hashcat usage notes
Hashcat overview
Hashcat describes itself as the world's fastest password recovery tool.
On Debian-based Linux it can be installed with `apt install hashcat`.
More information is available on the official GitHub page: https://github.com/hashcat/hashcat
Hash algorithms supported by hashcat include Microsoft LM hashes, MD4, MD5, the SHA family, Unix crypt formats, MySQL and Cisco PIX, among others.
It also supports several kinds of compute device: GPU, CPU, APU, DSP, FPGA and coprocessors.
Common options

| Option | Purpose |
|---|---|
| -m | Hash type; defaults to MD5 (mode 0) when not given |
| -a | Attack mode |
| -V | Show version information |
| -o | Write results to the given file |
| --force | Ignore warnings |
| --show | Show only the cracked hashes and their plaintexts |
| --remove | Remove successfully cracked hashes from the input file |
| --username | Ignore the username field in the hash file |
| -b | Benchmark: measure cracking speed and show hardware information |
| -O | Limit password length (optimized kernels) |
| -T | Set the number of threads |
| -r | Use a rule file |
| -1 / -2 / -3 | Custom charsets |
| -i | Enable increment mode |
| --increment-min | Minimum password length for increment mode |
| --increment-max | Maximum password length for increment mode |
| --hash-info | Show the example hash format for a hash mode |
-a attack modes

| -a value | Attack mode |
|---|---|
| 0 | Straight (wordlist attack) |
| 1 | Combination (combinator attack) |
| 3 | Brute-force (mask attack) |
| 6 | Hybrid Wordlist + Mask |
| 7 | Hybrid Mask + Wordlist |
Mask charsets

| Mask charset | Meaning |
|---|---|
| ?l | lowercase letters abcdefghijklmnopqrstuvwxyz [a-z] |
| ?u | uppercase letters ABCDEFGHIJKLMNOPQRSTUVWXYZ [A-Z] |
| ?d | digits 0123456789 [0-9] |
| ?h | lowercase hex characters 0123456789abcdef [0-9a-f] |
| ?H | uppercase hex characters 0123456789ABCDEF [0-9A-F] |
| ?s | special characters, including space: `` !"#$%&'()*+,-./:;<=>?@[\]^_`{\|}~ `` |
| ?a | letters of both cases, digits and special characters, i.e. ?l?u?d?s |
| ?b | 0x00 - 0xff |

Custom charsets are also supported, e.g.

```
hashcat -1 abc123 ?1?1?1
```
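Before running a mask it is worth knowing how many candidates it produces; that number decides whether a mask attack is realistic and is the same arithmetic a defender uses to judge a password policy. The following Python script is an added example, not part of the original notes: it expands the built-in charsets from the table above plus custom charsets (the argument of -1 .. -4), computes the keyspace of a mask, the total keyspace of an -i --increment-min/--increment-max range (hashcat runs the first n positions of the mask for each length n), and converts a keyspace into a worst-case run time at a rate measured with -b. The function names, the sample masks in the main block and the 10^9 H/s rate are constructed for this example.

```python
import string

# Built-in hashcat charsets from the table above; ?b is every byte value 0x00-0xff.
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
    "s": " " + string.punctuation,  # space plus !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
    "b": "".join(chr(i) for i in range(256)),
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]


def expand_charset(spec, custom=None):
    """Expand a charset argument such as 'abc123' or '?l?d' (as given to -1 .. -4)
    into the characters it denotes. A character listed twice is counted once."""
    custom = custom or {}
    chars = []
    i = 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key == "?":                      # '??' is a literal question mark
                chars.append("?")
            elif key in BUILTIN:
                chars.extend(BUILTIN[key])
            elif key in custom:
                chars.extend(expand_charset(custom[key], custom))
            else:
                raise ValueError(f"unknown charset ?{key}")
            i += 2
        else:
            chars.append(spec[i])
            i += 1
    return "".join(dict.fromkeys(chars))


def mask_positions(mask, custom=None):
    """Number of candidate characters at each mask position.
    A literal character (e.g. the '1391040' prefix in the WiFi example) is a position with one candidate."""
    custom = custom or {}
    sizes = []
    i = 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            key = mask[i + 1]
            if key == "?":
                sizes.append(1)
            elif key in BUILTIN:
                sizes.append(len(BUILTIN[key]))
            elif key in custom:
                sizes.append(len(expand_charset(custom[key], custom)))
            else:
                raise ValueError(f"unknown charset ?{key}")
            i += 2
        else:
            sizes.append(1)
            i += 1
    return sizes


def keyspace(mask, custom=None):
    """Total candidates for a fixed-length mask: the product over positions."""
    total = 1
    for n in mask_positions(mask, custom):
        total *= n
    return total


def increment_keyspace(mask, custom=None, lo=1, hi=None):
    """Candidates for -i --increment-min lo --increment-max hi: the sum of the
    keyspaces of the first n positions of the mask for each n in [lo, hi]."""
    sizes = mask_positions(mask, custom)
    hi = len(sizes) if hi is None else min(hi, len(sizes))
    total = 0
    for n in range(lo, hi + 1):
        sub = 1
        for s in sizes[:n]:
            sub *= s
        total += sub
    return total


def seconds_at_rate(candidates, hashes_per_second):
    """Worst-case wall-clock time to exhaust a keyspace at a measured rate."""
    return candidates / hashes_per_second


if __name__ == "__main__":
    # Constructed sample masks, taken from the notes above.
    print(keyspace("?l?l?l?l"))                        # 456976
    print(keyspace("?1?1?1", {"1": "abc123"}))         # 216
    print(keyspace("1391040?d?d?d?d"))                 # 10000
    print(increment_keyspace("?l?l?l?l", lo=1, hi=4))  # 475254
    # Eight ?a positions at a constructed 10^9 H/s: about 77 days worst case.
    print(seconds_at_rate(keyspace("?a" * 8), 1e9) / 86400)
```

The last line is the point of the exercise: a full 8-position ?a mask is 95^8 candidates, so before committing a GPU to it you would rather run the targeted wordlists and .hcmask patterns the usage tips below recommend.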
Hash mode reference

| -m value | Name | Category |
|---|---|---|
| 900 | MD4 | Raw Hash |
| 0 | MD5 | Raw Hash |
| 5100 | Half MD5 | Raw Hash |
| 100 | SHA1 | Raw Hash |
| 1300 | SHA2-224 | Raw Hash |
| 1400 | SHA2-256 | Raw Hash |
| 10800 | SHA2-384 | Raw Hash |
| 1700 | SHA2-512 | Raw Hash |
| 17300 | SHA3-224 | Raw Hash |
| 17400 | SHA3-256 | Raw Hash |
| 17500 | SHA3-384 | Raw Hash |
| 17600 | SHA3-512 | Raw Hash |
| 17700 | Keccak-224 | Raw Hash |
| 17800 | Keccak-256 | Raw Hash |
| 17900 | Keccak-384 | Raw Hash |
| 18000 | Keccak-512 | Raw Hash |
| 600 | BLAKE2b-512 | Raw Hash |
| 10100 | SipHash | Raw Hash |
| 6000 | RIPEMD-160 | Raw Hash |
| 6100 | Whirlpool | Raw Hash |
| 6900 | GOST R 34.11-94 | Raw Hash |
| 11700 | GOST R 34.11-2012 (Streebog) 256-bit, big-endian | Raw Hash |
| 11800 | GOST R 34.11-2012 (Streebog) 512-bit, big-endian | Raw Hash |
| 10 | md5($pass.$salt) | Raw Hash, Salted and/or Iterated |
| 20 | md5($salt.$pass) | Raw Hash, Salted and/or Iterated |
| 30 | md5(utf16le($pass).$salt) | Raw Hash, Salted and/or Iterated |
| 40 | md5($salt.utf16le($pass)) | Raw Hash, Salted and/or Iterated |
| 3800 | md5($salt.$pass.$salt) | Raw Hash, Salted and/or Iterated |
| 3710 | md5($salt.md5($pass)) | Raw Hash, Salted and/or Iterated |
| 4010 | md5($salt.md5($salt.$pass)) | Raw Hash, Salted and/or Iterated |
| 4110 | md5($salt.md5($pass.$salt)) | Raw Hash, Salted and/or Iterated |
| 2600 | md5(md5($pass)) | Raw Hash, Salted and/or Iterated |
| 3910 | md5(md5($pass).md5($salt)) | Raw Hash, Salted and/or Iterated |
| 4300 | md5(strtoupper(md5($pass))) | Raw Hash, Salted and/or Iterated |
| 4400 | md5(sha1($pass)) | Raw Hash, Salted and/or Iterated |
| 110 | sha1($pass.$salt) | Raw Hash, Salted and/or Iterated |
| 120 | sha1($salt.$pass) | Raw Hash, Salted and/or Iterated |
| 130 | sha1(utf16le($pass).$salt) | Raw Hash, Salted and/or Iterated |
| 140 | sha1($salt.utf16le($pass)) | Raw Hash, Salted and/or Iterated |
| 4500 | sha1(sha1($pass)) | Raw Hash, Salted and/or Iterated |
| 4520 | sha1($salt.sha1($pass)) | Raw Hash, Salted and/or Iterated |
| 4700 | sha1(md5($pass)) | Raw Hash, Salted and/or Iterated |
| 4900 | sha1($salt.$pass.$salt) | Raw Hash, Salted and/or Iterated |
| 14400 | sha1(CX) | Raw Hash, Salted and/or Iterated |
| 1410 | sha256($pass.$salt) | Raw Hash, Salted and/or Iterated |
| 1420 | sha256($salt.$pass) | Raw Hash, Salted and/or Iterated |
| 1430 | sha256(utf16le($pass).$salt) | Raw Hash, Salted and/or Iterated |
| 1440 | sha256($salt.utf16le($pass)) | Raw Hash, Salted and/or Iterated |
| 1710 | sha512($pass.$salt) | Raw Hash, Salted and/or Iterated |
| 1720 | sha512($salt.$pass) | Raw Hash, Salted and/or Iterated |
| 1730 | sha512(utf16le($pass).$salt) | Raw Hash, Salted and/or Iterated |
| 1740 | sha512($salt.utf16le($pass)) | Raw Hash, Salted and/or Iterated |
| 50 | HMAC-MD5 (key = $pass) | Raw Hash, Authenticated |
| 60 | HMAC-MD5 (key = $salt) | Raw Hash, Authenticated |
| 150 | HMAC-SHA1 (key = $pass) | Raw Hash, Authenticated |
| 160 | HMAC-SHA1 (key = $salt) | Raw Hash, Authenticated |
| 1450 | HMAC-SHA256 (key = $pass) | Raw Hash, Authenticated |
| 1460 | HMAC-SHA256 (key = $salt) | Raw Hash, Authenticated |
| 1750 | HMAC-SHA512 (key = $pass) | Raw Hash, Authenticated |
| 1760 | HMAC-SHA512 (key = $salt) | Raw Hash, Authenticated |
| 11750 | HMAC-Streebog-256 (key = $pass), big-endian | Raw Hash, Authenticated |
| 11760 | HMAC-Streebog-256 (key = $salt), big-endian | Raw Hash, Authenticated |
| 11850 | HMAC-Streebog-512 (key = $pass), big-endian | Raw Hash, Authenticated |
| 11860 | HMAC-Streebog-512 (key = $salt), big-endian | Raw Hash, Authenticated |
| 14000 | DES (PT = $salt, key = $pass) | Raw Cipher, Known-Plaintext attack |
| 14100 | 3DES (PT = $salt, key = $pass) | Raw Cipher, Known-Plaintext attack |
| 14900 | Skip32 (PT = $salt, key = $pass) | Raw Cipher, Known-Plaintext attack |
| 15400 | ChaCha20 | Raw Cipher, Known-Plaintext attack |
| 400 | phpass | Generic KDF |
| 8900 | scrypt | Generic KDF |
| 11900 | PBKDF2-HMAC-MD5 | Generic KDF |
| 12000 | PBKDF2-HMAC-SHA1 | Generic KDF |
| 10900 | PBKDF2-HMAC-SHA256 | Generic KDF |
| 12100 | PBKDF2-HMAC-SHA512 | Generic KDF |
| 23 | Skype | Network Protocols |
| 2500 | WPA-EAPOL-PBKDF2 | Network Protocols |
| 2501 | WPA-EAPOL-PMK | Network Protocols |
| 16800 | WPA-PMKID-PBKDF2 | Network Protocols |
| 16801 | WPA-PMKID-PMK | Network Protocols |
| 4800 | iSCSI CHAP authentication, MD5(CHAP) | Network Protocols |
| 5300 | IKE-PSK MD5 | Network Protocols |
| 5400 | IKE-PSK SHA1 | Network Protocols |
| 5500 | NetNTLMv1 | Network Protocols |
| 5500 | NetNTLMv1+ESS | Network Protocols |
| 5600 | NetNTLMv2 | Network Protocols |
| 7300 | IPMI2 RAKP HMAC-SHA1 | Network Protocols |
| 7500 | Kerberos 5 AS-REQ Pre-Auth etype 23 | Network Protocols |
| 8300 | DNSSEC (NSEC3) | Network Protocols |
| 10200 | CRAM-MD5 | Network Protocols |
| 11100 | PostgreSQL CRAM (MD5) | Network Protocols |
| 11200 | MySQL CRAM (SHA1) | Network Protocols |
| 11400 | SIP digest authentication (MD5) | Network Protocols |
| 13100 | Kerberos 5 TGS-REP etype 23 | Network Protocols |
| 16100 | TACACS+ | Network Protocols |
| 16500 | JWT (JSON Web Token) | Network Protocols |
| 18200 | Kerberos 5 AS-REP etype 23 | Network Protocols |
| 121 | SMF (Simple Machines Forum) > v1.1 | Forums, CMS, E-Commerce, Frameworks |
| 400 | phpBB3 (MD5) | Forums, CMS, E-Commerce, Frameworks |
| 2611 | vBulletin < v3.8.5 | Forums, CMS, E-Commerce, Frameworks |
| 2711 | vBulletin >= v3.8.5 | Forums, CMS, E-Commerce, Frameworks |
| 2811 | MyBB 1.2+ | Forums, CMS, E-Commerce, Frameworks |
| 2811 | IPB2+ (Invision Power Board) | Forums, CMS, E-Commerce, Frameworks |
| 8400 | WBB3 (Woltlab Burning Board) | Forums, CMS, E-Commerce, Frameworks |
| 11 | Joomla < 2.5.18 | Forums, CMS, E-Commerce, Frameworks |
| 400 | Joomla >= 2.5.18 (MD5) | Forums, CMS, E-Commerce, Frameworks |
| 400 | WordPress (MD5) | Forums, CMS, E-Commerce, Frameworks |
| 2612 | PHPS | Forums, CMS, E-Commerce, Frameworks |
| 7900 | Drupal7 | Forums, CMS, E-Commerce, Frameworks |
| 21 | osCommerce | Forums, CMS, E-Commerce, Frameworks |
| 21 | xt:Commerce | Forums, CMS, E-Commerce, Frameworks |
| 11000 | PrestaShop | Forums, CMS, E-Commerce, Frameworks |
| 124 | Django (SHA-1) | Forums, CMS, E-Commerce, Frameworks |
| 10000 | Django (PBKDF2-SHA256) | Forums, CMS, E-Commerce, Frameworks |
| 16000 | Tripcode | Forums, CMS, E-Commerce, Frameworks |
| 3711 | MediaWiki B type | Forums, CMS, E-Commerce, Frameworks |
| 13900 | OpenCart | Forums, CMS, E-Commerce, Frameworks |
| 4521 | Redmine | Forums, CMS, E-Commerce, Frameworks |
| 4522 | PunBB | Forums, CMS, E-Commerce, Frameworks |
| 12001 | Atlassian (PBKDF2-HMAC-SHA1) | Forums, CMS, E-Commerce, Frameworks |
| 12 | PostgreSQL | Database Server |
| 131 | MSSQL (2000) | Database Server |
| 132 | MSSQL (2005) | Database Server |
| 1731 | MSSQL (2012, 2014) | Database Server |
| 200 | MySQL323 | Database Server |
| 300 | MySQL4.1/MySQL5 | Database Server |
| 3100 | Oracle H: Type (Oracle 7+) | Database Server |
| 112 | Oracle S: Type (Oracle 11+) | Database Server |
| 12300 | Oracle T: Type (Oracle 12+) | Database Server |
| 8000 | Sybase ASE | Database Server |
| 141 | Episerver 6.x < .NET 4 | HTTP, SMTP, LDAP Server |
| 1441 | Episerver 6.x >= .NET 4 | HTTP, SMTP, LDAP Server |
| 1600 | Apache $apr1$ MD5, md5apr1, MD5 (APR) | HTTP, SMTP, LDAP Server |
| 12600 | ColdFusion 10+ | HTTP, SMTP, LDAP Server |
| 1421 | hMailServer | HTTP, SMTP, LDAP Server |
| 101 | nsldap, SHA-1(Base64), Netscape LDAP SHA | HTTP, SMTP, LDAP Server |
| 111 | nsldaps, SSHA-1(Base64), Netscape LDAP SSHA | HTTP, SMTP, LDAP Server |
| 1411 | SSHA-256(Base64), LDAP {SSHA256} | HTTP, SMTP, LDAP Server |
| 1711 | SSHA-512(Base64), LDAP {SSHA512} | HTTP, SMTP, LDAP Server |
| 16400 | CRAM-MD5 Dovecot | HTTP, SMTP, LDAP Server |
| 15000 | FileZilla Server >= 0.9.55 | FTP Server |
| 11500 | CRC32 | Checksums |
| 3000 | LM | Operating Systems |
| 1000 | NTLM | Operating Systems |
| 1100 | Domain Cached Credentials (DCC), MS Cache | Operating Systems |
| 2100 | Domain Cached Credentials 2 (DCC2), MS Cache 2 | Operating Systems |
| 15300 | DPAPI masterkey file v1 | Operating Systems |
| 15900 | DPAPI masterkey file v2 | Operating Systems |
| 12800 | MS-AzureSync PBKDF2-HMAC-SHA256 | Operating Systems |
| 1500 | descrypt, DES (Unix), Traditional DES | Operating Systems |
| 12400 | BSDi Crypt, Extended DES | Operating Systems |
| 500 | md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5) | Operating Systems |
| 3200 | bcrypt $2*$, Blowfish (Unix) | Operating Systems |
| 7400 | sha256crypt $5$, SHA256 (Unix) | Operating Systems |
| 1800 | sha512crypt $6$, SHA512 (Unix) | Operating Systems |
| 122 | macOS v10.4, MacOS v10.5, MacOS v10.6 | Operating Systems |
| 1722 | macOS v10.7 | Operating Systems |
| 7100 | macOS v10.8+ (PBKDF2-SHA512) | Operating Systems |
| 6300 | AIX {smd5} | Operating Systems |
| 6700 | AIX {ssha1} | Operating Systems |
| 6400 | AIX {ssha256} | Operating Systems |
| 6500 | AIX {ssha512} | Operating Systems |
| 2400 | Cisco-PIX MD5 | Operating Systems |
| 2410 | Cisco-ASA MD5 | Operating Systems |
| 500 | Cisco-IOS $1$ (MD5) | Operating Systems |
| 5700 | Cisco-IOS type 4 (SHA256) | Operating Systems |
| 9200 | Cisco-IOS $8$ (PBKDF2-SHA256) | Operating Systems |
| 9300 | Cisco-IOS $9$ (scrypt) | Operating Systems |
| 22 | Juniper NetScreen/SSG (ScreenOS) | Operating Systems |
| 501 | Juniper IVE | Operating Systems |
| 15100 | Juniper/NetBSD sha1crypt | Operating Systems |
| 7000 | FortiGate (FortiOS) | Operating Systems |
| 5800 | Samsung Android Password/PIN | Operating Systems |
| 13800 | Windows Phone 8+ PIN/password | Operating Systems |
| 8100 | Citrix NetScaler | Operating Systems |
| 8500 | RACF | Operating Systems |
| 7200 | GRUB 2 | Operating Systems |
| 9900 | Radmin2 | Operating Systems |
| 125 | ArubaOS | Operating Systems |
| 7700 | SAP CODVN B (BCODE) | Enterprise Application Software (EAS) |
| 7701 | SAP CODVN B (BCODE) via RFC_READ_TABLE | Enterprise Application Software (EAS) |
| 7800 | SAP CODVN F/G (PASSCODE) | Enterprise Application Software (EAS) |
| 7801 | SAP CODVN F/G (PASSCODE) via RFC_READ_TABLE | Enterprise Application Software (EAS) |
| 10300 | SAP CODVN H (PWDSALTEDHASH) iSSHA-1 | Enterprise Application Software (EAS) |
| 8600 | Lotus Notes/Domino 5 | Enterprise Application Software (EAS) |
| 8700 | Lotus Notes/Domino 6 | Enterprise Application Software (EAS) |
| 9100 | Lotus Notes/Domino 8 | Enterprise Application Software (EAS) |
| 133 | PeopleSoft | Enterprise Application Software (EAS) |
| 13500 | PeopleSoft PS_TOKEN | Enterprise Application Software (EAS) |
| 11600 | 7-Zip | Archives |
| 12500 | RAR3-hp | Archives |
| 13000 | RAR5 | Archives |
| 13200 | AxCrypt | Archives |
| 13300 | AxCrypt in-memory SHA1 | Archives |
| 13600 | WinZip | Archives |
| 14700 | iTunes backup < 10.0 | Backup |
| 14800 | iTunes backup >= 10.0 | Backup |
| 62XY | TrueCrypt | Full-Disk Encryption (FDE) |
| X | 1 = PBKDF2-HMAC-RIPEMD160 | Full-Disk Encryption (FDE) |
| X | 2 = PBKDF2-HMAC-SHA512 | Full-Disk Encryption (FDE) |
| X | 3 = PBKDF2-HMAC-Whirlpool | Full-Disk Encryption (FDE) |
| X | 4 = PBKDF2-HMAC-RIPEMD160 + boot-mode | Full-Disk Encryption (FDE) |
| Y | 1 = XTS 512 bit pure AES | Full-Disk Encryption (FDE) |
| Y | 1 = XTS 512 bit pure Serpent | Full-Disk Encryption (FDE) |
| Y | 1 = XTS 512 bit pure Twofish | Full-Disk Encryption (FDE) |
| Y | 2 = XTS 1024 bit pure AES | Full-Disk Encryption (FDE) |
| Y | 2 = XTS 1024 bit pure Serpent | Full-Disk Encryption (FDE) |
| Y | 2 = XTS 1024 bit pure Twofish | Full-Disk Encryption (FDE) |
| Y | 2 = XTS 1024 bit cascaded AES-Twofish | Full-Disk Encryption (FDE) |
| Y | 2 = XTS 1024 bit cascaded Serpent-AES | Full-Disk Encryption (FDE) |
| Y | 2 = XTS 1024 bit cascaded Twofish-Serpent | Full-Disk Encryption (FDE) |
| Y | 3 = XTS 1536 bit all | Full-Disk Encryption (FDE) |
| 8800 | Android FDE <= 4.3 | Full-Disk Encryption (FDE) |
| 12900 | Android FDE (Samsung DEK) | Full-Disk Encryption (FDE) |
| 12200 | eCryptfs | Full-Disk Encryption (FDE) |
| 137XY | VeraCrypt | Full-Disk Encryption (FDE) |
| X | 1 = PBKDF2-HMAC-RIPEMD160 | Full-Disk Encryption (FDE) |
| X | 2 = PBKDF2-HMAC-SHA512 | Full-Disk Encryption (FDE) |
| X | 3 = PBKDF2-HMAC-Whirlpool | Full-Disk Encryption (FDE) |
| X | 4 = PBKDF2-HMAC-RIPEMD160 + boot-mode | Full-Disk Encryption (FDE) |
| X | 5 = PBKDF2-HMAC-SHA256 | Full-Disk Encryption (FDE) |
| X | 6 = PBKDF2-HMAC-SHA256 + boot-mode | Full-Disk Encryption (FDE) |
| X | 7 = PBKDF2-HMAC-Streebog-512 | Full-Disk Encryption (FDE) |
| Y | 1 = XTS 512 bit pure AES | Full-Disk Encryption (FDE) |
| Y | 1 = XTS 512 bit pure Serpent | Full-Disk Encryption (FDE) |
| Y | 1 = XTS 512 bit pure Twofish | Full-Disk Encryption (FDE) |
| Y | 1 = XTS 512 bit pure Camellia | Full-Disk Encryption (FDE) |
| Y | 1 = XTS 512 bit pure Kuznyechik | Full-Disk Encryption (FDE) |
| Y | 2 = XTS 1024 bit pure AES | Full-Disk Encryption (FDE) |
| Y | 2 = XTS 1024 bit pure Serpent | Full-Disk Encryption (FDE) |
| Y | 2 = XTS 1024 bit pure Twofish | Full-Disk Encryption (FDE) |
| Y | 2 = XTS 1024 bit pure Camellia | Full-Disk Encryption (FDE) |
| Y | 2 = XTS 1024 bit pure Kuznyechik | Full-Disk Encryption (FDE) |
| Y | 2 = XTS 1024 bit cascaded AES-Twofish | Full-Disk Encryption (FDE) |
| Y | 2 = XTS 1024 bit cascaded Camellia-Kuznyechik | Full-Disk Encryption (FDE) |
| Y | 2 = XTS 1024 bit cascaded Camellia-Serpent | Full-Disk Encryption (FDE) |
| Y | 2 = XTS 1024 bit cascaded Kuznyechik-AES | Full-Disk Encryption (FDE) |
| Y | 2 = XTS 1024 bit cascaded Kuznyechik-Twofish | Full-Disk Encryption (FDE) |
| Y | 2 = XTS 1024 bit cascaded Serpent-AES | Full-Disk Encryption (FDE) |
| Y | 2 = XTS 1024 bit cascaded Twofish-Serpent | Full-Disk Encryption (FDE) |
| Y | 3 = XTS 1536 bit all | Full-Disk Encryption (FDE) |
| 14600 | LUKS | Full-Disk Encryption (FDE) |
| 16700 | FileVault 2 | Full-Disk Encryption (FDE) |
| 18300 | Apple File System (APFS) | Full-Disk Encryption (FDE) |
| 9700 | MS Office <= 2003 $0/$1, MD5 + RC4 | Documents |
| 9710 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #1 | Documents |
| 9720 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #2 | Documents |
| 9800 | MS Office <= 2003 $3/$4, SHA1 + RC4 | Documents |
| 9810 | MS Office <= 2003 $3, SHA1 + RC4, collider #1 | Documents |
| 9820 | MS Office <= 2003 $3, SHA1 + RC4, collider #2 | Documents |
| 9400 | MS Office 2007 | Documents |
| 9500 | MS Office 2010 | Documents |
| 9600 | MS Office 2013 | Documents |
| 10400 | PDF 1.1 - 1.3 (Acrobat 2 - 4) | Documents |
| 10410 | PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #1 | Documents |
| 10420 | PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2 | Documents |
| 10500 | PDF 1.4 - 1.6 (Acrobat 5 - 8) | Documents |
| 10600 | PDF 1.7 Level 3 (Acrobat 9) | Documents |
| 10700 | PDF 1.7 Level 8 (Acrobat 10 - 11) | Documents |
| 16200 | Apple Secure Notes | Documents |
| 9000 | Password Safe v2 | Password Managers |
| 5200 | Password Safe v3 | Password Managers |
| 6800 | LastPass + LastPass sniffed | Password Managers |
| 6600 | 1Password, agilekeychain | Password Managers |
| 8200 | 1Password, cloudkeychain | Password Managers |
| 11300 | Bitcoin/Litecoin wallet.dat | Password Managers |
| 12700 | Blockchain, My Wallet | Password Managers |
| 15200 | Blockchain, My Wallet, V2 | Password Managers |
| 16600 | Electrum Wallet (Salt-Type 1-3) | Password Managers |
| 13400 | KeePass 1 (AES/Twofish) and KeePass 2 (AES) | Password Managers |
| 15500 | JKS Java Key Store Private Keys (SHA1) | Password Managers |
| 15600 | Ethereum Wallet, PBKDF2-HMAC-SHA256 | Password Managers |
| 15700 | Ethereum Wallet, SCRYPT | Password Managers |
| 16300 | Ethereum Pre-Sale Wallet, PBKDF2-HMAC-SHA256 | Password Managers |
| 16900 | Ansible Vault | Password Managers |
| 18100 | TOTP (HMAC-SHA1) | One-Time Passwords |
| 99999 | Plaintext | Plaintext |
Worked examples
Cracking with a wordlist

```
hashcat -a 0 0192023a7bbd73250516f069df18b500 password.txt --force
```

Cracking with a specified charset

```
hashcat -a 3 63a9f0ea7bb98050796b649e85481845 ?l?l?l?l --force
```

Wordlist + mask

```
hashcat -a 6 1844156d4166d94387f1a4ad031ca5fa password.txt ?d?d?d --force
```

Mask + wordlist

```
hashcat -a 7 f8def8bcecb2e7925a2b42d60d202deb ?d?d password.txt --force
```
Note that the two hybrid modes differ in which part hashcat places first: -a 6 appends the mask to each wordlist entry, -a 7 prepends it.
MySQL 4.1/5 PASSWORD() function

```
hashcat -a 3 -m 300 --force 6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 ?d?d?d?d?d?d
```

sha512crypt $6$, SHA512 (Unix)
The hash can be read from /etc/shadow with `cat /etc/shadow`.

```
hashcat -a 3 -m 1800 --force $6$mxuA5cdy$XZRk0CvnPFqOgVopqiPEFAFK72SogKVwwwp7gWaUOb7b6tVwfCpcSUsCEk64ktLLYmzyew/xd0O0hPG/yrm2X. ?l?l?l?l
```

There is no need to strip the username from the line; use the --username option instead:

```
hashcat -a 3 -m 1800 --force qiyou:$6$QDq75ki3$jsKm7qTDHz/xBob0kF1Lp170Cgg0i5Tslf3JW/sm9k9Q916mBTyilU3PoOsbRdxV8TAmzvdgNjrCuhfg3jKMY1 ?l?l?l?l?l --username
```
Windows NT hash and LM hash cracking
NT hash or LM hash values can be obtained with saminside.
NT hash

```
hashcat64.exe -a 3 -m 1000 209C6174DA490CAEB422F3FA5A7AE634 ?l?l?l?l?l
```

LM hash

```
hashcat64.exe -a 3 -m 3000 F0D412BD764FFE81AAD3B435B51404EE ?l?l?l?l?l
```

MSSQL cracking

```
hashcat -a 3 -m 132 --force 0x01008c8006c224f71f6bf0036f78d863c3c4ff53f8c3c48edafb ?l?l?l?l?l?d?d?d
```
LUKS cracking
hashcat only needs the first 2 MB of the encrypted filesystem to tell whether a password candidate is correct, so it is generally recommended to cut the image down first to speed up the run:

```
dd if=file of=file-cut bs=512 count=4097
```

Then run:

```
hashcat -m 14600 -a 3 file-cut ?d?d?d?d?d?d
```

WordPress password hash cracking
The hashing code is the HashPassword function in ./wp-includes/class-phpass.php.

```
hashcat -a 3 -m 400 --force $P$BYEYcHEj3vDhV1lwGBv6rpxurKOEWY/ ?d?d?d?d?d?d
```

Discuz user password hash cracking
Its password hashing scheme is md5(md5($pass).$salt). The hash line is given as `hash:salt`, so a hash with an empty salt still ends in a colon:

```
hashcat -a 3 -m 2611 --force 14e1b600b1fd579f47433b88e8d85291: ?d?d?d?d?d?d
```
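The mode names in the reference table (md5($pass.$salt), md5(md5($pass).$salt) and so on) describe exactly how the stored value was derived, and picking the wrong one silently yields no results. The following Python script is an added example, not part of the original notes: it implements a subset of those constructions keyed by hashcat mode number, and, given a test account whose password you know, reports which modes reproduce the stored hash. That is the check a defender runs when auditing a legacy application's password storage before choosing a mode or planning a migration. It also shows why the Discuz line above ends in a bare colon: with an empty salt several constructions collapse onto md5(md5($pass)), so the same hash would also crack under -m 2600. The test password `Tr0ub4dor` and salt `x7Q9` are constructed.

```python
import hashlib


def md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha1(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


# A subset of the constructions from the mode table, keyed by hashcat -m number.
# $pass and $salt are raw bytes; nested hashes concatenate the lowercase hex digest,
# which is what e.g. md5(md5($pass).$salt) means in hashcat's notation.
CONSTRUCTIONS = {
    0:    lambda p, s: md5(p),
    10:   lambda p, s: md5(p + s),
    20:   lambda p, s: md5(s + p),
    3800: lambda p, s: md5(s + p + s),
    2600: lambda p, s: md5(md5(p).encode()),
    2611: lambda p, s: md5(md5(p).encode() + s),        # vBulletin < 3.8.5 / Discuz
    3710: lambda p, s: md5(s + md5(p).encode()),
    3910: lambda p, s: md5(md5(p).encode() + md5(s).encode()),
    4010: lambda p, s: md5(s + md5(s + p).encode()),
    4110: lambda p, s: md5(s + md5(p + s).encode()),
    4300: lambda p, s: md5(md5(p).upper().encode()),    # md5(strtoupper(md5($pass)))
    4400: lambda p, s: md5(sha1(p).encode()),
    100:  lambda p, s: sha1(p),
    110:  lambda p, s: sha1(p + s),
    120:  lambda p, s: sha1(s + p),
    4500: lambda p, s: sha1(sha1(p).encode()),
    4700: lambda p, s: sha1(md5(p).encode()),
}


def construct(mode: int, password: str, salt: str = "") -> str:
    """Hash `password` the way hashcat mode `mode` expects."""
    return CONSTRUCTIONS[mode](password.encode(), salt.encode())


def matching_modes(stored_hex: str, salt: str, known_password: str):
    """For a test account whose password is known, return every mode in the
    table whose construction reproduces the stored hash."""
    target = stored_hex.lower()
    return sorted(m for m in CONSTRUCTIONS
                  if construct(m, known_password, salt) == target)


if __name__ == "__main__":
    pw, salt = "Tr0ub4dor", "x7Q9"           # constructed test credential
    h = construct(2611, pw, salt)
    print(f"{h}:{salt}", matching_modes(h, salt, pw))   # only [2611]
    # With an empty salt the salted md5(md5(...)) variants all equal md5(md5($pass)).
    h0 = construct(2611, pw, "")
    print(f"{h0}:", matching_modes(h0, "", pw))         # [2600, 2611, 3710, 4010, 4110]
```

The second call is the practical lesson: a mode number identifies a construction, not the application it is named after, so a hash that `--show` reports under one mode may be the same value the application computed under another when the salt is empty.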
RAR archive password cracking
First extract the hash from the RAR file with rar2john:

```
rar2john 1.rar
```

Then crack it with hashcat:

```
hashcat -a 3 -m 13000 --force $rar5$16$639e9ce8344c680da12e8bdd4346a6a3$15$a2b056a21a9836d8d48c2844d171b73d$8$04a52d2224ad082e ?d?d?d?d?d?d
```

Note the two RAR formats:

| -m value | Type | Example hash |
|---|---|---|
| 12500 | RAR3-hp | $RAR3$*0*45109af8ab5f297a*adbf6c5385d7a40373e8f77d7b89d317 |
| 13000 | RAR5 | $rar5$16$74575567518807622265582327032280$15$f8b4064de34ac02ecabfe |

ZIP archive password cracking
First extract the hash from the ZIP file with zip2john:

```
zip2john.exe 1.zip
```

Then crack it with hashcat:

```
hashcat -a 3 -m 13600 $zip2$*0*3*0*554bb43ff71cb0cac76326f292119dfd*ff23*5*24b28885ee*d4fe362bb1e91319ab53*$/zip2$ --force ?d?d?d?d?d?d
```

Office document password cracking
First extract the hash from the document with office2john:

```
python office2john.py 11.docx
```

Then crack it with hashcat:

```
hashcat -a 3 -m 9600 $office$*2013*100000*256*16*e4a3eb62e8d3576f861f9eded75e0525*9eeb35f0849a7800d48113440b4bbb9c*577f8d8b2e1c5f60fed76e62327b38d28f25230f6c7dfd66588d9ca8097aabb9 --force ?d?d?d?d?d?d
```

KeePass cracking
First extract the hash from the database with keepass2john:

```
keepass2john.exe .\clients.kdbx
```

Then crack it with hashcat:

```
hashcat -a 3 -m 13400 $keepass$*2*9090908*0*f7d1170d7371a17281aa3f2a26c7388ca5725c21fcbc29d2ace56292eff8eb79*da67f7ac407dca58cbdf4470f411f0f816b93e09e691cc4fbe0d9ce4acaa28c0*706a344c94d1eb4d7e356d67c6b3189b*ef40e4466434309c67248c2ad1e6bb0d4319447268f862c53a196e4ca12e29a0*7ff7758edbc9b8cde051228494e36af1edd750edc398e84422268956dc942876 --force ?d?d?d?d
```
NetNTLMv2 password cracking
An NTLMSSP exchange consists of three messages: Negotiate, Challenge and Authenticate.
First capture the traffic and locate the NTLMSSP messages (the Challenge and Authenticate messages are the relevant ones); the fields found there are assembled into a hash line of the form

```
username::domain:ServerChallenge:NTproofstring:modifiedntlmv2response
```

Alternatively, take the base64-encoded NTLMSSP blob directly and assemble the line with a script:

```python
import base64
```

For example

```
jack::WIDGETLLC:2af71b5ca7246268:2d1d24572b15fe544043431c59965d30:…
```

Then crack it with john or hashcat; the hashcat mode is 5600:

```
hashcat -m 5600 hash.txt table.txt
```
CRC32 cracking
For example, if the CRC value is eb32038d and the original is four printable characters:

```
hashcat -m 11500 -a 3 eb32038d:00000000 '?a?a?a?a-'
```

A custom charset can also be used, e.g.

```
hashcat -m 11500 -a 3 -1 '0123456789' 0972d361:00000000 '?1?1?1?1?1?1'
```

WiFi password cracking
First convert the handshake capture to hccapx format.
Current hashcat versions only accept hccapx; the older hccap format is no longer supported.
https://hashcat.net/cap2hccapx/ can perform the conversion.

```
hashcat -a 3 -m 2500 1.hccapx 1391040?d?d?d?d
```

Network packet sniffing
The command

```
ettercap -Tqr ospf.pcapng
```

extracts the hashes contained in a capture file in one step.
Usage tips
For hashes that have already been cracked, view the result with `hashcat64.exe hash --show`; every cracked result is recorded in the hashcat.potfile file.
If a run is taking a long time, press s to show the status, p to pause, r to resume and q to quit.
When cracking on a GPU, the -O option enables automatic optimization.
Some practical advice: cracking blindly costs a great deal of time and resources.
- First run through the common weak-password wordlists
- Then try combined passwords, e.g. zhang1999 (surname plus birth year); other combinations work just as well, this is only an example
- Collect the commonly used mask combinations in a .hcmask file under masks and let hashcat load and run them automatically
- If nothing else works, try exhausting all combinations at short lengths, but brute-forcing long lengths is not advisable: if the target password is complex you end up with nothing but a lot of wasted time and resources
Hashcat parameter tuning
Workload tuning
This option accepts the values 1, 8, 40, 80 and 160 and lets the GPU reach its full performance.

```
--gpu-accel 160
```

GPU loops (workload fine tuning)
This option accepts values in the range 8-1024 (some algorithms only go up to 1000) and lets the GPU reach its full performance.

```
--gpu-loops 1024
```

Segment size (wordlist cache)
This option sets the size of the memory cache into which the wordlist is loaded, which speeds up wordlist attacks. The default is 32 MB; set it according to the RAM you have, and larger is of course faster.

```
--segment-size 512
```

If you come across an unfamiliar hash, identify it with `hash-identifier hash`. If you are unsure of the format a hash mode expects, `hashcat -m 0 --hash-info` prints the concrete hash format for that mode; the command as written shows the MD5 format.