c6fc / npk

A mostly-serverless distributed hash cracking platform

Dictionary + rules produces different results than dictionary alone. #65

Closed ECGBQ closed 2 years ago

ECGBQ commented 2 years ago

I have a file of 97 hashes that I uploaded and a file of 41 passwords that are all legit, and they all crack, but adding a rule set file to it only cracked 1 out of 97.

c6fc commented 2 years ago

Can you provide screenshots of the campaign configurations for both?

ECGBQ commented 2 years ago

MicrosoftTeams-image

image

This will only crack 1 out of 97 with this config

2022-06-23_16-16-38

c6fc commented 2 years ago

I mean from the 'Manage Campaigns' view, so that I can see the actual settings that were used.

c6fc commented 2 years ago

Also - if you run it locally with the same dictionary and rule file, does it behave the same way? If the rules file doesn't include an entry for the raw dictionary entry, it won't try the raw dictionary entry.

c6fc commented 2 years ago

Does your megaUniq rule file have a 'nothing' or 'passthrough' entry?

https://hashcat.net/wiki/doku.php?id=rule_based_attack

ECGBQ commented 2 years ago

2022-06-23_16-30-39

2022-06-23_16-32-33

ECGBQ commented 2 years ago

^: ^: ^< ^: ^= ^: ^> ^: ^_ ^: ^- ^: ^: ^: ^! ^+ $% ^+ $+ ^+ $+ ^+$+ ^+ : : [ [^= [^- [^, [^;

c6fc commented 2 years ago

  1. Does the same thing happen when running locally with and without the rule file?
  2. Does the cracked_hashes for the second campaign actually only contain a single entry?

c6fc commented 2 years ago

Also, you should consider joining the discord channel. We can troubleshoot more quickly there.

ECGBQ commented 2 years ago

When running locally it works. I will try to get on the discord channel now.

ECGBQ commented 2 years ago

Ah, my company is blocking me from going there. I will jump on when I get home. How late will you be around today?

c6fc commented 2 years ago

What version of hashcat are you running locally, and what commands are you using?

You can look at the instance logs under 'file management' to see what parameters are being used with Hashcat, to make sure you're running it the same.

ECGBQ commented 2 years ago

hashcat -m 1000 /path/to/ntds /path/to/wordlist -r /path/to/rulesfile

> What version of hashcat are you running locally, and what commands are you using?
>
> You can look at the instance logs under 'file management' to see what parameters are being used with Hashcat, to make sure you're running it the same.

c6fc commented 2 years ago

Use the parameters and arguments from the instance logs. If it behaves the same, it's an issue with Hashcat, not with NPK.

c6fc commented 2 years ago

I just tested it myself - ran two NTLM campaigns with RockYou, with and without OneRuleToRuleThemAll ruleset, and got 3/4 hashes cracked on both.

Can you pull the instance log for the campaign with the rule list and DM it to me?

ECGBQ commented 2 years ago

I emailed it to you

c6fc commented 2 years ago

I see no issues with the output log. Can you send me the hashlist and point me at the dictionary you're using so I can test it myself?

ECGBQ commented 2 years ago

sent

ECGBQ commented 2 years ago

I can only get it to work by uploading all the passwords I cracked with my coworker's on-prem cracker as the wordlist. If I use that wordlist with any of the rules, it doesn't work.

c6fc commented 2 years ago

I just used this hashlist with RockYou and OneRuleToRuleThemAll and cracked 25 of the 97 unique hashes. It seems to be working fine.

c6fc commented 2 years ago

results

Without rules on the top, with rules on the bottom. The results are exactly what I'd expect.

ECGBQ commented 2 years ago

Ok, I got the same results when using those together. I'll mess around with it more. Thanks for all your help.

ECGBQ commented 2 years ago

If you run a rule set with a dictionary list, it will still run through that word list right before applying any rules, correct?

c6fc commented 2 years ago

Ok, sounds like it's an issue with your rule list, then. I'll close this out for now. Feel free to reopen if you discover that this isn't the case.

As for your question about rules, Hashcat won't attempt the raw dictionary candidate before applying rules. The rule list needs to have a passthrough rule if you want the unmodified candidate to be checked. NPK used to add one to avoid this confusion, but I removed that functionality quite a while ago to keep the behavior the same as Hashcat.

I hope this helps.
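
Added example, not part of the thread and not NPK or Hashcat code: a Python check for the passthrough rule described in the closing comment, which also shows why searching a rule file for a bare `:` character is not enough (`^:` prepends a literal colon). The function names and the sample rules are constructed for illustration, and it assumes that lines starting with `#` are comments and that only lines made up solely of `:` functions count as passthrough.

```python
"""Check a hashcat rule file for a passthrough (':') rule."""
import sys


def is_passthrough(line: str) -> bool:
    """True if the rule line leaves the dictionary candidate unchanged.

    Simplification (assumption): only lines consisting solely of ':'
    functions and separating whitespace are recognised; rules that
    happen to cancel out (for example 'r r') are not.
    """
    body = line.rstrip("\r\n")
    if body.startswith("#"):              # comment line, not a rule
        return False
    compact = "".join(body.split())       # drop separators between functions
    return compact != "" and set(compact) == {":"}


def find_passthrough(lines):
    """Return the 1-based line numbers of passthrough rules."""
    return [n for n, line in enumerate(lines, 1) if is_passthrough(line)]


def ensure_passthrough(lines):
    """Return the rules with ':' prepended when no passthrough exists."""
    lines = list(lines)
    return lines if find_passthrough(lines) else [":\n"] + lines


# Constructed sample: every rule modifies the word, so the raw dictionary
# entry is never tried. '^:' prepends a literal colon; it is not a no-op.
SAMPLE_RULES = ["# constructed sample\n", "^:\n", "^: ^<\n", "$%\n", "[^=\n", "c $1\n"]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            rules = fh.readlines()
    else:
        rules = SAMPLE_RULES
    hits = find_passthrough(rules)
    if hits:
        print(f"passthrough rule found on line(s): {hits}")
    else:
        print("no passthrough rule: unmodified dictionary words will not be tried")
    sys.exit(0 if hits else 1)
```

Run it with a rule file path as the only argument; with no argument it checks the constructed sample and exits non-zero.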