat Rules**, and **John Rules** to create a large, diverse wordlist. Here’s how you can do it: 1. **Generate a base wordlist** using **CeWL** from a target site. 2. **Mutate the wordlist** using **Crunch** to add more variations (e.g., numbers, special characters). 3. **Apply rules** in Hashcat or John the Ripper to generate more variations based on common password patterns. #### **Example Workflow** ```bash # Step 1: Scrape words from a target website cewl https://www.targetwebsite.com -w base_wordlist.txt # Step 2: Generate a custom wordlist using Crunch (including numbers and special characters) crunch 6 12 -o mutated_wordlist.txt -p ?l?u?d # Step 3: Use Hashcat with rules to apply mutations hashcat -m 1000 -a 0 hashes.txt mutated_wordlist.txt -r /usr/share/hashcat/rules/best64.rule ``` *** ### **6. Conclusion** Mutating wordlists is an essential part of cracking passwords with tools like **John the Ripper** and **Hashcat**. By using tools like **CeWL**, **Crunch**, **Hashcat Rules**, and **John's Rules**, you can generate wordlists that cover a wide range of common password variations, significantly improving your chances of success. By applying these mutations strategically, you can increase the effectiveness of your cracking attempts and speed up the process of recovering passwords. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://zero-day-archives.gitbook.io/zero-day-archives/password-attacks-1/password-attacks/mutating-wordlists-for-john-and-hashcat/mutating-wordlists.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.