hashcat破解使用
一、常用参数
-m 这个是指定破解的hash的类型,具体的类型可以在--help参数中看到。默认是0也就是MD5
-a 指定破解的模式,默认是字典模式
-o 输出文件,破解成功的密码存放的文件
--remove 移除破解成功的hash,当hash是从文本中读取时有用,避免自己手工移除已经破解的hash
--username 忽略用户名,如果你的hash文件中是username:hash这种格式只需要指定这个参数,就不需要再手工编辑了
-r 指定规则文件,字典根据规则文件做变形,用于破解相似密码
--show 仅仅显示已经破解的密码
--left 仅仅显示未破解的密码
-n, --threads=NUM 线程数
二、hash类型
hash类型有关哈希具体值示例可以参考 https://hashcat.net/wiki/doku.php?id=example_hashes
0 = MD5 10 = md5($pass.$salt) 20 = md5($salt.$pass) 30 = md5(unicode($pass).$salt) 40 = md5($salt.unicode($pass)) 50 = HMAC-MD5 (key = $pass) 60 = HMAC-MD5 (key = $salt) 100 = SHA1 110 = sha1($pass.$salt) 120 = sha1($salt.$pass) 130 = sha1(unicode($pass).$salt) 140 = sha1($salt.unicode($pass)) 150 = HMAC-SHA1 (key = $pass) 160 = HMAC-SHA1 (key = $salt) 200 = MySQL323 300 = MySQL4.1/MySQL5 400 = phpass, MD5(Wordpress), MD5(phpBB3),MD5(Joomla) 500 = md5crypt, MD5(Unix), FreeBSD MD5,Cisco-IOS MD5 900 = MD4 1000 = NTLM 1100 = Domain Cached Credentials (DCC), MSCache 1400 = SHA256 1410 = sha256($pass.$salt) 1420 = sha256($salt.$pass) 1430 = sha256(unicode($pass).$salt) 1431 = base64(sha256(unicode($pass))) 1440 = sha256($salt.unicode($pass)) 1450 = HMAC-SHA256 (key = $pass) 1460 = HMAC-SHA256 (key = $salt) 1600 = md5apr1, MD5(APR), Apache MD5 1700 = SHA512 1710 = sha512($pass.$salt) 1720 = sha512($salt.$pass) 1730 = sha512(unicode($pass).$salt) 1740 = sha512($salt.unicode($pass)) 1750 = HMAC-SHA512 (key = $pass) 1760 = HMAC-SHA512 (key = $salt) 1800 = SHA-512(Unix) 2400 = Cisco-PIX MD5 2410 = Cisco-ASA MD5 2500 = WPA/WPA2 2600 = Double MD5 3200 = bcrypt, Blowfish(OpenBSD) 3300 = MD5(Sun) 3500 = md5(md5(md5($pass))) 3610 = md5(md5($salt).$pass) 3710 = md5($salt.md5($pass)) 3720 = md5($pass.md5($salt)) 3800 = md5($salt.$pass.$salt) 3910 = md5(md5($pass).md5($salt)) 4010 = md5($salt.md5($salt.$pass)) 4110 = md5($salt.md5($pass.$salt)) 4210 = md5($username.0.$pass) 4300 = md5(strtoupper(md5($pass))) 4400 = md5(sha1($pass)) 4500 = Double SHA1 4600 = sha1(sha1(sha1($pass))) 4700 = sha1(md5($pass)) 4800 = MD5(Chap), iSCSI CHAP authentication 4900 = sha1($salt.$pass.$salt) 5000 = SHA-3(Keccak) 5100 = Half MD5 5200 = Password Safe SHA-256 5300 = IKE-PSK MD5 5400 = IKE-PSK SHA1 5500 = NetNTLMv1-VANILLA / NetNTLMv1-ESS 5600 = NetNTLMv2 5700 = Cisco-IOS SHA256 5800 = Android PIN 6300 = AIX {smd5} 6400 = AIX {ssha256} 6500 = AIX {ssha512} 6700 = AIX {ssha1} 6900 = GOST, GOST R 34.11-94 7000 = Fortigate (FortiOS) 7100 = OS X v10.8+ 7200 = GRUB 2 7300 = IPMI2 RAKP HMAC-SHA1 7400 = sha256crypt, SHA256(Unix) 7900 = Drupal7 8400 = WBB3, Woltlab Burning Board 3 8900 = scrypt 9200 = Cisco $8$ 9300 = Cisco $9$ 9800 = Radmin2 10000 = Django (PBKDF2-SHA256) 10200 = Cram MD5 10300 = SAP CODVN H (PWDSALTEDHASH) iSSHA-1 11000 = PrestaShop 11100 = PostgreSQL Challenge-ResponseAuthentication (MD5) 11200 = MySQL Challenge-Response Authentication(SHA1) 11400 = SIP digest authentication (MD5) 99999 = Plaintext
三、特殊hash类型
11 = Joomla < 2.5.18 12 = PostgreSQL 21 = osCommerce, xt:Commerce 23 = Skype 101 = nsldap, SHA-1(Base64), Netscape LDAPSHA 111 = nsldaps, SSHA-1(Base64), Netscape LDAPSSHA 112 = Oracle S: Type (Oracle 11+) 121 = SMF > v1.1 122 = OS X v10.4, v10.5, v10.6 123 = EPi 124 = Django (SHA-1) 131 = MSSQL(2000) 132 = MSSQL(2005) 133 = PeopleSoft 141 = EPiServer 6.x < v4 1421 = hMailServer 1441 = EPiServer 6.x > v4 1711 = SSHA-512(Base64), LDAP {SSHA512} 1722 = OS X v10.7 1731 = MSSQL(2012 & 2014) 2611 = vBulletin < v3.8.5 2612 = PHPS 2711 = vBulletin > v3.8.5 2811 = IPB2+, MyBB1.2+ 3711 = Mediawiki B type 3721 = WebEdition CMS 7600 = Redmine Project Management Web App
四、攻击模式
0 = Straight (字典破解) 1 = Combination (组合破解) 2 = Toggle-Case (大小写转换) 3 = Brute-force(掩码暴力破解) 4 = Permutation(序列破解) 5 = Table-Lookup(查表破解) 6 = Hybrid dict + mask 字典加掩码破解 7 = Hybrid mask + dict 掩码+字典破解 8 = Prince(王子破解)
五、内置字符集
?l = abcdefghijklmnopqrstuvwxyz 代表小写字母 ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ 代表大写字母 ?d = 0123456789 代表数字 ?s = !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ 代表特殊字符 ?a = ?l?u?d?s 大小写数字及特殊字符的组合 ?b = 0x00 - 0xff
六、调试模式输出文件
1 = save finding rule 2 = save original word 3 = save original word and finding rule 4 = save original word, finding rule andmodified plain
七、输出文件格式
1 = hash[:salt] 2 = plain 明文 3 = hash[:salt]:plain 4 = hex_plain 5 = hash[:salt]:hex_plain 6 = plain:hex_plain 7 = hash[:salt]:plain:hex_plain 8 = crackpos 9 = hash[:salt]:crackpos 10 = plain:crackpos 11 = hash[:salt]:plain:crackpos 12 = hex_plain:crackpos 13 = hash[:salt]:hex_plain:crackpos 14 = plain:hex_plain:crackpos 15 = hash[:salt]:plain:hex_plain:crackpos
八、常用攻击模式
大小写转换攻击:
–toggle-min=NUM 在字典中字母的最小值 –toggle-max=NUM 在字典中字母的最大值
* 使用掩码攻击模式:
–increment 使用增强模式 –increment-min=NUM 增强模式开始值 –increment-max=NUM 增强模式结束值
* 排列攻击模式
–perm-min=NUM 过滤比NUM数小的单词 –perm-max=NUM 过滤比NUM数大的单词
* 查找表攻击模式:
-t, –table-file=FILE 表文件 –table-min=NUM 在字典中的最小字符值 –table-max=NUM 在字典中的最大字符值
* 打印攻击模式:
–pw-min=NUM 如果长度大于NUM,则打印候选字符 –pw-max=NUM 如果长度小于NUM,则打印候选字符 –elem-cnt-min=NUM 每个链的最小元素数 –elem-cnt-max=NUM 每个链的最大元素数 –wl-dist-len 从字典表中计算输出长度分布 –wl-max=NUM 从字典文件中加载NUM个单词,设置0禁止加载。 –case-permute 在字典中对每一个单词进行反转
九、例子
linux sha512crypt $6$, SHA512 (Unix)加密方式
hashcat -m 1800 sha512linux.txt p.txt
linux sha256crypt $5$, SHA256 (Unix)加密方式
hashcat -m 7400 sha256linux.txt p.txt
linux下md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)加密方式
hashcat -m 500 linuxmd5.txt p.txt
linux下bcrypt $2*$, Blowfish加密方式
hashcat -m 3200 linuxmd5.txt p.txt
个人经验:
1、破解的时候可以先用一些在线密文识别网站识别下密文,
2、如果破解时间太长,可以按s键查看破解进度,p键暂停,r键继续破解,q键退出破解。
