Hashcat的使用手册
参考文档:
简介
Hashcat是自称世界上最快的密码恢复工具。它在2015年之前拥有专有代码库,但现在作为免费软件发布。适用于Linux,OS X和Windows的版本可以使用基于CPU或基于GPU的变体。支持hashcat的散列算法有Microsoft LM哈希,MD4,MD5,SHA系列,Unix加密格式,MySQL和Cisco PIX等。
hashcat支持多种计算核心:
- [ OpenCL Device Types ] -
# | Device Type
===+=============
1 | CPU
2 | GPU
3 | FPGA, DSP, Co-Processor
GPU的驱动要求
AMD GPUs on Linux require "RadeonOpenCompute (ROCm)" Software Platform (1.6.180 or later)
AMD GPUs on Windows require "AMD Radeon Software Crimson Edition" (15.12 or later)
Intel CPUs require "OpenCL Runtime for Intel Core and Intel Xeon Processors" (16.1.1 or later)
Intel GPUs on Linux require "OpenCL 2.0 GPU Driver Package for Linux" (2.0 or later)
Intel GPUs on Windows require "OpenCL Driver for Intel Iris and Intel HD Graphics"
NVIDIA GPUs require "NVIDIA Driver" (367.x or later)
GitHub地址:https://github.com/hashcat/hashcat
使用的hashcat 版本
在nvidia-docker中编译hashcat。
GPU信息:
nvidia-smi
Tue Dec 26 14:07:33 2023
+-----------------------------------------------------------------------------+
| NVIDIA-SMI 470.94 Driver Version: 470.94 CUDA Version: 11.4 |
|-------------------------------+----------------------+----------------------+
| GPU Name Persistence-M| Bus-Id Disp.A | Volatile Uncorr. ECC |
| Fan Temp Perf Pwr:Usage/Cap| Memory-Usage | GPU-Util Compute M. |
| | | MIG M. |
|===============================+======================+======================|
| 0 NVIDIA GeForce ... Off | 00000000:01:00.0 Off | N/A |
| 0% 34C P8 14W / 180W | 0MiB / 8119MiB | 0% Default |
| | | N/A |
+-------------------------------+----------------------+----------------------+
| 1 NVIDIA GeForce ... Off | 00000000:08:00.0 Off | N/A |
| 0% 33C P8 8W / 180W | 0MiB / 8119MiB | 0% Default |
| | | N/A |
+-------------------------------+----------------------+----------------------+
| 2 NVIDIA GeForce ... Off | 00000000:87:00.0 Off | N/A |
| 0% 32C P8 7W / 180W | 0MiB / 8119MiB | 0% Default |
| | | N/A |
+-------------------------------+----------------------+----------------------+
| 3 NVIDIA GeForce ... Off | 00000000:88:00.0 Off | N/A |
| 0% 30C P8 8W / 180W | 0MiB / 8119MiB | 0% Default |
| | | N/A |
+-------------------------------+----------------------+----------------------+
启动容器:
docker run -ti --name wl_zoro_gpub --gpus all \
--net host \
nvidia/cuda:11.4.0-devel-ubuntu20.04 \
/bin/bash
下载hashcat:
wget https://github.com/hashcat/hashcat/archive/refs/tags/v6.2.6.tar.gz
解压后编译:
cd hashcat-6.2.6
make
查看hashcat信息:
./hashcat -I
hashcat (v6.2.6) starting in backend information mode
* Device #5: Outdated POCL OpenCL driver detected!
CUDA Info:
==========
CUDA.Version.: 11.4
Backend Device ID #1
Name...........: NVIDIA GeForce GTX 1080
Processor(s)...: 20
Clock..........: 1771
Memory.Total...: 8119 MB
Memory.Free....: 8014 MB
Local.Memory...: 48 KB
PCI.Addr.BDFe..: 0000:01:00.0
Backend Device ID #2
Name...........: NVIDIA GeForce GTX 1080
Processor(s)...: 20
Clock..........: 1771
Memory.Total...: 8119 MB
Memory.Free....: 8014 MB
Local.Memory...: 48 KB
PCI.Addr.BDFe..: 0000:08:00.0
Backend Device ID #3
Name...........: NVIDIA GeForce GTX 1080
Processor(s)...: 20
Clock..........: 1771
Memory.Total...: 8119 MB
Memory.Free....: 8014 MB
Local.Memory...: 48 KB
PCI.Addr.BDFe..: 0000:87:00.0
Backend Device ID #4
Name...........: NVIDIA GeForce GTX 1080
Processor(s)...: 20
Clock..........: 1771
Memory.Total...: 8119 MB
Memory.Free....: 8014 MB
Local.Memory...: 48 KB
PCI.Addr.BDFe..: 0000:88:00.0
OpenCL Info:
============
OpenCL Platform ID #1
Vendor..: The pocl project
Name....: Portable Computing Language
Version.: OpenCL 1.2 pocl 1.4, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG
Backend Device ID #5
Type...........: CPU
Vendor.ID......: 128
Vendor.........: GenuineIntel
Name...........: pthread-Intel(R) Xeon(R) CPU E5-2680 v4 @ 2.40GHz
Version........: OpenCL 1.2 pocl HSTR: pthread-x86_64-pc-linux-gnu-broadwell
Processor(s)...: 56
Clock..........: 3300
Memory.Total...: 29956 MB (limited to 4096 MB allocatable in one block)
Memory.Free....: 14946 MB
Local.Memory...: 32768 KB
OpenCL.Version.: OpenCL C 1.2 pocl
Driver.Version.: 1.4
参数
下面使常见的参数,想了解更多的参数可以hashcat –help查看
-a 指定要使用的破解模式,其值参考后面对参数。“-a 0”字典攻击,“-a 1” 组合攻击;“-a 3”掩码攻击。
-m 指定要破解的hash类型,如果不指定类型,则默认是MD5
-o 指定破解成功后的hash及所对应的明文密码的存放位置,可以用它把破解成功的hash写到指定的文件中
--force 忽略破解过程中的警告信息,跑单条hash可能需要加上此选项
--show 显示已经破解的hash及该hash所对应的明文
--increment 启用增量破解模式,你可以利用此模式让hashcat在指定的密码长度范围内执行破解过程
--increment-min 密码最小长度,后面直接等于一个整数即可,配置increment模式一起使用
--increment-max 密码最大长度,同上
--outfile-format 指定破解结果的输出格式id,默认是3
--username 忽略hash文件中的指定的用户名,在破解linux系统用户密码hash可能会用到
--remove 删除已被破解成功的hash
-r 使用自定义破解规则
攻击模式
# | Mode
===+======
0 | Straight(字段破解)
1 | Combination(组合破解)
3 | Brute-force(掩码暴力破解)
6 | Hybrid Wordlist + Mask(字典+掩码破解)
7 | Hybrid Mask + Wordlist(掩码+字典破解)
9 | Association
输出格式
- [ Outfile Formats ] -
# | Format
===+========
1 | hash[:salt]
2 | plain
3 | hex_plain
4 | crack_pos
5 | timestamp absolute
6 | timestamp relative
Hash id对照表
直接hashcat –help查看hash对照表:
- [ Hash modes ] -
# | Name | Category
======+============================================================+======================================
900 | MD4 | Raw Hash
0 | MD5 | Raw Hash
100 | SHA1 | Raw Hash
1300 | SHA2-224 | Raw Hash
1400 | SHA2-256 | Raw Hash
10800 | SHA2-384 | Raw Hash
1700 | SHA2-512 | Raw Hash
17300 | SHA3-224 | Raw Hash
17400 | SHA3-256 | Raw Hash
17500 | SHA3-384 | Raw Hash
17600 | SHA3-512 | Raw Hash
6000 | RIPEMD-160 | Raw Hash
600 | BLAKE2b-512 | Raw Hash
11700 | GOST R 34.11-2012 (Streebog) 256-bit, big-endian | Raw Hash
11800 | GOST R 34.11-2012 (Streebog) 512-bit, big-endian | Raw Hash
6900 | GOST R 34.11-94 | Raw Hash
17010 | GPG (AES-128/AES-256 (SHA-1($pass))) | Raw Hash
5100 | Half MD5 | Raw Hash
17700 | Keccak-224 | Raw Hash
17800 | Keccak-256 | Raw Hash
17900 | Keccak-384 | Raw Hash
18000 | Keccak-512 | Raw Hash
6100 | Whirlpool | Raw Hash
10100 | SipHash | Raw Hash
70 | md5(utf16le($pass)) | Raw Hash
170 | sha1(utf16le($pass)) | Raw Hash
1470 | sha256(utf16le($pass)) | Raw Hash
10870 | sha384(utf16le($pass)) | Raw Hash
1770 | sha512(utf16le($pass)) | Raw Hash
610 | BLAKE2b-512($pass.$salt) | Raw Hash salted and/or iterated
620 | BLAKE2b-512($salt.$pass) | Raw Hash salted and/or iterated
10 | md5($pass.$salt) | Raw Hash salted and/or iterated
20 | md5($salt.$pass) | Raw Hash salted and/or iterated
3800 | md5($salt.$pass.$salt) | Raw Hash salted and/or iterated
3710 | md5($salt.md5($pass)) | Raw Hash salted and/or iterated
4110 | md5($salt.md5($pass.$salt)) | Raw Hash salted and/or iterated
4010 | md5($salt.md5($salt.$pass)) | Raw Hash salted and/or iterated
21300 | md5($salt.sha1($salt.$pass)) | Raw Hash salted and/or iterated
40 | md5($salt.utf16le($pass)) | Raw Hash salted and/or iterated
2600 | md5(md5($pass)) | Raw Hash salted and/or iterated
3910 | md5(md5($pass).md5($salt)) | Raw Hash salted and/or iterated
3500 | md5(md5(md5($pass))) | Raw Hash salted and/or iterated
4400 | md5(sha1($pass)) | Raw Hash salted and/or iterated
4410 | md5(sha1($pass).$salt) | Raw Hash salted and/or iterated
20900 | md5(sha1($pass).md5($pass).sha1($pass)) | Raw Hash salted and/or iterated
21200 | md5(sha1($salt).md5($pass)) | Raw Hash salted and/or iterated
4300 | md5(strtoupper(md5($pass))) | Raw Hash salted and/or iterated
30 | md5(utf16le($pass).$salt) | Raw Hash salted and/or iterated
110 | sha1($pass.$salt) | Raw Hash salted and/or iterated
120 | sha1($salt.$pass) | Raw Hash salted and/or iterated
4900 | sha1($salt.$pass.$salt) | Raw Hash salted and/or iterated
4520 | sha1($salt.sha1($pass)) | Raw Hash salted and/or iterated
24300 | sha1($salt.sha1($pass.$salt)) | Raw Hash salted and/or iterated
140 | sha1($salt.utf16le($pass)) | Raw Hash salted and/or iterated
19300 | sha1($salt1.$pass.$salt2) | Raw Hash salted and/or iterated
14400 | sha1(CX) | Raw Hash salted and/or iterated
4700 | sha1(md5($pass)) | Raw Hash salted and/or iterated
4710 | sha1(md5($pass).$salt) | Raw Hash salted and/or iterated
21100 | sha1(md5($pass.$salt)) | Raw Hash salted and/or iterated
18500 | sha1(md5(md5($pass))) | Raw Hash salted and/or iterated
4500 | sha1(sha1($pass)) | Raw Hash salted and/or iterated
4510 | sha1(sha1($pass).$salt) | Raw Hash salted and/or iterated
5000 | sha1(sha1($salt.$pass.$salt)) | Raw Hash salted and/or iterated
130 | sha1(utf16le($pass).$salt) | Raw Hash salted and/or iterated
1410 | sha256($pass.$salt) | Raw Hash salted and/or iterated
1420 | sha256($salt.$pass) | Raw Hash salted and/or iterated
22300 | sha256($salt.$pass.$salt) | Raw Hash salted and/or iterated
20720 | sha256($salt.sha256($pass)) | Raw Hash salted and/or iterated
21420 | sha256($salt.sha256_bin($pass)) | Raw Hash salted and/or iterated
1440 | sha256($salt.utf16le($pass)) | Raw Hash salted and/or iterated
20800 | sha256(md5($pass)) | Raw Hash salted and/or iterated
20710 | sha256(sha256($pass).$salt) | Raw Hash salted and/or iterated
21400 | sha256(sha256_bin($pass)) | Raw Hash salted and/or iterated
1430 | sha256(utf16le($pass).$salt) | Raw Hash salted and/or iterated
10810 | sha384($pass.$salt) | Raw Hash salted and/or iterated
10820 | sha384($salt.$pass) | Raw Hash salted and/or iterated
10840 | sha384($salt.utf16le($pass)) | Raw Hash salted and/or iterated
10830 | sha384(utf16le($pass).$salt) | Raw Hash salted and/or iterated
1710 | sha512($pass.$salt) | Raw Hash salted and/or iterated
1720 | sha512($salt.$pass) | Raw Hash salted and/or iterated
1740 | sha512($salt.utf16le($pass)) | Raw Hash salted and/or iterated
1730 | sha512(utf16le($pass).$salt) | Raw Hash salted and/or iterated
50 | HMAC-MD5 (key = $pass) | Raw Hash authenticated
60 | HMAC-MD5 (key = $salt) | Raw Hash authenticated
150 | HMAC-SHA1 (key = $pass) | Raw Hash authenticated
160 | HMAC-SHA1 (key = $salt) | Raw Hash authenticated
1450 | HMAC-SHA256 (key = $pass) | Raw Hash authenticated
1460 | HMAC-SHA256 (key = $salt) | Raw Hash authenticated
1750 | HMAC-SHA512 (key = $pass) | Raw Hash authenticated
1760 | HMAC-SHA512 (key = $salt) | Raw Hash authenticated
11750 | HMAC-Streebog-256 (key = $pass), big-endian | Raw Hash authenticated
11760 | HMAC-Streebog-256 (key = $salt), big-endian | Raw Hash authenticated
11850 | HMAC-Streebog-512 (key = $pass), big-endian | Raw Hash authenticated
11860 | HMAC-Streebog-512 (key = $salt), big-endian | Raw Hash authenticated
28700 | Amazon AWS4-HMAC-SHA256 | Raw Hash authenticated
11500 | CRC32 | Raw Checksum
27900 | CRC32C | Raw Checksum
28000 | CRC64Jones | Raw Checksum
18700 | Java Object hashCode() | Raw Checksum
25700 | MurmurHash | Raw Checksum
27800 | MurmurHash3 | Raw Checksum
14100 | 3DES (PT = $salt, key = $pass) | Raw Cipher, Known-plaintext attack
14000 | DES (PT = $salt, key = $pass) | Raw Cipher, Known-plaintext attack
26401 | AES-128-ECB NOKDF (PT = $salt, key = $pass) | Raw Cipher, Known-plaintext attack
26402 | AES-192-ECB NOKDF (PT = $salt, key = $pass) | Raw Cipher, Known-plaintext attack
26403 | AES-256-ECB NOKDF (PT = $salt, key = $pass) | Raw Cipher, Known-plaintext attack
15400 | ChaCha20 | Raw Cipher, Known-plaintext attack
14500 | Linux Kernel Crypto API (2.4) | Raw Cipher, Known-plaintext attack
14900 | Skip32 (PT = $salt, key = $pass) | Raw Cipher, Known-plaintext attack
11900 | PBKDF2-HMAC-MD5 | Generic KDF
12000 | PBKDF2-HMAC-SHA1 | Generic KDF
10900 | PBKDF2-HMAC-SHA256 | Generic KDF
12100 | PBKDF2-HMAC-SHA512 | Generic KDF
8900 | scrypt | Generic KDF
400 | phpass | Generic KDF
16100 | TACACS+ | Network Protocol
11400 | SIP digest authentication (MD5) | Network Protocol
5300 | IKE-PSK MD5 | Network Protocol
5400 | IKE-PSK SHA1 | Network Protocol
25100 | SNMPv3 HMAC-MD5-96 | Network Protocol
25000 | SNMPv3 HMAC-MD5-96/HMAC-SHA1-96 | Network Protocol
25200 | SNMPv3 HMAC-SHA1-96 | Network Protocol
26700 | SNMPv3 HMAC-SHA224-128 | Network Protocol
26800 | SNMPv3 HMAC-SHA256-192 | Network Protocol
26900 | SNMPv3 HMAC-SHA384-256 | Network Protocol
27300 | SNMPv3 HMAC-SHA512-384 | Network Protocol
2500 | WPA-EAPOL-PBKDF2 | Network Protocol
2501 | WPA-EAPOL-PMK | Network Protocol
22000 | WPA-PBKDF2-PMKID+EAPOL | Network Protocol
22001 | WPA-PMK-PMKID+EAPOL | Network Protocol
16800 | WPA-PMKID-PBKDF2 | Network Protocol
16801 | WPA-PMKID-PMK | Network Protocol
7300 | IPMI2 RAKP HMAC-SHA1 | Network Protocol
10200 | CRAM-MD5 | Network Protocol
16500 | JWT (JSON Web Token) | Network Protocol
29200 | Radmin3 | Network Protocol
19600 | Kerberos 5, etype 17, TGS-REP | Network Protocol
19800 | Kerberos 5, etype 17, Pre-Auth | Network Protocol
28800 | Kerberos 5, etype 17, DB | Network Protocol
19700 | Kerberos 5, etype 18, TGS-REP | Network Protocol
19900 | Kerberos 5, etype 18, Pre-Auth | Network Protocol
28900 | Kerberos 5, etype 18, DB | Network Protocol
7500 | Kerberos 5, etype 23, AS-REQ Pre-Auth | Network Protocol
13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol
18200 | Kerberos 5, etype 23, AS-REP | Network Protocol
5500 | NetNTLMv1 / NetNTLMv1+ESS | Network Protocol
27000 | NetNTLMv1 / NetNTLMv1+ESS (NT) | Network Protocol
5600 | NetNTLMv2 | Network Protocol
27100 | NetNTLMv2 (NT) | Network Protocol
29100 | Flask Session Cookie ($salt.$salt.$pass) | Network Protocol
4800 | iSCSI CHAP authentication, MD5(CHAP) | Network Protocol
8500 | RACF | Operating System
6300 | AIX {smd5} | Operating System
6700 | AIX {ssha1} | Operating System
6400 | AIX {ssha256} | Operating System
6500 | AIX {ssha512} | Operating System
3000 | LM | Operating System
19000 | QNX /etc/shadow (MD5) | Operating System
19100 | QNX /etc/shadow (SHA256) | Operating System
19200 | QNX /etc/shadow (SHA512) | Operating System
15300 | DPAPI masterkey file v1 (context 1 and 2) | Operating System
15310 | DPAPI masterkey file v1 (context 3) | Operating System
15900 | DPAPI masterkey file v2 (context 1 and 2) | Operating System
15910 | DPAPI masterkey file v2 (context 3) | Operating System
7200 | GRUB 2 | Operating System
12800 | MS-AzureSync PBKDF2-HMAC-SHA256 | Operating System
12400 | BSDi Crypt, Extended DES | Operating System
1000 | NTLM | Operating System
9900 | Radmin2 | Operating System
5800 | Samsung Android Password/PIN | Operating System
28100 | Windows Hello PIN/Password | Operating System
13800 | Windows Phone 8+ PIN/password | Operating System
2410 | Cisco-ASA MD5 | Operating System
9200 | Cisco-IOS $8$ (PBKDF2-SHA256) | Operating System
9300 | Cisco-IOS $9$ (scrypt) | Operating System
5700 | Cisco-IOS type 4 (SHA256) | Operating System
2400 | Cisco-PIX MD5 | Operating System
8100 | Citrix NetScaler (SHA1) | Operating System
22200 | Citrix NetScaler (SHA512) | Operating System
1100 | Domain Cached Credentials (DCC), MS Cache | Operating System
2100 | Domain Cached Credentials 2 (DCC2), MS Cache 2 | Operating System
7000 | FortiGate (FortiOS) | Operating System
26300 | FortiGate256 (FortiOS256) | Operating System
125 | ArubaOS | Operating System
501 | Juniper IVE | Operating System
22 | Juniper NetScreen/SSG (ScreenOS) | Operating System
15100 | Juniper/NetBSD sha1crypt | Operating System
26500 | iPhone passcode (UID key + System Keybag) | Operating System
122 | macOS v10.4, macOS v10.5, macOS v10.6 | Operating System
1722 | macOS v10.7 | Operating System
7100 | macOS v10.8+ (PBKDF2-SHA512) | Operating System
3200 | bcrypt $2*$, Blowfish (Unix) | Operating System
500 | md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5) | Operating System
1500 | descrypt, DES (Unix), Traditional DES | Operating System
29000 | sha1($salt.sha1(utf16le($username).':'.utf16le($pass))) | Operating System
7400 | sha256crypt $5$, SHA256 (Unix) | Operating System
1800 | sha512crypt $6$, SHA512 (Unix) | Operating System
24600 | SQLCipher | Database Server
131 | MSSQL (2000) | Database Server
132 | MSSQL (2005) | Database Server
1731 | MSSQL (2012, 2014) | Database Server
24100 | MongoDB ServerKey SCRAM-SHA-1 | Database Server
24200 | MongoDB ServerKey SCRAM-SHA-256 | Database Server
12 | PostgreSQL | Database Server
11100 | PostgreSQL CRAM (MD5) | Database Server
28600 | PostgreSQL SCRAM-SHA-256 | Database Server
3100 | Oracle H: Type (Oracle 7+) | Database Server
112 | Oracle S: Type (Oracle 11+) | Database Server
12300 | Oracle T: Type (Oracle 12+) | Database Server
7401 | MySQL $A$ (sha256crypt) | Database Server
11200 | MySQL CRAM (SHA1) | Database Server
200 | MySQL323 | Database Server
300 | MySQL4.1/MySQL5 | Database Server
8000 | Sybase ASE | Database Server
8300 | DNSSEC (NSEC3) | FTP, HTTP, SMTP, LDAP Server
25900 | KNX IP Secure - Device Authentication Code | FTP, HTTP, SMTP, LDAP Server
16400 | CRAM-MD5 Dovecot | FTP, HTTP, SMTP, LDAP Server
1411 | SSHA-256(Base64), LDAP {SSHA256} | FTP, HTTP, SMTP, LDAP Server
1711 | SSHA-512(Base64), LDAP {SSHA512} | FTP, HTTP, SMTP, LDAP Server
24900 | Dahua Authentication MD5 | FTP, HTTP, SMTP, LDAP Server
10901 | RedHat 389-DS LDAP (PBKDF2-HMAC-SHA256) | FTP, HTTP, SMTP, LDAP Server
15000 | FileZilla Server >= 0.9.55 | FTP, HTTP, SMTP, LDAP Server
12600 | ColdFusion 10+ | FTP, HTTP, SMTP, LDAP Server
1600 | Apache $apr1$ MD5, md5apr1, MD5 (APR) | FTP, HTTP, SMTP, LDAP Server
141 | Episerver 6.x < .NET 4 | FTP, HTTP, SMTP, LDAP Server
1441 | Episerver 6.x >= .NET 4 | FTP, HTTP, SMTP, LDAP Server
1421 | hMailServer | FTP, HTTP, SMTP, LDAP Server
101 | nsldap, SHA-1(Base64), Netscape LDAP SHA | FTP, HTTP, SMTP, LDAP Server
111 | nsldaps, SSHA-1(Base64), Netscape LDAP SSHA | FTP, HTTP, SMTP, LDAP Server
7700 | SAP CODVN B (BCODE) | Enterprise Application Software (EAS)
7701 | SAP CODVN B (BCODE) from RFC_READ_TABLE | Enterprise Application Software (EAS)
7800 | SAP CODVN F/G (PASSCODE) | Enterprise Application Software (EAS)
7801 | SAP CODVN F/G (PASSCODE) from RFC_READ_TABLE | Enterprise Application Software (EAS)
10300 | SAP CODVN H (PWDSALTEDHASH) iSSHA-1 | Enterprise Application Software (EAS)
133 | PeopleSoft | Enterprise Application Software (EAS)
13500 | PeopleSoft PS_TOKEN | Enterprise Application Software (EAS)
21500 | SolarWinds Orion | Enterprise Application Software (EAS)
21501 | SolarWinds Orion v2 | Enterprise Application Software (EAS)
24 | SolarWinds Serv-U | Enterprise Application Software (EAS)
8600 | Lotus Notes/Domino 5 | Enterprise Application Software (EAS)
8700 | Lotus Notes/Domino 6 | Enterprise Application Software (EAS)
9100 | Lotus Notes/Domino 8 | Enterprise Application Software (EAS)
26200 | OpenEdge Progress Encode | Enterprise Application Software (EAS)
20600 | Oracle Transportation Management (SHA256) | Enterprise Application Software (EAS)
4711 | Huawei sha1(md5($pass).$salt) | Enterprise Application Software (EAS)
20711 | AuthMe sha256 | Enterprise Application Software (EAS)
22400 | AES Crypt (SHA256) | Full-Disk Encryption (FDE)
27400 | VMware VMX (PBKDF2-HMAC-SHA1 + AES-256-CBC) | Full-Disk Encryption (FDE)
14600 | LUKS v1 (legacy) | Full-Disk Encryption (FDE)
29541 | LUKS v1 RIPEMD-160 + AES | Full-Disk Encryption (FDE)
29542 | LUKS v1 RIPEMD-160 + Serpent | Full-Disk Encryption (FDE)
29543 | LUKS v1 RIPEMD-160 + Twofish | Full-Disk Encryption (FDE)
29511 | LUKS v1 SHA-1 + AES | Full-Disk Encryption (FDE)
29512 | LUKS v1 SHA-1 + Serpent | Full-Disk Encryption (FDE)
29513 | LUKS v1 SHA-1 + Twofish | Full-Disk Encryption (FDE)
29521 | LUKS v1 SHA-256 + AES | Full-Disk Encryption (FDE)
29522 | LUKS v1 SHA-256 + Serpent | Full-Disk Encryption (FDE)
29523 | LUKS v1 SHA-256 + Twofish | Full-Disk Encryption (FDE)
29531 | LUKS v1 SHA-512 + AES | Full-Disk Encryption (FDE)
29532 | LUKS v1 SHA-512 + Serpent | Full-Disk Encryption (FDE)
29533 | LUKS v1 SHA-512 + Twofish | Full-Disk Encryption (FDE)
13711 | VeraCrypt RIPEMD160 + XTS 512 bit (legacy) | Full-Disk Encryption (FDE)
13712 | VeraCrypt RIPEMD160 + XTS 1024 bit (legacy) | Full-Disk Encryption (FDE)
13713 | VeraCrypt RIPEMD160 + XTS 1536 bit (legacy) | Full-Disk Encryption (FDE)
13741 | VeraCrypt RIPEMD160 + XTS 512 bit + boot-mode (legacy) | Full-Disk Encryption (FDE)
13742 | VeraCrypt RIPEMD160 + XTS 1024 bit + boot-mode (legacy) | Full-Disk Encryption (FDE)
13743 | VeraCrypt RIPEMD160 + XTS 1536 bit + boot-mode (legacy) | Full-Disk Encryption (FDE)
29411 | VeraCrypt RIPEMD160 + XTS 512 bit | Full-Disk Encryption (FDE)
29412 | VeraCrypt RIPEMD160 + XTS 1024 bit | Full-Disk Encryption (FDE)
29413 | VeraCrypt RIPEMD160 + XTS 1536 bit | Full-Disk Encryption (FDE)
29441 | VeraCrypt RIPEMD160 + XTS 512 bit + boot-mode | Full-Disk Encryption (FDE)
29442 | VeraCrypt RIPEMD160 + XTS 1024 bit + boot-mode | Full-Disk Encryption (FDE)
29443 | VeraCrypt RIPEMD160 + XTS 1536 bit + boot-mode | Full-Disk Encryption (FDE)
13751 | VeraCrypt SHA256 + XTS 512 bit (legacy) | Full-Disk Encryption (FDE)
13752 | VeraCrypt SHA256 + XTS 1024 bit (legacy) | Full-Disk Encryption (FDE)
13753 | VeraCrypt SHA256 + XTS 1536 bit (legacy) | Full-Disk Encryption (FDE)
13761 | VeraCrypt SHA256 + XTS 512 bit + boot-mode (legacy) | Full-Disk Encryption (FDE)
13762 | VeraCrypt SHA256 + XTS 1024 bit + boot-mode (legacy) | Full-Disk Encryption (FDE)
13763 | VeraCrypt SHA256 + XTS 1536 bit + boot-mode (legacy) | Full-Disk Encryption (FDE)
29451 | VeraCrypt SHA256 + XTS 512 bit | Full-Disk Encryption (FDE)
29452 | VeraCrypt SHA256 + XTS 1024 bit | Full-Disk Encryption (FDE)
29453 | VeraCrypt SHA256 + XTS 1536 bit | Full-Disk Encryption (FDE)
29461 | VeraCrypt SHA256 + XTS 512 bit + boot-mode | Full-Disk Encryption (FDE)
29462 | VeraCrypt SHA256 + XTS 1024 bit + boot-mode | Full-Disk Encryption (FDE)
29463 | VeraCrypt SHA256 + XTS 1536 bit + boot-mode | Full-Disk Encryption (FDE)
13721 | VeraCrypt SHA512 + XTS 512 bit (legacy) | Full-Disk Encryption (FDE)
13722 | VeraCrypt SHA512 + XTS 1024 bit (legacy) | Full-Disk Encryption (FDE)
13723 | VeraCrypt SHA512 + XTS 1536 bit (legacy) | Full-Disk Encryption (FDE)
29421 | VeraCrypt SHA512 + XTS 512 bit | Full-Disk Encryption (FDE)
29422 | VeraCrypt SHA512 + XTS 1024 bit | Full-Disk Encryption (FDE)
29423 | VeraCrypt SHA512 + XTS 1536 bit | Full-Disk Encryption (FDE)
13771 | VeraCrypt Streebog-512 + XTS 512 bit (legacy) | Full-Disk Encryption (FDE)
13772 | VeraCrypt Streebog-512 + XTS 1024 bit (legacy) | Full-Disk Encryption (FDE)
13773 | VeraCrypt Streebog-512 + XTS 1536 bit (legacy) | Full-Disk Encryption (FDE)
13781 | VeraCrypt Streebog-512 + XTS 512 bit + boot-mode (legacy) | Full-Disk Encryption (FDE)
13782 | VeraCrypt Streebog-512 + XTS 1024 bit + boot-mode (legacy) | Full-Disk Encryption (FDE)
13783 | VeraCrypt Streebog-512 + XTS 1536 bit + boot-mode (legacy) | Full-Disk Encryption (FDE)
29471 | VeraCrypt Streebog-512 + XTS 512 bit | Full-Disk Encryption (FDE)
29472 | VeraCrypt Streebog-512 + XTS 1024 bit | Full-Disk Encryption (FDE)
29473 | VeraCrypt Streebog-512 + XTS 1536 bit | Full-Disk Encryption (FDE)
29481 | VeraCrypt Streebog-512 + XTS 512 bit + boot-mode | Full-Disk Encryption (FDE)
29482 | VeraCrypt Streebog-512 + XTS 1024 bit + boot-mode | Full-Disk Encryption (FDE)
29483 | VeraCrypt Streebog-512 + XTS 1536 bit + boot-mode | Full-Disk Encryption (FDE)
13731 | VeraCrypt Whirlpool + XTS 512 bit (legacy) | Full-Disk Encryption (FDE)
13732 | VeraCrypt Whirlpool + XTS 1024 bit (legacy) | Full-Disk Encryption (FDE)
13733 | VeraCrypt Whirlpool + XTS 1536 bit (legacy) | Full-Disk Encryption (FDE)
29431 | VeraCrypt Whirlpool + XTS 512 bit | Full-Disk Encryption (FDE)
29432 | VeraCrypt Whirlpool + XTS 1024 bit | Full-Disk Encryption (FDE)
29433 | VeraCrypt Whirlpool + XTS 1536 bit | Full-Disk Encryption (FDE)
23900 | BestCrypt v3 Volume Encryption | Full-Disk Encryption (FDE)
16700 | FileVault 2 | Full-Disk Encryption (FDE)
27500 | VirtualBox (PBKDF2-HMAC-SHA256 & AES-128-XTS) | Full-Disk Encryption (FDE)
27600 | VirtualBox (PBKDF2-HMAC-SHA256 & AES-256-XTS) | Full-Disk Encryption (FDE)
20011 | DiskCryptor SHA512 + XTS 512 bit | Full-Disk Encryption (FDE)
20012 | DiskCryptor SHA512 + XTS 1024 bit | Full-Disk Encryption (FDE)
20013 | DiskCryptor SHA512 + XTS 1536 bit | Full-Disk Encryption (FDE)
22100 | BitLocker | Full-Disk Encryption (FDE)
12900 | Android FDE (Samsung DEK) | Full-Disk Encryption (FDE)
8800 | Android FDE <= 4.3 | Full-Disk Encryption (FDE)
18300 | Apple File System (APFS) | Full-Disk Encryption (FDE)
6211 | TrueCrypt RIPEMD160 + XTS 512 bit (legacy) | Full-Disk Encryption (FDE)
6212 | TrueCrypt RIPEMD160 + XTS 1024 bit (legacy) | Full-Disk Encryption (FDE)
6213 | TrueCrypt RIPEMD160 + XTS 1536 bit (legacy) | Full-Disk Encryption (FDE)
6241 | TrueCrypt RIPEMD160 + XTS 512 bit + boot-mode (legacy) | Full-Disk Encryption (FDE)
6242 | TrueCrypt RIPEMD160 + XTS 1024 bit + boot-mode (legacy) | Full-Disk Encryption (FDE)
6243 | TrueCrypt RIPEMD160 + XTS 1536 bit + boot-mode (legacy) | Full-Disk Encryption (FDE)
29311 | TrueCrypt RIPEMD160 + XTS 512 bit | Full-Disk Encryption (FDE)
29312 | TrueCrypt RIPEMD160 + XTS 1024 bit | Full-Disk Encryption (FDE)
29313 | TrueCrypt RIPEMD160 + XTS 1536 bit | Full-Disk Encryption (FDE)
29341 | TrueCrypt RIPEMD160 + XTS 512 bit + boot-mode | Full-Disk Encryption (FDE)
29342 | TrueCrypt RIPEMD160 + XTS 1024 bit + boot-mode | Full-Disk Encryption (FDE)
29343 | TrueCrypt RIPEMD160 + XTS 1536 bit + boot-mode | Full-Disk Encryption (FDE)
6221 | TrueCrypt SHA512 + XTS 512 bit (legacy) | Full-Disk Encryption (FDE)
6222 | TrueCrypt SHA512 + XTS 1024 bit (legacy) | Full-Disk Encryption (FDE)
6223 | TrueCrypt SHA512 + XTS 1536 bit (legacy) | Full-Disk Encryption (FDE)
29321 | TrueCrypt SHA512 + XTS 512 bit | Full-Disk Encryption (FDE)
29322 | TrueCrypt SHA512 + XTS 1024 bit | Full-Disk Encryption (FDE)
29323 | TrueCrypt SHA512 + XTS 1536 bit | Full-Disk Encryption (FDE)
6231 | TrueCrypt Whirlpool + XTS 512 bit (legacy) | Full-Disk Encryption (FDE)
6232 | TrueCrypt Whirlpool + XTS 1024 bit (legacy) | Full-Disk Encryption (FDE)
6233 | TrueCrypt Whirlpool + XTS 1536 bit (legacy) | Full-Disk Encryption (FDE)
29331 | TrueCrypt Whirlpool + XTS 512 bit | Full-Disk Encryption (FDE)
29332 | TrueCrypt Whirlpool + XTS 1024 bit | Full-Disk Encryption (FDE)
29333 | TrueCrypt Whirlpool + XTS 1536 bit | Full-Disk Encryption (FDE)
12200 | eCryptfs | Full-Disk Encryption (FDE)
10400 | PDF 1.1 - 1.3 (Acrobat 2 - 4) | Document
10410 | PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #1 | Document
10420 | PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2 | Document
10500 | PDF 1.4 - 1.6 (Acrobat 5 - 8) | Document
25400 | PDF 1.4 - 1.6 (Acrobat 5 - 8) - user and owner pass | Document
10600 | PDF 1.7 Level 3 (Acrobat 9) | Document
10700 | PDF 1.7 Level 8 (Acrobat 10 - 11) | Document
9400 | MS Office 2007 | Document
9500 | MS Office 2010 | Document
9600 | MS Office 2013 | Document
25300 | MS Office 2016 - SheetProtection | Document
9700 | MS Office <= 2003 $0/$1, MD5 + RC4 | Document
9710 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #1 | Document
9720 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #2 | Document
9810 | MS Office <= 2003 $3, SHA1 + RC4, collider #1 | Document
9820 | MS Office <= 2003 $3, SHA1 + RC4, collider #2 | Document
9800 | MS Office <= 2003 $3/$4, SHA1 + RC4 | Document
18400 | Open Document Format (ODF) 1.2 (SHA-256, AES) | Document
18600 | Open Document Format (ODF) 1.1 (SHA-1, Blowfish) | Document
16200 | Apple Secure Notes | Document
23300 | Apple iWork | Document
6600 | 1Password, agilekeychain | Password Manager
8200 | 1Password, cloudkeychain | Password Manager
9000 | Password Safe v2 | Password Manager
5200 | Password Safe v3 | Password Manager
6800 | LastPass + LastPass sniffed | Password Manager
13400 | KeePass 1 (AES/Twofish) and KeePass 2 (AES) | Password Manager
29700 | KeePass 1 (AES/Twofish) and KeePass 2 (AES) - keyfile only mode | Password Manager
23400 | Bitwarden | Password Manager
16900 | Ansible Vault | Password Manager
26000 | Mozilla key3.db | Password Manager
26100 | Mozilla key4.db | Password Manager
23100 | Apple Keychain | Password Manager
11600 | 7-Zip | Archive
12500 | RAR3-hp | Archive
23800 | RAR3-p (Compressed) | Archive
23700 | RAR3-p (Uncompressed) | Archive
13000 | RAR5 | Archive
17220 | PKZIP (Compressed Multi-File) | Archive
17200 | PKZIP (Compressed) | Archive
17225 | PKZIP (Mixed Multi-File) | Archive
17230 | PKZIP (Mixed Multi-File Checksum-Only) | Archive
17210 | PKZIP (Uncompressed) | Archive
20500 | PKZIP Master Key | Archive
20510 | PKZIP Master Key (6 byte optimization) | Archive
23001 | SecureZIP AES-128 | Archive
23002 | SecureZIP AES-192 | Archive
23003 | SecureZIP AES-256 | Archive
13600 | WinZip | Archive
18900 | Android Backup | Archive
24700 | Stuffit5 | Archive
13200 | AxCrypt 1 | Archive
13300 | AxCrypt 1 in-memory SHA1 | Archive
23500 | AxCrypt 2 AES-128 | Archive
23600 | AxCrypt 2 AES-256 | Archive
14700 | iTunes backup < 10.0 | Archive
14800 | iTunes backup >= 10.0 | Archive
8400 | WBB3 (Woltlab Burning Board) | Forums, CMS, E-Commerce
2612 | PHPS | Forums, CMS, E-Commerce
121 | SMF (Simple Machines Forum) > v1.1 | Forums, CMS, E-Commerce
3711 | MediaWiki B type | Forums, CMS, E-Commerce
4521 | Redmine | Forums, CMS, E-Commerce
24800 | Umbraco HMAC-SHA1 | Forums, CMS, E-Commerce
11 | Joomla < 2.5.18 | Forums, CMS, E-Commerce
13900 | OpenCart | Forums, CMS, E-Commerce
11000 | PrestaShop | Forums, CMS, E-Commerce
16000 | Tripcode | Forums, CMS, E-Commerce
7900 | Drupal7 | Forums, CMS, E-Commerce
4522 | PunBB | Forums, CMS, E-Commerce
2811 | MyBB 1.2+, IPB2+ (Invision Power Board) | Forums, CMS, E-Commerce
2611 | vBulletin < v3.8.5 | Forums, CMS, E-Commerce
2711 | vBulletin >= v3.8.5 | Forums, CMS, E-Commerce
25600 | bcrypt(md5($pass)) / bcryptmd5 | Forums, CMS, E-Commerce
25800 | bcrypt(sha1($pass)) / bcryptsha1 | Forums, CMS, E-Commerce
28400 | bcrypt(sha512($pass)) / bcryptsha512 | Forums, CMS, E-Commerce
21 | osCommerce, xt:Commerce | Forums, CMS, E-Commerce
18100 | TOTP (HMAC-SHA1) | One-Time Password
2000 | STDOUT | Plaintext
99999 | Plaintext | Plaintext
21600 | Web2py pbkdf2-sha512 | Framework
10000 | Django (PBKDF2-SHA256) | Framework
124 | Django (SHA-1) | Framework
12001 | Atlassian (PBKDF2-HMAC-SHA1) | Framework
19500 | Ruby on Rails Restful-Authentication | Framework
27200 | Ruby on Rails Restful Auth (one round, no sitekey) | Framework
30000 | Python Werkzeug MD5 (HMAC-MD5 (key = $salt)) | Framework
30120 | Python Werkzeug SHA256 (HMAC-SHA256 (key = $salt)) | Framework
20200 | Python passlib pbkdf2-sha512 | Framework
20300 | Python passlib pbkdf2-sha256 | Framework
20400 | Python passlib pbkdf2-sha1 | Framework
24410 | PKCS#8 Private Keys (PBKDF2-HMAC-SHA1 + 3DES/AES) | Private Key
24420 | PKCS#8 Private Keys (PBKDF2-HMAC-SHA256 + 3DES/AES) | Private Key
15500 | JKS Java Key Store Private Keys (SHA1) | Private Key
22911 | RSA/DSA/EC/OpenSSH Private Keys ($0$) | Private Key
22921 | RSA/DSA/EC/OpenSSH Private Keys ($6$) | Private Key
22931 | RSA/DSA/EC/OpenSSH Private Keys ($1, $3$) | Private Key
22941 | RSA/DSA/EC/OpenSSH Private Keys ($4$) | Private Key
22951 | RSA/DSA/EC/OpenSSH Private Keys ($5$) | Private Key
23200 | XMPP SCRAM PBKDF2-SHA1 | Instant Messaging Service
28300 | Teamspeak 3 (channel hash) | Instant Messaging Service
22600 | Telegram Desktop < v2.1.14 (PBKDF2-HMAC-SHA1) | Instant Messaging Service
24500 | Telegram Desktop >= v2.1.14 (PBKDF2-HMAC-SHA512) | Instant Messaging Service
22301 | Telegram Mobile App Passcode (SHA256) | Instant Messaging Service
23 | Skype | Instant Messaging Service
29600 | Terra Station Wallet (AES256-CBC(PBKDF2($pass))) | Cryptocurrency Wallet
26600 | MetaMask Wallet | Cryptocurrency Wallet
21000 | BitShares v0.x - sha512(sha512_bin(pass)) | Cryptocurrency Wallet
28501 | Bitcoin WIF private key (P2PKH), compressed | Cryptocurrency Wallet
28502 | Bitcoin WIF private key (P2PKH), uncompressed | Cryptocurrency Wallet
28503 | Bitcoin WIF private key (P2WPKH, Bech32), compressed | Cryptocurrency Wallet
28504 | Bitcoin WIF private key (P2WPKH, Bech32), uncompressed | Cryptocurrency Wallet
28505 | Bitcoin WIF private key (P2SH(P2WPKH)), compressed | Cryptocurrency Wallet
28506 | Bitcoin WIF private key (P2SH(P2WPKH)), uncompressed | Cryptocurrency Wallet
11300 | Bitcoin/Litecoin wallet.dat | Cryptocurrency Wallet
16600 | Electrum Wallet (Salt-Type 1-3) | Cryptocurrency Wallet
21700 | Electrum Wallet (Salt-Type 4) | Cryptocurrency Wallet
21800 | Electrum Wallet (Salt-Type 5) | Cryptocurrency Wallet
12700 | Blockchain, My Wallet | Cryptocurrency Wallet
15200 | Blockchain, My Wallet, V2 | Cryptocurrency Wallet
18800 | Blockchain, My Wallet, Second Password (SHA256) | Cryptocurrency Wallet
25500 | Stargazer Stellar Wallet XLM | Cryptocurrency Wallet
16300 | Ethereum Pre-Sale Wallet, PBKDF2-HMAC-SHA256 | Cryptocurrency Wallet
15600 | Ethereum Wallet, PBKDF2-HMAC-SHA256 | Cryptocurrency Wallet
15700 | Ethereum Wallet, SCRYPT | Cryptocurrency Wallet
22500 | MultiBit Classic .key (MD5) | Cryptocurrency Wallet
27700 | MultiBit Classic .wallet (scrypt) | Cryptocurrency Wallet
22700 | MultiBit HD (scrypt) | Cryptocurrency Wallet
28200 | Exodus Desktop Wallet (scrypt) | Cryptocurrency Wallet
掩码设置
- [ Built-in Charsets ] -
? | Charset
===+=========
l | abcdefghijklmnopqrstuvwxyz [a-z]
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ [A-Z]
d | 0123456789 [0-9]
h | 0123456789abcdef [0-9a-f]
H | 0123456789ABCDEF [0-9A-F]
s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
a | ?l?u?d?s
b | 0x00 - 0xff
这里列一下常见的掩码字符集
l | abcdefghijklmnopqrstuvwxyz 纯小写字母
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ 纯大写字母
d | 0123456789 纯数字
h | 0123456789abcdef 常见小写子目录和数字
H | 0123456789ABCDEF 常见大写字母和数字
s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ 特殊字符
a | ?l?u?d?s 键盘上所有可见的字符
b | 0x00 - 0xff 可能是用来匹配像空格这种密码的
下面举几个简单的例子来了解一下掩码的设置
八位数字密码:?d?d?d?d?d?d?d?d
八位未知密码:?a?a?a?a?a?a?a?a
前四位为大写字母,后面四位为数字:?u?u?u?u?d?d?d?d
前四位为数字或者是小写字母,后四位为大写字母或者数字:?h?h?h?h?H?H?H?H
前三个字符未知,中间为admin,后三位未知:?a?a?aadmin?a?a?a
6-8位数字密码:--increment --increment-min 6 --increment-max 8 ?l?l?l?l?l?l?l?l
6-8位数字+小写字母密码:--increment --increment-min 6 --increment-max 8 ?h?h?h?h?h?h?h?h
如果我们想设置字符集为:abcd123456!@-+,那该怎么做呢。这就需要用到自定义字符集这个参数了,hashcat支持用户最多定义4组字符集
--custom-charset1 [chars]等价于 -1
--custom-charset2 [chars]等价于 -2
--custom-charset3 [chars]等价于 -3
--custom-charset4 [chars]等价于 -4
在掩码中用?1、?2、?3、?4来表示。
再来举几个例子:
--custom-charset1 abcd123456!@-+。然后我们就可以用"?1"去表示这个字符集了
--custom-charset2 ?l?d,这里和?2就等价于?h
-1 ?d?l?u,?1就表示数字+小写字母+大写字母
-3 abcdef -4 123456 那么?3?3?3?3?4?4?4?4就表示为前四位可能是“abcdef”,后四位可能是“123456”
例子
7位数字破解
25c3e88f81b4853f2a8faacad4c871b6为字符串的md5:
echo -n '5612325'|md5sum |cut -d ' ' -f1
命令:
./hashcat -a 3 -m 0 --force 25c3e88f81b4853f2a8faacad4c871b6 ?d?d?d?d?d?d?d
输出:
25c3e88f81b4853f2a8faacad4c871b6:5612325
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: 25c3e88f81b4853f2a8faacad4c871b6
Time.Started.....: Tue Dec 26 14:21:37 2023, (0 secs)
Time.Estimated...: Tue Dec 26 14:21:37 2023, (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: ?d?d?d?d?d?d?d [7]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 0 H/s (0.15ms) @ Accel:256 Loops:125 Thr:128 Vec:1
Speed.#2.........: 1095.2 MH/s (0.16ms) @ Accel:256 Loops:125 Thr:128 Vec:1
Speed.#3.........: 129.9 MH/s (0.16ms) @ Accel:256 Loops:125 Thr:128 Vec:1
Speed.#4.........: 550.1 MH/s (0.16ms) @ Accel:256 Loops:125 Thr:128 Vec:1
Speed.#5.........: 0 H/s (0.00ms) @ Accel:1024 Loops:15 Thr:1 Vec:8
Speed.#*.........: 1775.2 MH/s
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 5520000/10000000 (55.20%)
Rejected.........: 0/5520000 (0.00%)
Restore.Point....: 0/10000 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-125 Iteration:0-125
Restore.Sub.#2...: Salt:0 Amplifier:875-1000 Iteration:0-125
Restore.Sub.#3...: Salt:0 Amplifier:125-250 Iteration:0-125
Restore.Sub.#4...: Salt:0 Amplifier:875-1000 Iteration:0-125
Restore.Sub.#5...: Salt:0 Amplifier:0-0 Iteration:0-15
Candidate.Engine.: Device Generator
Candidates.#1....: 1234567 -> 9127721
Candidates.#2....: 4684432 -> 6887125
Candidates.#3....: 4414208 -> 6217638
Candidates.#4....: 4684758 -> 6887494
Candidates.#5....: [Generating]
Hardware.Mon.#1..: Temp: 37c Fan: 0% Util: 95% Core:1822MHz Mem:4513MHz Bus:8
Hardware.Mon.#2..: Temp: 36c Fan: 0% Util: 95% Core:1847MHz Mem:4513MHz Bus:8
Hardware.Mon.#3..: Temp: 36c Fan: 0% Util: 94% Core:1847MHz Mem:4513MHz Bus:16
Hardware.Mon.#4..: Temp: 34c Fan: 0% Util: 95% Core:1835MHz Mem:4513MHz Bus:16
Hardware.Mon.#5..: Temp: 41c Util: 1%
Started: Tue Dec 26 14:20:53 2023
Stopped: Tue Dec 26 14:21:39 2023
7位小写字母破解
./hashcat -a 3 -m 0 --force 7a47c6db227df60a6d67245d7d8063f3 ?l?l?l?l?l?l?l
输出:
7a47c6db227df60a6d67245d7d8063f3:qiyoupq
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: 7a47c6db227df60a6d67245d7d8063f3
Time.Started.....: Tue Dec 26 14:34:03 2023, (1 sec)
Time.Estimated...: Tue Dec 26 14:34:04 2023, (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: ?l?l?l?l?l?l?l [7]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1822.0 MH/s (0.15ms) @ Accel:1024 Loops:128 Thr:32 Vec:1
Speed.#2.........: 1828.7 MH/s (0.16ms) @ Accel:1024 Loops:128 Thr:32 Vec:1
Speed.#3.........: 1837.5 MH/s (0.15ms) @ Accel:1024 Loops:128 Thr:32 Vec:1
Speed.#4.........: 1856.2 MH/s (0.15ms) @ Accel:1024 Loops:128 Thr:32 Vec:1
Speed.#5.........: 4533.1 kH/s (0.37ms) @ Accel:1024 Loops:16 Thr:1 Vec:8
Speed.#*.........: 7348.9 MH/s
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 7949951904/8031810176 (98.98%)
Rejected.........: 0/7949951904 (0.00%)
Restore.Point....: 0/456976 (0.00%)
1-8位数字破解
./hashcat -a 3 -m 0 --force 4488cec2aea535179e085367d8a17d75 \
--increment --increment-min 1 --increment-max 8 ?d?d?d?d?d?d?d?d
输出:
4488cec2aea535179e085367d8a17d75:192085
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: 4488cec2aea535179e085367d8a17d75
Time.Started.....: Tue Dec 26 14:36:41 2023, (0 secs)
Time.Estimated...: Tue Dec 26 14:36:41 2023, (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: ?d?d?d?d?d?d [6]
Guess.Queue......: 6/8 (75.00%)
Speed.#1.........: 0 H/s (0.12ms) @ Accel:1024 Loops:100 Thr:32 Vec:1
Speed.#2.........: 135.5 MH/s (0.12ms) @ Accel:1024 Loops:100 Thr:32 Vec:1
Speed.#3.........: 189.2 MH/s (0.12ms) @ Accel:1024 Loops:100 Thr:32 Vec:1
Speed.#4.........: 131.6 MH/s (0.12ms) @ Accel:1024 Loops:100 Thr:32 Vec:1
Speed.#5.........: 0 H/s (0.26ms) @ Accel:1024 Loops:25 Thr:1 Vec:8
Speed.#*.........: 456.3 MH/s
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 384000/1000000 (38.40%)
Rejected.........: 0/384000 (0.00%)
Restore.Point....: 0/10000 (0.00%)
1-8位小写字母+数字破解
./hashcat -a 3 -m 0 --force ab65d749cba1656ca11dfa1cc2383102 \
--increment --increment-min 1 --increment-max 8 ?h?h?h?h?h?h?h?h
输出:
ab65d749cba1656ca11dfa1cc2383102:abc126
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: ab65d749cba1656ca11dfa1cc2383102
Time.Started.....: Tue Dec 26 14:39:38 2023, (0 secs)
Time.Estimated...: Tue Dec 26 14:39:38 2023, (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: ?h?h?h?h?h?h [6]
Guess.Queue......: 6/8 (75.00%)
Speed.#1.........: 59757.5 kH/s (0.16ms) @ Accel:512 Loops:128 Thr:64 Vec:1
Speed.#2.........: 385.4 MH/s (0.17ms) @ Accel:512 Loops:128 Thr:64 Vec:1
Speed.#3.........: 419.6 MH/s (0.16ms) @ Accel:512 Loops:128 Thr:64 Vec:1
Speed.#4.........: 453.4 MH/s (0.16ms) @ Accel:512 Loops:128 Thr:64 Vec:1
Speed.#5.........: 524.4 kH/s (0.29ms) @ Accel:1024 Loops:16 Thr:1 Vec:8
Speed.#*.........: 1318.7 MH/s
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 7211648/16777216 (42.98%)
Rejected.........: 0/7211648 (0.00%)
Restore.Point....: 0/65536 (0.00%)
特定字符集:123456abcdf!@+-
./hashcat -a 3 -m 0 -1 '123456abcdf!@+-' 8b78ba5089b11326290bc15cf0b9a07d ?1?1?1?1?1
输出:
8b78ba5089b11326290bc15cf0b9a07d:!@1a2
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: 8b78ba5089b11326290bc15cf0b9a07d
Time.Started.....: Tue Dec 26 14:41:57 2023 (0 secs)
Time.Estimated...: Tue Dec 26 14:41:57 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: ?1?1?1?1?1 [5]
Guess.Charset....: -1 123456abcdf!@+-, -2 Undefined, -3 Undefined, -4 Undefined
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 358.4 MH/s (0.03ms) @ Accel:512 Loops:15 Thr:256 Vec:1
Speed.#2.........: 21914.2 kH/s (0.03ms) @ Accel:512 Loops:15 Thr:256 Vec:1
Speed.#3.........: 17909.9 kH/s (0.03ms) @ Accel:512 Loops:15 Thr:256 Vec:1
Speed.#4.........: 36480.1 kH/s (0.03ms) @ Accel:512 Loops:15 Thr:256 Vec:1
Speed.#*.........: 434.7 MH/s
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 759375/759375 (100.00%)
Rejected.........: 0/759375 (0.00%)
Restore.Point....: 0/50625 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-15 Iteration:0-15
Restore.Sub.#2...: Salt:0 Amplifier:0-15 Iteration:0-15
Restore.Sub.#3...: Salt:0 Amplifier:0-15 Iteration:0-15
Restore.Sub.#4...: Salt:0 Amplifier:0-15 Iteration:0-15
Candidate.Engine.: Device Generator
Candidates.#1....: 1a+5+ -> ++!-!
Candidates.#2....: 13--b -> +b344
Candidates.#3....: 1f433 -> ++a35
Candidates.#4....: 1aa35 -> +411a
Hardware.Mon.#1..: Temp: 36c Fan: 0% Util: 95% Core:1923MHz Mem:4513MHz Bus:8
Hardware.Mon.#2..: Temp: 35c Fan: 0% Util: 96% Core:1923MHz Mem:4513MHz Bus:8
Hardware.Mon.#3..: Temp: 35c Fan: 0% Util: 95% Core:1923MHz Mem:4513MHz Bus:16
Hardware.Mon.#4..: Temp: 33c Fan: 0% Util: 98% Core:1936MHz Mem:4513MHz Bus:16
Started: Tue Dec 26 14:41:49 2023
Stopped: Tue Dec 26 14:41:59 2023
1-8为位符集:123456abcdf!@+-
./hashcat -a 3 -m 0 -1 '123456abcdf!@+-' 9054fa315ce16f7f0955b4af06d1aa1b \
--increment --increment-min 1 --increment-max 8 ?1?1?1?1?1?1?1?1
输出:
9054fa315ce16f7f0955b4af06d1aa1b:1ab@!2
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: 9054fa315ce16f7f0955b4af06d1aa1b
Time.Started.....: Tue Dec 26 14:44:30 2023 (0 secs)
Time.Estimated...: Tue Dec 26 14:44:30 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: ?1?1?1?1?1?1 [6]
Guess.Charset....: -1 123456abcdf!@+-, -2 Undefined, -3 Undefined, -4 Undefined
Guess.Queue......: 6/8 (75.00%)
Speed.#1.........: 217.0 MH/s (0.11ms) @ Accel:512 Loops:112 Thr:64 Vec:1
Speed.#2.........: 472.0 MH/s (0.10ms) @ Accel:512 Loops:112 Thr:64 Vec:1
Speed.#3.........: 472.3 MH/s (0.10ms) @ Accel:512 Loops:112 Thr:64 Vec:1
Speed.#4.........: 0 H/s (0.14ms) @ Accel:512 Loops:112 Thr:64 Vec:1
Speed.#*.........: 1161.4 MH/s
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 2878720/11390625 (25.27%)
Rejected.........: 0/2878720 (0.00%)
Restore.Point....: 0/50625 (0.00%)
1-8位数字+大小写字母+可见特殊符号
./hashcat -a 3 -m 0 -1 ?d?u?l?s d37fc9ee39dd45a7717e3e3e9415f65d \
--increment --increment-min 1 --increment-max 8 ?1?1?1?1?1?1?1?1
或者:
./hashcat -a 3 -m 0 d37fc9ee39dd45a7717e3e3e9415f65d \
--increment --increment-min 1 --increment-max 8 ?a?a?a?a?a?a?a?a
输出:
d37fc9ee39dd45a7717e3e3e9415f65d:1ab@!A
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: d37fc9ee39dd45a7717e3e3e9415f65d
Time.Started.....: Tue Dec 26 14:46:42 2023 (12 secs)
Time.Estimated...: Tue Dec 26 14:46:54 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: ?1?1?1?1?1?1 [6]
Guess.Charset....: -1 ?d?u?l?s, -2 Undefined, -3 Undefined, -4 Undefined
Guess.Queue......: 6/8 (75.00%)
Speed.#1.........: 8800.4 MH/s (8.32ms) @ Accel:256 Loops:128 Thr:128 Vec:1
Speed.#2.........: 8971.3 MH/s (8.32ms) @ Accel:256 Loops:128 Thr:128 Vec:1
Speed.#3.........: 9064.4 MH/s (8.23ms) @ Accel:256 Loops:128 Thr:128 Vec:1
Speed.#4.........: 8985.2 MH/s (8.31ms) @ Accel:256 Loops:128 Thr:128 Vec:1
Speed.#*.........: 35821.3 MH/s
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 404752302080/735091890625 (55.06%)
Rejected.........: 0/404752302080 (0.00%)
Restore.Point....: 41943040/81450625 (51.50%)
字典破解
-a 0是指定字典破解模式,-o是输出结果到文件中
./hashcat -a 0 -m 0 fb0e22c79ac75679e9881e6ba183b354 password.txt -o result.txt
输出:
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 1405 MB
Dictionary cache built:
* Filename..: password.txt
* Passwords.: 3
* Bytes.....: 19
* Keyspace..: 3
* Runtime...: 0 secs
The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework
Approaching final keyspace - workload adjusted.
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: fb0e22c79ac75679e9881e6ba183b354
Time.Started.....: Tue Dec 26 14:53:23 2023 (0 secs)
Time.Estimated...: Tue Dec 26 14:53:23 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (password.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 17689 H/s (0.02ms) @ Accel:2048 Loops:1 Thr:32 Vec:1
Speed.#2.........: 0 H/s (0.00ms) @ Accel:2048 Loops:1 Thr:32 Vec:1
Speed.#3.........: 0 H/s (0.00ms) @ Accel:2048 Loops:1 Thr:32 Vec:1
Speed.#4.........: 0 H/s (0.00ms) @ Accel:2048 Loops:1 Thr:32 Vec:1
Speed.#*.........: 17689 H/s
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 3/3 (100.00%)
Rejected.........: 0/3 (0.00%)
Restore.Point....: 0/3 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Restore.Sub.#2...: Salt:0 Amplifier:0-0 Iteration:0-1
Restore.Sub.#3...: Salt:0 Amplifier:0-0 Iteration:0-1
Restore.Sub.#4...: Salt:0 Amplifier:0-0 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: admin -> xxxxx
result.txt内容:
result.txt
fb0e22c79ac75679e9881e6ba183b354:xxxxx
批量破解
./hashcat -a 0 -m 0 hash.txt password.txt -o result.txt
字典组合破解
./hashcat -a 1 -m 0 25f9e794323b453885f5181f1b624d0b pwd1.txt pwd2.txt
字典+掩码破解
./hashcat -a 6 -m 0 9dc9d5ed5031367d42543763423c24ee password.txt ?l?l?l?l?l
Mysql4.1/5的PASSWORD函数
mysql> select authentication_string from mysql.user;
6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
命令:
./hashcat -a 3 -m 300 --force 6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 ?d?d?d?d?d?d
sha512crypt $6$, SHA512 (Unix)破解
可以cat /etc/shadow获取
./hashcat -a 3 -m 1800 --force \
$6$mxuA5cdy$XZRk0CvnPFqOgVopqiPEFAFK72SogKVwwwp7gWaUOb7b6tVwfCpcSUsCEk64ktLLYmzyew/xd0O0hPG/yrm2X. \
?l?l?l?l
不用整理用户名,使用--username
./hashcat -a 3 -m 1800 --force \
qiyou:$6$QDq75ki3$jsKm7qTDHz/xBob0kF1Lp170Cgg0i5Tslf3JW/sm9k9Q916mBTyilU3PoOsbRdxV8TAmzvdgNjrCuhfg3jKMY1 \
?l?l?l?l?l --username
Windows NT-hash,LM-hash破解
可以用saminside获取NT-hash,LM-hash的值
NT-hash:
./hashcat -a 3 -m 1000 209C6174DA490CAEB422F3FA5A7AE634 ?l?l?l?l?l
LM-hash:
./hashcat -a 3 -m 3000 F0D412BD764FFE81AAD3B435B51404EE ?l?l?l?l?l
mssql
./hashcat -a 3 -m 132 --force \
0x01008c8006c224f71f6bf0036f78d863c3c4ff53f8c3c48edafb ?l?l?l?l?l?d?d?d
wordpress密码hash破解
具体加密脚本在./wp-includes/class-phpass.php的HashPassword函数
./hashcat -a 3 -m 400 --force $P$BYEYcHEj3vDhV1lwGBv6rpxurKOEWY/ ?d?d?d?d?d?d
discuz用户密码hash破解
其密码加密方式md5(md5(\$pass).\$salt)
./hashcat -a 3 -m 2611 --force 14e1b600b1fd579f47433b88e8d85291: ?d?d?d?d?d?d
破解RAR压缩密码
首先rar2john获取rar文件hash值:
获取rar文件的hash值:rar2john.exe 1.rar
结果:
1.rar:$rar5$16$639e9ce8344c680da12e8bdd4346a6a3$15$a2b056a21a9836d8d48c2844d171b73d$8$04a52d2224ad082e
命令:
./hashcat -a 3 -m 13000 --force $rar5$16$639e9ce8344c680da12e8bdd4346a6a3$15$a2b056a21a9836d8d48c2844d171b73d$8$04a52d2224ad082e ?d?d?d?d?d?d
注意:
hashcat 支持 RAR3-hp 和 RAR5,官方示例如下:
-m参数 类型 示例 hash
12500 RAR3-hp $RAR3$*0*45109af8ab5f297a*adbf6c5385d7a40373e8f77d7b89d317
13000 RAR5 $rar5$16$74575567518807622265582327032280$15$f8b4064de34ac02ecabfe
zip密码破解
用zip2john获取文件的hash值:zip2john.exe 1.zip
结果:
1.zip:$zip2$*0*3*0*554bb43ff71cb0cac76326f292119dfd*ff23*5*24b28885ee*d4fe362bb1e91319ab53*$/zip2$:::::1.zip-1.txt
命令:
./hashcat -a 3 -m 13600 $zip2$*0*3*0*554bb43ff71cb0cac76326f292119dfd*ff23*5*24b28885ee*d4fe362bb1e91319ab53*$/zip2$ --force ?d?d?d?d?d?d
破解office密码
获取office的hash值:python office2john.py 11.docx
结果:
11.docx:$office$*2013*100000*256*16*e4a3eb62e8d3576f861f9eded75e0525*9eeb35f0849a7800d48113440b4bbb9c*577f8d8b2e1c5f60fed76e62327b38d28f25230f6c7dfd66588d9ca8097aabb9
命令:
./hashcat -a 3 -m 9600 $office$*2013*100000*256*16*e4a3eb62e8d3576f861f9eded75e0525*9eeb35f0849a7800d48113440b4bbb9c*577f8d8b2e1c5f60fed76e62327b38d28f25230f6c7dfd66588d9ca8097aabb9 --force ?d?d?d?d?d?d
破解WIFI密码
首先先把我们的握手包转化为hccapx格式,现在最新版的hashcat只支持hccapx格式了,以前的hccap格式已经不支持了
官方在线转化: https://hashcat.net/cap2hccapx/
命令:
hashcat64.exe -a 3 -m 2500 1.hccapx 1391040?d?d?d?d
Others
- 对于破解过的hash值,用
hashcat64.exe hash --show查看结果 - 所有的hash破解结果都在hashcat.potfile文件中
- 如果破解的时间太长,可以按s键可以查看破解的状态,p键暂停,r键继续破解,q键退出破解。
- 在使用GPU模式进行破解时,可以使用-O参数自动进行优化
- 在实际破解中的建议,如果我们盲目的去破解,会占用我们大量的时间和资源
- 首先走一遍常用的弱口令字典
- 组合密码,如:zhang1999,用姓氏和出生年组合,当然也可以用其它的组合,这里举个例子而已
- 把常用的掩码组合整理起来放在masks中的.hcmask文件中,然后让它自动加载破解
- 如果实在不行,你可以尝试低位数的所有组合去跑,不过不建议太高位数的组合去破解,因为如果对方设置的密码很复杂的话,到头来你密码没有破解到,却浪费了大量的时间和资源,得不偿失
HashCat参数优化
考虑到hashcat的破解速度以及资源的分配,我们可以对一些参数进行配置
- Workload tuning 负载调优。
该参数支持的值有1,8,40,80,160
--gpu-accel 160 可以让GPU发挥最大性能。
- Gpu loops 负载微调
该参数支持的值的范围是8-1024(有些算法只支持到1000)。
--gpu-loops 1024 可以让GPU发挥最大性能。
- Segment size 字典缓存大小
该参数是设置内存缓存的大小,作用是将字典放入内存缓存以加快字典破解速度,默认为32MB,可以根据自身内存情况进行设置,当然是越大越块了。
--segment-size 512 可以提高大字典破解的速度。