> For the complete documentation index, see [llms.txt](https://capcap-1.gitbook.io/capcap/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://capcap-1.gitbook.io/capcap/readme/ctf-modules/exploitation/password-attacks/custom-wordlists-and-rules.md).

# Custom Wordlists and Rules

#### Why Custom Wordlists

Generic wordlists like rockyou.txt fail against policy-enforced passwords. But users are predictable — they take a simple word and mutate it just enough to satisfy the policy.

```
bella → Bella1998! → B3lla@1998!
```

So instead of brute-forcing, you: **OSINT → base wordlist → mutation rules → crack.**

***

#### Common User Password Patterns

| Pattern                 | Example         |
| ----------------------- | --------------- |
| Capitalize first letter | `Password`      |
| Append numbers          | `Password123`   |
| Append year             | `Password2022`  |
| Append month number     | `Password02`    |
| Append `!`              | `Password2022!` |
| Leet substitutions      | `P@ssw0rd2022!` |

***

#### Hashcat Rule Syntax

Each line in a rule file = one transformation applied to every word in your wordlist. Chain multiple functions on one line with spaces.

**Core functions:**

| Rule       | What it does            | Example                 |
| ---------- | ----------------------- | ----------------------- |
| `:`        | Do nothing (keep as-is) | `bella` → `bella`       |
| `c`        | Capitalize first letter | `bella` → `Bella`       |
| `u`        | All uppercase           | `bella` → `BELLA`       |
| `l`        | All lowercase           | `BELLA` → `bella`       |
| `r`        | Reverse the word        | `bella` → `allab`       |
| `so0`      | Replace `o` with `0`    | `password` → `passw0rd` |
| `sa@`      | Replace `a` with `@`    | `maria` → `m@ri@`       |
| `se3`      | Replace `e` with `3`    | `nexura` → `n3xura`     |
| `$!`       | Append `!` at end       | `bella` → `bella!`      |
| `$1$9$9$8` | Append `1998` at end    | `bella` → `bella1998`   |
| `^2`       | Prepend `2` at start    | `bella` → `2bella`      |

**Chaining example:**

```
c so0 sa@ $1$9$9$8$!
```

`password` → capitalize + o→0 + a→@ + append 1998! → `P@ssw0rd1998!`

***

#### Example Rule File

```bash
cat custom.rule

:
c
u
c $!
c $1
c $1$2$3
c $1$9$9$8
c $1$9$9$8$!
c so0
c sa@
c so0 sa@
c so0 sa@ $!
c so0 sa@ $1$9$9$8$!
```

***

#### Generating a Mutated Wordlist

```bash
# Preview mutations (no cracking)
hashcat --force wordlist.txt -r custom.rule --stdout | sort -u

# Save to file
hashcat --force wordlist.txt -r custom.rule --stdout | sort -u > mut_wordlist.txt

# Crack with mutated wordlist
hashcat -a 0 -m 0 <hash> mut_wordlist.txt
```

***

#### CeWL — Scrape Company Websites for Words

Pulls real words from a target's website — employees often use company-specific terms as passwords.

```bash
cewl https://www.targetcompany.com -d 4 -m 6 --lowercase -w target.wordlist

# Check how many words were collected
wc -l target.wordlist
```

| Flag          | Meaning                       |
| ------------- | ----------------------------- |
| `-d 4`        | Spider 4 links deep           |
| `-m 6`        | Only words 6+ characters long |
| `--lowercase` | Save all words lowercase      |
| `-w`          | Output file                   |

Then combine with rules:

```bash
hashcat --force target.wordlist -r custom.rule --stdout | sort -u > mut_target.wordlist
hashcat -a 0 -m 0 <hash> mut_target.wordlist
```

***

#### Full Attack Flow

```
1. OSINT target (name, DOB, pets, company, hobbies, location)
2. Build base wordlist from gathered info
3. Write mutation rules matching known/suspected password policy
4. Generate mutated wordlist with hashcat --stdout
5. Crack: hashcat -a 0 -m <type> <hash> mut_wordlist.txt
```

> **Tip:** 20 base words × 15 rules = 300 candidates. Tiny wordlist, very targeted, fast to crack.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://capcap-1.gitbook.io/capcap/readme/ctf-modules/exploitation/password-attacks/custom-wordlists-and-rules.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
