Introduction
Hashcat is a powerful and versatile password recovery tool, widely recognized for its speed and support for numerous hashing algorithms and attack modes. One of its most innovative features is the PRINCE (Probabilistic Relevant Incremental Nonce-based Candidate-generator Extension) attack.
Unlike a standard dictionary attack that only tries words from a list, the PRINCE attack generates new password candidates by combining words from a given wordlist in various ways. This makes it highly effective against passwords that are concatenations of two or more dictionary words, a common pattern for creating memorable yet seemingly complex passwords.
In this lab, you will learn the fundamentals of the PRINCE attack mode in Hashcat. You will prepare a wordlist, execute a PRINCE attack against a sample hash, analyze the generated candidates, and finally, combine it with a rule file to tackle even more complex password variations.
Understand Probabilistic Word Generation with PRINCE
In this step, you will learn the core concept behind the PRINCE attack mode. The PRINCE attack is designated by the attack mode flag -a 8 in Hashcat. Its strength lies in creating new password candidates from a smaller wordlist, rather than relying on a massive dictionary. It algorithmically combines the words from your source list to generate a much larger, more complex set of potential passwords.
For example, if your wordlist contains "apple" and "pie", PRINCE can generate candidates like "apple", "pie", "applepie", "pieapple", "appleapple", and so on.
Let's start by confirming the PRINCE attack mode option in Hashcat's help menu. You can use grep to filter the extensive help output to find the relevant line.
Execute the following command in your terminal:
hashcat --help | grep "PRINCE"
You will see the line that defines the PRINCE attack mode, confirming its availability and its corresponding attack mode number.
8 | PRINCE
This confirms that -a 8 is the correct flag to invoke a PRINCE attack.
Prepare a Small Base Wordlist
In this step, you will create a small base wordlist. The effectiveness of a PRINCE attack is directly related to the quality of the input wordlist. Even a small, well-chosen list of words can be incredibly powerful. For this lab, we will create a file containing a few simple words.
Our target password for the first part of the lab is "labexrocks". Therefore, our wordlist should contain the base words "labex" and "rocks".
Use the echo command with output redirection to create a file named wordlist.txt in your current directory (~/project).
echo -e "labex\nrocks\npass\nword" > wordlist.txt
The -e flag enables interpretation of backslash escapes, so \n creates a new line for each word.
Now, verify the contents of your newly created wordlist using the cat command.
cat wordlist.txt
You should see the following output, confirming that the file was created correctly:
labex
rocks
pass
word
You now have a base wordlist ready for the PRINCE attack.
Execute a PRINCE Attack with -a 8
In this step, you will use the wordlist you created to crack a sample MD5 hash. The setup script for this lab has already created a file named hash.txt containing the MD5 hash of the password "labexrocks".
Let's construct the Hashcat command:
- hashcat: The executable.
- -m 0: Specifies the hash mode. 0 corresponds to MD5.
- -a 8: Specifies the attack mode, which is PRINCE.
- hash.txt: The file containing the target hash.
- wordlist.txt: Your base wordlist.
Now, run the complete command in your terminal:
hashcat -m 0 -a 8 hash.txt wordlist.txt
Hashcat will initialize and begin the attack. Since the wordlist is small and the password is a direct combination of words in it, the process will be very fast. You will see output detailing the session, and most importantly, the cracked password.
The output will look similar to this (some details may vary):
...
Dictionary cache built:
* Filename..: wordlist.txt
* Passwords.: 4
* Bytes.....: 22
* Keyspace..: 468
2d4a2b23999534c734b26e1b31b5579d:labexrocks
Session..........: hashcat
Status...........: Cracked
Hash.Name........: MD5
Hash.Target......: 2d4a2b23999534c734b26e1b31b5579d
Time.Started.....: ...
Time.Estimated...: ...
Guess.Base.......: File (wordlist.txt)
Guess.Mode.......: PRINCE
Speed.#*.........: ...
Recovered........: 1/1 (100.00%) Digests
Progress.........: 468/468 (100.00%)
Rejected.........: 0/468 (0.00%)
Restore.Point....: 468/468 (100.00%)
Restore.Sub.#*...: ...
Candidate.Engine.: PRINCE
Candidates.#*....: ...
Hardware.Mon.#*..: ...
...
The line 2d4a2b23999534c734b26e1b31b5579d:labexrocks clearly shows the original hash and the recovered password. You have successfully used the PRINCE attack to crack the password.
Analyze the Generated Candidate Passwords
In this step, you will explore what PRINCE is doing behind the scenes. Instead of cracking a hash, you can instruct Hashcat to simply output the password candidates it generates to the console. This is done using the --stdout flag. It's an excellent way to understand how your base wordlist is being transformed.
Let's use --stdout with our wordlist.txt to see the generated candidates.
hashcat --stdout -a 8 wordlist.txt
This will print a large number of combinations to your screen. To make the output more manageable, you can pipe it to the head command to view only the first 10 lines.
hashcat --stdout -a 8 wordlist.txt | head -n 10
The output will show the first few candidates generated by PRINCE.
pass
word
labex
rocks
passpass
password
passlabex
passrocks
wordpass
wordword
As you can see, PRINCE starts with the original words and then begins creating new combinations. The password we cracked earlier, "labexrocks", would be generated further down this list. This demonstrates the power of PRINCE to expand a small wordlist into a much larger and more effective set of password guesses.
Combine PRINCE with a Rule File for More Complexity
In this step, you will learn how to make the PRINCE attack even more powerful by combining it with a rule file. Rule files apply specific mutations to each candidate password generated by PRINCE. This allows you to test for common variations like capitalization, adding numbers, or appending special characters.
The lab setup has provided a hash file hash2.txt (for the password "Labexrocks") and a common rule file named best64.rule. This rule file contains 64 of the most effective password-mangling rules.
The attack flow will be:
- PRINCE generates a candidate (e.g., "labexrocks").
- Hashcat applies rules from best64.rule to that candidate (e.g., capitalize the first letter -> "Labexrocks").
- The modified candidate is tested against the hash.
To combine a PRINCE attack with a rule file, you simply add the -r flag followed by the path to the rule file.
Execute the following command:
hashcat -m 0 -a 8 hash2.txt wordlist.txt -r best64.rule
Hashcat will now run the PRINCE attack, but each generated candidate will be modified by the rules in best64.rule before being tested.
You will see a successful crack in the output:
...
15895e67271a552214b5e422d5752e47:Labexrocks
Session..........: hashcat
Status...........: Cracked
...
The recovered password is "Labexrocks". This was found because PRINCE generated "labexrocks", and one of the rules in best64.rule capitalized the first letter, matching the target password. This combination of attack modes is extremely effective in real-world scenarios.
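Seen from the defending side, the same logic can be turned into a password audit: the added example below (not part of the original lab or of Hashcat) checks whether a password is nothing more than a chain of base words after undoing simple mutations. The function names normalize, word_chain and audit are hypothetical, and the normalization is a simplified stand-in for rule-based mangling, not a reimplementation of best64.rule.

```python
# Added example: flag passwords that are only chains of base words,
# the pattern the PRINCE attack in this lab targets.
import string


def normalize(password):
    """Undo the simple mutations the lab mentions: capitalization and
    appended digits or special characters (assumption: a simplified
    stand-in for rule files, not best64.rule itself)."""
    return password.rstrip(string.digits + string.punctuation).lower()


def word_chain(password, words):
    """Return the shortest list of base words whose concatenation equals
    the normalized password, or None if no such chain exists."""
    target = normalize(password)
    vocab = {w.lower() for w in words if w}
    if not target or not vocab:
        return None
    max_len = max(len(w) for w in vocab)
    # best[i] holds the shortest chain spelling target[:i], or None.
    best = [None] * (len(target) + 1)
    best[0] = []
    for end in range(1, len(target) + 1):
        for start in range(max(0, end - max_len), end):
            piece = target[start:end]
            if best[start] is not None and piece in vocab:
                cand = best[start] + [piece]
                if best[end] is None or len(cand) < len(best[end]):
                    best[end] = cand
    return best[len(target)]


def audit(passwords, words, max_elems=4):
    """Map each weak password to its chain of at most max_elems words."""
    findings = {}
    for pw in passwords:
        chain = word_chain(pw, words)
        if chain is not None and len(chain) <= max_elems:
            findings[pw] = chain
    return findings


if __name__ == "__main__":
    base = ["labex", "rocks", "pass", "word"]  # the lab's wordlist.txt
    # Constructed sample passwords for illustration only.
    sample = ["labexrocks", "Labexrocks", "Password1!", "rocksolid", "x9$Tq"]
    for pw, chain in audit(sample, base).items():
        print(f"{pw!r} is a chain of {len(chain)} base word(s): {chain}")
```

Run against a real denylist at password-set time, a check like this rejects the multi-word passwords that a PRINCE-plus-rules run would recover first.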
Summary
In this lab, you have successfully learned how to use the PRINCE attack mode in Hashcat. You have gained hands-on experience with one of the most creative and effective password cracking techniques available.
You have learned to:
- Understand the concept of the PRINCE attack (-a 8) and how it probabilistically generates password candidates.
- Prepare a simple, targeted wordlist to serve as a base for the attack.
- Execute a basic PRINCE attack to crack a password formed by concatenating words.
- Use the --stdout flag to analyze the candidates generated by PRINCE and understand its logic.
- Combine the PRINCE attack with a rule file (-r) to crack more complex passwords with variations like capitalization.
The PRINCE attack is a powerful tool in any security professional's arsenal, especially when dealing with passwords created from multiple words. Mastering its use and its combination with other attack modes will significantly enhance your password recovery capabilities.



