Collection of hashcat lists and things.

List of the top 5,000 masks created from all publicly available password dumps, with 9+ characters, meeting Microsoft password complexity requirements (6+ characters in length, 3/4 categories: A-Z, a-z, 0-9, special characters). The collection of generated masks was sorted by a score of computational complexity versus occurrence, selecting the top 5,000 most occurring and easiest to run through. This creates mask attacks that make it through the most frequently used key-spaces, as fast as possible. It should be used after running through the entire 8-character bruteforce.

List of the top 5,000 masks created from all publicly available password dumps, with 9+ characters. The collection of generated masks was sorted by a score of computational complexity versus occurrence, selecting the top 5,000 most occurring and easiest to run through. This creates mask attacks that make it through the most frequently used key-spaces, as fast as possible. It should be used after running through the entire 8-character bruteforce.

List of combined rules from all publicly available rule lists out there, plus some extra rules from a very long session of plugging random rules in. I believe they are sorted by occurrence, which is heavily influenced by what rules worked while cracking a very large set of hashes; rules were recorded in a log each time they individually lead to a successful match. These rules and the randomly generated ones were run on a combined password list of all publicly available password dumps.

PowerShell script that divines words from the ether. Generates random words and then runs them through Bing, to get a popularity score. Anything with 1000 or more hits is added to the final output list. I wrote this to solve the problem of running out of source words while cracking. It's not very efficient and might get you blacklisted by Bing, but it netted me a few cracked hashes when I was out of ideas. It's also based off someone else's scripts, but I can't remember who...

Shitty PowerShell script that does work. Fill in all the variables at the top, and it should keep your house warm during the winter. I wrote this while ultra hungover, one afternoon, and this was the best my dumb hangover brain could do; it's a summary of what I typically try during an engagement, with an eye for prioritizing quick gains upfront over full keyspace coverage. I also wanted to cut down on a lot of the workloads with overlapping keyspaces that I hand hashcat, so that I'm not running over the exact same keyspace as frequently as I do when I'm freeballing it. After roughly 16 hours (running at ~4 gigahash/sec and using rockyou as the wordlist), I've recovered about 20% of all current and active NT hashes taken from an NTDS.dit dump, from a large domain (during an engagement). This domain is one I have done password strength assessment for, multiple times, over the span of years. The best I was eaver able to achieve was 95% of hashes cracked, though this was against only the active users and current password hashes, over a long span of time. Including things like the 10 passwords from a user's password history (as dumped from the JET db), service accounts, and deactivated accounts adds a lot of crap to churn through, with most of it being meaningless. Filtering down your target hashes to just those that are active and current helps you get those quick returns you can take back to tomorrow's pwnfest.