Last updated: March 2026
Hashcat Rule-Based Attacks: Crack Complex Passwords (2026 Guide)
A Hashcat rule-based attack applies transformation functions to each word in your wordlist — capitalizing letters, appending numbers, substituting characters, and more — without creating a larger file on disk. To run one: hashcat -m 0 -a 0 -r /usr/share/hashcat/rules/best64.rule hashes.txt rockyou.txt. Rules are the most efficient way to crack passwords that follow common patterns like Password1! or p@ssw0rd.
Legal disclaimer: Only use these techniques on systems you own or have explicit written authorization to test. Unauthorized password cracking is illegal.
What Are Hashcat Rules?
Rules are single-character function codes that Hashcat applies to each candidate password before testing it against the hash. Instead of storing every variation in a wordlist file, rules generate variations in memory at cracking speed.
For example, the rule : is a no-op (do nothing). The rule c capitalizes the first letter. Combined on one line as c applied to password produces Password. Add $1 (append character "1") and you get Password1.
Rules dramatically multiply your coverage: - rockyou.txt has 14.3 million words - best64.rule has 64 rules - Combined: 14.3M × 64 = ~916 million candidates — all generated in RAM, no extra disk space
Built-In Rule Files on Kali Linux
Hashcat ships with rule files in /usr/share/hashcat/rules/. List them:
ls /usr/share/hashcat/rules/
Key rule files:
| File | Rules | Description |
|---|---|---|
best64.rule |
64 | Most effective rules statistically; good starting point |
rockyou-30000.rule |
30,000 | Derived from rockyou cracking patterns |
d3ad0ne.rule |
34,096 | Large general-purpose ruleset |
dive.rule |
99,089 | Very large, thorough coverage |
toggles1.rule |
2 | Toggle case of first character |
toggles5.rule |
32 | Toggle case of first 5 characters |
leetspeak.rule |
14 | Classic leet substitutions (a→4, e→3) |
combinator.rule |
36 | Combines multiple transformations |
T0XlC.rule |
7,253 | Complex transformations |
Step 1: Run a Basic Rule Attack with best64.rule
hashcat -m 0 -a 0 \
-r /usr/share/hashcat/rules/best64.rule \
hashes.txt \
/usr/share/wordlists/rockyou.txt
best64.rule is derived from analysis of millions of cracked passwords. It covers the most statistically common mutations:
- Append digits:
password1,password123,password2024 - Capitalize first letter:
Password - All uppercase:
PASSWORD - Reverse word:
drowssap - Duplicate:
passwordpassword - Leet speak:
p@ssw0rd - Append common suffixes:
password!,password#1
Step 2: Use rockyou-30000.rule for Deeper Coverage
hashcat -m 0 -a 0 \
-r /usr/share/hashcat/rules/rockyou-30000.rule \
hashes.txt \
/usr/share/wordlists/rockyou.txt
This generates 14.3M × 30,000 = ~430 billion candidates. On an RTX 4090 at 164 GH/s for MD5, this completes in about 44 minutes. For WPA2 (2,600 kH/s), the same keyspace would take over 1,900 days — highlighting why WPA2 is significantly harder to crack than MD5.
Check the Hashcat GPU Benchmark Table for speed estimates on your specific GPU.
Step 3: Understand Rule Syntax
Rules use single-character functions. Here are the most important ones:
Case Transformations
| Rule | Function | Example (input: hello) |
|---|---|---|
l |
Lowercase all | hello |
u |
Uppercase all | HELLO |
c |
Capitalize first | Hello |
C |
Lowercase first, uppercase rest | hELLO |
t |
Toggle case of all | HELLO |
T N |
Toggle case at position N | hEllo (T1) |
Append/Prepend
| Rule | Function | Example |
|---|---|---|
$X |
Append character X | $1 → hello1 |
^X |
Prepend character X | ^! → !hello |
] |
Delete last character | hell |
[ |
Delete first character | ello |
Substitution
| Rule | Function | Example |
|---|---|---|
sXY |
Replace X with Y | sa@ → hell@ (if a in word) |
@X |
Remove all instances of X | @l → heo |
Duplication and Reversal
| Rule | Function | Example |
|---|---|---|
d |
Duplicate word | hellohello |
r |
Reverse word | olleh |
p2 |
Append word twice | hellohellohello |
Position-Based
| Rule | Function | Example |
|---|---|---|
DN |
Delete at position N | D0 → ello |
iNX |
Insert X at position N | i2! → he!llo |
oNX |
Overwrite at position N with X | o0H → Hello |
Step 4: Write Custom Rules
Create a file custom.rule and add one rule per line. Each line is applied independently to every candidate:
cat > custom.rule << 'EOF'
:
c
u
$1
$!
c$1
c$1$2$3
c$2$0$2$6
se3
sa@
so0
EOF
Each line represents one transformation. The : (no-op) tests the word as-is. c$2$0$2$6 capitalizes and appends "2026" — catching passwords like Password2026.
Run with your custom rule:
hashcat -m 0 -a 0 -r custom.rule hashes.txt /usr/share/wordlists/rockyou.txt
Compound Rules (Multiple Functions per Line)
You can chain multiple functions on a single line. They are applied left to right:
# Capitalize, replace 'a' with '@', append '1'
c sa@ $1
Applied to password: c → Password, sa@ → P@ssword, $1 → P@ssword1.
Step 5: Generate and Test Rules with --stdout
Before running a full attack, preview what your rule generates:
# See first 20 candidates generated by best64.rule from rockyou.txt
hashcat -r /usr/share/hashcat/rules/best64.rule --stdout /usr/share/wordlists/rockyou.txt | head -20
This is essential when debugging custom rules — you can visually confirm the transformations before burning GPU time.
Step 6: Combining Multiple Rule Files
You can stack multiple -r flags. Each combination of rules is applied:
# Apply best64.rule AND a custom append rule
hashcat -m 0 -a 0 \
-r /usr/share/hashcat/rules/best64.rule \
-r /usr/share/hashcat/rules/leetspeak.rule \
hashes.txt \
/usr/share/wordlists/rockyou.txt
Warning: Multiple rule files multiply the keyspace. Two 64-rule files = 64 × 64 = 4,096 candidates per word. Use --keyspace to calculate before starting:
hashcat -m 0 -a 0 \
-r /usr/share/hashcat/rules/best64.rule \
-r /usr/share/hashcat/rules/leetspeak.rule \
--keyspace \
/usr/share/wordlists/rockyou.txt
Step 7: OneRuleToRuleThemAll
OneRuleToRuleThemAll is a community-developed mega-ruleset containing over 52,000 rules derived from statistical analysis of billions of cracked passwords. It consistently outperforms all built-in Hashcat rulesets in real-world benchmarks.
Download and Use
# Download
wget https://raw.githubusercontent.com/NotSoSecure/password_cracking_rules/master/OneRuleToRuleThemAll.rule
# Run
hashcat -m 0 -a 0 \
-r OneRuleToRuleThemAll.rule \
hashes.txt \
/usr/share/wordlists/rockyou.txt
OneRuleToRuleThemAll generates ~52,000 candidates per wordlist entry. With rockyou.txt:
- MD5 (164 GH/s, RTX 4090): ~745 billion candidates, completes in ~76 minutes
- NTLM (288 GH/s, RTX 4090): completes in ~43 minutes
- WPA2 (2,600 kH/s, RTX 4090): ~745 billion candidates = impractical with rockyou.txt alone; use targeted wordlists
Performance Impact of Rules
Rules add minimal CPU overhead since the transformation is applied on the GPU. The effective speed is nearly unchanged from a plain dictionary attack. The keyspace multiplier is what matters:
| Configuration | Candidates | RTX 4090 MD5 Time |
|---|---|---|
| rockyou.txt alone | 14.3M | < 1ms |
| rockyou.txt + best64 | 916M | ~6ms |
| rockyou.txt + d3ad0ne | 487B | ~50 min |
| rockyou.txt + OneRuleToRuleThemAll | 745B | ~76 min |
Practical Strategy: Layered Rule Attacks
A professional approach escalates from fast to thorough:
# Round 1: Plain wordlist (seconds)
hashcat -m 0 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt
# Round 2: best64 rules (minutes)
hashcat -m 0 -a 0 -r /usr/share/hashcat/rules/best64.rule hashes.txt /usr/share/wordlists/rockyou.txt
# Round 3: d3ad0ne rules (hours)
hashcat -m 0 -a 0 -r /usr/share/hashcat/rules/d3ad0ne.rule hashes.txt /usr/share/wordlists/rockyou.txt
# Round 4: OneRuleToRuleThemAll (hours, highest coverage)
hashcat -m 0 -a 0 -r OneRuleToRuleThemAll.rule hashes.txt /usr/share/wordlists/rockyou.txt
Start with the fastest options. If hashes remain uncracked, escalate. This avoids spending hours on thorough rulesets for passwords that simple rules would have caught immediately.
FAQ
Q: How many rules should I use at once?
A: Start with best64.rule (64 rules). It recovers the majority of real-world passwords that any ruleset would find. Only escalate to larger rulesets if best64 fails — the time cost grows linearly with the number of rules.
Q: Can I use rules with WPA2 cracking? A: Yes, rules work with any hash mode. However, WPA2 is very slow to crack (~2,600 kH/s on RTX 4090 vs 164 GH/s for MD5). With rockyou.txt and best64.rule (916M candidates), WPA2 cracking takes about 6 minutes on an RTX 4090. For deeper rulesets, the time becomes impractical without a powerful GPU.
Q: What is the difference between a rule and a mask attack?
A: Rules transform existing words from a wordlist. A mask attack (-a 3) generates all combinations matching a character-class pattern (e.g., ?u?l?l?l?d?d for uppercase + 4 lowercase + 2 digits). Rules are faster for dictionary-based attacks; masks are better when you know the password structure.
Q: How do I write a rule to append years (2020-2026)? A: Create a file with one rule per line for each year:
$2$0$2$0
$2$0$2$1
$2$0$2$2
$2$0$2$3
$2$0$2$4
$2$0$2$5
$2$0$2$6
This appends 2020, 2021, ..., 2026 to every word in your wordlist.