Loading... # Hashcat是嘛玩意儿 `Hashcat`是当前最强大的开源密码恢复工具,你可以访问`Hashcat.net`网站来了解这款工具的详细情况。本质上,**Hashcat 3.0**是一款高级密码恢复工具,可以利用**CPU或GPU**资源来攻击**160多种**哈希类型的密码。 HashCat系列软件在硬件上支持使用`CPU`、`NVIDIA GPU`、`ATI GPU`来进行密码破解。在操作系统上支持`Windows`、`Linux`平台,并且需要安装官方指定版本的显卡驱动程序,如果驱动程序版本不对,可能导致程序无法运行。 `HashCat`主要分为三个版本:`Hashcat`、`oclHashcat-plus`、`oclHashcat-lite`。这三个版本的主要区别是:`HashCat`只支持`CPU`破解。`oclHashcat-plus`支持使用`GPU`破解多个`HASH`,并且支持的算法**高达77种**。`oclHashcat-lite`只支持使用`GPU`对单个`HASH`进行破解,支持的`HASH`种类仅有32种,但是对算法进行了优化,可以达到`GPU`破解的最高速度。如果只有单个密文进行破解的话,推荐使用`oclHashCat-lite`。 ## 计算机环境准备 - 本地的环境为`win10` - 需要把`airodump`抓到的 4 次握手文件转换为`hccap`的格式 - `txt`格式的**字典文件** ## Hashcat和aircrack-ng的对比 使用`aricrack-ng`暴力破解8位数密码需要**50**个小时, 但是使用`Hashcat`只要**1个半小时**不到. 即使使用普通的`CPU`或`GPU`,每秒也能够生成`1.35`亿个哈希值, 我这台电脑是`thinkpad`,破解8位数字需要随机组合**68719476736**个数字, 这个是千万级别的数字, 使用`Hashcat`破解只需要1小时40分钟, 平均一秒钟计算`1.4`个亿密码 ## Hashcat的安装 ### windows安装 [官网下载](https://hashcat.net/hashcat/) 下载二进制文件,然后进入目录,就可以直接用了。  ### Linux安装 把`github`上面的源码`down`到本地,然后进入目录,编译安装,如果安装成功, 在命令行输入`hashcat`,即可看到帮助文档 ``` $ git clone https://github.com/hashcat/hashcat.git $ cd hashcat //进入目录 $ sudo make $ sudo make install //安装hashcat ```  ## 使用参数 ### **普通** - -m, —hash-type=NUM 哈希类别,其NUM值参考其帮助信息下面的哈希类别值,其值为数字。如果不指定m值则默认指md5,例如-m 1800是sha512 Linux加密。 - -a, --attack-mode 攻击模式,如: -a 3 - -V, —version 版本信息 - -h, –help 帮助信息。 - –quiet 安静的模式, 抑制输出 - -b, –benchmark 测试计算机破解速度和显示硬件相关信息  ### **破解模式** **在HashCat中`--attack-mode ?`参数可以可以指定破解模式** - 0 Straight(字典破解) - 1 Combination(组合破解) - 3 Brute-force(掩码暴力破解) - 6 Hybrid dict + mask(混合字典+掩码) - 7 Hybrid mask + dict(混合掩码+字典) ### **其他** - –hex-salt salt 值是用十六进制给出的 - –hex-charset 设定字符集是十六进制给出 - –runtime=NUM 运行数秒(NUM值)后的中止会话 - –status 启用状态屏幕的自动更新 - –status-timer=NUM 状态屏幕更新秒值 - –status-automat 以机器可读的格式显示状态视图 - –session 后跟会话名称,主要用于中止任务后的恢复破解。 - --force 忽略警告 - -T 设置线程数 - -r 使用规则文件 - -1 自定义字符集 -1 0123asd ?1={0123asd} - -2 自定义字符集 -2 0123asd ?2={0123asd} - -3 自定义字符集 -3 0123asd ?3={0123asd} - -i 启用增量破解模式 - --increment-min 设置密码最小长度 - --increment-max 设置密码最大长度 ### **哈希类型对应** **在HashCat中`–hash-type ?`参数可以指定要破解的`HASH`类型** ``` 900 | MD4 | Raw Hash 0 | MD5 | Raw Hash 100 | SHA1 | Raw Hash 1300 | SHA2-224 | Raw Hash 1400 | SHA2-256 | Raw Hash 10800 | SHA2-384 | Raw Hash 1700 | SHA2-512 | Raw Hash 17300 | SHA3-224 | Raw Hash 17400 | SHA3-256 | Raw Hash 17500 | SHA3-384 | Raw Hash 17600 | SHA3-512 | Raw Hash 6000 | RIPEMD-160 | Raw Hash 600 | BLAKE2b-512 | Raw Hash 11700 | GOST R 34.11-2012 (Streebog) 256-bit, big-endian | Raw Hash 11800 | GOST R 34.11-2012 (Streebog) 512-bit, big-endian | Raw Hash 6900 | GOST R 34.11-94 | Raw Hash 5100 | Half MD5 | Raw Hash 18700 | Java Object hashCode() | Raw Hash 17700 | Keccak-224 | Raw Hash 17800 | Keccak-256 | Raw Hash 17900 | Keccak-384 | Raw Hash 18000 | Keccak-512 | Raw Hash 21400 | sha256(sha256_bin($pass)) | Raw Hash 6100 | Whirlpool | Raw Hash 10100 | SipHash | Raw Hash 21000 | BitShares v0.x - sha512(sha512_bin(pass)) | Raw Hash 10 | md5($pass.$salt) | Raw Hash, Salted and/or Iterated 20 | md5($salt.$pass) | Raw Hash, Salted and/or Iterated 3800 | md5($salt.$pass.$salt) | Raw Hash, Salted and/or Iterated 3710 | md5($salt.md5($pass)) | Raw Hash, Salted and/or Iterated 4110 | md5($salt.md5($pass.$salt)) | Raw Hash, Salted and/or Iterated 4010 | md5($salt.md5($salt.$pass)) | Raw Hash, Salted and/or Iterated 21300 | md5($salt.sha1($salt.$pass)) | Raw Hash, Salted and/or Iterated 40 | md5($salt.utf16le($pass)) | Raw Hash, Salted and/or Iterated 2600 | md5(md5($pass)) | Raw Hash, Salted and/or Iterated 3910 | md5(md5($pass).md5($salt)) | Raw Hash, Salted and/or Iterated 4400 | md5(sha1($pass)) | Raw Hash, Salted and/or Iterated 20900 | md5(sha1($pass).md5($pass).sha1($pass)) | Raw Hash, Salted and/or Iterated 21200 | md5(sha1($salt).md5($pass)) | Raw Hash, Salted and/or Iterated 4300 | md5(strtoupper(md5($pass))) | Raw Hash, Salted and/or Iterated 30 | md5(utf16le($pass).$salt) | Raw Hash, Salted and/or Iterated 110 | sha1($pass.$salt) | Raw Hash, Salted and/or Iterated 120 | sha1($salt.$pass) | Raw Hash, Salted and/or Iterated 4900 | sha1($salt.$pass.$salt) | Raw Hash, Salted and/or Iterated 4520 | sha1($salt.sha1($pass)) | Raw Hash, Salted and/or Iterated 140 | sha1($salt.utf16le($pass)) | Raw Hash, Salted and/or Iterated 19300 | sha1($salt1.$pass.$salt2) | Raw Hash, Salted and/or Iterated 14400 | sha1(CX) | Raw Hash, Salted and/or Iterated 4700 | sha1(md5($pass)) | Raw Hash, Salted and/or Iterated 4710 | sha1(md5($pass).$salt) | Raw Hash, Salted and/or Iterated 21100 | sha1(md5($pass.$salt)) | Raw Hash, Salted and/or Iterated 18500 | sha1(md5(md5($pass))) | Raw Hash, Salted and/or Iterated 4500 | sha1(sha1($pass)) | Raw Hash, Salted and/or Iterated 130 | sha1(utf16le($pass).$salt) | Raw Hash, Salted and/or Iterated 1410 | sha256($pass.$salt) | Raw Hash, Salted and/or Iterated 1420 | sha256($salt.$pass) | Raw Hash, Salted and/or Iterated 22300 | sha256($salt.$pass.$salt) | Raw Hash, Salted and/or Iterated 1440 | sha256($salt.utf16le($pass)) | Raw Hash, Salted and/or Iterated 20800 | sha256(md5($pass)) | Raw Hash, Salted and/or Iterated 20710 | sha256(sha256($pass).$salt) | Raw Hash, Salted and/or Iterated 1430 | sha256(utf16le($pass).$salt) | Raw Hash, Salted and/or Iterated 1710 | sha512($pass.$salt) | Raw Hash, Salted and/or Iterated 1720 | sha512($salt.$pass) | Raw Hash, Salted and/or Iterated 1740 | sha512($salt.utf16le($pass)) | Raw Hash, Salted and/or Iterated 1730 | sha512(utf16le($pass).$salt) | Raw Hash, Salted and/or Iterated 19500 | Ruby on Rails Restful-Authentication | Raw Hash, Salted and/or Iterated 50 | HMAC-MD5 (key = $pass) | Raw Hash, Authenticated 60 | HMAC-MD5 (key = $salt) | Raw Hash, Authenticated 150 | HMAC-SHA1 (key = $pass) | Raw Hash, Authenticated 160 | HMAC-SHA1 (key = $salt) | Raw Hash, Authenticated 1450 | HMAC-SHA256 (key = $pass) | Raw Hash, Authenticated 1460 | HMAC-SHA256 (key = $salt) | Raw Hash, Authenticated 1750 | HMAC-SHA512 (key = $pass) | Raw Hash, Authenticated 1760 | HMAC-SHA512 (key = $salt) | Raw Hash, Authenticated 11750 | HMAC-Streebog-256 (key = $pass), big-endian | Raw Hash, Authenticated 11760 | HMAC-Streebog-256 (key = $salt), big-endian | Raw Hash, Authenticated 11850 | HMAC-Streebog-512 (key = $pass), big-endian | Raw Hash, Authenticated 11860 | HMAC-Streebog-512 (key = $salt), big-endian | Raw Hash, Authenticated 11500 | CRC32 | Raw Checksum 14100 | 3DES (PT = $salt, key = $pass) | Raw Cipher, Known-Plaintext attack 14000 | DES (PT = $salt, key = $pass) | Raw Cipher, Known-Plaintext attack 15400 | ChaCha20 | Raw Cipher, Known-Plaintext attack 14900 | Skip32 (PT = $salt, key = $pass) | Raw Cipher, Known-Plaintext attack 11900 | PBKDF2-HMAC-MD5 | Generic KDF 12000 | PBKDF2-HMAC-SHA1 | Generic KDF 10900 | PBKDF2-HMAC-SHA256 | Generic KDF 12100 | PBKDF2-HMAC-SHA512 | Generic KDF 8900 | scrypt | Generic KDF 400 | phpass | Generic KDF 16900 | Ansible Vault | Generic KDF 12001 | Atlassian (PBKDF2-HMAC-SHA1) | Generic KDF 20200 | Python passlib pbkdf2-sha512 | Generic KDF 20300 | Python passlib pbkdf2-sha256 | Generic KDF 20400 | Python passlib pbkdf2-sha1 | Generic KDF 16100 | TACACS+ | Network Protocols 11400 | SIP digest authentication (MD5) | Network Protocols 5300 | IKE-PSK MD5 | Network Protocols 5400 | IKE-PSK SHA1 | Network Protocols 23200 | XMPP SCRAM PBKDF2-SHA1 | Network Protocols 2500 | WPA-EAPOL-PBKDF2 | Network Protocols 2501 | WPA-EAPOL-PMK | Network Protocols 22000 | WPA-PBKDF2-PMKID+EAPOL | Network Protocols 22001 | WPA-PMK-PMKID+EAPOL | Network Protocols 16800 | WPA-PMKID-PBKDF2 | Network Protocols 16801 | WPA-PMKID-PMK | Network Protocols 7300 | IPMI2 RAKP HMAC-SHA1 | Network Protocols 10200 | CRAM-MD5 | Network Protocols 4800 | iSCSI CHAP authentication, MD5(CHAP) | Network Protocols 16500 | JWT (JSON Web Token) | Network Protocols 22600 | Telegram Desktop App Passcode (PBKDF2-HMAC-SHA1) | Network Protocols 22301 | Telegram Mobile App Passcode (SHA256) | Network Protocols 7500 | Kerberos 5, etype 23, AS-REQ Pre-Auth | Network Protocols 13100 | Kerberos 5, etype 23, TGS-REP | Network Protocols 18200 | Kerberos 5, etype 23, AS-REP | Network Protocols 19600 | Kerberos 5, etype 17, TGS-REP | Network Protocols 19700 | Kerberos 5, etype 18, TGS-REP | Network Protocols 19800 | Kerberos 5, etype 17, Pre-Auth | Network Protocols 19900 | Kerberos 5, etype 18, Pre-Auth | Network Protocols 5500 | NetNTLMv1 / NetNTLMv1+ESS | Network Protocols 5600 | NetNTLMv2 | Network Protocols 23 | Skype | Network Protocols 11100 | PostgreSQL CRAM (MD5) | Network Protocols 11200 | MySQL CRAM (SHA1) | Network Protocols 8500 | RACF | Operating System 6300 | AIX {smd5} | Operating System 6700 | AIX {ssha1} | Operating System 6400 | AIX {ssha256} | Operating System 6500 | AIX {ssha512} | Operating System 3000 | LM | Operating System 19000 | QNX /etc/shadow (MD5) | Operating System 19100 | QNX /etc/shadow (SHA256) | Operating System 19200 | QNX /etc/shadow (SHA512) | Operating System 15300 | DPAPI masterkey file v1 | Operating System 15900 | DPAPI masterkey file v2 | Operating System 7200 | GRUB 2 | Operating System 12800 | MS-AzureSync PBKDF2-HMAC-SHA256 | Operating System 12400 | BSDi Crypt, Extended DES | Operating System 1000 | NTLM | Operating System 122 | macOS v10.4, macOS v10.5, MacOS v10.6 | Operating System 1722 | macOS v10.7 | Operating System 7100 | macOS v10.8+ (PBKDF2-SHA512) | Operating System 9900 | Radmin2 | Operating System 5800 | Samsung Android Password/PIN | Operating System 3200 | bcrypt $2*$, Blowfish (Unix) | Operating System 500 | md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5) | Operating System 1500 | descrypt, DES (Unix), Traditional DES | Operating System 7400 | sha256crypt $5$, SHA256 (Unix) | Operating System 1800 | sha512crypt $6$, SHA512 (Unix) | Operating System 13800 | Windows Phone 8+ PIN/password | Operating System 2410 | Cisco-ASA MD5 | Operating System 9200 | Cisco-IOS $8$ (PBKDF2-SHA256) | Operating System 9300 | Cisco-IOS $9$ (scrypt) | Operating System 5700 | Cisco-IOS type 4 (SHA256) | Operating System 2400 | Cisco-PIX MD5 | Operating System 8100 | Citrix NetScaler (SHA1) | Operating System 22200 | Citrix NetScaler (SHA512) | Operating System 1100 | Domain Cached Credentials (DCC), MS Cache | Operating System 2100 | Domain Cached Credentials 2 (DCC2), MS Cache 2 | Operating System 7000 | FortiGate (FortiOS) | Operating System 125 | ArubaOS | Operating System 501 | Juniper IVE | Operating System 22 | Juniper NetScreen/SSG (ScreenOS) | Operating System 15100 | Juniper/NetBSD sha1crypt | Operating System 131 | MSSQL (2000) | Database Server 132 | MSSQL (2005) | Database Server 1731 | MSSQL (2012, 2014) | Database Server 12 | PostgreSQL | Database Server 3100 | Oracle H: Type (Oracle 7+) | Database Server 112 | Oracle S: Type (Oracle 11+) | Database Server 12300 | Oracle T: Type (Oracle 12+) | Database Server 7401 | MySQL $A$ (sha256crypt) | Database Server 200 | MySQL323 | Database Server 300 | MySQL4.1/MySQL5 | Database Server 8000 | Sybase ASE | Database Server 1421 | hMailServer | FTP, HTTP, SMTP, LDAP Server 8300 | DNSSEC (NSEC3) | FTP, HTTP, SMTP, LDAP Server 16400 | CRAM-MD5 Dovecot | FTP, HTTP, SMTP, LDAP Server 1411 | SSHA-256(Base64), LDAP {SSHA256} | FTP, HTTP, SMTP, LDAP Server 1711 | SSHA-512(Base64), LDAP {SSHA512} | FTP, HTTP, SMTP, LDAP Server 10901 | RedHat 389-DS LDAP (PBKDF2-HMAC-SHA256) | FTP, HTTP, SMTP, LDAP Server 15000 | FileZilla Server >= 0.9.55 | FTP, HTTP, SMTP, LDAP Server 12600 | ColdFusion 10+ | FTP, HTTP, SMTP, LDAP Server 1600 | Apache $apr1$ MD5, md5apr1, MD5 (APR) | FTP, HTTP, SMTP, LDAP Server 141 | Episerver 6.x < .NET 4 | FTP, HTTP, SMTP, LDAP Server 1441 | Episerver 6.x >= .NET 4 | FTP, HTTP, SMTP, LDAP Server 101 | nsldap, SHA-1(Base64), Netscape LDAP SHA | FTP, HTTP, SMTP, LDAP Server 111 | nsldaps, SSHA-1(Base64), Netscape LDAP SSHA | FTP, HTTP, SMTP, LDAP Server 7700 | SAP CODVN B (BCODE) | Enterprise Application Software (EAS) 7701 | SAP CODVN B (BCODE) from RFC_READ_TABLE | Enterprise Application Software (EAS) 7800 | SAP CODVN F/G (PASSCODE) | Enterprise Application Software (EAS) 7801 | SAP CODVN F/G (PASSCODE) from RFC_READ_TABLE | Enterprise Application Software (EAS) 10300 | SAP CODVN H (PWDSALTEDHASH) iSSHA-1 | Enterprise Application Software (EAS) 133 | PeopleSoft | Enterprise Application Software (EAS) 13500 | PeopleSoft PS_TOKEN | Enterprise Application Software (EAS) 21500 | SolarWinds Orion | Enterprise Application Software (EAS) 8600 | Lotus Notes/Domino 5 | Enterprise Application Software (EAS) 8700 | Lotus Notes/Domino 6 | Enterprise Application Software (EAS) 9100 | Lotus Notes/Domino 8 | Enterprise Application Software (EAS) 20600 | Oracle Transportation Management (SHA256) | Enterprise Application Software (EAS) 4711 | Huawei sha1(md5($pass).$salt) | Enterprise Application Software (EAS) 20711 | AuthMe sha256 | Enterprise Application Software (EAS) 12200 | eCryptfs | Full-Disk Encryption (FDE) 22400 | AES Crypt (SHA256) | Full-Disk Encryption (FDE) 14600 | LUKS | Full-Disk Encryption (FDE) 13711 | VeraCrypt RIPEMD160 + XTS 512 bit | Full-Disk Encryption (FDE) 13712 | VeraCrypt RIPEMD160 + XTS 1024 bit | Full-Disk Encryption (FDE) 13713 | VeraCrypt RIPEMD160 + XTS 1536 bit | Full-Disk Encryption (FDE) 13741 | VeraCrypt RIPEMD160 + XTS 512 bit + boot-mode | Full-Disk Encryption (FDE) 13742 | VeraCrypt RIPEMD160 + XTS 1024 bit + boot-mode | Full-Disk Encryption (FDE) 13743 | VeraCrypt RIPEMD160 + XTS 1536 bit + boot-mode | Full-Disk Encryption (FDE) 13751 | VeraCrypt SHA256 + XTS 512 bit | Full-Disk Encryption (FDE) 13752 | VeraCrypt SHA256 + XTS 1024 bit | Full-Disk Encryption (FDE) 13753 | VeraCrypt SHA256 + XTS 1536 bit | Full-Disk Encryption (FDE) 13761 | VeraCrypt SHA256 + XTS 512 bit + boot-mode | Full-Disk Encryption (FDE) 13762 | VeraCrypt SHA256 + XTS 1024 bit + boot-mode | Full-Disk Encryption (FDE) 13763 | VeraCrypt SHA256 + XTS 1536 bit + boot-mode | Full-Disk Encryption (FDE) 13721 | VeraCrypt SHA512 + XTS 512 bit | Full-Disk Encryption (FDE) 13722 | VeraCrypt SHA512 + XTS 1024 bit | Full-Disk Encryption (FDE) 13723 | VeraCrypt SHA512 + XTS 1536 bit | Full-Disk Encryption (FDE) 13771 | VeraCrypt Streebog-512 + XTS 512 bit | Full-Disk Encryption (FDE) 13772 | VeraCrypt Streebog-512 + XTS 1024 bit | Full-Disk Encryption (FDE) 13773 | VeraCrypt Streebog-512 + XTS 1536 bit | Full-Disk Encryption (FDE) 13731 | VeraCrypt Whirlpool + XTS 512 bit | Full-Disk Encryption (FDE) 13732 | VeraCrypt Whirlpool + XTS 1024 bit | Full-Disk Encryption (FDE) 13733 | VeraCrypt Whirlpool + XTS 1536 bit | Full-Disk Encryption (FDE) 16700 | FileVault 2 | Full-Disk Encryption (FDE) 20011 | DiskCryptor SHA512 + XTS 512 bit | Full-Disk Encryption (FDE) 20012 | DiskCryptor SHA512 + XTS 1024 bit | Full-Disk Encryption (FDE) 20013 | DiskCryptor SHA512 + XTS 1536 bit | Full-Disk Encryption (FDE) 22100 | BitLocker | Full-Disk Encryption (FDE) 12900 | Android FDE (Samsung DEK) | Full-Disk Encryption (FDE) 8800 | Android FDE <= 4.3 | Full-Disk Encryption (FDE) 18300 | Apple File System (APFS) | Full-Disk Encryption (FDE) 6211 | TrueCrypt RIPEMD160 + XTS 512 bit | Full-Disk Encryption (FDE) 6212 | TrueCrypt RIPEMD160 + XTS 1024 bit | Full-Disk Encryption (FDE) 6213 | TrueCrypt RIPEMD160 + XTS 1536 bit | Full-Disk Encryption (FDE) 6241 | TrueCrypt RIPEMD160 + XTS 512 bit + boot-mode | Full-Disk Encryption (FDE) 6242 | TrueCrypt RIPEMD160 + XTS 1024 bit + boot-mode | Full-Disk Encryption (FDE) 6243 | TrueCrypt RIPEMD160 + XTS 1536 bit + boot-mode | Full-Disk Encryption (FDE) 6221 | TrueCrypt SHA512 + XTS 512 bit | Full-Disk Encryption (FDE) 6222 | TrueCrypt SHA512 + XTS 1024 bit | Full-Disk Encryption (FDE) 6223 | TrueCrypt SHA512 + XTS 1536 bit | Full-Disk Encryption (FDE) 6231 | TrueCrypt Whirlpool + XTS 512 bit | Full-Disk Encryption (FDE) 6232 | TrueCrypt Whirlpool + XTS 1024 bit | Full-Disk Encryption (FDE) 6233 | TrueCrypt Whirlpool + XTS 1536 bit | Full-Disk Encryption (FDE) 10400 | PDF 1.1 - 1.3 (Acrobat 2 - 4) | Documents 10410 | PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #1 | Documents 10420 | PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2 | Documents 10500 | PDF 1.4 - 1.6 (Acrobat 5 - 8) | Documents 10600 | PDF 1.7 Level 3 (Acrobat 9) | Documents 10700 | PDF 1.7 Level 8 (Acrobat 10 - 11) | Documents 9400 | MS Office 2007 | Documents 9500 | MS Office 2010 | Documents 9600 | MS Office 2013 | Documents 9700 | MS Office <= 2003 $0/$1, MD5 + RC4 | Documents 9710 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #1 | Documents 9720 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #2 | Documents 9800 | MS Office <= 2003 $3/$4, SHA1 + RC4 | Documents 9810 | MS Office <= 2003 $3, SHA1 + RC4, collider #1 | Documents 9820 | MS Office <= 2003 $3, SHA1 + RC4, collider #2 | Documents 18400 | Open Document Format (ODF) 1.2 (SHA-256, AES) | Documents 18600 | Open Document Format (ODF) 1.1 (SHA-1, Blowfish) | Documents 16200 | Apple Secure Notes | Documents 15500 | JKS Java Key Store Private Keys (SHA1) | Password Managers 6600 | 1Password, agilekeychain | Password Managers 8200 | 1Password, cloudkeychain | Password Managers 9000 | Password Safe v2 | Password Managers 5200 | Password Safe v3 | Password Managers 6800 | LastPass + LastPass sniffed | Password Managers 13400 | KeePass 1 (AES/Twofish) and KeePass 2 (AES) | Password Managers 11300 | Bitcoin/Litecoin wallet.dat | Password Managers 16600 | Electrum Wallet (Salt-Type 1-3) | Password Managers 21700 | Electrum Wallet (Salt-Type 4) | Password Managers 21800 | Electrum Wallet (Salt-Type 5) | Password Managers 12700 | Blockchain, My Wallet | Password Managers 15200 | Blockchain, My Wallet, V2 | Password Managers 18800 | Blockchain, My Wallet, Second Password (SHA256) | Password Managers 23100 | Apple Keychain | Password Managers 16300 | Ethereum Pre-Sale Wallet, PBKDF2-HMAC-SHA256 | Password Managers 15600 | Ethereum Wallet, PBKDF2-HMAC-SHA256 | Password Managers 15700 | Ethereum Wallet, SCRYPT | Password Managers 22500 | MultiBit Classic .key (MD5) | Password Managers 22700 | MultiBit HD (scrypt) | Password Managers 11600 | 7-Zip | Archives 12500 | RAR3-hp | Archives 13000 | RAR5 | Archives 17200 | PKZIP (Compressed) | Archives 17220 | PKZIP (Compressed Multi-File) | Archives 17225 | PKZIP (Mixed Multi-File) | Archives 17230 | PKZIP (Mixed Multi-File Checksum-Only) | Archives 17210 | PKZIP (Uncompressed) | Archives 20500 | PKZIP Master Key | Archives 20510 | PKZIP Master Key (6 byte optimization) | Archives 14700 | iTunes backup < 10.0 | Archives 14800 | iTunes backup >= 10.0 | Archives 23001 | SecureZIP AES-128 | Archives 23002 | SecureZIP AES-192 | Archives 23003 | SecureZIP AES-256 | Archives 13600 | WinZip | Archives 18900 | Android Backup | Archives 13200 | AxCrypt | Archives 13300 | AxCrypt in-memory SHA1 | Archives 8400 | WBB3 (Woltlab Burning Board) | Forums, CMS, E-Commerce 2611 | vBulletin < v3.8.5 | Forums, CMS, E-Commerce 2711 | vBulletin >= v3.8.5 | Forums, CMS, E-Commerce 2612 | PHPS | Forums, CMS, E-Commerce 121 | SMF (Simple Machines Forum) > v1.1 | Forums, CMS, E-Commerce 3711 | MediaWiki B type | Forums, CMS, E-Commerce 4521 | Redmine | Forums, CMS, E-Commerce 11 | Joomla < 2.5.18 | Forums, CMS, E-Commerce 13900 | OpenCart | Forums, CMS, E-Commerce 11000 | PrestaShop | Forums, CMS, E-Commerce 16000 | Tripcode | Forums, CMS, E-Commerce 7900 | Drupal7 | Forums, CMS, E-Commerce 21 | osCommerce, xt:Commerce | Forums, CMS, E-Commerce 4522 | PunBB | Forums, CMS, E-Commerce 2811 | MyBB 1.2+, IPB2+ (Invision Power Board) | Forums, CMS, E-Commerce 18100 | TOTP (HMAC-SHA1) | One-Time Passwords 2000 | STDOUT | Plaintext 99999 | Plaintext | Plaintext 21600 | Web2py pbkdf2-sha512 | Framework 10000 | Django (PBKDF2-SHA256) | Framework 124 | Django (SHA-1) | Framework ``` ### 掩码设置 ``` l | abcdefghijklmnopqrstuvwxyz 纯小写字母 u | ABCDEFGHIJKLMNOPQRSTUVWXYZ 纯大写字母 d | 0123456789 纯数字 h | 0123456789abcdef 常见小写子目录和数字 H | 0123456789ABCDEF 常见大写字母和数字 s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ 特殊字符 a | ?l?u?d?s 键盘上所有可见的字符 b | 0x00 - 0xff 可能是用来匹配像空格这种密码的 ``` ### 掩码实例 **?l表示a-z,?u表示A-Z,?d表示0-9,?a表示键盘上所有的特殊字符,?s表示键盘上所有的可见字符,?h表示8bit 0xc0-0xff的十六进制,?D表示8bit的德语字符,?F表示8bit的法语字符,?R表示8bit的俄语字符** ``` 八位数字密码:?d?d?d?d?d?d?d?d 八位未知密码:?a?a?a?a?a?a?a?a 前四位为大写字母,后面四位为数字:?u?u?u?u?d?d?d?d 前四位为数字或者是小写字母,后四位为大写字母或者数字:?h?h?h?h?H?H?H?H 前三个字符未知,中间为admin,后三位未知:?a?a?aadmin?a?a?a 6-8位数字密码:--increment --increment-min 6 --increment-max 8 ?l?l?l?l?l?l?l?l 6-8位数字+小写字母密码:--increment --increment-min 6 --increment-max 8 ?h?h?h?h?h?h?h?h ``` **比如说我要设置自定义字符集1为小写+数字,那么就加上** ``` -- custom-charset1 ?l?d ``` **如果要设置自定义字符集2为abcd1234,那么就加上** ``` --custom-charset2 abcd1234 ``` **如果要破解8位的小写+数字,那么需要设置自定义字符集1为** ``` --custom-charset1 ?l?d ``` **设置掩码为?1?1?1?1?1?1?1?1。 如果已知密码的第一位为数字,长度为8位,后几位为大写+小写,那么需要设置自定义字符集1为** ``` --custom-charset1 ?l?u ``` **设置掩码为?d?1?1?1?1?1?1?1** ## 破解实例 ### 破解WPA/PSK密码 先把`airodump`抓取的`cap`文件转化为`hccap`格式, 可以在线转换, 在线转换的地址:https://hashcat.net/cap2hccap/, 也可以用`aircrack-ng`转换 ``` $ aircrack-ng <out.cap> -J <out.hccap> ``` **参数命令** - 第一个参数: **-m 2500**为破解的模式为**WPA/PSK**方式 - 第二个参数: **hccap**格式的文件是刚刚转化好的文件 - 第三个参数: **dics.txt**为字典文件 : ``` $ hashcat -m 2500 out.hccap.hccap dics.txt ``` ### 纯数字密码 - ?d?d?d?d?d?d?d?d代表8为数字 ``` $ hashcat -m 2500 -a 3 handshake.hccap ?d?d?d?d?d?d?d?d ``` ### 使用字典破解MD5 字典破解由于受到磁盘和内存速度的影响,速度无法达到`GPU`的最大运算速度,基本上一个`5GB`的字典,对于`MD5`破解来说`10`分钟内可以跑完 ``` 说明:oclHashcat-plus64.exe --hash-type 0 --attack-mode 0 {HASH文件} [字典1] [字典2] [字典3]… 比如:oclHashcat-plus64.exe --hash-type 0 --attack-mode 0 d:md5.txt d:dict1.txt d:dict2.txt ``` ### crunch生成字典破解 `crunch`生成字典, 生成`8`位纯数字的字典,使用以下命令, `8 8 `代表最小位数为`8`位, 第二个`8`代表最大位数也为`8`为, `0123456789`为字典中的数字 , `-o dic.txt`说明要把字典生成到`dic.txt`, 生成的纯数字字典有`900M` ``` $ crunch 8 8 0123456789 -o dic.txt ``` ### 加载密码字典,破解单一MD5哈希 ``` hashcat64.exe -m 0 -a 0 5ec822debe54b1935f78d9a6ab900a39 password.dict ``` ### 加载密码字典,破解多个MD5哈希 ``` hashcat64.exe -m 0 -a 0 md5_list.txt password.dict ``` ### 已知明文密码为8位数字,利用掩码“?d?d?d?d?d?d?d?d”表示8个数字 ``` hashcat64.exe -m 0 -a 3 3d9865a2843dcb59e7a6296c894732a4 ?d?d?d?d?d?d?d?d ``` ### 加载多个密码字典,只有“-a 0”模式支持多个密码字典 ``` hashcat64.bin -m 0 -a 0 hash.txt dict1.txt dict2.txt dict3.txt ``` ### 其他常见爆破 **爆破 8 位数字的 MD5(2 秒)** ``` hashcat -a 3 -m 0 --force ed2b1f468c5f915f3f1cf75d7068baae "?d?d?d?d?d?d?d?d" ``` **爆破 1-8 位数字的 MD5** ``` hashcat -a 3 -m 0 --force 4488cec2aea535179e085367d8a17d75 --increment --increment-min 1 --increment-max 8 "?d?d?d?d?d?d?d?d" ``` **爆破 8 位小写字母的 MD5(11分钟)** ``` hashcat -a 3 -m 0 --force 80d41e1777e11df88fa2a02508112a6c "?l?l?l?l?l?l?l?l" ``` **利用字典爆破** ``` hashcat -a 0 ede900ac1424436b55dc3c9f20cb97a8 password.txt -o result.txt ``` **批量爆破 hash.txt** ``` hashcat -a 0 hash.txt password.txt -o result.txt ``` **字典 + 字典组合** ``` hashcat -a 1 25f9e794323b453885f5181f1b624d0b pwd1.txt pwd2.txt ``` **字典 + 掩码组合** ``` hashcat -a 6 9dc9d5ed5031367d42543763423c24ee password.txt "?l?l?l?l?l" ``` **爆破 mysql 密码(6 秒)** ``` select host,user,authentication_string from mysql.user; hashcat -a 0 -m 300 --force 81F5E21E35407D884A6CD4A731AEBFB6AF209E1B ~/pwd ``` **爆破 mssql 密码** ``` hashcat -a 3 -m 132 --force 0x01008c8006c224f71f6bf0036f78d863c3c4ff53f8c3c48edafb "?l?l?l?l?l?d?d?d" ``` **爆破 Windows 密码** ``` NT-hash: hashcat -a 3 -m 1000 209C6174DA490CAEB422F3FA5A7AE634 "?l?l?l?l?l" LM-hash: hashcat -a 3 -m 3000 --force F0D412BD764FFE81AAD3B435B51404EE "?l?l?l?l?l" ``` **爆破 wordpress 密码具体加密脚本在./wp-includes/class-phpass.php的HashPassword函数** ``` hashcat -a 3 -m 400 --force "\$P\$BYEYcHEj3vDhV1lwGBv6rpxurKOEWY/" "?d?d?d?d?d?d" ``` **爆破 discuz 密码(md5(md5($pass).$salt))** ``` hashcat -a 3 -m 2611 --force 14e1b600b1fd579f47433b88e8d85291: "?d?d?d?d?d?d" ``` **爆破 rar 密码(注意模式是 rar5 还是 RAR3-hp)** ``` rar2john 1.rar hashcat -a 3 -m 13000 --force "\$rar5\$16\$639e9ce8344c680da12e8bdd4346a6a3\$15\$a2b056a21a9836d8d48c2844d171b73d\$8\$04a52d2224ad082e" "?d?d?d?d?d?d" ``` **爆破 zip 密码** ``` zip2john.exe 1.zip hashcat -a 3 -m 13600 "\$zip2\$*0*3*0*554bb43ff71cb0cac76326f292119dfd*ff23*5*24b28885ee*d4fe362bb1e91319ab53*\$/zip2\$" --force "?d?d?d?d?d?d" ``` **爆破 office 密码** ``` python /usr/share/john/office2john.py 11.docx hashcat -a 3 -m 9600 "\$office\$*2013*100000*256*16*e4a3eb62e8d3576f861f9eded75e0525*9eeb35f0849a7800d48113440b4bbb9c*577f8d8b2e1c5f60fed76e62327b38d28f25230f6c7dfd66588d9ca8097aabb9" --force "?d?d?d?d?d?d" ``` **查看已经破解的密码** - hashcat hash --show ## GPU使用 **GPU 驱动程序要求** - Linux 上的 AMD GPU 需要"RadeonOpenCompute (ROCm)"软件平台(3.1 或更晚) - Windows 上的 AMD GPU 需要"AMD Radeon 肾上腺素 2020 版"(20.2.2 或更晚) - 英特尔 CPU 需要"英特尔酷睿和英特尔至强处理器的 OpenCL 运行时"(16.1.1 或更晚) - NVIDIA GPU 需要"NVIDIA 驱动程序"(440.64 或更晚)和"CUDA 工具包"(9.0 或更晚) 输入基准测试,如果已经正确安装了显卡驱动,这里会有你的显卡信息出现,就说明可以用了。 ``` $ hashcat -b $ hashcat -I #查看可用设备 ```  ## 结语:祝您爆破好运! Last modification:December 22nd, 2020 at 09:11 pm © 禁止转载 Support 如果你想请我喝奶茶的话 ×Close Appreciate the author Sweeping payments Pay by AliPay Pay by WeChat
结语:祝您迟早进
狱
经验+15 金币+15