hashcat密码破解工具基础使用

前言#

hashcat是一款暴力破解、密码恢复工具，被称为 “世界上最快、最先进的密码恢复实用程序”，Hashcat 可与John the Ripper一较高下。它是破解哈希的首选渗透测试工具，并且 hashcat 支持多种猜测密码的蛮力攻击，包括字典和掩码攻击。

以前在测试的中，遇到的大部分是 MD5 的 hash 值，一般通过在线的 MD5 破解网站进行破解，比较常用的是somd5，chamd5，很少用密码工具去破解 MD5 值，因为自己本身硬件速度跟不上，Hashcat 在现代 GPU 上运行最好，如果利用想 AWS 服务去破解密码，速度其实是非常快的，相对于破解一个密码的成本来说，硬件的支付成本并不会太高。

语法介绍#

常用参数#

-a：指定攻击模式。“-a 0” 字典攻击，“-a 1” 组合攻击；“-a 3” 掩码攻击。
-m：指定 hash 类型，如果不指定类型，则默认是 MD5，例如：-m 1000
-o：指定破解成功后的 hash 及对应的明文密码的存在位置
--force：忽略破解过程中的警告信息
--show：显示已经破解的 hash 及该 hash 所对应的明文
-r：使用自定义破解规则
--increment ：启用增量破解模式，你可以利用此模式让 hashcat 在指定的密码长度范围内执行破解过程
--increment-min 密码最小长度，后面直接等于一个整数即可，配置 increment 模式一起使用
--increment-max 密码最大长度，同上

OpenCL 设备类型#

| Device Type#

===+=============
1 | CPU
2 | GPU
3 | FPGA, DSP, Co-Processor

攻击模式#

Attack Modes

输出格式#

Outfile Formats

Hash ID 对照表

#	名称	类别
900	MD4	Raw Hash
0	MD5	Raw Hash
100	SHA1	Raw Hash
1300	SHA2-224	Raw Hash
1400	SHA2-256	Raw Hash
10800	SHA2-384	Raw Hash
1700	SHA2-512	Raw Hash
17300	SHA3-224	Raw Hash
17400	SHA3-256	Raw Hash
17500	SHA3-384	Raw Hash
17600	SHA3-512	Raw Hash
6000	RIPEMD-160	Raw Hash
600	BLAKE2b-512	Raw Hash
11700	GOST R 34.11-2012 (Streebog) 256-bit, big-endian	Raw Hash
11800	GOST R 34.11-2012 (Streebog) 512-bit, big-endian	Raw Hash
6900	GOST R 34.11-94	Raw Hash
5100	Half MD5	Raw Hash
18700	Java Object hashCode()	Raw Hash
17700	Keccak-224	Raw Hash
17800	Keccak-256	Raw Hash
17900	Keccak-384	Raw Hash
18000	Keccak-512	Raw Hash
21400	sha256(sha256_bin($pass))	Raw Hash
6100	Whirlpool	Raw Hash
10100	SipHash	Raw Hash
21000	BitShares v0.x - sha512(sha512_bin(pass))	Raw Hash
10	md5($pass.$salt)	Raw Hash, Salted and/or Iterated
20	md5($salt.$pass)	Raw Hash, Salted and/or Iterated
3800	md5($salt.$pass.$salt)	Raw Hash, Salted and/or Iterated
3710	md5($salt.md5($pass))	Raw Hash, Salted and/or Iterated
4110	md5($salt.md5($pass.$salt))	Raw Hash, Salted and/or Iterated
4010	md5($salt.md5($salt.$pass))	Raw Hash, Salted and/or Iterated
21300	md5($salt.sha1($salt.$pass))	Raw Hash, Salted and/or Iterated
40	md5($salt.utf16le($pass))	Raw Hash, Salted and/or Iterated
2600	md5(md5($pass))	Raw Hash, Salted and/or Iterated
3910	md5(md5($pass).md5($salt))	Raw Hash, Salted and/or Iterated
4400	md5(sha1($pass))	Raw Hash, Salted and/or Iterated
20900	md5(sha1($pass).md5($pass).sha1($pass))	Raw Hash, Salted and/or Iterated
21200	md5(sha1($salt).md5($pass))	Raw Hash, Salted and/or Iterated
4300	md5(strtoupper(md5($pass)))	Raw Hash, Salted and/or Iterated
30	md5(utf16le($pass).$salt)	Raw Hash, Salted and/or Iterated
110	sha1($pass.$salt)	Raw Hash, Salted and/or Iterated
120	sha1($salt.$pass)	Raw Hash, Salted and/or Iterated
4900	sha1($salt.$pass.$salt)	Raw Hash, Salted and/or Iterated
4520	sha1($salt.sha1($pass))	Raw Hash, Salted and/or Iterated
140	sha1($salt.utf16le($pass))	Raw Hash, Salted and/or Iterated
19300	sha1($salt1.$pass.$salt2)	Raw Hash, Salted and/or Iterated
14400	sha1(CX)	Raw Hash, Salted and/or Iterated
4700	sha1(md5($pass))	Raw Hash, Salted and/or Iterated
4710	sha1(md5($pass).$salt)	Raw Hash, Salted and/or Iterated
21100	sha1(md5($pass.$salt))	Raw Hash, Salted and/or Iterated
18500	sha1(md5(md5($pass)))	Raw Hash, Salted and/or Iterated
4500	sha1(sha1($pass))	Raw Hash, Salted and/or Iterated
130	sha1(utf16le($pass).$salt)	Raw Hash, Salted and/or Iterated
1410	sha256($pass.$salt)	Raw Hash, Salted and/or Iterated
1420	sha256($salt.$pass)	Raw Hash, Salted and/or Iterated
22300	sha256($salt.$pass.$salt)	Raw Hash, Salted and/or Iterated
1440	sha256($salt.utf16le($pass))	Raw Hash, Salted and/or Iterated
20800	sha256(md5($pass))	Raw Hash, Salted and/or Iterated
20710	sha256(sha256($pass).$salt)	Raw Hash, Salted and/or Iterated
1430	sha256(utf16le($pass).$salt)	Raw Hash, Salted and/or Iterated
1710	sha512($pass.$salt)	Raw Hash, Salted and/or Iterated
1720	sha512($salt.$pass)	Raw Hash, Salted and/or Iterated
1740	sha512($salt.utf16le($pass))	Raw Hash, Salted and/or Iterated
1730	sha512(utf16le($pass).$salt)	Raw Hash, Salted and/or Iterated
19500	Ruby on Rails Restful-Authentication	Raw Hash, Salted and/or Iterated
50	HMAC-MD5 (key = $pass)	Raw Hash, Authenticated
60	HMAC-MD5 (key = $salt)	Raw Hash, Authenticated
150	HMAC-SHA1 (key = $pass)	Raw Hash, Authenticated
160	HMAC-SHA1 (key = $salt)	Raw Hash, Authenticated
1450	HMAC-SHA256 (key = $pass)	Raw Hash, Authenticated
1460	HMAC-SHA256 (key = $salt)	Raw Hash, Authenticated
1750	HMAC-SHA512 (key = $pass)	Raw Hash, Authenticated
1760	HMAC-SHA512 (key = $salt)	Raw Hash, Authenticated
11750	HMAC-Streebog-256 (key = $pass), big-endian	Raw Hash, Authenticated
11760	HMAC-Streebog-256 (key = $salt), big-endian	Raw Hash, Authenticated
11850	HMAC-Streebog-512 (key = $pass), big-endian	Raw Hash, Authenticated
11860	HMAC-Streebog-512 (key = $salt), big-endian	Raw Hash, Authenticated
11500	CRC32	Raw Checksum
14100	3DES (PT = $salt, key = $pass)	Raw Cipher, Known-Plaintext attack
14000	DES (PT = $salt, key = $pass)	Raw Cipher, Known-Plaintext attack
15400	ChaCha20	Raw Cipher, Known-Plaintext attack
14900	Skip32 (PT = $salt, key = $pass)	Raw Cipher, Known-Plaintext attack
11900	PBKDF2-HMAC-MD5	Generic KDF
12000	PBKDF2-HMAC-SHA1	Generic KDF
10900	PBKDF2-HMAC-SHA256	Generic KDF
12100	PBKDF2-HMAC-SHA512	Generic KDF
8900	scrypt	Generic KDF
400	phpass	Generic KDF
16900	Ansible Vault	Generic KDF
12001	Atlassian (PBKDF2-HMAC-SHA1)	Generic KDF
20200	Python passlib pbkdf2-sha512	Generic KDF
20300	Python passlib pbkdf2-sha256	Generic KDF
20400	Python passlib pbkdf2-sha1	Generic KDF
16100	TACACS+	Network Protocols
11400	SIP digest authentication (MD5)	Network Protocols
5300	IKE-PSK MD5	Network Protocols
5400	IKE-PSK SHA1	Network Protocols
2500	WPA-EAPOL-PBKDF2	Network Protocols
2501	WPA-EAPOL-PMK	Network Protocols
22000	WPA-PBKDF2-PMKID+EAPOL	Network Protocols
22001	WPA-PMK-PMKID+EAPOL	Network Protocols
16800	WPA-PMKID-PBKDF2	Network Protocols
16801	WPA-PMKID-PMK	Network Protocols
7300	IPMI2 RAKP HMAC-SHA1	Network Protocols
10200	CRAM-MD5	Network Protocols
4800	iSCSI CHAP authentication, MD5(CHAP)	Network Protocols
16500	JWT (JSON Web Token)	Network Protocols
22600	Telegram Desktop App Passcode (PBKDF2-HMAC-SHA1)	Network Protocols
22301	Telegram Mobile App Passcode (SHA256)	Network Protocols
7500	Kerberos 5, etype 23, AS-REQ Pre-Auth	Network Protocols
13100	Kerberos 5, etype 23, TGS-REP	Network Protocols
18200	Kerberos 5, etype 23, AS-REP	Network Protocols
19600	Kerberos 5, etype 17, TGS-REP	Network Protocols
19700	Kerberos 5, etype 18, TGS-REP	Network Protocols
19800	Kerberos 5, etype 17, Pre-Auth	Network Protocols
19900	Kerberos 5, etype 18, Pre-Auth	Network Protocols
5500	NetNTLMv1 / NetNTLMv1+ESS	Network Protocols
5600	NetNTLMv2	Network Protocols
23	Skype	Network Protocols
11100	PostgreSQL CRAM (MD5)	Network Protocols
11200	MySQL CRAM (SHA1)	Network Protocols
8500	RACF	Operating System
6300	AIX {smd5}	Operating System
6700	AIX {ssha1}	Operating System
6400	AIX {ssha256}	Operating System
6500	AIX {ssha512}	Operating System
3000	LM	Operating System
19000	QNX /etc/shadow (MD5)	Operating System
19100	QNX /etc/shadow (SHA256)	Operating System
19200	QNX /etc/shadow (SHA512)	Operating System
15300	DPAPI masterkey file v1	Operating System
15900	DPAPI masterkey file v2	Operating System
7200	GRUB 2	Operating System
12800	MS-AzureSync PBKDF2-HMAC-SHA256	Operating System
12400	BSDi Crypt, Extended DES	Operating System
1000	NTLM	Operating System
122	macOS v10.4, macOS v10.5, MacOS v10.6	Operating System
1722	macOS v10.7	Operating System
7100	macOS v10.8+ (PBKDF2-SHA512)	Operating System
9900	Radmin2	Operating System
5800	Samsung Android Password/PIN	Operating System
3200	bcrypt $2*$, Blowfish (Unix)	Operating System
500	md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)	Operating System
1500	descrypt, DES (Unix), Traditional DES	Operating System
7400	sha256crypt $5$, SHA256 (Unix)	Operating System
1800	sha512crypt $6$, SHA512 (Unix)	Operating System
13800	Windows Phone 8+ PIN/password	Operating System
2410	Cisco-ASA MD5	Operating System
9200	Cisco-IOS $8$ (PBKDF2-SHA256)	Operating System
9300	Cisco-IOS $9$ (scrypt)	Operating System
5700	Cisco-IOS type 4 (SHA256)	Operating System
2400	Cisco-PIX MD5	Operating System
8100	Citrix NetScaler (SHA1)	Operating System
22200	Citrix NetScaler (SHA512)	Operating System
1100	Domain Cached Credentials (DCC), MS Cache	Operating System
2100	Domain Cached Credentials 2 (DCC2), MS Cache 2	Operating System
7000	FortiGate (FortiOS)	Operating System
125	ArubaOS	Operating System
501	Juniper IVE	Operating System
22	Juniper NetScreen/SSG (ScreenOS)	Operating System
15100	Juniper/NetBSD sha1crypt	Operating System
131	MSSQL (2000)	Database Server
132	MSSQL (2005)	Database Server
1731	MSSQL (2012, 2014)	Database Server
12	PostgreSQL	Database Server
3100	Oracle H: Type (Oracle 7+)	Database Server
112	Oracle S: Type (Oracle 11+)	Database Server
12300	Oracle T: Type (Oracle 12+)	Database Server
7401	MySQL $A$ (sha256crypt)	Database Server
200	MySQL323	Database Server
300	MySQL4.1/MySQL5	Database Server
8000	Sybase ASE	Database Server**
1421	hMailServer	FTP, HTTP, SMTP, LDAP Server
8300	DNSSEC (NSEC3)	FTP, HTTP, SMTP, LDAP Server
16400	CRAM-MD5 Dovecot	FTP, HTTP, SMTP, LDAP Server
1411	SSHA-256(Base64), LDAP {SSHA256}	FTP, HTTP, SMTP, LDAP Server
1711	SSHA-512(Base64), LDAP {SSHA512}	FTP, HTTP, SMTP, LDAP Server
10901	RedHat 389-DS LDAP (PBKDF2-HMAC-SHA256)	FTP, HTTP, SMTP, LDAP Server
15000	FileZilla Server >= 0.9.55	FTP, HTTP, SMTP, LDAP Server
12600	ColdFusion 10+	FTP, HTTP, SMTP, LDAP Server
1600	Apache $apr1$ MD5, md5apr1, MD5 (APR)	FTP, HTTP, SMTP, LDAP Server
141	Episerver 6.x < .NET 4	FTP, HTTP, SMTP, LDAP Server
1441	Episerver 6.x >= .NET 4	FTP, HTTP, SMTP, LDAP Server
101	nsldap, SHA-1(Base64), Netscape LDAP SHA	FTP, HTTP, SMTP, LDAP Server
111	nsldaps, SSHA-1(Base64), Netscape LDAP SSHA	FTP, HTTP, SMTP, LDAP Server
7700	SAP CODVN B (BCODE)	Enterprise Application Software (EAS)
7701	SAP CODVN B (BCODE) from RFC_READ_TABLE	Enterprise Application Software (EAS)
7800	SAP CODVN F/G (PASSCODE)	Enterprise Application Software (EAS)
7801	SAP CODVN F/G (PASSCODE) from RFC_READ_TABLE	Enterprise Application Software (EAS)
10300	SAP CODVN H (PWDSALTEDHASH) iSSHA-1	Enterprise Application Software (EAS)
133	PeopleSoft	Enterprise Application Software (EAS)
13500	PeopleSoft PS_TOKEN	Enterprise Application Software (EAS)
21500	SolarWinds Orion	Enterprise Application Software (EAS)
8600	Lotus Notes/Domino 5	Enterprise Application Software (EAS)
8700	Lotus Notes/Domino 6	Enterprise Application Software (EAS)
9100	Lotus Notes/Domino 8	Enterprise Application Software (EAS)
20600	Oracle Transportation Management (SHA256)	Enterprise Application Software (EAS)
4711	Huawei sha1(md5($pass).$salt)	Enterprise Application Software (EAS)
20711	AuthMe sha256	Enterprise Application Software (EAS)
12200	eCryptfs	Full-Disk Encryption (FDE)
22400	AES Crypt (SHA256)	Full-Disk Encryption (FDE)
14600	LUKS	Full-Disk Encryption (FDE)
13711	VeraCrypt RIPEMD160 + XTS 512 bit	Full-Disk Encryption (FDE)
13712	VeraCrypt RIPEMD160 + XTS 1024 bit	Full-Disk Encryption (FDE)
13713	VeraCrypt RIPEMD160 + XTS 1536 bit	Full-Disk Encryption (FDE)
13741	VeraCrypt RIPEMD160 + XTS 512 bit + boot-mode	Full-Disk Encryption (FDE)
13742	VeraCrypt RIPEMD160 + XTS 1024 bit + boot-mode	Full-Disk Encryption (FDE)
13743	VeraCrypt RIPEMD160 + XTS 1536 bit + boot-mode	Full-Disk Encryption (FDE)
13751	VeraCrypt SHA256 + XTS 512 bit	Full-Disk Encryption (FDE)
13752	VeraCrypt SHA256 + XTS 1024 bit	Full-Disk Encryption (FDE)
13753	VeraCrypt SHA256 + XTS 1536 bit	Full-Disk Encryption (FDE)
13761	VeraCrypt SHA256 + XTS 512 bit + boot-mode	Full-Disk Encryption (FDE)
13762	VeraCrypt SHA256 + XTS 1024 bit + boot-mode	Full-Disk Encryption (FDE)
13763	VeraCrypt SHA256 + XTS 1536 bit + boot-mode	Full-Disk Encryption (FDE)
13721	VeraCrypt SHA512 + XTS 512 bit	Full-Disk Encryption (FDE)
13722	VeraCrypt SHA512 + XTS 1024 bit	Full-Disk Encryption (FDE)
13723	VeraCrypt SHA512 + XTS 1536 bit	Full-Disk Encryption (FDE)
13771	VeraCrypt Streebog-512 + XTS 512 bit	Full-Disk Encryption (FDE)
13772	VeraCrypt Streebog-512 + XTS 1024 bit	Full-Disk Encryption (FDE)
13773	VeraCrypt Streebog-512 + XTS 1536 bit	Full-Disk Encryption (FDE)
13731	VeraCrypt Whirlpool + XTS 512 bit	Full-Disk Encryption (FDE)
13732	VeraCrypt Whirlpool + XTS 1024 bit	Full-Disk Encryption (FDE)
13733	VeraCrypt Whirlpool + XTS 1536 bit	Full-Disk Encryption (FDE)
16700	FileVault 2	Full-Disk Encryption (FDE)
20011	DiskCryptor SHA512 + XTS 512 bit	Full-Disk Encryption (FDE)
20012	DiskCryptor SHA512 + XTS 1024 bit	Full-Disk Encryption (FDE)
20013	DiskCryptor SHA512 + XTS 1536 bit	Full-Disk Encryption (FDE)
22100	BitLocker	Full-Disk Encryption (FDE)
12900	Android FDE (Samsung DEK)	Full-Disk Encryption (FDE)
8800	Android FDE <= 4.3	Full-Disk Encryption (FDE)
18300	Apple File System (APFS)	Full-Disk Encryption (FDE)
6211	TrueCrypt RIPEMD160 + XTS 512 bit	Full-Disk Encryption (FDE)
6212	TrueCrypt RIPEMD160 + XTS 1024 bit	Full-Disk Encryption (FDE)
6213	TrueCrypt RIPEMD160 + XTS 1536 bit	Full-Disk Encryption (FDE)
6241	TrueCrypt RIPEMD160 + XTS 512 bit + boot-mode	Full-Disk Encryption (FDE)
6242	TrueCrypt RIPEMD160 + XTS 1024 bit + boot-mode	Full-Disk Encryption (FDE)
6243	TrueCrypt RIPEMD160 + XTS 1536 bit + boot-mode	Full-Disk Encryption (FDE)
6221	TrueCrypt SHA512 + XTS 512 bit	Full-Disk Encryption (FDE)
6222	TrueCrypt SHA512 + XTS 1024 bit	Full-Disk Encryption (FDE)
6223	TrueCrypt SHA512 + XTS 1536 bit	Full-Disk Encryption (FDE)
6231	TrueCrypt Whirlpool + XTS 512 bit	Full-Disk Encryption (FDE)
6232	TrueCrypt Whirlpool + XTS 1024 bit	Full-Disk Encryption (FDE)
6233	TrueCrypt Whirlpool + XTS 1536 bit	Full-Disk Encryption (FDE)
10400	PDF 1.1 - 1.3 (Acrobat 2 - 4)	Documents
10410	PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #1	Documents
10420	PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2	Documents
10500	PDF 1.4 - 1.6 (Acrobat 5 - 8)	Documents
10600	PDF 1.7 Level 3 (Acrobat 9)	Documents
10700	PDF 1.7 Level 8 (Acrobat 10 - 11)	Documents
9400	MS Office 2007	Documents
9500	MS Office 2010	Documents
9600	MS Office 2013	Documents
9700	MS Office <= 2003 $0/$1, MD5 + RC4	Documents
9710	MS Office <= 2003 $0/$1, MD5 + RC4, collider #1	Documents
9720	MS Office <= 2003 $0/$1, MD5 + RC4, collider #2	Documents
9800	MS Office <= 2003 $3/$4, SHA1 + RC4	Documents
9810	MS Office <= 2003 $3, SHA1 + RC4, collider #1	Documents
9820	MS Office <= 2003 $3, SHA1 + RC4, collider #2	Documents
18400	Open Document Format (ODF) 1.2 (SHA-256, AES)	Documents
18600	Open Document Format (ODF) 1.1 (SHA-1, Blowfish)	Documents
16200	Apple Secure Notes	Documents
15500	JKS Java Key Store Private Keys (SHA1)	Password Managers
6600	1Password, agilekeychain	Password Managers
8200	1Password, cloudkeychain	Password Managers
9000	Password Safe v2	Password Managers
5200	Password Safe v3	Password Managers
6800	LastPass + LastPass sniffed	Password Managers
13400	KeePass 1 (AES/Twofish) and KeePass 2 (AES)	Password Managers
11300	Bitcoin/Litecoin wallet.dat	Password Managers
16600	Electrum Wallet (Salt-Type 1-3)	Password Managers
21700	Electrum Wallet (Salt-Type 4)	Password Managers
21800	Electrum Wallet (Salt-Type 5)	Password Managers
12700	Blockchain, My Wallet	Password Managers
15200	Blockchain, My Wallet, V2	Password Managers
18800	Blockchain, My Wallet, Second Password (SHA256)	Password Managers
16300	Ethereum Pre-Sale Wallet, PBKDF2-HMAC-SHA256	Password Managers
15600	Ethereum Wallet, PBKDF2-HMAC-SHA256	Password Managers
15700	Ethereum Wallet, SCRYPT	Password Managers
22500	MultiBit Classic .key (MD5)	Password Managers
22700	MultiBit HD (scrypt)	Password Managers
11600	7-Zip	Archives
12500	RAR3-hp	Archives
13000	RAR5	Archives
17200	PKZIP (Compressed)	Archives
17220	PKZIP (Compressed Multi-File)	Archives
17225	PKZIP (Mixed Multi-File)	Archives
17230	PKZIP (Mixed Multi-File Checksum-Only)	Archives
17210	PKZIP (Uncompressed)	Archives
20500	PKZIP Master Key	Archives
20510	PKZIP Master Key (6 byte optimization)	Archives
14700	iTunes backup < 10.0	Archives
14800	iTunes backup >= 10.0	Archives
23001	SecureZIP AES-128	Archives
23002	SecureZIP AES-192	Archives
23003	SecureZIP AES-256	Archives
13600	WinZip	Archives
18900	Android Backup	Archives
13200	AxCrypt	Archives
13300	AxCrypt in-memory SHA1	Archives
8400	WBB3 (Woltlab Burning Board)	Forums, CMS, E-Commerce
2611	vBulletin < v3.8.5	Forums, CMS, E-Commerce
2711	vBulletin >= v3.8.5	Forums, CMS, E-Commerce
2612	PHPS	Forums, CMS, E-Commerce
121	SMF (Simple Machines Forum) > v1.1	Forums, CMS, E-Commerce
3711	MediaWiki B type	Forums, CMS, E-Commerce
4521	Redmine	Forums, CMS, E-Commerce
11	Joomla < 2.5.18	Forums, CMS, E-Commerce
13900	OpenCart	Forums, CMS, E-Commerce
11000	PrestaShop	Forums, CMS, E-Commerce
16000	Tripcode	Forums, CMS, E-Commerce
7900	Drupal7	Forums, CMS, E-Commerce
21	osCommerce, xt	Forums, CMS, E-Commerce
4522	PunBB	Forums, CMS, E-Commerce
2811	MyBB 1.2+, IPB2+ (Invision Power Board)	Forums, CMS, E-Commerce
18100	TOTP (HMAC-SHA1)	One-Time Passwords
2000	STDOUT	Plaintext
99999	Plaintext	Plaintext
21600	Web2py pbkdf2-sha512	Framework
10000	Django (PBKDF2-SHA256)	Framework
124	Django (SHA-1)	Framework

hash 示例可查看

掩码设置#

l	abcdefghijklmnopqrstuvwxyz 小写字符
u	ABCDEFGHIJKLMNOPQRSTUVWXYZ 大写字符
d	0123456789 数字
h	0123456789abcdef 常用小写字符 + 数字
H	0123456789ABCDEF 常用大写字符 + 数字
s	`!"#$%&'()*+,-./:;<=>?@[\]^_`{`
a	?l?u?d?s 键盘上所有可见的字符
b	0x00 - 0xff 可能是用来匹配像空格这种密码的

常见掩码设置

八位数字密码：?d?d?d?d?d?d?d?d  
八位未知密码：?a?a?a?a?a?a?a?a  
前四位为大写字母，后面四位为数字：?u?u?u?u?d?d?d?d  
前四位为数字或者是小写字母，后四位为大写字母或者数字：?h?h?h?h?H?H?H?H  
前三个字符未知，中间为admin，后三位未知：?a?a?aadmin?a?a?a  
6-8位数字密码：--increment --increment-min 6 --increment-max 8 ?l?l?l?l?l?l?l?l  
6-8位数字+小写字母密码：--increment --increment-min 6 --increment-max 8 ?h?h?h?h?h?h?h?h

🍃 自定义字符集

如果想破解自定义字符集，假设你知道一个密码有 abcdefg1234!@+$，这是就需要自定义字符集，自己设置需要破解的字符。

--custom-charset1 [chars]等价于 -1  
--custom-charset2 [chars]等价于 -2  
--custom-charset3 [chars]等价于 -3  
--custom-charset4 [chars]等价于 -4  
在掩码中用?1、?2、?3、?4来表示。

示例如下：

--custom-charset1 abcd123456!@-+。然后我们就可以用"?1"去表示这个字符集了  
--custom-charset2 ?l?d，这里和?2就等价于?h  
-1 ?d?l?u，?1就表示数字+小写字母+大写字母  
-3 abcdef -4 123456 那么?3?3?3?3?4?4?4?4就表示为前四位可能是“abcdef”，后四位可能是“123456”

🍃 密码破解规则

（1）利用收集的公开字典进行破解
（2）使用 1-8 位数字进行破解。
（3）使用 1-8 位小写字母进行破解
（4）使用 1-8 位大写字母进行破解
（5）使用 1-8 位混合大小写 + 数字 + 特殊字符进行破解

基本案例#

攻击模式	hash 类型	示例
Wordlist	P	hashcat -a 0 -m 400 example400.hash example.dict
Wordlist + Rules	MD5	hashcat -a 0 -m 0 example0.hash example.dict -r rules/best64.rule
Brute-Force	MD5	hashcat -a 3 -m 0 example0.hash ?a?a?a?a?a?a
Combinator	MD5	hashcat -a 1 -m 0 example0.hash example.dict example.dict

实际案例#

1、破解 7 位 MD5 值

$ hashcat -a 3 -m 0 --force 10e935b681dd5d9228d914ed31f86b79 ?d?d?d?d?d?d?d

hashcat%E6%96%87%E7%AB%A0%20870ae67c89824363af4d1d43bcfd3aef/Untitled.png

2、破解 7 为小写字母

$ hashcat -a 3 -m 0 --force 1b1aee1f5339f686b32d9a255696f080 ?l?l?l?l?l?l?l

hashcat%E6%96%87%E7%AB%A0%20870ae67c89824363af4d1d43bcfd3aef/Untitled%201.png

3、破解 1-9 为数字

$hashcat -a 3 -m 0 --force a1b36807dc763d423f055b617a835521 --increment --increment-min 1 --increment-max 8 ?d?d?d?d?d?d?d?d

hashcat%E6%96%87%E7%AB%A0%20870ae67c89824363af4d1d43bcfd3aef/Untitled%202.png

4、破解特定字符集

$hashcat -a 3 -1 123456abcdf!@+- ca6d3ead08fa8e7eca93966b75f1c1b0 ?1?1?1?1?1

5、破解 1-8 为特定字符

$hashcat -a 3 -1 123456abcdf!@+- 9054fa315ce16f7f0955b4af06d1aa1b --increment --increment-min 1 --increment-max 8 ?1?1?1?1?1?1?1?1

6、破解 1-8 位数字 + 大小写字母 + 课件的特殊符号

hashcat64.exe -a 3 -1 ?d?u?l?s d37fc9ee39dd45a7717e3e3e9415f65d --increment --increment-min 1 --increment-max 8 ?1?1?1?1?1?1?1?1  
或者：  
hashcat64.exe -a 3 d37fc9ee39dd45a7717e3e3e9415f65d --increment --increment-min 1 --increment-max 8 ?a?a?a?a?a?a?a?a

7、指定字典破解

-a 0是指定字典破解模式，-o是输出结果到文件中  
hashcat64.exe -a 0 ede900ac1424436b55dc3c9f20cb97a8 password.txt -o result.txt

8、批量破解

hashcat64.exe -a 0 hash.txt password.txt -o result.txt

9、破解 Windows NT-hash，LM-hash

NT-hash  
$ hashcat -a 3 -m 1000 --force 1b1aee1f5339f686b32d9a255696f080 ?l?l?l?l?l?l?l  
  
LM-hash  
$ hashcat -a 3 -m 1000 --force 1b1aee1f5339f686b32d9a255696f080 ?l?l?l?l?l?l?l

10、破解 RAR 压缩包密码

先利用 rar2john 获取 rar 文件的 hash 值：http://openwall.info/wiki/_media/john/johntheripper-v1.8.0.12-jumbo-1-bleeding-e6214ceab-2018-02-07-win-x64.7z

11、破解 ZIP 压缩包密码

通过 zip2john 获取 zip 文件的 hash 值，利用 bindzip 压缩的文件标识符为 pkzip2。

hashcat%E6%96%87%E7%AB%A0%20870ae67c89824363af4d1d43bcfd3aef/Untitled%203.png

破解 pkzip2 时，-m 指定为 17200。

.\hashcat.exe -a 3 -m 17200 '$pkzip2$1*2*2*0*161b*19ca*26bf01cc*0*6c*8*161b*26bf*9bc1*169c0f03f18f797477...此处省略...c3f52a18d0537dca26b0baeae8a*$/pkzip2$' --force ?d?d?d?d?d?d

hashcat%E6%96%87%E7%AB%A0%20870ae67c89824363af4d1d43bcfd3aef/Untitled%204.png

12、破解 word 加密文档

wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/office2john.py
hashcat -a 0 -m 9500 --username -o crack.txt hash.txt /usr/share/wordlists/nmap.lst --force

13、破解 linux 下 /etc/shadow 文件的密码

hashcat -a 3 -m 1800 --force '$6$H6LRx0yQ62gqLdg7$88r9sgiYtcMKELXTGvyFBPtZmTV.xw4CRamKwYjYIWxiXi3o9dKOlK.2yC3PM2JHRl/xfhXS2kleJmP63nSTJ/' ?l?l?l?l

hashcat%E6%96%87%E7%AB%A0%20870ae67c89824363af4d1d43bcfd3aef/Untitled%205.png

利用 openssl 生产 sha512 的密码。

$ openssl passwd -6 -salt xyz kalia  
$6$xyz$xWzXcL6LjBo1RJjRewXJs9MT7cTutuSUuNX.mVI8jOuBxdeBh4lw170Gx1HpKphRIrQJ82qX/CzJe0F7Soc/l.

利用 hashcat 尝试破解，采用增量破解，密码为 kalia，无畏小写字符，大概花了 40 分钟，速度还是慢。

hashcat -a 3 -m 1800 --force '$6$xyz$xWzXcL6LjBo1RJjRewXJs9MT7cTutuSUuNX.mVI8jOuBxdeBh4lw170Gx1HpKphRIrQJ82qX/CzJe0F7Soc/l.' --increment --increment-min 4 --increment-max 6 ?l?l?l?l?l

14、字典 + 掩码暴力破解

在字典前后再加上暴力的字符序列，比如在字典后面加上 3 为数字。

a -6 (Hybrid dict + mask)

15、掩码 + 字典暴力破解

a -7 （Hybridmask + dict）

查看破解结果#

直接利用 hashcat 命令查看

hashcat hash --show

查看 profile 文件。

/home/kali/.hashcat/hashcat.potfile

hashcat%E6%96%87%E7%AB%A0%20870ae67c89824363af4d1d43bcfd3aef/Untitled%206.png

hashcat 图形化#

项目地址：https://github.com/ctxis/crackerjack

🍃 启动 python 的虚拟环境，报错。

root@kali:~/crackerjack# python3 -m venv venv  
The virtual environment was not created successfully because ensurepip is not  
available.  On Debian/Ubuntu systems, you need to install the python3-venv  
package using the following command.  
  
    apt-get install python3-venv  
  
You may need to use sudo with that command.  After installing the python3-venv  
package, recreate your virtual environment.  
  
Failing command: ['/root/crackerjack/venv/bin/python3', '-Im', 'ensurepip', '--upgrade', '--default-pip']

🍃 安装环境即可。

apt-get install python3-venv

🍃 建立环境。

root@kali:~/crackerjack# python3 -m venv venv  
root@kali:~/crackerjack# . venv/bin/activate

🍃 安装依赖包。

pip --no-cache-dir install -r requirements.txt  
# 如果上述命令安装失败，可利用下面的命令一个个安装  
pip install -i https://pypi.doubanio.com/simple/ --trusted-host http://pypi.doubanio.com/ Flask-crontab

flask db init  
flask db migrate  
flask db upgrade  
#######################  
export FLASK_ENV=development  
export FLASK_APP=app  
flask run

🍃 第二次启动

root@kali:~/crackerjack# . venv/bin/activate  
flask run

访问安装界面

http://127.0.0.1:5000/install/

hashcat%E6%96%87%E7%AB%A0%20870ae67c89824363af4d1d43bcfd3aef/Untitled%207.png

hashcat%E6%96%87%E7%AB%A0%20870ae67c89824363af4d1d43bcfd3aef/Untitled%208.png

hashcat%E6%96%87%E7%AB%A0%20870ae67c89824363af4d1d43bcfd3aef/Untitled%209.png

hashcat%E6%96%87%E7%AB%A0%20870ae67c89824363af4d1d43bcfd3aef/Untitled%2010.png

hashcat%E6%96%87%E7%AB%A0%20870ae67c89824363af4d1d43bcfd3aef/Untitled%2011.png

hashcat%E6%96%87%E7%AB%A0%20870ae67c89824363af4d1d43bcfd3aef/Untitled%2012.png

hashcat%E6%96%87%E7%AB%A0%20870ae67c89824363af4d1d43bcfd3aef/Untitled%2013.png

hashcat%E6%96%87%E7%AB%A0%20870ae67c89824363af4d1d43bcfd3aef/Untitled%2014.png

hashcat%E6%96%87%E7%AB%A0%20870ae67c89824363af4d1d43bcfd3aef/Untitled%2015.png

hashcat%E6%96%87%E7%AB%A0%20870ae67c89824363af4d1d43bcfd3aef/Untitled%2016.png

hashcat%E6%96%87%E7%AB%A0%20870ae67c89824363af4d1d43bcfd3aef/Untitled%2017.png

hashcat%E6%96%87%E7%AB%A0%20870ae67c89824363af4d1d43bcfd3aef/Untitled%2019.png

参考：

https://tools.kali.org/password-attacks/hashcat

https://xz.aliyun.com/t/4008

https://www.freebuf.com/sectool/164507.html