hashcat usage notes

About Hashcat

Hashcat describes itself as the world's fastest password recovery tool.

On Debian-based Linux it can be installed with apt install hashcat.

More information is on the official GitHub page: https://github.com/hashcat/hashcat

Hash algorithms hashcat supports include Microsoft LM, MD4, MD5, the SHA family, Unix crypt formats, MySQL, Cisco PIX and many more; a mode table follows further down.

It also runs on several kinds of compute device through OpenCL or CUDA: GPU, CPU, APU, DSP, FPGA and coprocessors.

Common options

Option  Purpose
-m  Hash type (mode number). Older releases default to 0 (MD5) when it is omitted; hashcat 6.2 and later try to auto-detect the mode instead, but always name it explicitly in scripts.
-a  Attack mode
-V  Print version information
-o  Write cracked results to the given file
--force  Ignore warnings (for example about unsupported OpenCL/CUDA drivers). Results produced under --force are not guaranteed to be correct, so fix the driver rather than relying on it.
--show  Only show hashes that are already cracked (read from the potfile) together with their plaintexts; run it with the same -m and hash file
--remove  Delete cracked hashes from the input hash file
--username  Ignore the user name prefix (user:hash) in the hash file
-b  Benchmark: measure cracking speed and report hardware information
-O  Enable the optimized kernels: faster, but the maximum password length drops (often to 31 characters or less, depending on the algorithm; the exact limit is printed at startup)
-T  Manual kernel thread count (--kernel-threads)
-r  Apply a rule file
-1 / -2 / -3 / -4  Define custom charsets ?1 .. ?4
-i  Enable increment mode (try the mask at growing lengths)
--increment-min  Minimum length for increment mode
--increment-max  Maximum length for increment mode
--hash-info  Show information and an example hash for the hash modes

-a attack modes

-a value  Attack mode
0  Straight (wordlist attack: every line of the wordlist is a candidate, optionally mangled by -r rules)
1  Combination (every word of one wordlist joined with every word of a second wordlist)
3  Brute-force (mask attack)
6  Hybrid Wordlist + Mask (the mask is appended to each wordlist entry)
7  Hybrid Mask + Wordlist (the mask is prepended to each wordlist entry)

Mask charsets

Charset  Meaning
?l  lowercase letters abcdefghijklmnopqrstuvwxyz [a-z]
?u  uppercase letters ABCDEFGHIJKLMNOPQRSTUVWXYZ [A-Z]
?d  digits 0123456789 [0-9]
?h  lowercase hex digits 0123456789abcdef [0-9a-f]
?H  uppercase hex digits 0123456789ABCDEF [0-9A-F]
?s  special characters, including the space: space !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a  letters, digits and specials together: ?l?u?d?s (the 95 printable ASCII characters)
?b  every byte value 0x00 - 0xff

Any character in a mask that is not part of a ?x placeholder is a literal; write ?? for a literal question mark. Custom charsets are also supported through -1 .. -4, for example:

hashcat -a 3 -1 abc123 hash.txt ?1?1?1

This tries every three-character string built from the characters a, b, c, 1, 2 and 3 (hash.txt holds the target hash). A custom charset may itself use built-in placeholders, e.g. -1 ?l?d.

Hash mode table

-m value  Name  Category
900 MD4 Raw Hash
0 MD5 Raw Hash
5100 Half MD5 Raw Hash
100 SHA1 Raw Hash
1300 SHA2-224 Raw Hash
1400 SHA2-256 Raw Hash
10800 SHA2-384 Raw Hash
1700 SHA2-512 Raw Hash
17300 SHA3-224 Raw Hash
17400 SHA3-256 Raw Hash
17500 SHA3-384 Raw Hash
17600 SHA3-512 Raw Hash
17700 Keccak-224 Raw Hash
17800 Keccak-256 Raw Hash
17900 Keccak-384 Raw Hash
18000 Keccak-512 Raw Hash
600 BLAKE2b-512 Raw Hash
10100 SipHash Raw Hash
6000 RIPEMD-160 Raw Hash
6100 Whirlpool Raw Hash
6900 GOST R 34.11-94 Raw Hash
11700 GOST R 34.11-2012 (Streebog) 256-bit, big-endian Raw Hash
11800 GOST R 34.11-2012 (Streebog) 512-bit, big-endian Raw Hash
10 md5($pass.$salt) Raw Hash, Salted and/or Iterated
20 md5($salt.$pass) Raw Hash, Salted and/or Iterated
30 md5(utf16le($pass).$salt) Raw Hash, Salted and/or Iterated
40 md5($salt.utf16le($pass)) Raw Hash, Salted and/or Iterated
3800 md5($salt.$pass.$salt) Raw Hash, Salted and/or Iterated
3710 md5($salt.md5($pass)) Raw Hash, Salted and/or Iterated
4010 md5($salt.md5($salt.$pass)) Raw Hash, Salted and/or Iterated
4110 md5($salt.md5($pass.$salt)) Raw Hash, Salted and/or Iterated
2600 md5(md5($pass)) Raw Hash, Salted and/or Iterated
3910 md5(md5($pass).md5($salt)) Raw Hash, Salted and/or Iterated
4300 md5(strtoupper(md5($pass))) Raw Hash, Salted and/or Iterated
4400 md5(sha1($pass)) Raw Hash, Salted and/or Iterated
110 sha1($pass.$salt) Raw Hash, Salted and/or Iterated
120 sha1($salt.$pass) Raw Hash, Salted and/or Iterated
130 sha1(utf16le($pass).$salt) Raw Hash, Salted and/or Iterated
140 sha1($salt.utf16le($pass)) Raw Hash, Salted and/or Iterated
4500 sha1(sha1($pass)) Raw Hash, Salted and/or Iterated
4520 sha1($salt.sha1($pass)) Raw Hash, Salted and/or Iterated
4700 sha1(md5($pass)) Raw Hash, Salted and/or Iterated
4900 sha1($salt.$pass.$salt) Raw Hash, Salted and/or Iterated
14400 sha1(CX) Raw Hash, Salted and/or Iterated
1410 sha256($pass.$salt) Raw Hash, Salted and/or Iterated
1420 sha256($salt.$pass) Raw Hash, Salted and/or Iterated
1430 sha256(utf16le($pass).$salt) Raw Hash, Salted and/or Iterated
1440 sha256($salt.utf16le($pass)) Raw Hash, Salted and/or Iterated
1710 sha512($pass.$salt) Raw Hash, Salted and/or Iterated
1720 sha512($salt.$pass) Raw Hash, Salted and/or Iterated
1730 sha512(utf16le($pass).$salt) Raw Hash, Salted and/or Iterated
1740 sha512($salt.utf16le($pass)) Raw Hash, Salted and/or Iterated
50 HMAC-MD5 (key = $pass) Raw Hash, Authenticated
60 HMAC-MD5 (key = $salt) Raw Hash, Authenticated
150 HMAC-SHA1 (key = $pass) Raw Hash, Authenticated
160 HMAC-SHA1 (key = $salt) Raw Hash, Authenticated
1450 HMAC-SHA256 (key = $pass) Raw Hash, Authenticated
1460 HMAC-SHA256 (key = $salt) Raw Hash, Authenticated
1750 HMAC-SHA512 (key = $pass) Raw Hash, Authenticated
1760 HMAC-SHA512 (key = $salt) Raw Hash, Authenticated
11750 HMAC-Streebog-256 (key = $pass), big-endian Raw Hash, Authenticated
11760 HMAC-Streebog-256 (key = $salt), big-endian Raw Hash, Authenticated
11850 HMAC-Streebog-512 (key = $pass), big-endian Raw Hash, Authenticated
11860 HMAC-Streebog-512 (key = $salt), big-endian Raw Hash, Authenticated
14000 DES (PT = $salt, key = $pass) Raw Cipher, Known-Plaintext attack
14100 3DES (PT = $salt, key = $pass) Raw Cipher, Known-Plaintext attack
14900 Skip32 (PT = $salt, key = $pass) Raw Cipher, Known-Plaintext attack
15400 ChaCha20 Raw Cipher, Known-Plaintext attack
400 phpass Generic KDF
8900 scrypt Generic KDF
11900 PBKDF2-HMAC-MD5 Generic KDF
12000 PBKDF2-HMAC-SHA1 Generic KDF
10900 PBKDF2-HMAC-SHA256 Generic KDF
12100 PBKDF2-HMAC-SHA512 Generic KDF
23 Skype Network Protocols
2500 WPA-EAPOL-PBKDF2 Network Protocols
2501 WPA-EAPOL-PMK Network Protocols
16800 WPA-PMKID-PBKDF2 Network Protocols
16801 WPA-PMKID-PMK Network Protocols
4800 iSCSI CHAP authentication, MD5(CHAP) Network Protocols
5300 IKE-PSK MD5 Network Protocols
5400 IKE-PSK SHA1 Network Protocols
5500 NetNTLMv1 Network Protocols
5500 NetNTLMv1+ESS Network Protocols
5600 NetNTLMv2 Network Protocols
7300 IPMI2 RAKP HMAC-SHA1 Network Protocols
7500 Kerberos 5 AS-REQ Pre-Auth etype 23 Network Protocols
8300 DNSSEC (NSEC3) Network Protocols
10200 CRAM-MD5 Network Protocols
11100 PostgreSQL CRAM (MD5) Network Protocols
11200 MySQL CRAM (SHA1) Network Protocols
11400 SIP digest authentication (MD5) Network Protocols
13100 Kerberos 5 TGS-REP etype 23 Network Protocols
16100 TACACS+ Network Protocols
16500 JWT (JSON Web Token) Network Protocols
18200 Kerberos 5 AS-REP etype 23 Network Protocols
121 SMF (Simple Machines Forum) > v1.1 Forums, CMS, E-Commerce, Frameworks
400 phpBB3 (MD5) Forums, CMS, E-Commerce, Frameworks
2611 vBulletin < v3.8.5 Forums, CMS, E-Commerce, Frameworks
2711 vBulletin >= v3.8.5 Forums, CMS, E-Commerce, Frameworks
2811 MyBB 1.2+ Forums, CMS, E-Commerce, Frameworks
2811 IPB2+ (Invision Power Board) Forums, CMS, E-Commerce, Frameworks
8400 WBB3 (Woltlab Burning Board) Forums, CMS, E-Commerce, Frameworks
11 Joomla < 2.5.18 Forums, CMS, E-Commerce, Frameworks
400 Joomla >= 2.5.18 (MD5) Forums, CMS, E-Commerce, Frameworks
400 WordPress (MD5) Forums, CMS, E-Commerce, Frameworks
2612 PHPS Forums, CMS, E-Commerce, Frameworks
7900 Drupal7 Forums, CMS, E-Commerce, Frameworks
21 osCommerce Forums, CMS, E-Commerce, Frameworks
21 xt:Commerce Forums, CMS, E-Commerce, Frameworks
11000 PrestaShop Forums, CMS, E-Commerce, Frameworks
124 Django (SHA-1) Forums, CMS, E-Commerce, Frameworks
10000 Django (PBKDF2-SHA256) Forums, CMS, E-Commerce, Frameworks
16000 Tripcode Forums, CMS, E-Commerce, Frameworks
3711 MediaWiki B type Forums, CMS, E-Commerce, Frameworks
13900 OpenCart Forums, CMS, E-Commerce, Frameworks
4521 Redmine Forums, CMS, E-Commerce, Frameworks
4522 PunBB Forums, CMS, E-Commerce, Frameworks
12001 Atlassian (PBKDF2-HMAC-SHA1) Forums, CMS, E-Commerce, Frameworks
12 PostgreSQL Database Server
131 MSSQL (2000) Database Server
132 MSSQL (2005) Database Server
1731 MSSQL (2012, 2014) Database Server
200 MySQL323 Database Server
300 MySQL4.1/MySQL5 Database Server
3100 Oracle H: Type (Oracle 7+) Database Server
112 Oracle S: Type (Oracle 11+) Database Server
12300 Oracle T: Type (Oracle 12+) Database Server
8000 Sybase ASE Database Server
141 Episerver 6.x < .NET 4 HTTP, SMTP, LDAP Server
1441 Episerver 6.x >= .NET 4 HTTP, SMTP, LDAP Server
1600 Apache $apr1$ MD5, md5apr1, MD5 (APR) HTTP, SMTP, LDAP Server
12600 ColdFusion 10+ HTTP, SMTP, LDAP Server
1421 hMailServer HTTP, SMTP, LDAP Server
101 nsldap, SHA-1(Base64), Netscape LDAP SHA HTTP, SMTP, LDAP Server
111 nsldaps, SSHA-1(Base64), Netscape LDAP SSHA HTTP, SMTP, LDAP Server
1411 SSHA-256(Base64), LDAP {SSHA256} HTTP, SMTP, LDAP Server
1711 SSHA-512(Base64), LDAP {SSHA512} HTTP, SMTP, LDAP Server
16400 CRAM-MD5 Dovecot HTTP, SMTP, LDAP Server
15000 FileZilla Server >= 0.9.55 FTP Server
11500 CRC32 Checksums
3000 LM Operating Systems
1000 NTLM Operating Systems
1100 Domain Cached Credentials (DCC), MS Cache Operating Systems
2100 Domain Cached Credentials 2 (DCC2), MS Cache 2 Operating Systems
15300 DPAPI masterkey file v1 Operating Systems
15900 DPAPI masterkey file v2 Operating Systems
12800 MS-AzureSync PBKDF2-HMAC-SHA256 Operating Systems
1500 descrypt, DES (Unix), Traditional DES Operating Systems
12400 BSDi Crypt, Extended DES Operating Systems
500 md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5) Operating Systems
3200 bcrypt $2*$, Blowfish (Unix) Operating Systems
7400 sha256crypt $5$, SHA256 (Unix) Operating Systems
1800 sha512crypt $6$, SHA512 (Unix) Operating Systems
122 macOS v10.4, MacOS v10.5, MacOS v10.6 Operating Systems
1722 macOS v10.7 Operating Systems
7100 macOS v10.8+ (PBKDF2-SHA512) Operating Systems
6300 AIX {smd5} Operating Systems
6700 AIX {ssha1} Operating Systems
6400 AIX {ssha256} Operating Systems
6500 AIX {ssha512} Operating Systems
2400 Cisco-PIX MD5 Operating Systems
2410 Cisco-ASA MD5 Operating Systems
500 Cisco-IOS $1$ (MD5) Operating Systems
5700 Cisco-IOS type 4 (SHA256) Operating Systems
9200 Cisco-IOS $8$ (PBKDF2-SHA256) Operating Systems
9300 Cisco-IOS $9$ (scrypt) Operating Systems
22 Juniper NetScreen/SSG (ScreenOS) Operating Systems
501 Juniper IVE Operating Systems
15100 Juniper/NetBSD sha1crypt Operating Systems
7000 FortiGate (FortiOS) Operating Systems
5800 Samsung Android Password/PIN Operating Systems
13800 Windows Phone 8+ PIN/password Operating Systems
8100 Citrix NetScaler Operating Systems
8500 RACF Operating Systems
7200 GRUB 2 Operating Systems
9900 Radmin2 Operating Systems
125 ArubaOS Operating Systems
7700 SAP CODVN B (BCODE) Enterprise Application Software (EAS)
7701 SAP CODVN B (BCODE) via RFC_READ_TABLE Enterprise Application Software (EAS)
7800 SAP CODVN F/G (PASSCODE) Enterprise Application Software (EAS)
7801 SAP CODVN F/G (PASSCODE) via RFC_READ_TABLE Enterprise Application Software (EAS)
10300 SAP CODVN H (PWDSALTEDHASH) iSSHA-1 Enterprise Application Software (EAS)
8600 Lotus Notes/Domino 5 Enterprise Application Software (EAS)
8700 Lotus Notes/Domino 6 Enterprise Application Software (EAS)
9100 Lotus Notes/Domino 8 Enterprise Application Software (EAS)
133 PeopleSoft Enterprise Application Software (EAS)
13500 PeopleSoft PS_TOKEN Enterprise Application Software (EAS)
11600 7-Zip Archives
12500 RAR3-hp Archives
13000 RAR5 Archives
13200 AxCrypt Archives
13300 AxCrypt in-memory SHA1 Archives
13600 WinZip Archives
14700 iTunes backup < 10.0 Backup
14800 iTunes backup >= 10.0 Backup
62XY TrueCrypt Full-Disk Encryption (FDE)
X 1 = PBKDF2-HMAC-RIPEMD160 Full-Disk Encryption (FDE)
X 2 = PBKDF2-HMAC-SHA512 Full-Disk Encryption (FDE)
X 3 = PBKDF2-HMAC-Whirlpool Full-Disk Encryption (FDE)
X 4 = PBKDF2-HMAC-RIPEMD160 + boot-mode Full-Disk Encryption (FDE)
Y 1 = XTS 512 bit pure AES Full-Disk Encryption (FDE)
Y 1 = XTS 512 bit pure Serpent Full-Disk Encryption (FDE)
Y 1 = XTS 512 bit pure Twofish Full-Disk Encryption (FDE)
Y 2 = XTS 1024 bit pure AES Full-Disk Encryption (FDE)
Y 2 = XTS 1024 bit pure Serpent Full-Disk Encryption (FDE)
Y 2 = XTS 1024 bit pure Twofish Full-Disk Encryption (FDE)
Y 2 = XTS 1024 bit cascaded AES-Twofish Full-Disk Encryption (FDE)
Y 2 = XTS 1024 bit cascaded Serpent-AES Full-Disk Encryption (FDE)
Y 2 = XTS 1024 bit cascaded Twofish-Serpent Full-Disk Encryption (FDE)
Y 3 = XTS 1536 bit all Full-Disk Encryption (FDE)
8800 Android FDE <= 4.3 Full-Disk Encryption (FDE)
12900 Android FDE (Samsung DEK) Full-Disk Encryption (FDE)
12200 eCryptfs Full-Disk Encryption (FDE)
137XY VeraCrypt Full-Disk Encryption (FDE)
X 1 = PBKDF2-HMAC-RIPEMD160 Full-Disk Encryption (FDE)
X 2 = PBKDF2-HMAC-SHA512 Full-Disk Encryption (FDE)
X 3 = PBKDF2-HMAC-Whirlpool Full-Disk Encryption (FDE)
X 4 = PBKDF2-HMAC-RIPEMD160 + boot-mode Full-Disk Encryption (FDE)
X 5 = PBKDF2-HMAC-SHA256 Full-Disk Encryption (FDE)
X 6 = PBKDF2-HMAC-SHA256 + boot-mode Full-Disk Encryption (FDE)
X 7 = PBKDF2-HMAC-Streebog-512 Full-Disk Encryption (FDE)
Y 1 = XTS 512 bit pure AES Full-Disk Encryption (FDE)
Y 1 = XTS 512 bit pure Serpent Full-Disk Encryption (FDE)
Y 1 = XTS 512 bit pure Twofish Full-Disk Encryption (FDE)
Y 1 = XTS 512 bit pure Camellia Full-Disk Encryption (FDE)
Y 1 = XTS 512 bit pure Kuznyechik Full-Disk Encryption (FDE)
Y 2 = XTS 1024 bit pure AES Full-Disk Encryption (FDE)
Y 2 = XTS 1024 bit pure Serpent Full-Disk Encryption (FDE)
Y 2 = XTS 1024 bit pure Twofish Full-Disk Encryption (FDE)
Y 2 = XTS 1024 bit pure Camellia Full-Disk Encryption (FDE)
Y 2 = XTS 1024 bit pure Kuznyechik Full-Disk Encryption (FDE)
Y 2 = XTS 1024 bit cascaded AES-Twofish Full-Disk Encryption (FDE)
Y 2 = XTS 1024 bit cascaded Camellia-Kuznyechik Full-Disk Encryption (FDE)
Y 2 = XTS 1024 bit cascaded Camellia-Serpent Full-Disk Encryption (FDE)
Y 2 = XTS 1024 bit cascaded Kuznyechik-AES Full-Disk Encryption (FDE)
Y 2 = XTS 1024 bit cascaded Kuznyechik-Twofish Full-Disk Encryption (FDE)
Y 2 = XTS 1024 bit cascaded Serpent-AES Full-Disk Encryption (FDE)
Y 2 = XTS 1024 bit cascaded Twofish-Serpent Full-Disk Encryption (FDE)
Y 3 = XTS 1536 bit all Full-Disk Encryption (FDE)
14600 LUKS Full-Disk Encryption (FDE)
16700 FileVault 2 Full-Disk Encryption (FDE)
18300 Apple File System (APFS) Full-Disk Encryption (FDE)
9700 MS Office <= 2003 $0/$1, MD5 + RC4 Documents
9710 MS Office <= 2003 $0/$1, MD5 + RC4, collider #1 Documents
9720 MS Office <= 2003 $0/$1, MD5 + RC4, collider #2 Documents
9800 MS Office <= 2003 $3/$4, SHA1 + RC4 Documents
9810 MS Office <= 2003 $3, SHA1 + RC4, collider #1 Documents
9820 MS Office <= 2003 $3, SHA1 + RC4, collider #2 Documents
9400 MS Office 2007 Documents
9500 MS Office 2010 Documents
9600 MS Office 2013 Documents
10400 PDF 1.1 - 1.3 (Acrobat 2 - 4) Documents
10410 PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #1 Documents
10420 PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2 Documents
10500 PDF 1.4 - 1.6 (Acrobat 5 - 8) Documents
10600 PDF 1.7 Level 3 (Acrobat 9) Documents
10700 PDF 1.7 Level 8 (Acrobat 10 - 11) Documents
16200 Apple Secure Notes Documents
9000 Password Safe v2 Password Managers
5200 Password Safe v3 Password Managers
6800 LastPass + LastPass sniffed Password Managers
6600 1Password, agilekeychain Password Managers
8200 1Password, cloudkeychain Password Managers
11300 Bitcoin/Litecoin wallet.dat Password Managers
12700 Blockchain, My Wallet Password Managers
15200 Blockchain, My Wallet, V2 Password Managers
16600 Electrum Wallet (Salt-Type 1-3) Password Managers
13400 KeePass 1 (AES/Twofish) and KeePass 2 (AES) Password Managers
15500 JKS Java Key Store Private Keys (SHA1) Password Managers
15600 Ethereum Wallet, PBKDF2-HMAC-SHA256 Password Managers
15700 Ethereum Wallet, SCRYPT Password Managers
16300 Ethereum Pre-Sale Wallet, PBKDF2-HMAC-SHA256 Password Managers
16900 Ansible Vault Password Managers
18100 TOTP (HMAC-SHA1) One-Time Passwords
99999 Plaintext Plaintext

Worked examples

Wordlist attack

hashcat -a 0 0192023a7bbd73250516f069df18b500 password.txt --force

Mask attack with a fixed charset

hashcat -a 3 63a9f0ea7bb98050796b649e85481845 ?l?l?l?l --force

Hybrid wordlist + mask

hashcat -a 6 1844156d4166d94387f1a4ad031ca5fa password.txt ?d?d?d --force

Hybrid mask + wordlist

hashcat -a 7 f8def8bcecb2e7925a2b42d60d202deb ?d?d password.txt --force

Note that the argument order follows the attack mode: with -a 6 the wordlist comes first and the mask is appended to each word (password123), with -a 7 the mask comes first and is prepended (12password). All four examples are raw MD5, i.e. -m 0, which is the default in these versions.
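The masks and hybrid modes above can be reasoned about before spending GPU time. The following is an added Python example, not code from this page or from the hashcat project: a small parser for hashcat's mask syntax (built-in ?x charsets, custom -1 .. -4 charsets, ?? and literal characters) that computes the keyspace of a mask, the total work of an -i increment run, and, for the hybrid modes, shows on which side of the word the mask lands. The charset contents are hashcat's; the candidate order produced by the generators is an assumption and not hashcat's internal scheduling.

```python
import itertools
import string

# hashcat's built-in charsets (the table above); ?a is the union ?l?u?d?s
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
    "b": "".join(chr(i) for i in range(256)),
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]


def _dedupe(chars):
    # a charset is a set of characters; keep first-occurrence order
    return "".join(dict.fromkeys(chars))


def parse_mask(mask, custom=None):
    """Return one charset string per password position.

    custom maps "1".."4" to the strings given with -1 .. -4.  A custom charset
    may use built-in placeholders (e.g. -1 ?l?d); as a simplification of this
    example a custom charset may not reference another custom charset.
    Outside a placeholder every character is a literal, and '??' is a literal '?'.
    """
    custom = custom or {}
    charsets = []
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            charsets.append(mask[i])
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        key = mask[i + 1]
        if key == "?":
            charsets.append("?")
        elif key in BUILTIN:
            charsets.append(BUILTIN[key])
        elif key in custom:
            charsets.append(_dedupe("".join(parse_mask(custom[key]))))
        else:
            raise ValueError(f"unknown placeholder ?{key}")
        i += 2
    return charsets


def keyspace(mask, custom=None):
    """Number of candidates a mask generates in -a 3 (product of charset sizes)."""
    n = 1
    for cs in parse_mask(mask, custom):
        n *= len(cs)
    return n


def increment_keyspace(mask, min_len, max_len, custom=None):
    """Total candidates for -i --increment-min/--increment-max: the first k
    positions of the mask are run for every k in the range."""
    charsets = parse_mask(mask, custom)
    if not 1 <= min_len <= max_len <= len(charsets):
        raise ValueError("increment range must lie within the mask length")
    total = 0
    for k in range(min_len, max_len + 1):
        n = 1
        for cs in charsets[:k]:
            n *= len(cs)
        total += n
    return total


def mask_candidates(mask, custom=None):
    """Yield every candidate of a mask; only sensible for small keyspaces."""
    for combo in itertools.product(*parse_mask(mask, custom)):
        yield "".join(combo)


def hybrid_candidates(mode, words, mask, custom=None):
    """Candidates for the hybrid modes: -a 6 appends the mask to each word,
    -a 7 prepends it.  The order here is an assumption, not hashcat's."""
    if mode not in (6, 7):
        raise ValueError("hybrid modes are 6 and 7")
    for word in words:
        for m in mask_candidates(mask, custom):
            yield word + m if mode == 6 else m + word


if __name__ == "__main__":
    print(keyspace("?l?l?l?l"))                          # 456976
    print(keyspace("?1?1?1", {"1": "abc123"}))           # 216
    print(increment_keyspace("?d?d?d", 1, 3))            # 1110
    print(list(hybrid_candidates(6, ["password"], "?d"))[:3])
    print(list(hybrid_candidates(7, ["password"], "?d"))[:3])
```

keyspace() is useful for deciding whether a mask is affordable at all: ?a?a?a?a?a?a?a?a is 95^8, roughly 6.6e15 candidates, which no wordlist-sized plan should be compared with.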

MySQL 4.1/5 PASSWORD() function

hashcat -a 3 -m 300 --force 6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 ?d?d?d?d?d?d

sha512crypt $6$, SHA512 (Unix)

The hash can be taken from /etc/shadow (cat /etc/shadow as root). Hashes containing $ must be single-quoted on the command line, otherwise the shell expands $6, $mxuA5cdy and so on before hashcat ever sees them.

hashcat -a 3 -m 1800 --force '$6$mxuA5cdy$XZRk0CvnPFqOgVopqiPEFAFK72SogKVwwwp7gWaUOb7b6tVwfCpcSUsCEk64ktLLYmzyew/xd0O0hPG/yrm2X.' ?l?l?l?l

If you would rather not strip the user name from the shadow line, keep it and add --username:

hashcat -a 3 -m 1800 --force --username 'qiyou:$6$QDq75ki3$jsKm7qTDHz/xBob0kF1Lp170Cgg0i5Tslf3JW/sm9k9Q916mBTyilU3PoOsbRdxV8TAmzvdgNjrCuhfg3jKMY1' ?l?l?l?l?l

Windows NT hash and LM hash

NT and LM hashes can be dumped from the SAM with a tool such as SAMInside.

  • NT hash (MD4 of the UTF-16LE password, -m 1000)

    hashcat64.exe -a 3 -m 1000 209C6174DA490CAEB422F3FA5A7AE634 ?l?l?l?l?l
  • LM hash (-m 3000)

    hashcat64.exe -a 3 -m 3000 F0D412BD764FFE81AAD3B435B51404EE ?l?l?l?l?l

    LM upper-cases the password before hashing, so letter case cannot be recovered from an LM hash, and it hashes the 14-byte padded password as two independent 7-byte halves. The second half AAD3B435B51404EE above is the hash of an empty block, which tells you the password is at most 7 characters long before a single guess is made.

MSSQL

hashcat -a 3 -m 132 --force 0x01008c8006c224f71f6bf0036f78d863c3c4ff53f8c3c48edafb ?l?l?l?l?l?d?d?d

-m 132 is the MSSQL 2005 format; MSSQL 2000 is 131 and MSSQL 2012/2014 is 1731 (see the table).

LUKS

hashcat (-m 14600, LUKS1 only) checks a candidate by decrypting the first sector of the payload, so it needs only the LUKS header and key material plus one sector past the payload offset, about 2 MB for a default header, instead of the whole device. Cutting that prefix off first makes the job much easier to move around:

dd if=file of=file-cut bs=512 count=4097

4097 sectors is the default LUKS1 payload offset of 4096 sectors plus the first payload sector. If the volume was created with a different alignment, read the offset from cryptsetup luksDump file (the "Payload offset" line) and use offset + 1 as the count. LUKS2 headers (the cryptsetup default since version 2.1) are not handled by mode 14600.

Then run:

hashcat -m 14600 -a 3 file-cut ?d?d?d?d?d?d
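Rather than trusting count=4097, the number can be read from the header itself. The following is an added Python example, not code from this page or from hashcat or cryptsetup: it parses the fixed 592-byte LUKS1 header layout from cryptsetup's luks.h, rejects LUKS2 (same magic, different version) and returns the number of bytes mode 14600 needs together with the matching dd line. The sample header is constructed inside the code for demonstration and does not come from a real volume.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
SECTOR = 512
LUKS_KEY_ENABLED = 0x00AC71F3    # key slot state constants from cryptsetup
LUKS_KEY_DISABLED = 0x0000DEAD

# LUKS1 phdr: big-endian, 208 fixed bytes followed by 8 key slots of 48 bytes
_PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
_KEYSLOT = struct.Struct(">II32sII")
LUKS1_HEADER_LEN = _PHDR.size + 8 * _KEYSLOT.size   # 592


def _cstr(raw):
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_luks1_header(data):
    """Parse a LUKS1 header; raise ValueError for anything -m 14600 cannot use."""
    if len(data) < LUKS1_HEADER_LEN:
        raise ValueError(f"need at least {LUKS1_HEADER_LEN} bytes, got {len(data)}")
    (magic, version, cipher_name, cipher_mode, hash_spec, payload_offset,
     key_bytes, _mk_digest, _mk_salt, mk_iterations, uuid) = _PHDR.unpack_from(data, 0)
    if magic != LUKS_MAGIC:
        raise ValueError("not a LUKS volume: bad magic")
    if version != 1:
        # LUKS2 keeps the magic but stores JSON metadata; mode 14600 is LUKS1 only
        raise ValueError(f"LUKS version {version}: hashcat -m 14600 handles LUKS1 only")
    slots = []
    for i in range(8):
        active, iterations, _salt, material_offset, stripes = _KEYSLOT.unpack_from(
            data, _PHDR.size + i * _KEYSLOT.size)
        slots.append({
            "active": active == LUKS_KEY_ENABLED,
            "iterations": iterations,
            "material_offset": material_offset,   # sectors
            "stripes": stripes,
        })
    return {
        "version": version,
        "cipher_name": _cstr(cipher_name),
        "cipher_mode": _cstr(cipher_mode),
        "hash_spec": _cstr(hash_spec),
        "payload_offset": payload_offset,         # sectors
        "key_bytes": key_bytes,
        "mk_iterations": mk_iterations,
        "uuid": _cstr(uuid),
        "slots": slots,
    }


def hashcat_input_length(hdr):
    """Bytes hashcat needs: header, key material and the first payload sector,
    i.e. (payload_offset + 1) sectors; 4096 gives 4097 * 512 = 2097664."""
    return (hdr["payload_offset"] + 1) * SECTOR


def dd_command(path, hdr, out="file-cut"):
    """The dd line that extracts exactly that prefix."""
    return f"dd if={path} of={out} bs={SECTOR} count={hdr['payload_offset'] + 1}"


def build_sample_header(version=1, payload_offset=4096):
    """Constructed header for demonstration only (not from a real volume):
    aes-xts-plain64, sha256, 512-bit key, key slot 0 active at sector 8."""
    fixed = _PHDR.pack(LUKS_MAGIC, version, b"aes", b"xts-plain64", b"sha256",
                       payload_offset, 64, b"\x00" * 20, b"\x00" * 32, 1000,
                       b"00000000-0000-0000-0000-000000000000")
    slot0 = _KEYSLOT.pack(LUKS_KEY_ENABLED, 150000, b"\x11" * 32, 8, 4000)
    empty = _KEYSLOT.pack(LUKS_KEY_DISABLED, 0, b"\x00" * 32, 0, 0)
    return fixed + slot0 + empty * 7


if __name__ == "__main__":
    hdr = parse_luks1_header(build_sample_header())
    print(hdr["cipher_name"], hdr["cipher_mode"], hdr["hash_spec"])
    print(hashcat_input_length(hdr))      # 2097664
    print(dd_command("file", hdr))        # dd if=file of=file-cut bs=512 count=4097
```

On a real device read the first 592 bytes (open(path, "rb").read(592)) and feed them to parse_luks1_header(); the iteration counts in the slots tell you up front how slow each guess will be.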

WordPress password hashes

WordPress uses the phpass portable hash ($P$...); the code is the HashPassword function in ./wp-includes/class-phpass.php. hashcat mode 400. Quote the hash so the shell does not expand $P:

hashcat -a 3 -m 400 --force '$P$BYEYcHEj3vDhV1lwGBv6rpxurKOEWY/' ?d?d?d?d?d?d

Discuz user password hashes

Discuz stores md5(md5($pass).$salt), which is hashcat mode 2611 (listed as vBulletin < v3.8.5, the same construction). The input format is hash:salt, with the salt after the colon (empty in this example):

hashcat -a 3 -m 2611 --force 14e1b600b1fd579f47433b88e8d85291: ?d?d?d?d?d?d

RAR archive passwords

First extract the hash with rar2john from John the Ripper:

> rar2john 1.rar
1.rar:$rar5$16$639e9ce8344c680da12e8bdd4346a6a3$15$a2b056a21a9836d8d48c2844d171b73d$8$04a52d2224ad082e

Then crack it with hashcat, dropping the "1.rar:" file-name prefix and quoting the hash:

hashcat -a 3 -m 13000 --force '$rar5$16$639e9ce8344c680da12e8bdd4346a6a3$15$a2b056a21a9836d8d48c2844d171b73d$8$04a52d2224ad082e' ?d?d?d?d?d?d

Note the two RAR formats:

-m value  Type  Example hash
12500  RAR3-hp  $RAR3$*0*45109af8ab5f297a*adbf6c5385d7a40373e8f77d7b89d317
13000  RAR5  $rar5$16$74575567518807622265582327032280$15$f8b4064de34ac02ecabfe

ZIP archive passwords

First extract the hash from the ZIP file with zip2john:

> zip2john.exe 1.zip
1.zip:$zip2$*0*3*0*554bb43ff71cb0cac76326f292119dfd*ff23*5*24b28885ee*d4fe362bb1e91319ab53*$/zip2$:::::1.zip-1.txt

Then crack it with hashcat (mode 13600, WinZip AES), keeping only the part from $zip2$ to $/zip2$ and quoting it:

hashcat -a 3 -m 13600 '$zip2$*0*3*0*554bb43ff71cb0cac76326f292119dfd*ff23*5*24b28885ee*d4fe362bb1e91319ab53*$/zip2$' --force ?d?d?d?d?d?d

A ZIP protected with legacy ZipCrypto yields a $pkzip2$ line instead, which needs the PKZIP modes (17200 and related) rather than 13600.

Office document passwords

First extract the hash from the document with office2john.py:

> python office2john.py 11.docx
11.docx:$office$*2013*100000*256*16*e4a3eb62e8d3576f861f9eded75e0525*9eeb35f0849a7800d48113440b4bbb9c*577f8d8b2e1c5f60fed76e62327b38d28f25230f6c7dfd66588d9ca8097aabb9

Then crack it with hashcat. The version field after $office$ selects the mode: 2007 is 9400, 2010 is 9500, 2013 is 9600 (here 2013, with a spin count of 100000 iterations per guess):

hashcat -a 3 -m 9600 '$office$*2013*100000*256*16*e4a3eb62e8d3576f861f9eded75e0525*9eeb35f0849a7800d48113440b4bbb9c*577f8d8b2e1c5f60fed76e62327b38d28f25230f6c7dfd66588d9ca8097aabb9' --force ?d?d?d?d?d?d

KeePass databases

First extract the hash from the .kdbx file with keepass2john:

> keepass2john.exe .\clients.kdbx
clients:$keepass$*2*9090908*0*f7d1170d7371a17281aa3f2a26c7388ca5725c21fcbc29d2ace56292eff8eb79*da67f7ac407dca58cbdf4470f411f0f816b93e09e691cc4fbe0d9ce4acaa28c0*706a344c94d1eb4d7e356d67c6b3189b*ef40e4466434309c67248c2ad1e6bb0d4319447268f862c53a196e4ca12e29a0*7ff7758edbc9b8cde051228494e36af1edd750edc398e84422268956dc942876

The first two fields after $keepass$ are the database version (2) and the key-transformation round count (9090908 here, which makes every guess expensive). Then crack it with hashcat (mode 13400), dropping the "clients:" prefix (or keeping it with --username) and quoting the hash:

hashcat -a 3 -m 13400 '$keepass$*2*9090908*0*f7d1170d7371a17281aa3f2a26c7388ca5725c21fcbc29d2ace56292eff8eb79*da67f7ac407dca58cbdf4470f411f0f816b93e09e691cc4fbe0d9ce4acaa28c0*706a344c94d1eb4d7e356d67c6b3189b*ef40e4466434309c67248c2ad1e6bb0d4319447268f862c53a196e4ca12e29a0*7ff7758edbc9b8cde051228494e36af1edd750edc398e84422268956dc942876' --force ?d?d?d?d

NetNTLMv2 password cracking

An NTLMSSP exchange consists of three messages: Negotiate (type 1), Challenge (type 2) and Authenticate (type 3).

Capture the traffic and locate the NTLMSSP messages (the Challenge and Authenticate are the ones that matter). The pieces are assembled into a hash of the form

username::domain:ServerChallenge:NTproofstring:modifiedntlmv2response

where ServerChallenge is the 8-byte challenge from the type 2 message, NTproofstring is the first 16 bytes of the NtChallengeResponse in the type 3 message and modifiedntlmv2response is the rest of that NtChallengeResponse (the NTLMv2 client blob).

When the messages travel over HTTP (Authorization: NTLM ... and WWW-Authenticate: NTLM ... headers, as in this capture, whose target is HTTP/192.168.0.1) they are base64 encoded and can be pasted straight into a script that assembles the hash. The one below uses scapy's NTLM dissector (scapy 2.5 or newer):

import base64
from scapy.layers import ntlm

# base64 NTLMSSP messages copied from the capture: type 3 (Authenticate) and type 2 (Challenge)
auth_b64 = 'TlRMTVNTUAADAAAAGAAYAIIAAABYAVgBmgAAABIAEgBYAAAACAAIAGoAAAAQABAAcgAAABAAEADyAQAAFYKI4goAYUoAAAAPVS6RhfnytMqt5hsgL2wgnFcASQBEAEcARQBUAEwATABDAGoAYQBjAGsAQwBMAEkARQBOAFQAMAAxAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC0dJFcrFf5UQENDHFmWXTABAQAAAAAAAAQNlisC7dkB5plBR9ajSvIAAAAAAgASAFcASQBEAEcARQBUAEwATABDAAEACABEAEMAMAAxAAQAJABXAGkAZABnAGUAdABMAEwAQwAuAEkAbgB0AGUAcgBuAGEAbAADAC4ARABDADAAMQAuAFcAaQBkAGcAZQB0AEwATABDAC4ASQBuAHQAZQByAG4AYQBsAAUAJABXAGkAZABnAGUAdABMAEwAQwAuAEkAbgB0AGUAcgBuAGEAbAAHAAgABA2WKwLt2QEGAAQAAgAAAAgAMAAwAAAAAAAAAAAAAAAAMAAAB4zcUgkQdiJn5ASItgAyg1xqN2BNHpvj7O5YgC+1+RUKABAAAAAAAAAAAAAAAAAAAAAAAAkAIABIAFQAVABQAC8AMQA5ADIALgAxADYAOAAuADAALgAxAAAAAAAAAAAAlbkMmv5SCuQVUPyZtIn4uA=='
chal_b64 = 'TlRMTVNTUAACAAAAEgASADgAAAAVgoniKvcbXKckYmgAAAAAAAAAALQAtABKAAAACgA5OAAAAA9XAEkARABHAEUAVABMAEwAQwACABIAVwBJAEQARwBFAFQATABMAEMAAQAIAEQAQwAwADEABAAkAFcAaQBkAGcAZQB0AEwATABDAC4ASQBuAHQAZQByAG4AYQBsAAMALgBEAEMAMAAxAC4AVwBpAGQAZwBlAHQATABMAEMALgBJAG4AdABlAHIAbgBhAGwABQAkAFcAaQBkAGcAZQB0AEwATABDAC4ASQBuAHQAZQByAG4AYQBsAAcACAAEDZYrAu3ZAQAAAAA='

auth_bytes = base64.b64decode(auth_b64)
chal_bytes = base64.b64decode(chal_b64)

# NTLM_Header dispatches on the message type to the matching NTLMSSP message class
auth = ntlm.NTLM_Header(auth_bytes)
chal = ntlm.NTLM_Header(chal_bytes)

# the variable-length fields (user, domain, responses) live in the Payload list
payload = dict(auth.Payload)
nt_response = payload['NtChallengeResponse']

# hashcat -m 5600 line: user::domain:ServerChallenge:NTProofStr:rest of the NTLMv2 response
netntlmv2 = (f"{payload['UserName']}::{payload['DomainName']}:"
             f"{chal.ServerChallenge.hex()}:"
             f"{nt_response.NTProofStr.hex()}:"
             f"{nt_response.original[16:].hex()}")   # everything after the 16-byte NTProofStr
print(netntlmv2)

Which gives, for example

jack::WIDGETLLC:2af71b5ca7246268:2d1d24572b15fe544043431c59965d30:0101000000000000040d962b02edd901e6994147d6a34af200000000020012005700490044004700450054004c004c004300010008004400430030003100040024005700690064006700650074004c004c0043002e0049006e007400650072006e0061006c0003002e0044004300300031002e005700690064006700650074004c004c0043002e0049006e007400650072006e0061006c00050024005700690064006700650074004c004c0043002e0049006e007400650072006e0061006c0007000800040d962b02edd90106000400020000000800300030000000000000000000000000300000078cdc520910762267e40488b60032835c6a37604d1e9be3ecee58802fb5f9150a001000000000000000000000000000000000000900200048005400540050002f003100390032002e003100360038002e0030002e0031000000000000000000

Then crack it with john or hashcat; the hashcat mode is 5600 (hash.txt holds the line above, table.txt is the wordlist):

hashcat -m 5600 hash.txt table.txt

Reference: https://www.jianshu.com/p/45b85006641a
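A dependency-free version of the same assembly, as an added example that is not from this page, the linked reference or scapy: it parses the two NTLMSSP messages with the fixed MS-NLMP field layout (struct), checks the signature, message type and UNICODE flag, and refuses an NTLMv1-sized response, which would belong to -m 5500 instead. The two base64 messages are the ones from the capture above; the latin-1 fallback for non-Unicode strings is an assumption, since the real OEM code page depends on the system.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001

# the same two NTLMSSP messages as in the capture above (type 2 and type 3)
CHAL_B64 = "TlRMTVNTUAACAAAAEgASADgAAAAVgoniKvcbXKckYmgAAAAAAAAAALQAtABKAAAACgA5OAAAAA9XAEkARABHAEUAVABMAEwAQwACABIAVwBJAEQARwBFAFQATABMAEMAAQAIAEQAQwAwADEABAAkAFcAaQBkAGcAZQB0AEwATABDAC4ASQBuAHQAZQByAG4AYQBsAAMALgBEAEMAMAAxAC4AVwBpAGQAZwBlAHQATABMAEMALgBJAG4AdABlAHIAbgBhAGwABQAkAFcAaQBkAGcAZQB0AEwATABDAC4ASQBuAHQAZQByAG4AYQBsAAcACAAEDZYrAu3ZAQAAAAA="
AUTH_B64 = "TlRMTVNTUAADAAAAGAAYAIIAAABYAVgBmgAAABIAEgBYAAAACAAIAGoAAAAQABAAcgAAABAAEADyAQAAFYKI4goAYUoAAAAPVS6RhfnytMqt5hsgL2wgnFcASQBEAEcARQBUAEwATABDAGoAYQBjAGsAQwBMAEkARQBOAFQAMAAxAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC0dJFcrFf5UQENDHFmWXTABAQAAAAAAAAQNlisC7dkB5plBR9ajSvIAAAAAAgASAFcASQBEAEcARQBUAEwATABDAAEACABEAEMAMAAxAAQAJABXAGkAZABnAGUAdABMAEwAQwAuAEkAbgB0AGUAcgBuAGEAbAADAC4ARABDADAAMQAuAFcAaQBkAGcAZQB0AEwATABDAC4ASQBuAHQAZQByAG4AYQBsAAUAJABXAGkAZABnAGUAdABMAEwAQwAuAEkAbgB0AGUAcgBuAGEAbAAHAAgABA2WKwLt2QEGAAQAAgAAAAgAMAAwAAAAAAAAAAAAAAAAMAAAB4zcUgkQdiJn5ASItgAyg1xqN2BNHpvj7O5YgC+1+RUKABAAAAAAAAAAAAAAAAAAAAAAAAkAIABIAFQAVABQAC8AMQA5ADIALgAxADYAOAAuADAALgAxAAAAAAAAAAAAlbkMmv5SCuQVUPyZtIn4uA=="


def _check_header(buf, expected_type):
    if buf[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    msg_type = struct.unpack_from("<I", buf, 8)[0]
    if msg_type != expected_type:
        raise ValueError(f"expected NTLMSSP message type {expected_type}, got {msg_type}")


def _field(buf, at):
    """Read a (Len, MaxLen, Offset) descriptor at `at` and return the bytes it points to."""
    length, _max_len, offset = struct.unpack_from("<HHI", buf, at)
    if offset + length > len(buf):
        raise ValueError("field points past the end of the message")
    return buf[offset:offset + length]


def parse_challenge(buf):
    """CHALLENGE_MESSAGE (type 2): NegotiateFlags at 20, ServerChallenge at 24..31."""
    _check_header(buf, 2)
    flags = struct.unpack_from("<I", buf, 20)[0]
    return {"flags": flags, "server_challenge": buf[24:32]}


def parse_authenticate(buf):
    """AUTHENTICATE_MESSAGE (type 3): six field descriptors from offset 12, flags at 60."""
    _check_header(buf, 3)
    flags = struct.unpack_from("<I", buf, 60)[0]
    # strings are UTF-16LE when NTLMSSP_NEGOTIATE_UNICODE is set; the OEM code page
    # is system dependent, latin-1 is only an assumption for this example
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    return {
        "flags": flags,
        "lm_response": _field(buf, 12),
        "nt_response": _field(buf, 20),
        "domain": _field(buf, 28).decode(enc),
        "user": _field(buf, 36).decode(enc),
        "workstation": _field(buf, 44).decode(enc),
    }


def parse_messages(chal_b64, auth_b64):
    """Decode both base64 messages and return (challenge, authenticate) dicts."""
    return (parse_challenge(base64.b64decode(chal_b64)),
            parse_authenticate(base64.b64decode(auth_b64)))


def netntlmv2_line(chal_b64, auth_b64):
    """Assemble the hashcat -m 5600 line
    user::domain:ServerChallenge:NTProofStr:rest_of_NTLMv2_RESPONSE."""
    chal, auth = parse_messages(chal_b64, auth_b64)
    nt = auth["nt_response"]
    if len(nt) == 24:
        # a 24-byte NtChallengeResponse is NTLMv1 (DES based): that is -m 5500, not 5600
        raise ValueError("NTLMv1 response: use the NetNTLMv1 format instead")
    if len(nt) < 48:
        # NTProofStr (16) + the minimum NTLMv2_CLIENT_CHALLENGE blob (32)
        raise ValueError("NtChallengeResponse too short for NTLMv2")
    nt_proof_str, blob = nt[:16], nt[16:]
    return ":".join([auth["user"], "", auth["domain"],
                     chal["server_challenge"].hex(), nt_proof_str.hex(), blob.hex()])


if __name__ == "__main__":
    print(netntlmv2_line(CHAL_B64, AUTH_B64))
```

The NTProofStr is HMAC-MD5 over the server challenge and the blob, keyed with HMAC-MD5(NT hash, upper(user) + domain); that is what hashcat recomputes per candidate, which is why the user and domain fields in the line have to be exactly what the client sent.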

CRC32

hashcat mode 11500 takes its input as crc32:salt, with 00000000 as the "salt" for a plain CRC32. For example, if the CRC is eb32038d and the original value is four printable characters:

hashcat -m 11500 -a 3 eb32038d:00000000 '?a?a?a?a-'

(The trailing - in that mask is a literal, so as written it tries five-character candidates ending in a hyphen; drop it if the plaintext really is only four characters.) A custom charset works too, for example digits only:

hashcat -m 11500 -a 3 -1 '0123456789' 0972d361:00000000 '?1?1?1?1?1?1'

CRC32 is a 32-bit checksum, not a hash: once the keyspace approaches 2^32 candidates you should expect several different inputs to match the same value, so run with --keep-guessing and look at all matches instead of trusting the first one.

WiFi (WPA/WPA2) passwords

First convert the captured handshake into hashcat's input format.

Current 5.x releases of hashcat accept only the hccapx format for -m 2500; the older hccap format is no longer supported. The conversion can be done with https://hashcat.net/cap2hccapx/ or the cap2hccapx tool from hashcat-utils. Since hashcat 6.0 the hccapx modes 2500/16800 are themselves deprecated in favour of -m 22000 (WPA-PBKDF2-PMKID+EAPOL), which takes the hc22000 text format produced by hcxpcapngtool from hcxtools.

hashcat -a 3 -m 2500 1.hccapx 1391040?d?d?d?d

The mask here is an 11-digit Chinese mobile number with a fixed 1391040 prefix. WPA passphrases are at least 8 characters long, so masks shorter than that are wasted.

Harvesting hashes from a packet capture

ettercap can read a capture file offline and run its protocol dissectors over it, printing any credentials and challenge/response hashes it recognizes:

ettercap -Tqr ospf.pcapng

(-T text interface, -q quiet, -r read from the given pcap/pcapng file instead of sniffing live.)

Usage tips

  1. To see hashes that were already cracked, run the same command with --show, e.g. hashcat64.exe -m <mode> hash.txt --show; --show reads the potfile and needs the same -m and hash file.

  2. Every cracked hash is recorded in hashcat.potfile (in the hashcat directory, or under ~/.local/share/hashcat/ for a packaged Linux install). A hash already in the potfile is skipped on later runs unless --potfile-disable is given.

  3. During a long run press s to show the status, p to pause, r to resume and q to quit (b bypasses the current dictionary or mask, c writes a checkpoint at the next restore point).

  4. On GPUs, -O enables the optimized kernels (much faster, but with a shorter maximum password length) and -w 3 raises the workload profile.

  5. Cracking blindly burns time and hardware. A sensible order is:

    1. Run the common weak-password wordlists first.
    2. Try combinations, e.g. zhang1999 (surname + birth year); this is just one example of a combination pattern.
    3. Collect your usual mask combinations in a .hcmask file (hashcat ships some under masks/) and pass the file as the mask argument so they run one after another.
    4. As a last resort, brute-force every combination at short lengths only; do not push to long lengths, because if the target password is complex you will spend a great deal of time and compute and still come up empty.
  6. Performance tuning

    1. Workload tuning

      The old --gpu-accel option (values 1, 8, 40, 80, 160) is now -n / --kernel-accel; the usual way to get full GPU throughput today is the workload profile -w (1 low .. 4 nightmare):

      hashcat -w 3 -a 0 -m 0 hash.txt wordlist.txt
    2. Kernel loops

      --gpu-loops is now -u / --kernel-loops; the supported range is 1-1024 (some algorithms cap it lower):

      --kernel-loops 1024
    3. Segment size (wordlist cache)

      --segment-size sets, in MB, how much of the wordlist is read into memory at a time; the default is about 32 MB. Raise it if RAM allows, since a larger segment means fewer reads from disk:

      --segment-size 512
  7. An unfamiliar hash can be identified with hash-identifier <hash>; recent hashcat (6.2 and later) can also try itself with hashcat --identify hash.txt.

  8. For the exact input format of a hash mode, run hashcat -m 0 --hash-info (--example-hashes on 5.x); that command prints the format and an example hash for raw MD5.