Hashcat密码破解

Author：爆胎
发布时间：October 21, 2020
1433views
2 comments
22153 words
Categories：学习

# Hashcat是嘛玩意儿

`Hashcat`是当前最强大的开源密码恢复工具，你可以访问`Hashcat.net`网站来了解这款工具的详细情况。本质上，**Hashcat 3.0**是一款高级密码恢复工具，可以利用**CPU或GPU**资源来攻击**160多种**哈希类型的密码。

HashCat系列软件在硬件上支持使用`CPU`、`NVIDIA GPU`、`ATI GPU`来进行密码破解。在操作系统上支持`Windows`、`Linux`平台，并且需要安装官方指定版本的显卡驱动程序，如果驱动程序版本不对，可能导致程序无法运行。

`HashCat`主要分为三个版本：`Hashcat`、`oclHashcat-plus`、`oclHashcat-lite`。这三个版本的主要区别是：`HashCat`只支持`CPU`破解。`oclHashcat-plus`支持使用`GPU`破解多个`HASH`，并且支持的算法**高达77种**。`oclHashcat-lite`只支持使用`GPU`对单个`HASH`进行破解，支持的`HASH`种类仅有32种，但是对算法进行了优化，可以达到`GPU`破解的最高速度。如果只有单个密文进行破解的话，推荐使用`oclHashCat-lite`。

&nbsp;

## 计算机环境准备

- 本地的环境为`win10`

- 需要把`airodump`抓到的 4 次握手文件转换为`hccap`的格式

- `txt`格式的**字典文件**

&nbsp;

## Hashcat和aircrack-ng的对比

使用`aricrack-ng`暴力破解8位数密码需要**50**个小时， 但是使用`Hashcat`只要**1个半小时**不到.

即使使用普通的`CPU`或`GPU`，每秒也能够生成`1.35`亿个哈希值， 我这台电脑是`thinkpad`，破解8位数字需要随机组合**68719476736**个数字， 这个是千万级别的数字， 使用`Hashcat`破解只需要1小时40分钟， 平均一秒钟计算`1.4`个亿密码

&nbsp;

## Hashcat的安装

### windows安装

[官网下载](https://hashcat.net/hashcat/)   下载二进制文件，然后进入目录，就可以直接用了。

![](https://img-1259793745.itggg.cn/20201222211123.png)

&nbsp;

### Linux安装

把`github`上面的源码`down`到本地，然后进入目录，编译安装，如果安装成功， 在命令行输入`hashcat`，即可看到帮助文档

```
$ git clone https://github.com/hashcat/hashcat.git
$ cd hashcat //进入目录
$ sudo make 
$ sudo make install //安装hashcat
```

![](https://img-1259793745.itggg.cn/20201222211124.png)

&nbsp;

## 使用参数

### **普通**

- -m, —hash-type=NUM 哈希类别，其NUM值参考其帮助信息下面的哈希类别值，其值为数字。如果不指定m值则默认指md5，例如-m 1800是sha512 Linux加密。
- -a, --attack-mode      攻击模式，如: -a 3
- -V, —version 版本信息
- -h, –help 帮助信息。
- –quiet   安静的模式, 抑制输出
- -b, –benchmark     测试计算机破解速度和显示硬件相关信息

![](https://img-1259793745.itggg.cn/20201222211125.png)

&nbsp;

### **破解模式**

**在HashCat中`--attack-mode ?`参数可以可以指定破解模式**

- 0 Straight（字典破解）
- 1 Combination（组合破解）
- 3 Brute-force（掩码暴力破解）
- 6 Hybrid dict + mask（混合字典+掩码）
- 7 Hybrid mask + dict（混合掩码+字典）

&nbsp;

### **其他**

- –hex-salt salt    值是用十六进制给出的
- –hex-charset       设定字符集是十六进制给出
- –runtime=NUM     运行数秒（NUM值）后的中止会话
- –status      启用状态屏幕的自动更新
- –status-timer=NUM     状态屏幕更新秒值
- –status-automat    以机器可读的格式显示状态视图
- –session    后跟会话名称，主要用于中止任务后的恢复破解。
- --force    忽略警告
- -T               设置线程数
- -r               使用规则文件
- -1               自定义字符集 -1 0123asd   ?1={0123asd}
- -2               自定义字符集 -2 0123asd   ?2={0123asd}
- -3               自定义字符集 -3 0123asd   ?3={0123asd}
- -i                启用增量破解模式
- --increment-min    设置密码最小长度
- --increment-max    设置密码最大长度

&nbsp;

### **哈希类型对应**

**在HashCat中`–hash-type ?`参数可以指定要破解的`HASH`类型**

```
    900 | MD4                                              | Raw Hash
      0 | MD5                                              | Raw Hash
    100 | SHA1                                             | Raw Hash
   1300 | SHA2-224                                         | Raw Hash
   1400 | SHA2-256                                         | Raw Hash
  10800 | SHA2-384                                         | Raw Hash
   1700 | SHA2-512                                         | Raw Hash
  17300 | SHA3-224                                         | Raw Hash
  17400 | SHA3-256                                         | Raw Hash
  17500 | SHA3-384                                         | Raw Hash
  17600 | SHA3-512                                         | Raw Hash
   6000 | RIPEMD-160                                       | Raw Hash
    600 | BLAKE2b-512                                      | Raw Hash
  11700 | GOST R 34.11-2012 (Streebog) 256-bit, big-endian | Raw Hash
  11800 | GOST R 34.11-2012 (Streebog) 512-bit, big-endian | Raw Hash
   6900 | GOST R 34.11-94                                  | Raw Hash
   5100 | Half MD5                                         | Raw Hash
  18700 | Java Object hashCode()                           | Raw Hash
  17700 | Keccak-224                                       | Raw Hash
  17800 | Keccak-256                                       | Raw Hash
  17900 | Keccak-384                                       | Raw Hash
  18000 | Keccak-512                                       | Raw Hash
  21400 | sha256(sha256_bin($pass))                        | Raw Hash
   6100 | Whirlpool                                        | Raw Hash
  10100 | SipHash                                          | Raw Hash
  21000 | BitShares v0.x - sha512(sha512_bin(pass))        | Raw Hash
     10 | md5($pass.$salt)                                 | Raw Hash, Salted and/or Iterated
     20 | md5($salt.$pass)                                 | Raw Hash, Salted and/or Iterated
   3800 | md5($salt.$pass.$salt)                           | Raw Hash, Salted and/or Iterated
   3710 | md5($salt.md5($pass))                            | Raw Hash, Salted and/or Iterated
   4110 | md5($salt.md5($pass.$salt))                      | Raw Hash, Salted and/or Iterated
   4010 | md5($salt.md5($salt.$pass))                      | Raw Hash, Salted and/or Iterated
  21300 | md5($salt.sha1($salt.$pass))                     | Raw Hash, Salted and/or Iterated
     40 | md5($salt.utf16le($pass))                        | Raw Hash, Salted and/or Iterated
   2600 | md5(md5($pass))                                  | Raw Hash, Salted and/or Iterated
   3910 | md5(md5($pass).md5($salt))                       | Raw Hash, Salted and/or Iterated
   4400 | md5(sha1($pass))                                 | Raw Hash, Salted and/or Iterated
  20900 | md5(sha1($pass).md5($pass).sha1($pass))          | Raw Hash, Salted and/or Iterated
  21200 | md5(sha1($salt).md5($pass))                      | Raw Hash, Salted and/or Iterated
   4300 | md5(strtoupper(md5($pass)))                      | Raw Hash, Salted and/or Iterated
     30 | md5(utf16le($pass).$salt)                        | Raw Hash, Salted and/or Iterated
    110 | sha1($pass.$salt)                                | Raw Hash, Salted and/or Iterated
    120 | sha1($salt.$pass)                                | Raw Hash, Salted and/or Iterated
   4900 | sha1($salt.$pass.$salt)                          | Raw Hash, Salted and/or Iterated
   4520 | sha1($salt.sha1($pass))                          | Raw Hash, Salted and/or Iterated
    140 | sha1($salt.utf16le($pass))                       | Raw Hash, Salted and/or Iterated
  19300 | sha1($salt1.$pass.$salt2)                        | Raw Hash, Salted and/or Iterated
  14400 | sha1(CX)                                         | Raw Hash, Salted and/or Iterated
   4700 | sha1(md5($pass))                                 | Raw Hash, Salted and/or Iterated
   4710 | sha1(md5($pass).$salt)                           | Raw Hash, Salted and/or Iterated
  21100 | sha1(md5($pass.$salt))                           | Raw Hash, Salted and/or Iterated
  18500 | sha1(md5(md5($pass)))                            | Raw Hash, Salted and/or Iterated
   4500 | sha1(sha1($pass))                                | Raw Hash, Salted and/or Iterated
    130 | sha1(utf16le($pass).$salt)                       | Raw Hash, Salted and/or Iterated
   1410 | sha256($pass.$salt)                              | Raw Hash, Salted and/or Iterated
   1420 | sha256($salt.$pass)                              | Raw Hash, Salted and/or Iterated
  22300 | sha256($salt.$pass.$salt)                        | Raw Hash, Salted and/or Iterated
   1440 | sha256($salt.utf16le($pass))                     | Raw Hash, Salted and/or Iterated
  20800 | sha256(md5($pass))                               | Raw Hash, Salted and/or Iterated
  20710 | sha256(sha256($pass).$salt)                      | Raw Hash, Salted and/or Iterated
   1430 | sha256(utf16le($pass).$salt)                     | Raw Hash, Salted and/or Iterated
   1710 | sha512($pass.$salt)                              | Raw Hash, Salted and/or Iterated
   1720 | sha512($salt.$pass)                              | Raw Hash, Salted and/or Iterated
   1740 | sha512($salt.utf16le($pass))                     | Raw Hash, Salted and/or Iterated
   1730 | sha512(utf16le($pass).$salt)                     | Raw Hash, Salted and/or Iterated
  19500 | Ruby on Rails Restful-Authentication             | Raw Hash, Salted and/or Iterated
     50 | HMAC-MD5 (key = $pass)                           | Raw Hash, Authenticated
     60 | HMAC-MD5 (key = $salt)                           | Raw Hash, Authenticated
    150 | HMAC-SHA1 (key = $pass)                          | Raw Hash, Authenticated
    160 | HMAC-SHA1 (key = $salt)                          | Raw Hash, Authenticated
   1450 | HMAC-SHA256 (key = $pass)                        | Raw Hash, Authenticated
   1460 | HMAC-SHA256 (key = $salt)                        | Raw Hash, Authenticated
   1750 | HMAC-SHA512 (key = $pass)                        | Raw Hash, Authenticated
   1760 | HMAC-SHA512 (key = $salt)                        | Raw Hash, Authenticated
  11750 | HMAC-Streebog-256 (key = $pass), big-endian      | Raw Hash, Authenticated
  11760 | HMAC-Streebog-256 (key = $salt), big-endian      | Raw Hash, Authenticated
  11850 | HMAC-Streebog-512 (key = $pass), big-endian      | Raw Hash, Authenticated
  11860 | HMAC-Streebog-512 (key = $salt), big-endian      | Raw Hash, Authenticated
  11500 | CRC32                                            | Raw Checksum
  14100 | 3DES (PT = $salt, key = $pass)                   | Raw Cipher, Known-Plaintext attack
  14000 | DES (PT = $salt, key = $pass)                    | Raw Cipher, Known-Plaintext attack
  15400 | ChaCha20                                         | Raw Cipher, Known-Plaintext attack
  14900 | Skip32 (PT = $salt, key = $pass)                 | Raw Cipher, Known-Plaintext attack
  11900 | PBKDF2-HMAC-MD5                                  | Generic KDF
  12000 | PBKDF2-HMAC-SHA1                                 | Generic KDF
  10900 | PBKDF2-HMAC-SHA256                               | Generic KDF
  12100 | PBKDF2-HMAC-SHA512                               | Generic KDF
   8900 | scrypt                                           | Generic KDF
    400 | phpass                                           | Generic KDF
  16900 | Ansible Vault                                    | Generic KDF
  12001 | Atlassian (PBKDF2-HMAC-SHA1)                     | Generic KDF
  20200 | Python passlib pbkdf2-sha512                     | Generic KDF
  20300 | Python passlib pbkdf2-sha256                     | Generic KDF
  20400 | Python passlib pbkdf2-sha1                       | Generic KDF
  16100 | TACACS+                                          | Network Protocols
  11400 | SIP digest authentication (MD5)                  | Network Protocols
   5300 | IKE-PSK MD5                                      | Network Protocols
   5400 | IKE-PSK SHA1                                     | Network Protocols
  23200 | XMPP SCRAM PBKDF2-SHA1                           | Network Protocols
   2500 | WPA-EAPOL-PBKDF2                                 | Network Protocols
   2501 | WPA-EAPOL-PMK                                    | Network Protocols
  22000 | WPA-PBKDF2-PMKID+EAPOL                           | Network Protocols
  22001 | WPA-PMK-PMKID+EAPOL                              | Network Protocols
  16800 | WPA-PMKID-PBKDF2                                 | Network Protocols
  16801 | WPA-PMKID-PMK                                    | Network Protocols
   7300 | IPMI2 RAKP HMAC-SHA1                             | Network Protocols
  10200 | CRAM-MD5                                         | Network Protocols
   4800 | iSCSI CHAP authentication, MD5(CHAP)             | Network Protocols
  16500 | JWT (JSON Web Token)                             | Network Protocols
  22600 | Telegram Desktop App Passcode (PBKDF2-HMAC-SHA1) | Network Protocols
  22301 | Telegram Mobile App Passcode (SHA256)            | Network Protocols
   7500 | Kerberos 5, etype 23, AS-REQ Pre-Auth            | Network Protocols
  13100 | Kerberos 5, etype 23, TGS-REP                    | Network Protocols
  18200 | Kerberos 5, etype 23, AS-REP                     | Network Protocols
  19600 | Kerberos 5, etype 17, TGS-REP                    | Network Protocols
  19700 | Kerberos 5, etype 18, TGS-REP                    | Network Protocols
  19800 | Kerberos 5, etype 17, Pre-Auth                   | Network Protocols
  19900 | Kerberos 5, etype 18, Pre-Auth                   | Network Protocols
   5500 | NetNTLMv1 / NetNTLMv1+ESS                        | Network Protocols
   5600 | NetNTLMv2                                        | Network Protocols
     23 | Skype                                            | Network Protocols
  11100 | PostgreSQL CRAM (MD5)                            | Network Protocols
  11200 | MySQL CRAM (SHA1)                                | Network Protocols
   8500 | RACF                                             | Operating System
   6300 | AIX {smd5}                                       | Operating System
   6700 | AIX {ssha1}                                      | Operating System
   6400 | AIX {ssha256}                                    | Operating System
   6500 | AIX {ssha512}                                    | Operating System
   3000 | LM                                               | Operating System
  19000 | QNX /etc/shadow (MD5)                            | Operating System
  19100 | QNX /etc/shadow (SHA256)                         | Operating System
  19200 | QNX /etc/shadow (SHA512)                         | Operating System
  15300 | DPAPI masterkey file v1                          | Operating System
  15900 | DPAPI masterkey file v2                          | Operating System
   7200 | GRUB 2                                           | Operating System
  12800 | MS-AzureSync PBKDF2-HMAC-SHA256                  | Operating System
  12400 | BSDi Crypt, Extended DES                         | Operating System
   1000 | NTLM                                             | Operating System
    122 | macOS v10.4, macOS v10.5, MacOS v10.6            | Operating System
   1722 | macOS v10.7                                      | Operating System
   7100 | macOS v10.8+ (PBKDF2-SHA512)                     | Operating System
   9900 | Radmin2                                          | Operating System
   5800 | Samsung Android Password/PIN                     | Operating System
   3200 | bcrypt $2*$, Blowfish (Unix)                     | Operating System
    500 | md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)        | Operating System
   1500 | descrypt, DES (Unix), Traditional DES            | Operating System
   7400 | sha256crypt $5$, SHA256 (Unix)                   | Operating System
   1800 | sha512crypt $6$, SHA512 (Unix)                   | Operating System
  13800 | Windows Phone 8+ PIN/password                    | Operating System
   2410 | Cisco-ASA MD5                                    | Operating System
   9200 | Cisco-IOS $8$ (PBKDF2-SHA256)                    | Operating System
   9300 | Cisco-IOS $9$ (scrypt)                           | Operating System
   5700 | Cisco-IOS type 4 (SHA256)                        | Operating System
   2400 | Cisco-PIX MD5                                    | Operating System
   8100 | Citrix NetScaler (SHA1)                          | Operating System
  22200 | Citrix NetScaler (SHA512)                        | Operating System
   1100 | Domain Cached Credentials (DCC), MS Cache        | Operating System
   2100 | Domain Cached Credentials 2 (DCC2), MS Cache 2   | Operating System
   7000 | FortiGate (FortiOS)                              | Operating System
    125 | ArubaOS                                          | Operating System
    501 | Juniper IVE                                      | Operating System
     22 | Juniper NetScreen/SSG (ScreenOS)                 | Operating System
  15100 | Juniper/NetBSD sha1crypt                         | Operating System
    131 | MSSQL (2000)                                     | Database Server
    132 | MSSQL (2005)                                     | Database Server
   1731 | MSSQL (2012, 2014)                               | Database Server
     12 | PostgreSQL                                       | Database Server
   3100 | Oracle H: Type (Oracle 7+)                       | Database Server
    112 | Oracle S: Type (Oracle 11+)                      | Database Server
  12300 | Oracle T: Type (Oracle 12+)                      | Database Server
   7401 | MySQL $A$ (sha256crypt)                          | Database Server
    200 | MySQL323                                         | Database Server
    300 | MySQL4.1/MySQL5                                  | Database Server
   8000 | Sybase ASE                                       | Database Server
   1421 | hMailServer                                      | FTP, HTTP, SMTP, LDAP Server
   8300 | DNSSEC (NSEC3)                                   | FTP, HTTP, SMTP, LDAP Server
  16400 | CRAM-MD5 Dovecot                                 | FTP, HTTP, SMTP, LDAP Server
   1411 | SSHA-256(Base64), LDAP {SSHA256}                 | FTP, HTTP, SMTP, LDAP Server
   1711 | SSHA-512(Base64), LDAP {SSHA512}                 | FTP, HTTP, SMTP, LDAP Server
  10901 | RedHat 389-DS LDAP (PBKDF2-HMAC-SHA256)          | FTP, HTTP, SMTP, LDAP Server
  15000 | FileZilla Server >= 0.9.55                       | FTP, HTTP, SMTP, LDAP Server
  12600 | ColdFusion 10+                                   | FTP, HTTP, SMTP, LDAP Server
   1600 | Apache $apr1$ MD5, md5apr1, MD5 (APR)            | FTP, HTTP, SMTP, LDAP Server
    141 | Episerver 6.x < .NET 4                           | FTP, HTTP, SMTP, LDAP Server
   1441 | Episerver 6.x >= .NET 4                          | FTP, HTTP, SMTP, LDAP Server
    101 | nsldap, SHA-1(Base64), Netscape LDAP SHA         | FTP, HTTP, SMTP, LDAP Server
    111 | nsldaps, SSHA-1(Base64), Netscape LDAP SSHA      | FTP, HTTP, SMTP, LDAP Server
   7700 | SAP CODVN B (BCODE)                              | Enterprise Application Software (EAS)
   7701 | SAP CODVN B (BCODE) from RFC_READ_TABLE          | Enterprise Application Software (EAS)
   7800 | SAP CODVN F/G (PASSCODE)                         | Enterprise Application Software (EAS)
   7801 | SAP CODVN F/G (PASSCODE) from RFC_READ_TABLE     | Enterprise Application Software (EAS)
  10300 | SAP CODVN H (PWDSALTEDHASH) iSSHA-1              | Enterprise Application Software (EAS)
    133 | PeopleSoft                                       | Enterprise Application Software (EAS)
  13500 | PeopleSoft PS_TOKEN                              | Enterprise Application Software (EAS)
  21500 | SolarWinds Orion                                 | Enterprise Application Software (EAS)
   8600 | Lotus Notes/Domino 5                             | Enterprise Application Software (EAS)
   8700 | Lotus Notes/Domino 6                             | Enterprise Application Software (EAS)
   9100 | Lotus Notes/Domino 8                             | Enterprise Application Software (EAS)
  20600 | Oracle Transportation Management (SHA256)        | Enterprise Application Software (EAS)
   4711 | Huawei sha1(md5($pass).$salt)                    | Enterprise Application Software (EAS)
  20711 | AuthMe sha256                                    | Enterprise Application Software (EAS)
  12200 | eCryptfs                                         | Full-Disk Encryption (FDE)
  22400 | AES Crypt (SHA256)                               | Full-Disk Encryption (FDE)
  14600 | LUKS                                             | Full-Disk Encryption (FDE)
  13711 | VeraCrypt RIPEMD160 + XTS 512 bit                | Full-Disk Encryption (FDE)
  13712 | VeraCrypt RIPEMD160 + XTS 1024 bit               | Full-Disk Encryption (FDE)
  13713 | VeraCrypt RIPEMD160 + XTS 1536 bit               | Full-Disk Encryption (FDE)
  13741 | VeraCrypt RIPEMD160 + XTS 512 bit + boot-mode    | Full-Disk Encryption (FDE)
  13742 | VeraCrypt RIPEMD160 + XTS 1024 bit + boot-mode   | Full-Disk Encryption (FDE)
  13743 | VeraCrypt RIPEMD160 + XTS 1536 bit + boot-mode   | Full-Disk Encryption (FDE)
  13751 | VeraCrypt SHA256 + XTS 512 bit                   | Full-Disk Encryption (FDE)
  13752 | VeraCrypt SHA256 + XTS 1024 bit                  | Full-Disk Encryption (FDE)
  13753 | VeraCrypt SHA256 + XTS 1536 bit                  | Full-Disk Encryption (FDE)
  13761 | VeraCrypt SHA256 + XTS 512 bit + boot-mode       | Full-Disk Encryption (FDE)
  13762 | VeraCrypt SHA256 + XTS 1024 bit + boot-mode      | Full-Disk Encryption (FDE)
  13763 | VeraCrypt SHA256 + XTS 1536 bit + boot-mode      | Full-Disk Encryption (FDE)
  13721 | VeraCrypt SHA512 + XTS 512 bit                   | Full-Disk Encryption (FDE)
  13722 | VeraCrypt SHA512 + XTS 1024 bit                  | Full-Disk Encryption (FDE)
  13723 | VeraCrypt SHA512 + XTS 1536 bit                  | Full-Disk Encryption (FDE)
  13771 | VeraCrypt Streebog-512 + XTS 512 bit             | Full-Disk Encryption (FDE)
  13772 | VeraCrypt Streebog-512 + XTS 1024 bit            | Full-Disk Encryption (FDE)
  13773 | VeraCrypt Streebog-512 + XTS 1536 bit            | Full-Disk Encryption (FDE)
  13731 | VeraCrypt Whirlpool + XTS 512 bit                | Full-Disk Encryption (FDE)
  13732 | VeraCrypt Whirlpool + XTS 1024 bit               | Full-Disk Encryption (FDE)
  13733 | VeraCrypt Whirlpool + XTS 1536 bit               | Full-Disk Encryption (FDE)
  16700 | FileVault 2                                      | Full-Disk Encryption (FDE)
  20011 | DiskCryptor SHA512 + XTS 512 bit                 | Full-Disk Encryption (FDE)
  20012 | DiskCryptor SHA512 + XTS 1024 bit                | Full-Disk Encryption (FDE)
  20013 | DiskCryptor SHA512 + XTS 1536 bit                | Full-Disk Encryption (FDE)
  22100 | BitLocker                                        | Full-Disk Encryption (FDE)
  12900 | Android FDE (Samsung DEK)                        | Full-Disk Encryption (FDE)
   8800 | Android FDE <= 4.3                               | Full-Disk Encryption (FDE)
  18300 | Apple File System (APFS)                         | Full-Disk Encryption (FDE)
   6211 | TrueCrypt RIPEMD160 + XTS 512 bit                | Full-Disk Encryption (FDE)
   6212 | TrueCrypt RIPEMD160 + XTS 1024 bit               | Full-Disk Encryption (FDE)
   6213 | TrueCrypt RIPEMD160 + XTS 1536 bit               | Full-Disk Encryption (FDE)
   6241 | TrueCrypt RIPEMD160 + XTS 512 bit + boot-mode    | Full-Disk Encryption (FDE)
   6242 | TrueCrypt RIPEMD160 + XTS 1024 bit + boot-mode   | Full-Disk Encryption (FDE)
   6243 | TrueCrypt RIPEMD160 + XTS 1536 bit + boot-mode   | Full-Disk Encryption (FDE)
   6221 | TrueCrypt SHA512 + XTS 512 bit                   | Full-Disk Encryption (FDE)
   6222 | TrueCrypt SHA512 + XTS 1024 bit                  | Full-Disk Encryption (FDE)
   6223 | TrueCrypt SHA512 + XTS 1536 bit                  | Full-Disk Encryption (FDE)
   6231 | TrueCrypt Whirlpool + XTS 512 bit                | Full-Disk Encryption (FDE)
   6232 | TrueCrypt Whirlpool + XTS 1024 bit               | Full-Disk Encryption (FDE)
   6233 | TrueCrypt Whirlpool + XTS 1536 bit               | Full-Disk Encryption (FDE)
  10400 | PDF 1.1 - 1.3 (Acrobat 2 - 4)                    | Documents
  10410 | PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #1       | Documents
  10420 | PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2       | Documents
  10500 | PDF 1.4 - 1.6 (Acrobat 5 - 8)                    | Documents
  10600 | PDF 1.7 Level 3 (Acrobat 9)                      | Documents
  10700 | PDF 1.7 Level 8 (Acrobat 10 - 11)                | Documents
   9400 | MS Office 2007                                   | Documents
   9500 | MS Office 2010                                   | Documents
   9600 | MS Office 2013                                   | Documents
   9700 | MS Office <= 2003 $0/$1, MD5 + RC4               | Documents
   9710 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #1  | Documents
   9720 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #2  | Documents
   9800 | MS Office <= 2003 $3/$4, SHA1 + RC4              | Documents
   9810 | MS Office <= 2003 $3, SHA1 + RC4, collider #1    | Documents
   9820 | MS Office <= 2003 $3, SHA1 + RC4, collider #2    | Documents
  18400 | Open Document Format (ODF) 1.2 (SHA-256, AES)    | Documents
  18600 | Open Document Format (ODF) 1.1 (SHA-1, Blowfish) | Documents
  16200 | Apple Secure Notes                               | Documents
  15500 | JKS Java Key Store Private Keys (SHA1)           | Password Managers
   6600 | 1Password, agilekeychain                         | Password Managers
   8200 | 1Password, cloudkeychain                         | Password Managers
   9000 | Password Safe v2                                 | Password Managers
   5200 | Password Safe v3                                 | Password Managers
   6800 | LastPass + LastPass sniffed                      | Password Managers
  13400 | KeePass 1 (AES/Twofish) and KeePass 2 (AES)      | Password Managers
  11300 | Bitcoin/Litecoin wallet.dat                      | Password Managers
  16600 | Electrum Wallet (Salt-Type 1-3)                  | Password Managers
  21700 | Electrum Wallet (Salt-Type 4)                    | Password Managers
  21800 | Electrum Wallet (Salt-Type 5)                    | Password Managers
  12700 | Blockchain, My Wallet                            | Password Managers
  15200 | Blockchain, My Wallet, V2                        | Password Managers
  18800 | Blockchain, My Wallet, Second Password (SHA256)  | Password Managers
  23100 | Apple Keychain                                   | Password Managers
  16300 | Ethereum Pre-Sale Wallet, PBKDF2-HMAC-SHA256     | Password Managers
  15600 | Ethereum Wallet, PBKDF2-HMAC-SHA256              | Password Managers
  15700 | Ethereum Wallet, SCRYPT                          | Password Managers
  22500 | MultiBit Classic .key (MD5)                      | Password Managers
  22700 | MultiBit HD (scrypt)                             | Password Managers
  11600 | 7-Zip                                            | Archives
  12500 | RAR3-hp                                          | Archives
  13000 | RAR5                                             | Archives
  17200 | PKZIP (Compressed)                               | Archives
  17220 | PKZIP (Compressed Multi-File)                    | Archives
  17225 | PKZIP (Mixed Multi-File)                         | Archives
  17230 | PKZIP (Mixed Multi-File Checksum-Only)           | Archives
  17210 | PKZIP (Uncompressed)                             | Archives
  20500 | PKZIP Master Key                                 | Archives
  20510 | PKZIP Master Key (6 byte optimization)           | Archives
  14700 | iTunes backup < 10.0                             | Archives
  14800 | iTunes backup >= 10.0                            | Archives
  23001 | SecureZIP AES-128                                | Archives
  23002 | SecureZIP AES-192                                | Archives
  23003 | SecureZIP AES-256                                | Archives
  13600 | WinZip                                           | Archives
  18900 | Android Backup                                   | Archives
  13200 | AxCrypt                                          | Archives
  13300 | AxCrypt in-memory SHA1                           | Archives
   8400 | WBB3 (Woltlab Burning Board)                     | Forums, CMS, E-Commerce
   2611 | vBulletin < v3.8.5                               | Forums, CMS, E-Commerce
   2711 | vBulletin >= v3.8.5                              | Forums, CMS, E-Commerce
   2612 | PHPS                                             | Forums, CMS, E-Commerce
    121 | SMF (Simple Machines Forum) > v1.1               | Forums, CMS, E-Commerce
   3711 | MediaWiki B type                                 | Forums, CMS, E-Commerce
   4521 | Redmine                                          | Forums, CMS, E-Commerce
     11 | Joomla < 2.5.18                                  | Forums, CMS, E-Commerce
  13900 | OpenCart                                         | Forums, CMS, E-Commerce
  11000 | PrestaShop                                       | Forums, CMS, E-Commerce
  16000 | Tripcode                                         | Forums, CMS, E-Commerce
   7900 | Drupal7                                          | Forums, CMS, E-Commerce
     21 | osCommerce, xt:Commerce                          | Forums, CMS, E-Commerce
   4522 | PunBB                                            | Forums, CMS, E-Commerce
   2811 | MyBB 1.2+, IPB2+ (Invision Power Board)          | Forums, CMS, E-Commerce
  18100 | TOTP (HMAC-SHA1)                                 | One-Time Passwords
   2000 | STDOUT                                           | Plaintext
  99999 | Plaintext                                        | Plaintext
  21600 | Web2py pbkdf2-sha512                             | Framework
  10000 | Django (PBKDF2-SHA256)                           | Framework
    124 | Django (SHA-1)                                   | Framework
```

&nbsp;

### 掩码设置

```
l | abcdefghijklmnopqrstuvwxyz          纯小写字母
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ          纯大写字母
d | 0123456789                          纯数字
h | 0123456789abcdef                    常见小写子目录和数字
H | 0123456789ABCDEF                    常见大写字母和数字
s |  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~   特殊字符
a | ?l?u?d?s                            键盘上所有可见的字符
b | 0x00 - 0xff                         可能是用来匹配像空格这种密码的
```

&nbsp;

### 掩码实例

**?l表示a-z，?u表示A-Z，?d表示0-9，?a表示键盘上所有的特殊字符，?s表示键盘上所有的可见字符，?h表示8bit 0xc0-0xff的十六进制，?D表示8bit的德语字符，?F表示8bit的法语字符，?R表示8bit的俄语字符**

```
八位数字密码：?d?d?d?d?d?d?d?d
八位未知密码：?a?a?a?a?a?a?a?a
前四位为大写字母，后面四位为数字：?u?u?u?u?d?d?d?d
前四位为数字或者是小写字母，后四位为大写字母或者数字：?h?h?h?h?H?H?H?H
前三个字符未知，中间为admin，后三位未知：?a?a?aadmin?a?a?a
6-8位数字密码：--increment --increment-min 6 --increment-max 8 ?l?l?l?l?l?l?l?l
6-8位数字+小写字母密码：--increment --increment-min 6 --increment-max 8 ?h?h?h?h?h?h?h?h
```

**比如说我要设置自定义字符集1为小写+数字，那么就加上**

```
-- custom-charset1 ?l?d
```

**如果要设置自定义字符集2为abcd1234，那么就加上**

```
--custom-charset2 abcd1234
```

**如果要破解8位的小写+数字，那么需要设置自定义字符集1为**

```
--custom-charset1 ?l?d
```

**设置掩码为?1?1?1?1?1?1?1?1。 如果已知密码的第一位为数字，长度为8位，后几位为大写+小写，那么需要设置自定义字符集1为**

```
--custom-charset1 ?l?u
```

**设置掩码为?d?1?1?1?1?1?1?1**

&nbsp;

## 破解实例

### 破解WPA/PSK密码

先把`airodump`抓取的`cap`文件转化为`hccap`格式， 可以在线转换， 在线转换的地址：https://hashcat.net/cap2hccap/， 也可以用`aircrack-ng`转换

```
$ aircrack-ng <out.cap> -J <out.hccap>
```

**参数命令**

- 第一个参数： **-m 2500**为破解的模式为**WPA/PSK**方式 
- 第二个参数： **hccap**格式的文件是刚刚转化好的文件
- 第三个参数： **dics.txt**为字典文件 :

```
$ hashcat -m 2500 out.hccap.hccap  dics.txt
```

&nbsp;

### 纯数字密码

- ?d?d?d?d?d?d?d?d代表8为数字

```&nbsp;
$ hashcat -m 2500 -a 3 handshake.hccap ?d?d?d?d?d?d?d?d
```

&nbsp;

### 使用字典破解MD5

字典破解由于受到磁盘和内存速度的影响，速度无法达到`GPU`的最大运算速度，基本上一个`5GB`的字典，对于`MD5`破解来说`10`分钟内可以跑完

```
说明：oclHashcat-plus64.exe --hash-type 0 --attack-mode 0 {HASH文件} [字典1] [字典2] [字典3]…
比如：oclHashcat-plus64.exe --hash-type 0 --attack-mode 0 d:md5.txt d:dict1.txt d:dict2.txt
```

&nbsp;

### crunch生成字典破解

`crunch`生成字典， 生成`8`位纯数字的字典，使用以下命令， `8 8 `代表最小位数为`8`位， 第二个`8`代表最大位数也为`8`为， `0123456789`为字典中的数字 , `-o dic.txt`说明要把字典生成到`dic.txt`， 生成的纯数字字典有`900M`

```
$ crunch 8 8  0123456789 -o dic.txt
```

&nbsp;

### 加载密码字典，破解单一MD5哈希

```
hashcat64.exe -m 0 -a 0 5ec822debe54b1935f78d9a6ab900a39 password.dict
```

&nbsp;

###  加载密码字典，破解多个MD5哈希

```
hashcat64.exe -m 0 -a 0 md5_list.txt password.dict
```

&nbsp;

### 已知明文密码为8位数字，利用掩码“?d?d?d?d?d?d?d?d”表示8个数字

```
hashcat64.exe -m 0 -a 3 3d9865a2843dcb59e7a6296c894732a4 ?d?d?d?d?d?d?d?d
```

&nbsp;

### 加载多个密码字典，只有“-a 0”模式支持多个密码字典

```
hashcat64.bin -m 0 -a 0 hash.txt dict1.txt dict2.txt dict3.txt
```

&nbsp;

### 其他常见爆破

**爆破 8 位数字的 MD5（2 秒）**

```
hashcat -a 3 -m 0 --force ed2b1f468c5f915f3f1cf75d7068baae "?d?d?d?d?d?d?d?d"
```

&nbsp;

**爆破 1-8 位数字的 MD5**

```
hashcat -a 3 -m 0 --force 4488cec2aea535179e085367d8a17d75 --increment --increment-min 1 --increment-max 8 "?d?d?d?d?d?d?d?d"
```

&nbsp;

**爆破 8 位小写字母的 MD5（11分钟）**

```
hashcat -a 3 -m 0 --force 80d41e1777e11df88fa2a02508112a6c "?l?l?l?l?l?l?l?l"
```

&nbsp;

**利用字典爆破**

```
hashcat -a 0 ede900ac1424436b55dc3c9f20cb97a8 password.txt -o result.txt
```

&nbsp;

**批量爆破 hash.txt**

```
hashcat -a 0 hash.txt password.txt -o result.txt
```

&nbsp;

**字典 + 字典组合**

```
hashcat -a 1 25f9e794323b453885f5181f1b624d0b pwd1.txt pwd2.txt
```

&nbsp;

**字典 + 掩码组合**

```
hashcat -a 6 9dc9d5ed5031367d42543763423c24ee password.txt "?l?l?l?l?l"
```

&nbsp;

**爆破 mysql 密码(6 秒)**

```
select host,user,authentication_string from mysql.user;
hashcat -a 0 -m 300 --force 81F5E21E35407D884A6CD4A731AEBFB6AF209E1B ~/pwd
```

&nbsp;

**爆破 mssql 密码**

```
hashcat -a 3 -m 132 --force 0x01008c8006c224f71f6bf0036f78d863c3c4ff53f8c3c48edafb "?l?l?l?l?l?d?d?d"
```

&nbsp;

**爆破 Windows 密码**

```
NT-hash:
hashcat -a 3 -m 1000 209C6174DA490CAEB422F3FA5A7AE634 "?l?l?l?l?l"
LM-hash:
hashcat -a 3 -m 3000 --force F0D412BD764FFE81AAD3B435B51404EE "?l?l?l?l?l"
```

&nbsp;

**爆破 wordpress 密码具体加密脚本在./wp-includes/class-phpass.php的HashPassword函数**

```
hashcat -a 3 -m 400 --force "\$P\$BYEYcHEj3vDhV1lwGBv6rpxurKOEWY/" "?d?d?d?d?d?d"
```

&nbsp;

**爆破 discuz 密码（md5(md5($pass).$salt)）**

```
hashcat -a 3 -m 2611 --force 14e1b600b1fd579f47433b88e8d85291: "?d?d?d?d?d?d"
```

&nbsp;

**爆破 rar 密码(注意模式是 rar5 还是 RAR3-hp)**

```
rar2john 1.rar
hashcat -a 3 -m 13000 --force "\$rar5\$16\$639e9ce8344c680da12e8bdd4346a6a3\$15\$a2b056a21a9836d8d48c2844d171b73d\$8\$04a52d2224ad082e" "?d?d?d?d?d?d"
```

&nbsp;

**爆破 zip 密码**

```
zip2john.exe 1.zip
hashcat -a 3 -m 13600 "\$zip2\$*0*3*0*554bb43ff71cb0cac76326f292119dfd*ff23*5*24b28885ee*d4fe362bb1e91319ab53*\$/zip2\$" --force "?d?d?d?d?d?d"
```

&nbsp;

**爆破 office 密码**

```
python /usr/share/john/office2john.py 11.docx
hashcat -a 3 -m 9600 "\$office\$*2013*100000*256*16*e4a3eb62e8d3576f861f9eded75e0525*9eeb35f0849a7800d48113440b4bbb9c*577f8d8b2e1c5f60fed76e62327b38d28f25230f6c7dfd66588d9ca8097aabb9" --force "?d?d?d?d?d?d"
```

&nbsp;

**查看已经破解的密码**

- hashcat hash --show

&nbsp;

## GPU使用

**GPU 驱动程序要求**

- Linux 上的 AMD GPU 需要"RadeonOpenCompute （ROCm）"软件平台（3.1 或更晚）
- Windows 上的 AMD GPU 需要"AMD Radeon 肾上腺素 2020 版"（20.2.2 或更晚）
- 英特尔 CPU 需要"英特尔酷睿和英特尔至强处理器的 OpenCL 运行时"（16.1.1 或更晚）
- NVIDIA GPU 需要"NVIDIA 驱动程序"（440.64 或更晚）和"CUDA 工具包"（9.0 或更晚）

输入基准测试，如果已经正确安装了显卡驱动，这里会有你的显卡信息出现，就说明可以用了。

```
$ hashcat -b
$ hashcat -I #查看可用设备
```

![](https://img-1259793745.itggg.cn/20201222211126.png)

&nbsp;

## 结语：祝您爆破好运！

Last modification：December 22nd, 2020 at 09:11 pm

如果你想请我喝奶茶的话

2 comments

龙某
6 Mouths Ago

结语：祝您迟早进狱

Reply
1. 爆胎
  5 Mouths Ago
  
  @龙某
  
  经验+15 金币+15
  
  Reply

Hashcat密码破解

爆胎 • 2020 年 10 月 21 日

# Hashcat是嘛玩意儿

&nbsp;

## 计算机环境准备

- 本地的环境为`win10`

- 需要把`airodump`抓到的 4 次握手文件转换为`hccap`的格式

- `txt`格式的**字典文件**

&nbsp;

## Hashcat和aircrack-ng的对比

使用`aricrack-ng`暴力破解8位数密码需要**50**个小时， 但是使用`Hashcat`只要**1个半小时**不到.

&nbsp;

## Hashcat的安装

### windows安装

[官网下载](https://hashcat.net/hashcat/)   下载二进制文件，然后进入目录，就可以直接用了。

![](https://img-1259793745.itggg.cn/20201222211123.png)

&nbsp;

### Linux安装

把`github`上面的源码`down`到本地，然后进入目录，编译安装，如果安装成功， 在命令行输入`hashcat`，即可看到帮助文档

```
$ git clone https://github.com/hashcat/hashcat.git
$ cd hashcat //进入目录
$ sudo make 
$ sudo make install //安装hashcat
```

![](https://img-1259793745.itggg.cn/20201222211124.png)

&nbsp;

## 使用参数

### **普通**

![](https://img-1259793745.itggg.cn/20201222211125.png)

&nbsp;

### **破解模式**

**在HashCat中`--attack-mode ?`参数可以可以指定破解模式**

- 0 Straight（字典破解）
- 1 Combination（组合破解）
- 3 Brute-force（掩码暴力破解）
- 6 Hybrid dict + mask（混合字典+掩码）
- 7 Hybrid mask + dict（混合掩码+字典）

&nbsp;

### **其他**

&nbsp;

### **哈希类型对应**

**在HashCat中`–hash-type ?`参数可以指定要破解的`HASH`类型**

&nbsp;

### 掩码设置

&nbsp;

### 掩码实例

**比如说我要设置自定义字符集1为小写+数字，那么就加上**

```
-- custom-charset1 ?l?d
```

**如果要设置自定义字符集2为abcd1234，那么就加上**

```
--custom-charset2 abcd1234
```

**如果要破解8位的小写+数字，那么需要设置自定义字符集1为**

```
--custom-charset1 ?l?d
```

**设置掩码为?1?1?1?1?1?1?1?1。 如果已知密码的第一位为数字，长度为8位，后几位为大写+小写，那么需要设置自定义字符集1为**

```
--custom-charset1 ?l?u
```

**设置掩码为?d?1?1?1?1?1?1?1**

&nbsp;

## 破解实例

### 破解WPA/PSK密码

先把`airodump`抓取的`cap`文件转化为`hccap`格式， 可以在线转换， 在线转换的地址：https://hashcat.net/cap2hccap/， 也可以用`aircrack-ng`转换

```
$ aircrack-ng <out.cap> -J <out.hccap>
```

**参数命令**

- 第一个参数： **-m 2500**为破解的模式为**WPA/PSK**方式 
- 第二个参数： **hccap**格式的文件是刚刚转化好的文件
- 第三个参数： **dics.txt**为字典文件 :

```
$ hashcat -m 2500 out.hccap.hccap  dics.txt
```

&nbsp;

### 纯数字密码

- ?d?d?d?d?d?d?d?d代表8为数字

```&nbsp;
$ hashcat -m 2500 -a 3 handshake.hccap ?d?d?d?d?d?d?d?d
```

&nbsp;

### 使用字典破解MD5

字典破解由于受到磁盘和内存速度的影响，速度无法达到`GPU`的最大运算速度，基本上一个`5GB`的字典，对于`MD5`破解来说`10`分钟内可以跑完

&nbsp;

### crunch生成字典破解

```
$ crunch 8 8  0123456789 -o dic.txt
```

&nbsp;

### 加载密码字典，破解单一MD5哈希

```
hashcat64.exe -m 0 -a 0 5ec822debe54b1935f78d9a6ab900a39 password.dict
```

&nbsp;

###  加载密码字典，破解多个MD5哈希

```
hashcat64.exe -m 0 -a 0 md5_list.txt password.dict
```

&nbsp;

### 已知明文密码为8位数字，利用掩码“?d?d?d?d?d?d?d?d”表示8个数字

```
hashcat64.exe -m 0 -a 3 3d9865a2843dcb59e7a6296c894732a4 ?d?d?d?d?d?d?d?d
```

&nbsp;

### 加载多个密码字典，只有“-a 0”模式支持多个密码字典

```
hashcat64.bin -m 0 -a 0 hash.txt dict1.txt dict2.txt dict3.txt
```

&nbsp;

### 其他常见爆破

**爆破 8 位数字的 MD5（2 秒）**

```
hashcat -a 3 -m 0 --force ed2b1f468c5f915f3f1cf75d7068baae "?d?d?d?d?d?d?d?d"
```

&nbsp;

**爆破 1-8 位数字的 MD5**

```
hashcat -a 3 -m 0 --force 4488cec2aea535179e085367d8a17d75 --increment --increment-min 1 --increment-max 8 "?d?d?d?d?d?d?d?d"
```

&nbsp;

**爆破 8 位小写字母的 MD5（11分钟）**

```
hashcat -a 3 -m 0 --force 80d41e1777e11df88fa2a02508112a6c "?l?l?l?l?l?l?l?l"
```

&nbsp;

**利用字典爆破**

```
hashcat -a 0 ede900ac1424436b55dc3c9f20cb97a8 password.txt -o result.txt
```

&nbsp;

**批量爆破 hash.txt**

```
hashcat -a 0 hash.txt password.txt -o result.txt
```

&nbsp;

**字典 + 字典组合**

```
hashcat -a 1 25f9e794323b453885f5181f1b624d0b pwd1.txt pwd2.txt
```

&nbsp;

**字典 + 掩码组合**

```
hashcat -a 6 9dc9d5ed5031367d42543763423c24ee password.txt "?l?l?l?l?l"
```

&nbsp;

**爆破 mysql 密码(6 秒)**

```
select host,user,authentication_string from mysql.user;
hashcat -a 0 -m 300 --force 81F5E21E35407D884A6CD4A731AEBFB6AF209E1B ~/pwd
```

&nbsp;

**爆破 mssql 密码**

```
hashcat -a 3 -m 132 --force 0x01008c8006c224f71f6bf0036f78d863c3c4ff53f8c3c48edafb "?l?l?l?l?l?d?d?d"
```

&nbsp;

**爆破 Windows 密码**

```
NT-hash:
hashcat -a 3 -m 1000 209C6174DA490CAEB422F3FA5A7AE634 "?l?l?l?l?l"
LM-hash:
hashcat -a 3 -m 3000 --force F0D412BD764FFE81AAD3B435B51404EE "?l?l?l?l?l"
```

&nbsp;

**爆破 wordpress 密码具体加密脚本在./wp-includes/class-phpass.php的HashPassword函数**

```
hashcat -a 3 -m 400 --force "\$P\$BYEYcHEj3vDhV1lwGBv6rpxurKOEWY/" "?d?d?d?d?d?d"
```

&nbsp;

**爆破 discuz 密码（md5(md5($pass).$salt)）**

```
hashcat -a 3 -m 2611 --force 14e1b600b1fd579f47433b88e8d85291: "?d?d?d?d?d?d"
```

&nbsp;

**爆破 rar 密码(注意模式是 rar5 还是 RAR3-hp)**

```
rar2john 1.rar
hashcat -a 3 -m 13000 --force "\$rar5\$16\$639e9ce8344c680da12e8bdd4346a6a3\$15\$a2b056a21a9836d8d48c2844d171b73d\$8\$04a52d2224ad082e" "?d?d?d?d?d?d"
```

&nbsp;

**爆破 zip 密码**

```
zip2john.exe 1.zip
hashcat -a 3 -m 13600 "\$zip2\$*0*3*0*554bb43ff71cb0cac76326f292119dfd*ff23*5*24b28885ee*d4fe362bb1e91319ab53*\$/zip2\$" --force "?d?d?d?d?d?d"
```

&nbsp;

**爆破 office 密码**

&nbsp;

**查看已经破解的密码**

- hashcat hash --show

&nbsp;

## GPU使用

**GPU 驱动程序要求**

输入基准测试，如果已经正确安装了显卡驱动，这里会有你的显卡信息出现，就说明可以用了。

```
$ hashcat -b
$ hashcat -I #查看可用设备
```

![](https://img-1259793745.itggg.cn/20201222211126.png)

&nbsp;

## 结语：祝您爆破好运！

Hashcat密码破解

Leave a Comment Cancel reply

2 comments

为你的博客添加一个萌萌哒的看板娘吧

氛围音乐

在回忆里，我们永远是恋人

记一次站点被DDOS攻击

OneManager搭建网盘详细过程

水冰月九连拍

Ettercap 0.8.3 GUI 使用指南

Windows最强终端 Terminal安装和美化

多元世界-1

Hashcat密码破解

Hashcat密码破解