Hashcat Rules: More Cracks From the Same Wordlist

If you learn one technique beyond pointing hashcat at a wordlist, learn rules. A rule is a tiny program that mutates each word as it is read: capitalise it, append 123, swap letters for lookalike digits, reverse it. One word in your wordlist becomes hundreds of realistic candidates, the exact shapes people actually pick, at almost no extra cost. Rules are the best effort-to-reward ratio in password cracking, and this is how they work. Verified on hashcat 7.1.2.

TL;DR

A rule file (-r rules/best66.rule) applies a sequence of single-character functions to every wordlist word. c capitalises, $1 appends a 1, r reverses, sa@ substitutes a with @. hashcat ships rule files in its rules/ directory; the bundled best66.rule (the successor to the long-famous best64) is the standard starting point. Preview exactly what a rule generates with --stdout before you run it. Stack rule files with multiple -r flags to multiply candidates, and for a big single ruleset, the community OneRuleToRuleThemAll is the usual recommendation. Rules turn a plain dictionary run, which only catches passwords that are exactly a known password, into one that also catches every common variation of one.

Why rules matter

A plain dictionary attack only cracks a password if it appears verbatim in your wordlist. But people rarely use a raw dictionary word; they use Password1, p@ssw0rd, summer2024!, a base word dressed up to satisfy a policy. Those are not in rockyou.txt as-is, but they are one rule away from a word that is.

Rules close that gap. With a 66-rule file, your 14-million-word list tests roughly a billion candidates, still tiny next to brute force, but now it covers the capitalise-and-append-a-number shapes that dominate real passwords. This is why a wordlist plus rules out-cracks every other attack type on real-world hashes.

The rule functions

A rule is a string of single-character operations applied left to right. The ones you will use constantly (this is the core set, from the official reference):

:      do nothing (pass the word through unchanged)
l      lowercase all letters        u   uppercase all letters
c      capitalise (Xxxxx)           C   lowercase first, upper rest
t      toggle case of every char    TN  toggle case at position N
r      reverse the word             d   duplicate (word -> wordword)
f      reflect (word -> worddrow)   {   rotate left    }   rotate right
$X     append character X           ^X  prepend character X
[      delete first char            ]   delete last char
sXY    substitute every X with Y    @X  delete every X
zN     duplicate first char N times ZN  duplicate last char N times

So the rule c $1 means "capitalise, then append 1," turning password into Password1. The rule sa@ so0 ss$ means "substitute a with @, o with 0, and s with $," turning password into p@$$w0rd... you get the idea: leetspeak and decoration, encoded as a few characters.

best66 (the classic best64), with real output

The fastest way to understand rules is to watch one run. hashcat's --stdout prints the candidates a rule file would generate without cracking anything. Here is best66 (current hashcat's evolution of the famous best64) applied to the single word password:

printf 'password\n' > word.txt
hashcat --stdout word.txt -r rules/best66.rule

The real output begins:

password
drowssap
PASSWORD
Password
password0
password1
password2
password3
password4
password5
password6
password7

One word became the original, its reverse (drowssap), all-caps, capitalised, and the word with each digit appended, and best66 works through 66 such rules in total. That is the whole idea: cheap, plausible variations of every word in the list.

Running rules

The rule flag is -r, pointed at a rule file:

hashcat -m 0 -a 0 hashes.txt rockyou.txt -r rules/best66.rule

The bundled rule files worth knowing (in hashcat's rules/ directory):

• best66.rule : 66 high-value rules, the current successor to the classic best64.rule. The default first pass.
• rockyou-30000.rule : 30,000 rules derived from the RockYou breach. A heavier second pass.
• dive.rule : ~99,000 rules. Aggressive; long run, deep coverage.
• toggles.rule* / leetspeak.rule : focused sets for case toggling and leet substitutions.

Stacking rules

Pass -r more than once and hashcat combines the rule files: every rule in the first is applied with every rule in the second. This multiplies candidates fast, so stack small files, not large ones.

# Apply best64, then a case-toggle pass on top of each result
hashcat -m 0 -a 0 hashes.txt rockyou.txt -r rules/best66.rule -r rules/toggles1.rule

Two 100-rule files stacked are 10,000 effective rules per word. Useful, but watch the keyspace: stacking two large files can balloon the run beyond what the time saves.

Writing your own rules

A custom rule file is just one rule per line. If you know a target appends the year and a bang, write exactly that:

c $2 $0 $2 $4 $!
c $2 $0 $2 $5 $!
$@ $1 $2 $3

Test it with --stdout first, then run it. To see which rule cracked which password during a real run, add --debug-mode=1 --debug-file=cracked-rules.txt; hashcat logs the rule responsible for each hit, which tells you what is working so you can build a better ruleset for that target.

For a strong general-purpose single file, the community OneRuleToRuleThemAll consolidates the best rules from many sources and is a common recommendation when you want one ruleset that does most of the job.

The slow-hash caveat

Rules multiply candidates, and candidates cost guesses. Against a fast hash that is free. Against a slow hash (bcrypt, Argon2), even a billion-candidate rules run can take a long time, so you lean on a smaller, smarter ruleset (best66) rather than a 99,000-rule monster. Rules are still the right tool against slow hashes, you just bring a scalpel, not a sledgehammer.

Where to go next

• The input rules mutate: wordlists.
• Where rules sit among the attacks: dictionary vs brute force vs mask vs hybrid.
• The fill-in-your-values commands: hashcat cheat sheet.
• John's equivalent: John the Ripper (--rules).