hashcat 使用笔记

发表于 2022-02-23 更新于 2024-04-28 本文字数： 20k 阅读时长 ≈ 18 分钟

hashcat 的使用笔记

Hashcat 简述

Hashcat 是自称世界上最快的密码恢复工具。

在 Debian 系的 Linux 中可以使用 apt install hashcat 获取。

也可以在 github 官方页面中获取更多信息：https://github.com/hashcat/hashcat

支持 hashcat 的散列算法有 Microsoft LM 哈希，MD4，MD5，SHA系列，Unix 加密格式，MySQL 和 Cisco PIX 等。

同时也支持多种计算核心：GPU、CPU、APU、DSP、FPGA、Coprocessor

常用参数

参数	作用
-m	指定哈希类型，不指定默认为 md5
-a	指定破解模式
-V	查看版本信息
-o	将输出结果储存到指定文件
--force	忽略警告
--show	仅显示破解的hash密码和对应的明文
--remove	从源文件中删除破解成功的hash
--username	忽略hash表中的用户名
-b	测试计算机破解速度和相关硬件信息
-O	限制密码长度
-T	设置线程数
-r	使用规则文件
-1 / -2 / -3	自定义字符集
-i	启用增量破解模式
--increment-min	设置密码最小长度
--increment-max	设置密码最大长度
--hash-info	展示对应哈希模式的示例

-a 破解模式

-a 参数	攻击模式
0	Straight（字段破解）
1	Combination（组合破解）
3	Brute-force（掩码暴力破解）
6	Hybrid Wordlist + Mask（字典+掩码破解）
7	Hybrid Mask + Wordlist（掩码+字典破解）

掩码字符集

掩码字符集	指代
?l	代表小写字母 `abcdefghijklmnopqrstuvwxyz [a-z]`
?u	代表大写字母 `ABCDEFGHIJKLMNOPQRSTUVWXYZ [A-Z]`
?d	代表数字 `0123456789 [0-9]`
?h	小写十六进制字符 `0123456789abcdef [0-9a-f]`
?H	大写十六进制字符 `0123456789ABCDEF [0-9A-F]`
?s	代表特殊字符，包括空格 !"#$%&'()*+,-./:;<=>?@[\]^_`{
?a	代表大小写字母、数字以及特殊字符 `?l?u?d?s`
?b	0x00 - 0xff

同时支持自定义字符集，即
1
hashcat -1 abc123 ?1?1?1

hash id 对照表

-m 参数	Name	Category
900	`MD4`	Raw Hash
0	`MD5`	Raw Hash
5100	`Half MD5`	Raw Hash
100	`SHA1`	Raw Hash
1300	`SHA2-224`	Raw Hash
1400	`SHA2-256`	Raw Hash
10800	`SHA2-384`	Raw Hash
1700	`SHA2-512`	Raw Hash
17300	`SHA3-224`	Raw Hash
17400	`SHA3-256`	Raw Hash
17500	`SHA3-384`	Raw Hash
17600	`SHA3-512`	Raw Hash
17700	`Keccak-224`	Raw Hash
17800	`Keccak-256`	Raw Hash
17900	`Keccak-384`	Raw Hash
18000	`Keccak-512`	Raw Hash
600	`BLAKE2b-512`	Raw Hash
10100	`SipHash`	Raw Hash
6000	`RIPEMD-160`	Raw Hash
6100	`Whirlpool`	Raw Hash
6900	`GOST R 34.11-94`	Raw Hash
11700	`GOST R 34.11-2012 (Streebog) 256-bit, big-endian`	Raw Hash
11800	`GOST R 34.11-2012 (Streebog) 512-bit, big-endian`	Raw Hash
10	`md5($pass.$salt)`	Raw Hash, Salted and/or Iterated
20	`md5($salt.$pass)`	Raw Hash, Salted and/or Iterated
30	`md5(utf16le($pass).$salt)`	Raw Hash, Salted and/or Iterated
40	`md5($salt.utf16le($pass))`	Raw Hash, Salted and/or Iterated
3800	`md5($salt.$pass.$salt)`	Raw Hash, Salted and/or Iterated
3710	`md5($salt.md5($pass))`	Raw Hash, Salted and/or Iterated
4010	`md5($salt.md5($salt.$pass))`	Raw Hash, Salted and/or Iterated
4110	`md5($salt.md5($pass.$salt))`	Raw Hash, Salted and/or Iterated
2600	`md5(md5($pass))`	Raw Hash, Salted and/or Iterated
3910	`md5(md5($pass).md5($salt))`	Raw Hash, Salted and/or Iterated
4300	`md5(strtoupper(md5($pass)))`	Raw Hash, Salted and/or Iterated
4400	`md5(sha1($pass))`	Raw Hash, Salted and/or Iterated
110	`sha1($pass.$salt)`	Raw Hash, Salted and/or Iterated
120	`sha1($salt.$pass)`	Raw Hash, Salted and/or Iterated
130	`sha1(utf16le($pass).$salt)`	Raw Hash, Salted and/or Iterated
140	`sha1($salt.utf16le($pass))`	Raw Hash, Salted and/or Iterated
4500	`sha1(sha1($pass))`	Raw Hash, Salted and/or Iterated
4520	`sha1($salt.sha1($pass))`	Raw Hash, Salted and/or Iterated
4700	`sha1(md5($pass))`	Raw Hash, Salted and/or Iterated
4900	`sha1($salt.$pass.$salt)`	Raw Hash, Salted and/or Iterated
14400	`sha1(CX)`	Raw Hash, Salted and/or Iterated
1410	`sha256($pass.$salt)`	Raw Hash, Salted and/or Iterated
1420	`sha256($salt.$pass)`	Raw Hash, Salted and/or Iterated
1430	`sha256(utf16le($pass).$salt)`	Raw Hash, Salted and/or Iterated
1440	`sha256($salt.utf16le($pass))`	Raw Hash, Salted and/or Iterated
1710	`sha512($pass.$salt)`	Raw Hash, Salted and/or Iterated
1720	`sha512($salt.$pass)`	Raw Hash, Salted and/or Iterated
1730	`sha512(utf16le($pass).$salt)`	Raw Hash, Salted and/or Iterated
1740	`sha512($salt.utf16le($pass))`	Raw Hash, Salted and/or Iterated
50	`HMAC-MD5 (key = $pass)`	Raw Hash, Authenticated
60	`HMAC-MD5 (key = $salt)`	Raw Hash, Authenticated
150	`HMAC-SHA1 (key = $pass)`	Raw Hash, Authenticated
160	`HMAC-SHA1 (key = $salt)`	Raw Hash, Authenticated
1450	`HMAC-SHA256 (key = $pass)`	Raw Hash, Authenticated
1460	`HMAC-SHA256 (key = $salt)`	Raw Hash, Authenticated
1750	`HMAC-SHA512 (key = $pass)`	Raw Hash, Authenticated
1760	`HMAC-SHA512 (key = $salt)`	Raw Hash, Authenticated
11750	`HMAC-Streebog-256 (key = $pass), big-endian`	Raw Hash, Authenticated
11760	`HMAC-Streebog-256 (key = $salt), big-endian`	Raw Hash, Authenticated
11850	`HMAC-Streebog-512 (key = $pass), big-endian`	Raw Hash, Authenticated
11860	`HMAC-Streebog-512 (key = $salt), big-endian`	Raw Hash, Authenticated
14000	`DES (PT = $salt, key = $pass)`	Raw Cipher, Known-Plaintext attack
14100	`3DES (PT = $salt, key = $pass)`	Raw Cipher, Known-Plaintext attack
14900	`Skip32 (PT = $salt, key = $pass)`	Raw Cipher, Known-Plaintext attack
15400	`ChaCha20`	Raw Cipher, Known-Plaintext attack
400	`phpass`	Generic KDF
8900	`scrypt`	Generic KDF
11900	`PBKDF2-HMAC-MD5`	Generic KDF
12000	`PBKDF2-HMAC-SHA1`	Generic KDF
10900	`PBKDF2-HMAC-SHA256`	Generic KDF
12100	`PBKDF2-HMAC-SHA512`	Generic KDF
23	`Skype`	Network Protocols
2500	`WPA-EAPOL-PBKDF2`	Network Protocols
2501	`WPA-EAPOL-PMK`	Network Protocols
16800	`WPA-PMKID-PBKDF2`	Network Protocols
16801	`WPA-PMKID-PMK`	Network Protocols
4800	`iSCSI CHAP authentication, MD5(CHAP)`	Network Protocols
5300	`IKE-PSK MD5`	Network Protocols
5400	`IKE-PSK SHA1`	Network Protocols
5500	`NetNTLMv1`	Network Protocols
5500	`NetNTLMv1+ESS`	Network Protocols
5600	`NetNTLMv2`	Network Protocols
7300	`IPMI2 RAKP HMAC-SHA1`	Network Protocols
7500	`Kerberos 5 AS-REQ Pre-Auth etype 23`	Network Protocols
8300	`DNSSEC (NSEC3)`	Network Protocols
10200	`CRAM-MD5`	Network Protocols
11100	`PostgreSQL CRAM (MD5)`	Network Protocols
11200	`MySQL CRAM (SHA1)`	Network Protocols
11400	`SIP digest authentication (MD5)`	Network Protocols
13100	`Kerberos 5 TGS-REP etype 23`	Network Protocols
16100	`TACACS+`	Network Protocols
16500	`JWT (JSON Web Token)`	Network Protocols
18200	`Kerberos 5 AS-REP etype 23`	Network Protocols
121	`SMF (Simple Machines Forum) > v1.1`	Forums, CMS, E-Commerce, Frameworks
400	`phpBB3 (MD5)`	Forums, CMS, E-Commerce, Frameworks
2611	`vBulletin < v3.8.5`	Forums, CMS, E-Commerce, Frameworks
2711	`vBulletin >= v3.8.5`	Forums, CMS, E-Commerce, Frameworks
2811	`MyBB 1.2+`	Forums, CMS, E-Commerce, Frameworks
2811	`IPB2+ (Invision Power Board)`	Forums, CMS, E-Commerce, Frameworks
8400	`WBB3 (Woltlab Burning Board)`	Forums, CMS, E-Commerce, Frameworks
11	`Joomla < 2.5.18`	Forums, CMS, E-Commerce, Frameworks
400	`Joomla >= 2.5.18 (MD5)`	Forums, CMS, E-Commerce, Frameworks
400	`WordPress (MD5)`	Forums, CMS, E-Commerce, Frameworks
2612	`PHPS`	Forums, CMS, E-Commerce, Frameworks
7900	`Drupal7`	Forums, CMS, E-Commerce, Frameworks
21	`osCommerce`	Forums, CMS, E-Commerce, Frameworks
21	`xt:Commerce`	Forums, CMS, E-Commerce, Frameworks
11000	`PrestaShop`	Forums, CMS, E-Commerce, Frameworks
124	`Django (SHA-1)`	Forums, CMS, E-Commerce, Frameworks
10000	`Django (PBKDF2-SHA256)`	Forums, CMS, E-Commerce, Frameworks
16000	`Tripcode`	Forums, CMS, E-Commerce, Frameworks
3711	`MediaWiki B type`	Forums, CMS, E-Commerce, Frameworks
13900	`OpenCart`	Forums, CMS, E-Commerce, Frameworks
4521	`Redmine`	Forums, CMS, E-Commerce, Frameworks
4522	`PunBB`	Forums, CMS, E-Commerce, Frameworks
12001	`Atlassian (PBKDF2-HMAC-SHA1)`	Forums, CMS, E-Commerce, Frameworks
12	`PostgreSQL`	Database Server
131	`MSSQL (2000)`	Database Server
132	`MSSQL (2005)`	Database Server
1731	`MSSQL (2012, 2014)`	Database Server
200	`MySQL323`	Database Server
300	`MySQL4.1/MySQL5`	Database Server
3100	`Oracle H: Type (Oracle 7+)`	Database Server
112	`Oracle S: Type (Oracle 11+)`	Database Server
12300	`Oracle T: Type (Oracle 12+)`	Database Server
8000	`Sybase ASE`	Database Server
141	`Episerver 6.x < .NET 4`	HTTP, SMTP, LDAP Server
1441	`Episerver 6.x >= .NET 4`	HTTP, SMTP, LDAP Server
1600	`Apache $apr1$ MD5, md5apr1, MD5 (APR)`	HTTP, SMTP, LDAP Server
12600	`ColdFusion 10+`	HTTP, SMTP, LDAP Server
1421	`hMailServer`	HTTP, SMTP, LDAP Server
101	`nsldap, SHA-1(Base64), Netscape LDAP SHA`	HTTP, SMTP, LDAP Server
111	`nsldaps, SSHA-1(Base64), Netscape LDAP SSHA`	HTTP, SMTP, LDAP Server
1411	`SSHA-256(Base64), LDAP {SSHA256}`	HTTP, SMTP, LDAP Server
1711	`SSHA-512(Base64), LDAP {SSHA512}`	HTTP, SMTP, LDAP Server
16400	`CRAM-MD5 Dovecot`	HTTP, SMTP, LDAP Server
15000	`FileZilla Server >= 0.9.55`	FTP Server
11500	`CRC32`	Checksums
3000	`LM`	Operating Systems
1000	`NTLM`	Operating Systems
1100	`Domain Cached Credentials (DCC), MS Cache`	Operating Systems
2100	`Domain Cached Credentials 2 (DCC2), MS Cache 2`	Operating Systems
15300	`DPAPI masterkey file v1`	Operating Systems
15900	`DPAPI masterkey file v2`	Operating Systems
12800	`MS-AzureSync PBKDF2-HMAC-SHA256`	Operating Systems
1500	`descrypt, DES (Unix), Traditional DES`	Operating Systems
12400	`BSDi Crypt, Extended DES`	Operating Systems
500	`md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)`	Operating Systems
3200	`bcrypt $2*$, Blowfish (Unix)`	Operating Systems
7400	`sha256crypt $5$, SHA256 (Unix)`	Operating Systems
1800	`sha512crypt $6$, SHA512 (Unix)`	Operating Systems
122	`macOS v10.4, MacOS v10.5, MacOS v10.6`	Operating Systems
1722	`macOS v10.7`	Operating Systems
7100	`macOS v10.8+ (PBKDF2-SHA512)`	Operating Systems
6300	`AIX {smd5}`	Operating Systems
6700	`AIX {ssha1}`	Operating Systems
6400	`AIX {ssha256}`	Operating Systems
6500	`AIX {ssha512}`	Operating Systems
2400	`Cisco-PIX MD5`	Operating Systems
2410	`Cisco-ASA MD5`	Operating Systems
500	`Cisco-IOS $1$ (MD5)`	Operating Systems
5700	`Cisco-IOS type 4 (SHA256)`	Operating Systems
9200	`Cisco-IOS $8$ (PBKDF2-SHA256)`	Operating Systems
9300	`Cisco-IOS $9$ (scrypt)`	Operating Systems
22	`Juniper NetScreen/SSG (ScreenOS)`	Operating Systems
501	`Juniper IVE`	Operating Systems
15100	`Juniper/NetBSD sha1crypt`	Operating Systems
7000	`FortiGate (FortiOS)`	Operating Systems
5800	`Samsung Android Password/PIN`	Operating Systems
13800	`Windows Phone 8+ PIN/password`	Operating Systems
8100	`Citrix NetScaler`	Operating Systems
8500	`RACF`	Operating Systems
7200	`GRUB 2`	Operating Systems
9900	`Radmin2`	Operating Systems
125	`ArubaOS`	Operating Systems
7700	`SAP CODVN B (BCODE)`	Enterprise Application Software (EAS)
7701	`SAP CODVN B (BCODE) via RFC_READ_TABLE`	Enterprise Application Software (EAS)
7800	`SAP CODVN F/G (PASSCODE)`	Enterprise Application Software (EAS)
7801	`SAP CODVN F/G (PASSCODE) via RFC_READ_TABLE`	Enterprise Application Software (EAS)
10300	`SAP CODVN H (PWDSALTEDHASH) iSSHA-1`	Enterprise Application Software (EAS)
8600	`Lotus Notes/Domino 5`	Enterprise Application Software (EAS)
8700	`Lotus Notes/Domino 6`	Enterprise Application Software (EAS)
9100	`Lotus Notes/Domino 8`	Enterprise Application Software (EAS)
133	`PeopleSoft`	Enterprise Application Software (EAS)
13500	`PeopleSoft PS_TOKEN`	Enterprise Application Software (EAS)
11600	`7-Zip`	Archives
12500	`RAR3-hp`	Archives
13000	`RAR5`	Archives
13200	`AxCrypt`	Archives
13300	`AxCrypt in-memory SHA1`	Archives
13600	`WinZip`	Archives
14700	`iTunes backup < 10.0`	Backup
14800	`iTunes backup >= 10.0`	Backup
62XY	`TrueCrypt`	Full-Disk Encryption (FDE)
X	`1 = PBKDF2-HMAC-RIPEMD160`	Full-Disk Encryption (FDE)
X	`2 = PBKDF2-HMAC-SHA512`	Full-Disk Encryption (FDE)
X	`3 = PBKDF2-HMAC-Whirlpool`	Full-Disk Encryption (FDE)
X	`4 = PBKDF2-HMAC-RIPEMD160 + boot-mode`	Full-Disk Encryption (FDE)
Y	`1 = XTS 512 bit pure AES`	Full-Disk Encryption (FDE)
Y	`1 = XTS 512 bit pure Serpent`	Full-Disk Encryption (FDE)
Y	`1 = XTS 512 bit pure Twofish`	Full-Disk Encryption (FDE)
Y	`2 = XTS 1024 bit pure AES`	Full-Disk Encryption (FDE)
Y	`2 = XTS 1024 bit pure Serpent`	Full-Disk Encryption (FDE)
Y	`2 = XTS 1024 bit pure Twofish`	Full-Disk Encryption (FDE)
Y	`2 = XTS 1024 bit cascaded AES-Twofish`	Full-Disk Encryption (FDE)
Y	`2 = XTS 1024 bit cascaded Serpent-AES`	Full-Disk Encryption (FDE)
Y	`2 = XTS 1024 bit cascaded Twofish-Serpent`	Full-Disk Encryption (FDE)
Y	`3 = XTS 1536 bit all`	Full-Disk Encryption (FDE)
8800	`Android FDE <= 4.3`	Full-Disk Encryption (FDE)
12900	`Android FDE (Samsung DEK)`	Full-Disk Encryption (FDE)
12200	`eCryptfs`	Full-Disk Encryption (FDE)
137XY	`VeraCrypt`	Full-Disk Encryption (FDE)
X	`1 = PBKDF2-HMAC-RIPEMD160`	Full-Disk Encryption (FDE)
X	`2 = PBKDF2-HMAC-SHA512`	Full-Disk Encryption (FDE)
X	`3 = PBKDF2-HMAC-Whirlpool`	Full-Disk Encryption (FDE)
X	`4 = PBKDF2-HMAC-RIPEMD160 + boot-mode`	Full-Disk Encryption (FDE)
X	`5 = PBKDF2-HMAC-SHA256`	Full-Disk Encryption (FDE)
X	`6 = PBKDF2-HMAC-SHA256 + boot-mode`	Full-Disk Encryption (FDE)
X	`7 = PBKDF2-HMAC-Streebog-512`	Full-Disk Encryption (FDE)
Y	`1 = XTS 512 bit pure AES`	Full-Disk Encryption (FDE)
Y	`1 = XTS 512 bit pure Serpent`	Full-Disk Encryption (FDE)
Y	`1 = XTS 512 bit pure Twofish`	Full-Disk Encryption (FDE)
Y	`1 = XTS 512 bit pure Camellia`	Full-Disk Encryption (FDE)
Y	`1 = XTS 512 bit pure Kuznyechik`	Full-Disk Encryption (FDE)
Y	`2 = XTS 1024 bit pure AES`	Full-Disk Encryption (FDE)
Y	`2 = XTS 1024 bit pure Serpent`	Full-Disk Encryption (FDE)
Y	`2 = XTS 1024 bit pure Twofish`	Full-Disk Encryption (FDE)
Y	`2 = XTS 1024 bit pure Camellia`	Full-Disk Encryption (FDE)
Y	`2 = XTS 1024 bit pure Kuznyechik`	Full-Disk Encryption (FDE)
Y	`2 = XTS 1024 bit cascaded AES-Twofish`	Full-Disk Encryption (FDE)
Y	`2 = XTS 1024 bit cascaded Camellia-Kuznyechik`	Full-Disk Encryption (FDE)
Y	`2 = XTS 1024 bit cascaded Camellia-Serpent`	Full-Disk Encryption (FDE)
Y	`2 = XTS 1024 bit cascaded Kuznyechik-AES`	Full-Disk Encryption (FDE)
Y	`2 = XTS 1024 bit cascaded Kuznyechik-Twofish`	Full-Disk Encryption (FDE)
Y	`2 = XTS 1024 bit cascaded Serpent-AES`	Full-Disk Encryption (FDE)
Y	`2 = XTS 1024 bit cascaded Twofish-Serpent`	Full-Disk Encryption (FDE)
Y	`3 = XTS 1536 bit all`	Full-Disk Encryption (FDE)
14600	`LUKS`	Full-Disk Encryption (FDE)
16700	`FileVault 2`	Full-Disk Encryption (FDE)
18300	`Apple File System (APFS)`	Full-Disk Encryption (FDE)
9700	`MS Office <= 2003 $0/$1, MD5 + RC4`	Documents
9710	`MS Office <= 2003 $0/$1, MD5 + RC4, collider #1`	Documents
9720	`MS Office <= 2003 $0/$1, MD5 + RC4, collider #2`	Documents
9800	`MS Office <= 2003 $3/$4, SHA1 + RC4`	Documents
9810	`MS Office <= 2003 $3, SHA1 + RC4, collider #1`	Documents
9820	`MS Office <= 2003 $3, SHA1 + RC4, collider #2`	Documents
9400	`MS Office 2007`	Documents
9500	`MS Office 2010`	Documents
9600	`MS Office 2013`	Documents
10400	`PDF 1.1 - 1.3 (Acrobat 2 - 4)`	Documents
10410	`PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #1`	Documents
10420	`PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2`	Documents
10500	`PDF 1.4 - 1.6 (Acrobat 5 - 8)`	Documents
10600	`PDF 1.7 Level 3 (Acrobat 9)`	Documents
10700	`PDF 1.7 Level 8 (Acrobat 10 - 11)`	Documents
16200	`Apple Secure Notes`	Documents
9000	`Password Safe v2`	Password Managers
5200	`Password Safe v3`	Password Managers
6800	`LastPass + LastPass sniffed`	Password Managers
6600	`1Password, agilekeychain`	Password Managers
8200	`1Password, cloudkeychain`	Password Managers
11300	`Bitcoin/Litecoin wallet.dat`	Password Managers
12700	`Blockchain, My Wallet`	Password Managers
15200	`Blockchain, My Wallet, V2`	Password Managers
16600	`Electrum Wallet (Salt-Type 1-3)`	Password Managers
13400	`KeePass 1 (AES/Twofish) and KeePass 2 (AES)`	Password Managers
15500	`JKS Java Key Store Private Keys (SHA1)`	Password Managers
15600	`Ethereum Wallet, PBKDF2-HMAC-SHA256`	Password Managers
15700	`Ethereum Wallet, SCRYPT`	Password Managers
16300	`Ethereum Pre-Sale Wallet, PBKDF2-HMAC-SHA256`	Password Managers
16900	`Ansible Vault`	Password Managers
18100	`TOTP (HMAC-SHA1)`	One-Time Passwords
99999	`Plaintext`	Plaintext

实例演示

使用字典进行爆破

1	hashcat -a 0 0192023a7bbd73250516f069df18b500 password.txt --force

使用指定字符集爆破

1	hashcat -a 3 63a9f0ea7bb98050796b649e85481845 ?l?l?l?l --force

使用字典+掩码进行爆破

1	hashcat -a 6 1844156d4166d94387f1a4ad031ca5fa password.txt ?d?d?d --force

使用掩码+字典进行破解

1	hashcat -a 7 f8def8bcecb2e7925a2b42d60d202deb ?d?d password.txt --force

注意 hashcat 优先选择的规则不一样

Mysql4.1/5的 `PASSWORD` 函数

1	hashcat -a 3 -m 300 --force 6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 ?d?d?d?d?d?d

sha512crypt $6$, SHA512 (Unix)破解

可以通过 cat /etc/shadow 获取

1	hashcat -a 3 -m 1800 --force $6$mxuA5cdy$XZRk0CvnPFqOgVopqiPEFAFK72SogKVwwwp7gWaUOb7b6tVwfCpcSUsCEk64ktLLYmzyew/xd0O0hPG/yrm2X. ?l?l?l?l

不需要整理用户名，可以使用 --username 参数

1	hashcat -a 3 -m 1800 --force qiyou:$6$QDq75ki3$jsKm7qTDHz/xBob0kF1Lp170Cgg0i5Tslf3JW/sm9k9Q916mBTyilU3PoOsbRdxV8TAmzvdgNjrCuhfg3jKMY1 ?l?l?l?l?l --username

Windows NT-hash，LM-hash破解

可以用 saminside 获取 NT-hash 或 LM-hash 的值

NT-hash

1	hashcat64.exe -a 3 -m 1000 209C6174DA490CAEB422F3FA5A7AE634 ?l?l?l?l?l

LM-hash

1	hashcat64.exe -a 3 -m 3000 F0D412BD764FFE81AAD3B435B51404EE ?l?l?l?l?l

mssql 破解

1	hashcat -a 3 -m 132 --force 0x01008c8006c224f71f6bf0036f78d863c3c4ff53f8c3c48edafb ?l?l?l?l?l?d?d?d

LUKS 破解

hashcat 只需要加密文件系统的前 2 MB 即可推断密码是否已被破解，所以一般建议切割以加速爆破。

1	dd if=file of=file-cut bs=512 count=4097

随后跑命令

1	hashcat -m 14600 -a 3 file-cut ?d?d?d?d?d?d

wordpress 密码 hash 破解

具体加密脚本在./wp-includes/class-phpass.php的HashPassword函数

1	hashcat -a 3 -m 400 --force $P$BYEYcHEj3vDhV1lwGBv6rpxurKOEWY/ ?d?d?d?d?d?d

discuz 用户密码 hash 破解

其密码加密方式 md5(md5($pass).$salt)

1	hashcat -a 3 -m 2611 --force 14e1b600b1fd579f47433b88e8d85291: ?d?d?d?d?d?d

RAR 压缩包密码破解

先用 rar2john 获取 RAR 文件 hash 值

1 2	> rar2john 1.rar 1.rar:$rar5$16$639e9ce8344c680da12e8bdd4346a6a3$15$a2b056a21a9836d8d48c2844d171b73d$8$04a52d2224ad082e

然后再使用 hashcat 爆破

1	hashcat -a 3 -m 13000 --force $rar5$16$639e9ce8344c680da12e8bdd4346a6a3$15$a2b056a21a9836d8d48c2844d171b73d$8$04a52d2224ad082e ?d?d?d?d?d?d

注意到

-m 参数	类型	示例 hash
12500	RAR3-hp	`$RAR3$045109af8ab5f297a*adbf6c5385d7a40373e8f77d7b89d317`
13000	RAR5	`$rar5$16$74575567518807622265582327032280$15$f8b4064de34ac02ecabfe`

ZIP 压缩包密码破解

先用 zip2john 获取 RAR 文件 hash 值

1 2	> zip2john.exe 1.zip 1.zip:$zip2$030554bb43ff71cb0cac76326f292119dfdff23524b28885eed4fe362bb1e91319ab53*$/zip2$:::::1.zip-1.txt

然后再使用 hashcat 爆破

1	hashcat -a 3 -m 13600 $zip2$030554bb43ff71cb0cac76326f292119dfdff23524b28885eed4fe362bb1e91319ab53*$/zip2$ --force ?d?d?d?d?d?d

office 密码破解

先用 zip2john 获取 RAR 文件 hash 值

1
2

> python office2john.py 11.docx
11.docx:$office$*2013*100000*256*16*e4a3eb62e8d3576f861f9eded75e0525*9eeb35f0849a7800d48113440b4bbb9c*577f8d8b2e1c5f60fed76e62327b38d28f25230f6c7dfd66588d9ca8097aabb9

然后再使用 hashcat 爆破

hashcat -a 3 -m 9600 $office$*2013*100000*256*16*e4a3eb62e8d3576f861f9eded75e0525*9eeb35f0849a7800d48113440b4bbb9c*577f8d8b2e1c5f60fed76e62327b38d28f25230f6c7dfd66588d9ca8097aabb9 --force ?d?d?d?d?d?d

Keepass 爆破

先用 zip2john 获取 RAR 文件 hash 值

1
2

> keepass2john.exe .\clients.kdbx
clients:$keepass$*2*9090908*0*f7d1170d7371a17281aa3f2a26c7388ca5725c21fcbc29d2ace56292eff8eb79*da67f7ac407dca58cbdf4470f411f0f816b93e09e691cc4fbe0d9ce4acaa28c0*706a344c94d1eb4d7e356d67c6b3189b*ef40e4466434309c67248c2ad1e6bb0d4319447268f862c53a196e4ca12e29a0*7ff7758edbc9b8cde051228494e36af1edd750edc398e84422268956dc942876

然后再使用 hashcat 爆破

hashcat -a 3 -m 13400 $keepass$*2*9090908*0*f7d1170d7371a17281aa3f2a26c7388ca5725c21fcbc29d2ace56292eff8eb79*da67f7ac407dca58cbdf4470f411f0f816b93e09e691cc4fbe0d9ce4acaa28c0*706a344c94d1eb4d7e356d67c6b3189b*ef40e4466434309c67248c2ad1e6bb0d4319447268f862c53a196e4ca12e29a0*7ff7758edbc9b8cde051228494e36af1edd750edc398e84422268956dc942876 --force ?d?d?d?d

NetNTLMv2 密码破解

NTLMSSP 包分为三部分，Negotiate、Challenge 和 Authenticate。

首先进行抓包，得到 NTLMSSP 包（主要关注 Challenge 和 Authenticate），其中寻找到相应信息组成哈希，格式为

1	username::domain:ServerChallenge:NTproofstring:modifiedntlmv2response

可以直接获取 NTLMSSP 的 base64 值，然后使用脚本组装

import base64
from scapy.layers import ntlm

auth_b64 = 'TlRMTVNTUAADAAAAGAAYAIIAAABYAVgBmgAAABIAEgBYAAAACAAIAGoAAAAQABAAcgAAABAAEADyAQAAFYKI4goAYUoAAAAPVS6RhfnytMqt5hsgL2wgnFcASQBEAEcARQBUAEwATABDAGoAYQBjAGsAQwBMAEkARQBOAFQAMAAxAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC0dJFcrFf5UQENDHFmWXTABAQAAAAAAAAQNlisC7dkB5plBR9ajSvIAAAAAAgASAFcASQBEAEcARQBUAEwATABDAAEACABEAEMAMAAxAAQAJABXAGkAZABnAGUAdABMAEwAQwAuAEkAbgB0AGUAcgBuAGEAbAADAC4ARABDADAAMQAuAFcAaQBkAGcAZQB0AEwATABDAC4ASQBuAHQAZQByAG4AYQBsAAUAJABXAGkAZABnAGUAdABMAEwAQwAuAEkAbgB0AGUAcgBuAGEAbAAHAAgABA2WKwLt2QEGAAQAAgAAAAgAMAAwAAAAAAAAAAAAAAAAMAAAB4zcUgkQdiJn5ASItgAyg1xqN2BNHpvj7O5YgC+1+RUKABAAAAAAAAAAAAAAAAAAAAAAAAkAIABIAFQAVABQAC8AMQA5ADIALgAxADYAOAAuADAALgAxAAAAAAAAAAAAlbkMmv5SCuQVUPyZtIn4uA=='
chal_b64 = 'TlRMTVNTUAACAAAAEgASADgAAAAVgoniKvcbXKckYmgAAAAAAAAAALQAtABKAAAACgA5OAAAAA9XAEkARABHAEUAVABMAEwAQwACABIAVwBJAEQARwBFAFQATABMAEMAAQAIAEQAQwAwADEABAAkAFcAaQBkAGcAZQB0AEwATABDAC4ASQBuAHQAZQByAG4AYQBsAAMALgBEAEMAMAAxAC4AVwBpAGQAZwBlAHQATABMAEMALgBJAG4AdABlAHIAbgBhAGwABQAkAFcAaQBkAGcAZQB0AEwATABDAC4ASQBuAHQAZQByAG4AYQBsAAcACAAEDZYrAu3ZAQAAAAA='

auth_bytes = base64.b64decode(auth_b64)
chal_bytes = base64.b64decode(chal_b64)

auth = ntlm.NTLM_Header(auth_bytes)
chal = ntlm.NTLM_Header(chal_bytes)
payload = dict(auth.Payload)
hash = f"{payload['UserName']}::{payload['DomainName']}:{chal.ServerChallenge.hex()}:{payload['NtChallengeResponse'].NTProofStr.hex()}:{payload['NtChallengeResponse'].original[16:].hex()}"
print(hash)

例如

jack::WIDGETLLC:2af71b5ca7246268:2d1d24572b15fe544043431c59965d30:0101000000000000040d962b02edd901e6994147d6a34af200000000020012005700490044004700450054004c004c004300010008004400430030003100040024005700690064006700650074004c004c0043002e0049006e007400650072006e0061006c0003002e0044004300300031002e005700690064006700650074004c004c0043002e0049006e007400650072006e0061006c00050024005700690064006700650074004c004c0043002e0049006e007400650072006e0061006c0007000800040d962b02edd90106000400020000000800300030000000000000000000000000300000078cdc520910762267e40488b60032835c6a37604d1e9be3ecee58802fb5f9150a001000000000000000000000000000000000000900200048005400540050002f003100390032002e003100360038002e0030002e0031000000000000000000

使用 john 或 hashcat 爆破即可，hashcat 哈希代码为 5600，即

1	hashcat -m 5600 hash.txt table.txt

参考链接：https://www.jianshu.com/p/45b85006641a

CRC32 爆破

例如 CRC 值是 eb32038d，原值是四个可见字符，那么

1	hashcat -m 11500 -a 3 eb32038d:00000000 '?a?a?a?a-'

也可以自定义字符集，例如

1	hashcat -m 11500 -a 3 -1 '0123456789' 0972d361:00000000 '?1?1?1?1?1?1'

WIFI 密码破解

首先先把握手包转化为 hccapx 格式

现在最新版的 hashcat 只支持 hccapx 格式了，以前的 hccap 格式已经不支持了

可以使用 https://hashcat.net/cap2hccapx/ 进行转换

1	hashcat -a 3 -m 2500 1.hccapx 1391040?d?d?d?d

网络包嗅探

使用指令

1	ettercap -Tqr ospf.pcapng

可以一键嗅探出流量包中的哈希值。

使用建议

对于破解过的hash值，用hashcat64.exe hash --show查看结果
所有的hash破解结果都在hashcat.potfile文件中
如果破解的时间太长，可以按s键可以查看破解的状态，p键暂停，r键继续破解，q键退出破解。
在使用GPU模式进行破解时，可以使用-O参数自动进行优化
在实际破解中的建议，如果我们盲目的去破解，会占用我们大量的时间和资源
1. 首先走一遍常用的弱口令字典
2. 组合密码，如：zhang1999，用姓氏和出生年组合，当然也可以用其它的组合，这里举个例子而已
3. 把常用的掩码组合整理起来放在masks中的.hcmask文件中，然后让它自动加载破解
4. 如果实在不行，你可以尝试低位数的所有组合去跑，不过不建议太高位数的组合去破解，因为如果对方设置的密码很复杂的话，到头来你密码没有破解到，却浪费了大量的时间和资源，得不偿失
Hashcat 参数优化
1. Workload tuning 负载调优
  
  该参数支持的值有1,8,40,80,160，可以让GPU发挥最大性能
  1
  --gpu-accel 160
2. Gpu loops 负载微调
  
  该参数支持的值的范围是8-1024（有些算法只支持到1000），可以让GPU发挥最大性能。
  1
  --gpu-loops 1024
3. Segment size 字典缓存大小
  
  该参数是设置内存缓存的大小，作用是将字典放入内存缓存以加快字典破解速度，默认为32MB，可以根据自身内存情况进行设置，当然是越大越块了。
  1
  --segment-size 512
如果遇到不熟悉的哈希值，可以使用 hash-identifier hash 进行识别。
同时如果遇到不熟悉的哈希格式，可以使用 hashcat -m 0 --hash-info 获取某种攻击方式的具体哈希格式，例如上面这个命令是获取 md5 格式的哈希攻击方式。

Hashcat 简述

常用参数

-a 破解模式

掩码字符集

hash id 对照表

实例演示

使用字典进行爆破

使用指定字符集爆破

使用字典+掩码进行爆破

使用掩码+字典进行破解

Mysql4.1/5的 PASSWORD 函数

sha512crypt \(6\), SHA512 (Unix)破解

Windows NT-hash，LM-hash破解

mssql 破解

LUKS 破解

wordpress 密码 hash 破解

discuz 用户密码 hash 破解

RAR 压缩包密码破解

ZIP 压缩包密码破解

office 密码破解

Keepass 爆破

NetNTLMv2 密码破解

CRC32 爆破

WIFI 密码破解

网络包嗅探

使用建议

Mysql4.1/5的 `PASSWORD` 函数