hashcat密碼破解工具基礎使用

前言#

hashcat是一款暴力破解、密碼恢復工具，被稱為 “世界上最快、最先進的密碼恢復實用程序”，Hashcat 可與John the Ripper一較高下。它是破解哈希的首選滲透測試工具，並且 hashcat 支持多種猜測密碼的蠻力攻擊，包括字典和掩碼攻擊。

以前在測試的中，遇到的大部分是 MD5 的 hash 值，一般通過線上的 MD5 破解網站進行破解，比較常用的是somd5，chamd5，很少用密碼工具去破解 MD5 值，因為自己本身硬體速度跟不上，Hashcat 在現代 GPU 上運行最好，如果利用想 AWS 服務去破解密碼，速度其實是非常快的，相對於破解一個密碼的成本來說，硬體的支付成本並不會太高。

語法介紹#

常用參數#

-a：指定攻擊模式。“-a 0” 字典攻擊，“-a 1” 組合攻擊；“-a 3” 掩碼攻擊。
-m：指定 hash 類型，如果不指定類型，則默認是 MD5，例如：-m 1000
-o：指定破解成功後的 hash 及對應的明文密碼的存在位置
--force：忽略破解過程中的警告信息
--show：顯示已經破解的 hash 及該 hash 所對應的明文
-r：使用自定義破解規則
--increment ：啟用增量破解模式，你可以利用此模式讓 hashcat 在指定的密碼長度範圍內執行破解過程
--increment-min 密碼最小長度，後面直接等於一個整數即可，配置 increment 模式一起使用
--increment-max 密碼最大長度，同上

OpenCL 設備類型#

| Device Type#

===+=============
1 | CPU
2 | GPU
3 | FPGA, DSP, Co-Processor

攻擊模式#

Attack Modes

輸出格式#

Outfile Formats

Hash ID 對照表

#	名稱	類別
900	MD4	Raw Hash
0	MD5	Raw Hash
100	SHA1	Raw Hash
1300	SHA2-224	Raw Hash
1400	SHA2-256	Raw Hash
10800	SHA2-384	Raw Hash
1700	SHA2-512	Raw Hash
17300	SHA3-224	Raw Hash
17400	SHA3-256	Raw Hash
17500	SHA3-384	Raw Hash
17600	SHA3-512	Raw Hash
6000	RIPEMD-160	Raw Hash
600	BLAKE2b-512	Raw Hash
11700	GOST R 34.11-2012 (Streebog) 256-bit, big-endian	Raw Hash
11800	GOST R 34.11-2012 (Streebog) 512-bit, big-endian	Raw Hash
6900	GOST R 34.11-94	Raw Hash
5100	Half MD5	Raw Hash
18700	Java Object hashCode()	Raw Hash
17700	Keccak-224	Raw Hash
17800	Keccak-256	Raw Hash
17900	Keccak-384	Raw Hash
18000	Keccak-512	Raw Hash
21400	sha256(sha256_bin($pass))	Raw Hash
6100	Whirlpool	Raw Hash
10100	SipHash	Raw Hash
21000	BitShares v0.x - sha512(sha512_bin(pass))	Raw Hash
10	md5($pass.$salt)	Raw Hash, Salted and/or Iterated
20	md5($salt.$pass)	Raw Hash, Salted and/or Iterated
3800	md5($salt.$pass.$salt)	Raw Hash, Salted and/or Iterated
3710	md5($salt.md5($pass))	Raw Hash, Salted and/or Iterated
4110	md5($salt.md5($pass.$salt))	Raw Hash, Salted and/or Iterated
4010	md5($salt.md5($salt.$pass))	Raw Hash, Salted and/or Iterated
21300	md5($salt.sha1($salt.$pass))	Raw Hash, Salted and/or Iterated
40	md5($salt.utf16le($pass))	Raw Hash, Salted and/or Iterated
2600	md5(md5($pass))	Raw Hash, Salted and/or Iterated
3910	md5(md5($pass).md5($salt))	Raw Hash, Salted and/or Iterated
4400	md5(sha1($pass))	Raw Hash, Salted and/or Iterated
20900	md5(sha1($pass).md5($pass).sha1($pass))	Raw Hash, Salted and/or Iterated
21200	md5(sha1($salt).md5($pass))	Raw Hash, Salted and/or Iterated
4300	md5(strtoupper(md5($pass)))	Raw Hash, Salted and/or Iterated
30	md5(utf16le($pass).$salt)	Raw Hash, Salted and/or Iterated
110	sha1($pass.$salt)	Raw Hash, Salted and/or Iterated
120	sha1($salt.$pass)	Raw Hash, Salted and/or Iterated
4900	sha1($salt.$pass.$salt)	Raw Hash, Salted and/or Iterated
4520	sha1($salt.sha1($pass))	Raw Hash, Salted and/or Iterated
140	sha1($salt.utf16le($pass))	Raw Hash, Salted and/or Iterated
19300	sha1($salt1.$pass.$salt2)	Raw Hash, Salted and/or Iterated
14400	sha1(CX)	Raw Hash, Salted and/or Iterated
4700	sha1(md5($pass))	Raw Hash, Salted and/or Iterated
4710	sha1(md5($pass).$salt)	Raw Hash, Salted and/or Iterated
21100	sha1(md5($pass.$salt))	Raw Hash, Salted and/or Iterated
18500	sha1(md5(md5($pass)))	Raw Hash, Salted and/or Iterated
4500	sha1(sha1($pass))	Raw Hash, Salted and/or Iterated
130	sha1(utf16le($pass).$salt)	Raw Hash, Salted and/or Iterated
1410	sha256($pass.$salt)	Raw Hash, Salted and/or Iterated
1420	sha256($salt.$pass)	Raw Hash, Salted and/or Iterated
22300	sha256($salt.$pass.$salt)	Raw Hash, Salted and/or Iterated
1440	sha256($salt.utf16le($pass))	Raw Hash, Salted and/or Iterated
20800	sha256(md5($pass))	Raw Hash, Salted and/or Iterated
20710	sha256(sha256($pass).$salt)	Raw Hash, Salted and/or Iterated
1430	sha256(utf16le($pass).$salt)	Raw Hash, Salted and/or Iterated
1710	sha512($pass.$salt)	Raw Hash, Salted and/or Iterated
1720	sha512($salt.$pass)	Raw Hash, Salted and/or Iterated
1740	sha512($salt.utf16le($pass))	Raw Hash, Salted and/or Iterated
1730	sha512(utf16le($pass).$salt)	Raw Hash, Salted and/or Iterated
19500	Ruby on Rails Restful-Authentication	Raw Hash, Salted and/or Iterated
50	HMAC-MD5 (key = $pass)	Raw Hash, Authenticated
60	HMAC-MD5 (key = $salt)	Raw Hash, Authenticated
150	HMAC-SHA1 (key = $pass)	Raw Hash, Authenticated
160	HMAC-SHA1 (key = $salt)	Raw Hash, Authenticated
1450	HMAC-SHA256 (key = $pass)	Raw Hash, Authenticated
1460	HMAC-SHA256 (key = $salt)	Raw Hash, Authenticated
1750	HMAC-SHA512 (key = $pass)	Raw Hash, Authenticated
1760	HMAC-SHA512 (key = $salt)	Raw Hash, Authenticated
11750	HMAC-Streebog-256 (key = $pass), big-endian	Raw Hash, Authenticated
11760	HMAC-Streebog-256 (key = $salt), big-endian	Raw Hash, Authenticated
11850	HMAC-Streebog-512 (key = $pass), big-endian	Raw Hash, Authenticated
11860	HMAC-Streebog-512 (key = $salt), big-endian	Raw Hash, Authenticated
11500	CRC32	Raw Checksum
14100	3DES (PT = $salt, key = $pass)	Raw Cipher, Known-Plaintext attack
14000	DES (PT = $salt, key = $pass)	Raw Cipher, Known-Plaintext attack
15400	ChaCha20	Raw Cipher, Known-Plaintext attack
14900	Skip32 (PT = $salt, key = $pass)	Raw Cipher, Known-Plaintext attack
11900	PBKDF2-HMAC-MD5	Generic KDF
12000	PBKDF2-HMAC-SHA1	Generic KDF
10900	PBKDF2-HMAC-SHA256	Generic KDF
12100	PBKDF2-HMAC-SHA512	Generic KDF
8900	scrypt	Generic KDF
400	phpass	Generic KDF
16900	Ansible Vault	Generic KDF
12001	Atlassian (PBKDF2-HMAC-SHA1)	Generic KDF
20200	Python passlib pbkdf2-sha512	Generic KDF
20300	Python passlib pbkdf2-sha256	Generic KDF
20400	Python passlib pbkdf2-sha1	Generic KDF
16100	TACACS+	Network Protocols
11400	SIP digest authentication (MD5)	Network Protocols
5300	IKE-PSK MD5	Network Protocols
5400	IKE-PSK SHA1	Network Protocols
2500	WPA-EAPOL-PBKDF2	Network Protocols
2501	WPA-EAPOL-PMK	Network Protocols
22000	WPA-PBKDF2-PMKID+EAPOL	Network Protocols
22001	WPA-PMK-PMKID+EAPOL	Network Protocols
16800	WPA-PMKID-PBKDF2	Network Protocols
16801	WPA-PMKID-PMK	Network Protocols
7300	IPMI2 RAKP HMAC-SHA1	Network Protocols
10200	CRAM-MD5	Network Protocols
4800	iSCSI CHAP authentication, MD5(CHAP)	Network Protocols
16500	JWT (JSON Web Token)	Network Protocols
22600	Telegram Desktop App Passcode (PBKDF2-HMAC-SHA1)	Network Protocols
22301	Telegram Mobile App Passcode (SHA256)	Network Protocols
7500	Kerberos 5, etype 23, AS-REQ Pre-Auth	Network Protocols
13100	Kerberos 5, etype 23, TGS-REP	Network Protocols
18200	Kerberos 5, etype 23, AS-REP	Network Protocols
19600	Kerberos 5, etype 17, TGS-REP	Network Protocols
19700	Kerberos 5, etype 18, TGS-REP	Network Protocols
19800	Kerberos 5, etype 17, Pre-Auth	Network Protocols
19900	Kerberos 5, etype 18, Pre-Auth	Network Protocols
5500	NetNTLMv1 / NetNTLMv1+ESS	Network Protocols
5600	NetNTLMv2	Network Protocols
23	Skype	Network Protocols
11100	PostgreSQL CRAM (MD5)	Network Protocols
11200	MySQL CRAM (SHA1)	Network Protocols
8500	RACF	Operating System
6300	AIX {smd5}	Operating System
6700	AIX {ssha1}	Operating System
6400	AIX {ssha256}	Operating System
6500	AIX {ssha512}	Operating System
3000	LM	Operating System
19000	QNX /etc/shadow (MD5)	Operating System
19100	QNX /etc/shadow (SHA256)	Operating System
19200	QNX /etc/shadow (SHA512)	Operating System
15300	DPAPI masterkey file v1	Operating System
15900	DPAPI masterkey file v2	Operating System
7200	GRUB 2	Operating System
12800	MS-AzureSync PBKDF2-HMAC-SHA256	Operating System
12400	BSDi Crypt, Extended DES	Operating System
1000	NTLM	Operating System
122	macOS v10.4, macOS v10.5, MacOS v10.6	Operating System
1722	macOS v10.7	Operating System
7100	macOS v10.8+ (PBKDF2-SHA512)	Operating System
9900	Radmin2	Operating System
5800	Samsung Android Password/PIN	Operating System
3200	bcrypt $2*$, Blowfish (Unix)	Operating System
500	md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)	Operating System
1500	descrypt, DES (Unix), Traditional DES	Operating System
7400	sha256crypt $5$, SHA256 (Unix)	Operating System
1800	sha512crypt $6$, SHA512 (Unix)	Operating System
13800	Windows Phone 8+ PIN/password	Operating System
2410	Cisco-ASA MD5	Operating System
9200	Cisco-IOS $8$ (PBKDF2-SHA256)	Operating System
9300	Cisco-IOS $9$ (scrypt)	Operating System
5700	Cisco-IOS type 4 (SHA256)	Operating System
2400	Cisco-PIX MD5	Operating System
8100	Citrix NetScaler (SHA1)	Operating System
22200	Citrix NetScaler (SHA512)	Operating System
1100	Domain Cached Credentials (DCC), MS Cache	Operating System
2100	Domain Cached Credentials 2 (DCC2), MS Cache 2	Operating System
7000	FortiGate (FortiOS)	Operating System
125	ArubaOS	Operating System
501	Juniper IVE	Operating System
22	Juniper NetScreen/SSG (ScreenOS)	Operating System
15100	Juniper/NetBSD sha1crypt	Operating System
131	MSSQL (2000)	Database Server
132	MSSQL (2005)	Database Server
1731	MSSQL (2012, 2014)	Database Server
12	PostgreSQL	Database Server
3100	Oracle H: Type (Oracle 7+)	Database Server
112	Oracle S: Type (Oracle 11+)	Database Server
12300	Oracle T: Type (Oracle 12+)	Database Server
7401	MySQL $A$ (sha256crypt)	Database Server
200	MySQL323	Database Server
300	MySQL4.1/MySQL5	Database Server
8000	Sybase ASE	Database Server**
1421	hMailServer	FTP, HTTP, SMTP, LDAP Server
8300	DNSSEC (NSEC3)	FTP, HTTP, SMTP, LDAP Server
16400	CRAM-MD5 Dovecot	FTP, HTTP, SMTP, LDAP Server
1411	SSHA-256(Base64), LDAP {SSHA256}	FTP, HTTP, SMTP, LDAP Server
1711	SSHA-512(Base64), LDAP {SSHA512}	FTP, HTTP, SMTP, LDAP Server
10901	RedHat 389-DS LDAP (PBKDF2-HMAC-SHA256)	FTP, HTTP, SMTP, LDAP Server
15000	FileZilla Server >= 0.9.55	FTP, HTTP, SMTP, LDAP Server
12600	ColdFusion 10+	FTP, HTTP, SMTP, LDAP Server
1600	Apache $apr1$ MD5, md5apr1, MD5 (APR)	FTP, HTTP, SMTP, LDAP Server
141	Episerver 6.x < .NET 4	FTP, HTTP, SMTP, LDAP Server
1441	Episerver 6.x >= .NET 4	FTP, HTTP, SMTP, LDAP Server
101	nsldap, SHA-1(Base64), Netscape LDAP SHA	FTP, HTTP, SMTP, LDAP Server
111	nsldaps, SSHA-1(Base64), Netscape LDAP SSHA	FTP, HTTP, SMTP, LDAP Server
7700	SAP CODVN B (BCODE)	Enterprise Application Software (EAS)
7701	SAP CODVN B (BCODE) from RFC_READ_TABLE	Enterprise Application Software (EAS)
7800	SAP CODVN F/G (PASSCODE)	Enterprise Application Software (EAS)
7801	SAP CODVN F/G (PASSCODE) from RFC_READ_TABLE	Enterprise Application Software (EAS)
10300	SAP CODVN H (PWDSALTEDHASH) iSSHA-1	Enterprise Application Software (EAS)
133	PeopleSoft	Enterprise Application Software (EAS)
13500	PeopleSoft PS_TOKEN	Enterprise Application Software (EAS)
21500	SolarWinds Orion	Enterprise Application Software (EAS)
8600	Lotus Notes/Domino 5	Enterprise Application Software (EAS)
8700	Lotus Notes/Domino 6	Enterprise Application Software (EAS)
9100	Lotus Notes/Domino 8	Enterprise Application Software (EAS)
20600	Oracle Transportation Management (SHA256)	Enterprise Application Software (EAS)
4711	Huawei sha1(md5($pass).$salt)	Enterprise Application Software (EAS)
20711	AuthMe sha256	Enterprise Application Software (EAS)
12200	eCryptfs	Full-Disk Encryption (FDE)
22400	AES Crypt (SHA256)	Full-Disk Encryption (FDE)
14600	LUKS	Full-Disk Encryption (FDE)
13711	VeraCrypt RIPEMD160 + XTS 512 bit	Full-Disk Encryption (FDE)
13712	VeraCrypt RIPEMD160 + XTS 1024 bit	Full-Disk Encryption (FDE)
13713	VeraCrypt RIPEMD160 + XTS 1536 bit	Full-Disk Encryption (FDE)
13741	VeraCrypt RIPEMD160 + XTS 512 bit + boot-mode	Full-Disk Encryption (FDE)
13742	VeraCrypt RIPEMD160 + XTS 1024 bit + boot-mode	Full-Disk Encryption (FDE)
13743	VeraCrypt RIPEMD160 + XTS 1536 bit + boot-mode	Full-Disk Encryption (FDE)
13751	VeraCrypt SHA256 + XTS 512 bit	Full-Disk Encryption (FDE)
13752	VeraCrypt SHA256 + XTS 1024 bit	Full-Disk Encryption (FDE)
13753	VeraCrypt SHA256 + XTS 1536 bit	Full-Disk Encryption (FDE)
13761	VeraCrypt SHA256 + XTS 512 bit + boot-mode	Full-Disk Encryption (FDE)
13762	VeraCrypt SHA256 + XTS 1024 bit + boot-mode	Full-Disk Encryption (FDE)
13763	VeraCrypt SHA256 + XTS 1536 bit + boot-mode	Full-Disk Encryption (FDE)
13721	VeraCrypt SHA512 + XTS 512 bit	Full-Disk Encryption (FDE)
13722	VeraCrypt SHA512 + XTS 1024 bit	Full-Disk Encryption (FDE)
13723	VeraCrypt SHA512 + XTS 1536 bit	Full-Disk Encryption (FDE)
13771	VeraCrypt Streebog-512 + XTS 512 bit	Full-Disk Encryption (FDE)
13772	VeraCrypt Streebog-512 + XTS 1024 bit	Full-Disk Encryption (FDE)
13773	VeraCrypt Streebog-512 + XTS 1536 bit	Full-Disk Encryption (FDE)
13731	VeraCrypt Whirlpool + XTS 512 bit	Full-Disk Encryption (FDE)
13732	VeraCrypt Whirlpool + XTS 1024 bit	Full-Disk Encryption (FDE)
13733	VeraCrypt Whirlpool + XTS 1536 bit	Full-Disk Encryption (FDE)
16700	FileVault 2	Full-Disk Encryption (FDE)
20011	DiskCryptor SHA512 + XTS 512 bit	Full-Disk Encryption (FDE)
20012	DiskCryptor SHA512 + XTS 1024 bit	Full-Disk Encryption (FDE)
20013	DiskCryptor SHA512 + XTS 1536 bit	Full-Disk Encryption (FDE)
22100	BitLocker	Full-Disk Encryption (FDE)
12900	Android FDE (Samsung DEK)	Full-Disk Encryption (FDE)
8800	Android FDE <= 4.3	Full-Disk Encryption (FDE)
18300	Apple File System (APFS)	Full-Disk Encryption (FDE)
6211	TrueCrypt RIPEMD160 + XTS 512 bit	Full-Disk Encryption (FDE)
6212	TrueCrypt RIPEMD160 + XTS 1024 bit	Full-Disk Encryption (FDE)
6213	TrueCrypt RIPEMD160 + XTS 1536 bit	Full-Disk Encryption (FDE)
6241	TrueCrypt RIPEMD160 + XTS 512 bit + boot-mode	Full-Disk Encryption (FDE)
6242	TrueCrypt RIPEMD160 + XTS 1024 bit + boot-mode	Full-Disk Encryption (FDE)
6243	TrueCrypt RIPEMD160 + XTS 1536 bit + boot-mode	Full-Disk Encryption (FDE)
6221	TrueCrypt SHA512 + XTS 512 bit	Full-Disk Encryption (FDE)
6222	TrueCrypt SHA512 + XTS 1024 bit	Full-Disk Encryption (FDE)
6223	TrueCrypt SHA512 + XTS 1536 bit	Full-Disk Encryption (FDE)
6231	TrueCrypt Whirlpool + XTS 512 bit	Full-Disk Encryption (FDE)
6232	TrueCrypt Whirlpool + XTS 1024 bit	Full-Disk Encryption (FDE)
6233	TrueCrypt Whirlpool + XTS 1536 bit	Full-Disk Encryption (FDE)
10400	PDF 1.1 - 1.3 (Acrobat 2 - 4)	Documents
10410	PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #1	Documents
10420	PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2	Documents
10500	PDF 1.4 - 1.6 (Acrobat 5 - 8)	Documents
10600	PDF 1.7 Level 3 (Acrobat 9)	Documents
10700	PDF 1.7 Level 8 (Acrobat 10 - 11)	Documents
9400	MS Office 2007	Documents
9500	MS Office 2010	Documents
9600	MS Office 2013	Documents
9700	MS Office <= 2003 $0/$1, MD5 + RC4	Documents
9710	MS Office <= 2003 $0/$1, MD5 + RC4, collider #1	Documents
9720	MS Office <= 2003 $0/$1, MD5 + RC4, collider #2	Documents
9800	MS Office <= 2003 $3/$4, SHA1 + RC4	Documents
9810	MS Office <= 2003 $3, SHA1 + RC4, collider #1	Documents
9820	MS Office <= 2003 $3, SHA1 + RC4, collider #2	Documents
18400	Open Document Format (ODF) 1.2 (SHA-256, AES)	Documents
18600	Open Document Format (ODF) 1.1 (SHA-1, Blowfish)	Documents
16200	Apple Secure Notes	Documents
15500	JKS Java Key Store Private Keys (SHA1)	Password Managers
6600	1Password, agilekeychain	Password Managers
8200	1Password, cloudkeychain	Password Managers
9000	Password Safe v2	Password Managers
5200	Password Safe v3	Password Managers
6800	LastPass + LastPass sniffed	Password Managers
13400	KeePass 1 (AES/Twofish) and KeePass 2 (AES)	Password Managers
11300	Bitcoin/Litecoin wallet.dat	Password Managers
16600	Electrum Wallet (Salt-Type 1-3)	Password Managers
21700	Electrum Wallet (Salt-Type 4)	Password Managers
21800	Electrum Wallet (Salt-Type 5)	Password Managers
12700	Blockchain, My Wallet	Password Managers
15200	Blockchain, My Wallet, V2	Password Managers
18800	Blockchain, My Wallet, Second Password (SHA256)	Password Managers
16300	Ethereum Pre-Sale Wallet, PBKDF2-HMAC-SHA256	Password Managers
15600	Ethereum Wallet, PBKDF2-HMAC-SHA256	Password Managers
15700	Ethereum Wallet, SCRYPT	Password Managers
22500	MultiBit Classic .key (MD5)	Password Managers
22700	MultiBit HD (scrypt)	Password Managers
11600	7-Zip	Archives
12500	RAR3-hp	Archives
13000	RAR5	Archives
17200	PKZIP (Compressed)	Archives
17220	PKZIP (Compressed Multi-File)	Archives
17225	PKZIP (Mixed Multi-File)	Archives
17230	PKZIP (Mixed Multi-File Checksum-Only)	Archives
17210	PKZIP (Uncompressed)	Archives
20500	PKZIP Master Key	Archives
20510	PKZIP Master Key (6 byte optimization)	Archives
14700	iTunes backup < 10.0	Archives
14800	iTunes backup >= 10.0	Archives
23001	SecureZIP AES-128	Archives
23002	SecureZIP AES-192	Archives
23003	SecureZIP AES-256	Archives
13600	WinZip	Archives
18900	Android Backup	Archives
13200	AxCrypt	Archives
13300	AxCrypt in-memory SHA1	Archives
8400	WBB3 (Woltlab Burning Board)	Forums, CMS, E-Commerce
2611	vBulletin < v3.8.5	Forums, CMS, E-Commerce
2711	vBulletin >= v3.8.5	Forums, CMS, E-Commerce
2612	PHPS	Forums, CMS, E-Commerce
121	SMF (Simple Machines Forum) > v1.1	Forums, CMS, E-Commerce
3711	MediaWiki B type	Forums, CMS, E-Commerce
4521	Redmine	Forums, CMS, E-Commerce
11	Joomla < 2.5.18	Forums, CMS, E-Commerce
13900	OpenCart	Forums, CMS, E-Commerce
11000	PrestaShop	Forums, CMS, E-Commerce
16000	Tripcode	Forums, CMS, E-Commerce
7900	Drupal7	Forums, CMS, E-Commerce
21	osCommerce, xt	Forums, CMS, E-Commerce
4522	PunBB	Forums, CMS, E-Commerce
2811	MyBB 1.2+, IPB2+ (Invision Power Board)	Forums, CMS, E-Commerce
18100	TOTP (HMAC-SHA1)	One-Time Passwords
2000	STDOUT	Plaintext
99999	Plaintext	Plaintext
21600	Web2py pbkdf2-sha512	Framework
10000	Django (PBKDF2-SHA256)	Framework
124	Django (SHA-1)	Framework

hash 示例可查看

掩碼設置#

l	abcdefghijklmnopqrstuvwxyz 小寫字符
u	ABCDEFGHIJKLMNOPQRSTUVWXYZ 大寫字符
d	0123456789 數字
h	0123456789abcdef 常用小寫字符 + 數字
H	0123456789ABCDEF 常用大寫字符 + 數字
s	`!"#$%&'()*+,-./:;<=>?@[\]^_`{`
a	?l?u?d?s 鍵盤上所有可見的字符
b	0x00 - 0xff 可能是用來匹配像空格這種密碼的

常見掩碼設置

八位數字密碼：?d?d?d?d?d?d?d?d  
八位未知密碼：?a?a?a?a?a?a?a?a  
前四位為大寫字母，後面四位為數字：?u?u?u?u?d?d?d?d  
前四位為數字或者是小寫字母，後四位為大寫字母或者數字：?h?h?h?h?H?H?H?H  
前三個字符未知，中間為admin，后三位未知：?a?a?aadmin?a?a?a  
6-8位數字密碼：--increment --increment-min 6 --increment-max 8 ?l?l?l?l?l?l?l?l  
6-8位數字+小寫字母密碼：--increment --increment-min 6 --increment-max 8 ?h?h?h?h?h?h?h?h

🍃 自定義字符集

如果想破解自定義字符集，假設你知道一個密碼有 abcdefg1234!@+$，這是就需要自定義字符集，自己設置需要破解的字符。

--custom-charset1 [chars]等價於 -1  
--custom-charset2 [chars]等價於 -2  
--custom-charset3 [chars]等價於 -3  
--custom-charset4 [chars]等價於 -4  
在掩碼中用?1、?2、?3、?4來表示。

示例如下：

--custom-charset1 abcd123456!@-+。然後我們就可以用"?1"去表示這個字符集了  
--custom-charset2 ?l?d，這裡和?2就等價於?h  
-1 ?d?l?u，?1就表示數字+小寫字母+大寫字母  
-3 abcdef -4 123456 那麼?3?3?3?3?4?4?4?4就表示為前四位可能是“abcdef”，後四位可能是“123456”

🍃 密碼破解規則

（1）利用收集的公開字典進行破解
（2）使用 1-8 位數字進行破解。
（3）使用 1-8 位小寫字母進行破解
（4）使用 1-8 位大寫字母進行破解
（5）使用 1-8 位混合大小寫 + 數字 + 特殊字符進行破解

基本案例#

攻擊模式	hash 類型	示例
Wordlist	P	hashcat -a 0 -m 400 example400.hash example.dict
Wordlist + Rules	MD5	hashcat -a 0 -m 0 example0.hash example.dict -r rules/best64.rule
Brute-Force	MD5	hashcat -a 3 -m 0 example0.hash ?a?a?a?a?a?a
Combinator	MD5	hashcat -a 1 -m 0 example0.hash example.dict example.dict

實際案例#

1、破解 7 位 MD5 值

$ hashcat -a 3 -m 0 --force 10e935b681dd5d9228d914ed31f86b79 ?d?d?d?d?d?d?d

hashcat%E6%96%87%E7%AB%A0%20870ae67c89824363af4d1d43bcfd3aef/Untitled.png

2、破解 7 為小寫字母

$ hashcat -a 3 -m 0 --force 1b1aee1f5339f686b32d9a255696f080 ?l?l?l?l?l?l?l

hashcat%E6%96%87%E7%AB%A0%20870ae67c89824363af4d1d43bcfd3aef/Untitled%201.png

3、破解 1-9 為數字

$hashcat -a 3 -m 0 --force a1b36807dc763d423f055b617a835521 --increment --increment-min 1 --increment-max 8 ?d?d?d?d?d?d?d?d

hashcat%E6%96%87%E7%AB%A0%20870ae67c89824363af4d1d43bcfd3aef/Untitled%202.png

4、破解特定字符集

$hashcat -a 3 -1 123456abcdf!@+- ca6d3ead08fa8e7eca93966b75f1c1b0 ?1?1?1?1?1

5、破解 1-8 為特定字符

$hashcat -a 3 -1 123456abcdf!@+- 9054fa315ce16f7f0955b4af06d1aa1b --increment --increment-min 1 --increment-max 8 ?1?1?1?1?1?1?1?1

6、破解 1-8 位數字 + 大小寫字母 + 課件的特殊符號

hashcat64.exe -a 3 -1 ?d?u?l?s d37fc9ee39dd45a7717e3e3e9415f65d --increment --increment-min 1 --increment-max 8 ?1?1?1?1?1?1?1?1  
或者：  
hashcat64.exe -a 3 d37fc9ee39dd45a7717e3e3e9415f65d --increment --increment-min 1 --increment-max 8 ?a?a?a?a?a?a?a?a

7、指定字典破解

-a 0是指定字典破解模式，-o是輸出結果到文件中  
hashcat64.exe -a 0 ede900ac1424436b55dc3c9f20cb97a8 password.txt -o result.txt

8、批量破解

hashcat64.exe -a 0 hash.txt password.txt -o result.txt

9、破解 Windows NT-hash，LM-hash

NT-hash  
$ hashcat -a 3 -m 1000 --force 1b1aee1f5339f686b32d9a255696f080 ?l?l?l?l?l?l?l  
  
LM-hash  
$ hashcat -a 3 -m 1000 --force 1b1aee1f5339f686b32d9a255696f080 ?l?l?l?l?l?l?l

10、破解 RAR 壓縮包密碼

先利用 rar2john 獲取 rar 文件的 hash 值：http://openwall.info/wiki/_media/john/johntheripper-v1.8.0.12-jumbo-1-bleeding-e6214ceab-2018-02-07-win-x64.7z

11、破解 ZIP 壓縮包密碼

通過 zip2john 獲取 zip 文件的 hash 值，利用 bindzip 壓縮的文件標識符為 pkzip2。

hashcat%E6%96%87%E7%AB%A0%20870ae67c89824363af4d1d43bcfd3aef/Untitled%203.png

破解 pkzip2 時，-m 指定為 17200。

.\hashcat.exe -a 3 -m 17200 '$pkzip2$1*2*2*0*161b*19ca*26bf01cc*0*6c*8*161b*26bf*9bc1*169c0f03f18f797477...此處省略...c3f52a18d0537dca26b0baeae8a*$/pkzip2$' --force ?d?d?d?d?d?d

hashcat%E6%96%87%E7%AB%A0%20870ae67c89824363af4d1d43bcfd3aef/Untitled%204.png

12、破解 word 加密文檔

wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/office2john.py
hashcat -a 0 -m 9500 --username -o crack.txt hash.txt /usr/share/wordlists/nmap.lst --force

13、破解 linux 下 /etc/shadow 文件的密碼

hashcat -a 3 -m 1800 --force '$6$H6LRx0yQ62gqLdg7$88r9sgiYtcMKELXTGvyFBPtZmTV.xw4CRamKwYjYIWxiXi3o9dKOlK.2yC3PM2JHRl/xfhXS2kleJmP63nSTJ/' ?l?l?l?l

hashcat%E6%96%87%E7%AB%A0%20870ae67c89824363af4d1d43bcfd3aef/Untitled%205.png

利用 openssl 生產 sha512 的密碼。

$ openssl passwd -6 -salt xyz kalia  
$6$xyz$xWzXcL6LjBo1RJjRewXJs9MT7cTutuSUuNX.mVI8jOuBxdeBh4lw170Gx1HpKphRIrQJ82qX/CzJe0F7Soc/l.

利用 hashcat 嘗試破解，採用增量破解，密碼為 kalia，無畏小寫字符，大概花了 40 分鐘，速度還是慢。

hashcat -a 3 -m 1800 --force '$6$xyz$xWzXcL6LjBo1RJjRewXJs9MT7cTutuSUuNX.mVI8jOuBxdeBh4lw170Gx1HpKphRIrQJ82qX/CzJe0F7Soc/l.' --increment --increment-min 4 --increment-max 6 ?l?l?l?l?l

14、字典 + 掩碼暴力破解

在字典前後再加上暴力的字符序列，比如在字典後面加上 3 為數字。

a -6 (Hybrid dict + mask)

15、掩碼 + 字典暴力破解

a -7 （Hybridmask + dict）

查看破解結果#

直接利用 hashcat 命令查看

hashcat hash --show

查看 profile 文件。

/home/kali/.hashcat/hashcat.potfile

hashcat%E6%96%87%E7%AB%A0%20870ae67c89824363af4d1d43bcfd3aef/Untitled%206.png

hashcat 圖形化#

項目地址：https://github.com/ctxis/crackerjack

🍃 啟動 python 的虛擬環境，報錯。

root@kali:~/crackerjack# python3 -m venv venv  
The virtual environment was not created successfully because ensurepip is not  
available.  On Debian/Ubuntu systems, you need to install the python3-venv  
package using the following command.  
  
    apt-get install python3-venv  
  
You may need to use sudo with that command.  After installing the python3-venv  
package, recreate your virtual environment.  
  
Failing command: ['/root/crackerjack/venv/bin/python3', '-Im', 'ensurepip', '--upgrade', '--default-pip']

🍃 安裝環境即可。

apt-get install python3-venv

🍃 建立環境。

root@kali:~/crackerjack# python3 -m venv venv  
root@kali:~/crackerjack# . venv/bin/activate

🍃 安裝依賴包。

pip --no-cache-dir install -r requirements.txt  
# 如果上述命令安裝失敗，可利用下面的命令一個個安裝  
pip install -i https://pypi.doubanio.com/simple/ --trusted-host http://pypi.doubanio.com/ Flask-crontab

flask db init  
flask db migrate  
flask db upgrade  
#######################  
export FLASK_ENV=development  
export FLASK_APP=app  
flask run

🍃 第二次啟動

root@kali:~/crackerjack# . venv/bin/activate  
flask run

訪問安裝界面

http://127.0.0.1:5000/install/

hashcat%E6%96%87%E7%AB%A0%20870ae67c89824363af4d1d43bcfd3aef/Untitled%207.png

hashcat%E6%96%87%E7%AB%A0%20870ae67c89824363af4d1d43bcfd3aef/Untitled%208.png

hashcat%E6%96%87%E7%AB%A0%20870ae67c89824363af4d1d43bcfd3aef/Untitled%209.png

hashcat%E6%96%87%E7%AB%A0%20870ae67c89824363af4d1d43bcfd3aef/Untitled%2010.png

hashcat%E6%96%87%E7%AB%A0%20870ae67c89824363af4d1d43bcfd3aef/Untitled%2011.png

hashcat%E6%96%87%E7%AB%A0%20870ae67c89824363af4d1d43bcfd3aef/Untitled%2012.png

hashcat%E6%96%87%E7%AB%A0%20870ae67c89824363af4d1d43bcfd3aef/Untitled%2013.png

hashcat%E6%96%87%E7%AB%A0%20870ae67c89824363af4d1d43bcfd3aef/Untitled%2014.png

hashcat%E6%96%87%E7%AB%A0%20870ae67c89824363af4d1d43bcfd3aef/Untitled%2015.png

hashcat%E6%96%87%E7%AB%A0%20870ae67c89824363af4d1d43bcfd3aef/Untitled%2016.png

hashcat%E6%96%87%E7%AB%A0%20870ae67c89824363af4d1d43bcfd3aef/Untitled%2017.png

hashcat%E6%96%87%E7%AB%A0%20870ae67c89824363af4d1d43bcfd3aef/Untitled%2019.png

參考：

https://tools.kali.org/password-attacks/hashcat

https://xz.aliyun.com/t/4008

https://www.freebuf.com/sectool/164507.html