Building an AWS Password Cracker – Part 3
In the last installment of this series, I discussed installing Hashcat and the necessary drivers to take advantage of GPU processing for password cracking. In this installment, I’m going to briefly explore dictionary attacks vs. mask attacks and discuss wordlists for dictionary attacks.
A dictionary attack is the most commonly used method for password cracking. It works by running through a precompiled list of potential passwords—known as a wordlist—and testing each one against the target hash. This method shines when you have access to high-quality password lists derived from real-world data breaches or from a custom dictionary made up of your own captured credentials. Dictionary attacks are fast to set up and can be highly effective when paired with Hashcat’s rule system, which modifies base words to mimic human behavior (like adding numbers or capital letters). The downside, however, is that the method is limited by the contents of the list. If the password isn’t in your dictionary or cannot be generated through the applied rules, it won’t be cracked.
On the other hand, a mask attack is more strategic. Instead of guessing from a list, you define a pattern that the password is likely to follow—such as starting with a capital letter, followed by lowercase letters, and ending in numbers. The downside is that with a wide ruleset or large passwords, this method would take an extremely long time to complete and would be costly on an AWS instance that is being paid by the hour.
At Contextual Security Solutions, we maintain a custom dictionary, however, there are several public dictionaries available. We have been able to successfully crack passwords using these as well.
Examples of these lists include:
rockyou.txt
This is a small list, created from a 2009 breach. It tends to have shorter passwords that pair well with a larger rule set. This one is useful to quickly find the most insecure passwords and is even more powerful when combined with a rule set.
weakpass
Weakpass is an open-source, community collection of leaked passwords that is consistently updated. It is the largest wordlist that we regularly use and is currently on version 4.
realuniq
This wordlist is also built from real world leaks and is curated and deduplicated. It attempts to build a list that is lean and fast.
Rules
The rules system in Hashcat is one of its most powerful features—it lets you take an existing wordlist and systematically mutate the entries to create millions of password guesses without having to store them all in advance. Each rule set contains a set of instructions for the cracker, creating permutations for each password, like capitalizing letters, appending years, or adding numbers and symbols.
Three rule sets that I find useful are best66, dive, and OneRuleToRuleThemAll.
The best66 rule is a relatively small ruleset that is best used for quick wins against the most insecure passwords. The cracker that we have built can combine this rule set with both realuniq and weakpass_4 in under 10 minutes.
The dive rule set is very in-depth and very large, and can be used to crack more complex passwords. Because of this, I find it best used with a small, custom wordlist for each session, as it can take multiple hours with a large wordlist.
The OneRuleToRuleThemAll rule is a middle ground between the two. Its goal is to pick the most successful mutations to create a leaner, faster list. While it is not as small as best64, it is much faster than dive.
Now that we have our cracker build, Hashcat and drivers installed, and some wordlists, we’re ready to crack some passwords in the next installment of the series.
