hashcat 使用手册

官方网站

安装

1
brew install hashcat

参数

-m

破解hash类型

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
- [ Hash modes ] -

# | Name | Category
======+==================================================+======================================
900 | MD4 | Raw Hash
0 | MD5 | Raw Hash
5100 | Half MD5 | Raw Hash
100 | SHA1 | Raw Hash
1300 | SHA2-224 | Raw Hash
1400 | SHA2-256 | Raw Hash
10800 | SHA2-384 | Raw Hash
1700 | SHA2-512 | Raw Hash
17300 | SHA3-224 | Raw Hash
17400 | SHA3-256 | Raw Hash
17500 | SHA3-384 | Raw Hash
17600 | SHA3-512 | Raw Hash
17700 | Keccak-224 | Raw Hash
17800 | Keccak-256 | Raw Hash
17900 | Keccak-384 | Raw Hash
18000 | Keccak-512 | Raw Hash
600 | BLAKE2b-512 | Raw Hash
10100 | SipHash | Raw Hash
6000 | RIPEMD-160 | Raw Hash
6100 | Whirlpool | Raw Hash
6900 | GOST R 34.11-94 | Raw Hash
11700 | GOST R 34.11-2012 (Streebog) 256-bit, big-endian | Raw Hash
11800 | GOST R 34.11-2012 (Streebog) 512-bit, big-endian | Raw Hash
10 | md5($pass.$salt) | Raw Hash, Salted and/or Iterated
20 | md5($salt.$pass) | Raw Hash, Salted and/or Iterated
30 | md5(utf16le($pass).$salt) | Raw Hash, Salted and/or Iterated
40 | md5($salt.utf16le($pass)) | Raw Hash, Salted and/or Iterated
3800 | md5($salt.$pass.$salt) | Raw Hash, Salted and/or Iterated
3710 | md5($salt.md5($pass)) | Raw Hash, Salted and/or Iterated
4010 | md5($salt.md5($salt.$pass)) | Raw Hash, Salted and/or Iterated
4110 | md5($salt.md5($pass.$salt)) | Raw Hash, Salted and/or Iterated
2600 | md5(md5($pass)) | Raw Hash, Salted and/or Iterated
3910 | md5(md5($pass).md5($salt)) | Raw Hash, Salted and/or Iterated
4300 | md5(strtoupper(md5($pass))) | Raw Hash, Salted and/or Iterated
4400 | md5(sha1($pass)) | Raw Hash, Salted and/or Iterated
110 | sha1($pass.$salt) | Raw Hash, Salted and/or Iterated
120 | sha1($salt.$pass) | Raw Hash, Salted and/or Iterated
130 | sha1(utf16le($pass).$salt) | Raw Hash, Salted and/or Iterated
140 | sha1($salt.utf16le($pass)) | Raw Hash, Salted and/or Iterated
4500 | sha1(sha1($pass)) | Raw Hash, Salted and/or Iterated
4520 | sha1($salt.sha1($pass)) | Raw Hash, Salted and/or Iterated
4700 | sha1(md5($pass)) | Raw Hash, Salted and/or Iterated
4900 | sha1($salt.$pass.$salt) | Raw Hash, Salted and/or Iterated
14400 | sha1(CX) | Raw Hash, Salted and/or Iterated
1410 | sha256($pass.$salt) | Raw Hash, Salted and/or Iterated
1420 | sha256($salt.$pass) | Raw Hash, Salted and/or Iterated
1430 | sha256(utf16le($pass).$salt) | Raw Hash, Salted and/or Iterated
1440 | sha256($salt.utf16le($pass)) | Raw Hash, Salted and/or Iterated
1710 | sha512($pass.$salt) | Raw Hash, Salted and/or Iterated
1720 | sha512($salt.$pass) | Raw Hash, Salted and/or Iterated
1730 | sha512(utf16le($pass).$salt) | Raw Hash, Salted and/or Iterated
1740 | sha512($salt.utf16le($pass)) | Raw Hash, Salted and/or Iterated
50 | HMAC-MD5 (key = $pass) | Raw Hash, Authenticated
60 | HMAC-MD5 (key = $salt) | Raw Hash, Authenticated
150 | HMAC-SHA1 (key = $pass) | Raw Hash, Authenticated
160 | HMAC-SHA1 (key = $salt) | Raw Hash, Authenticated
1450 | HMAC-SHA256 (key = $pass) | Raw Hash, Authenticated
1460 | HMAC-SHA256 (key = $salt) | Raw Hash, Authenticated
1750 | HMAC-SHA512 (key = $pass) | Raw Hash, Authenticated
1760 | HMAC-SHA512 (key = $salt) | Raw Hash, Authenticated
11750 | HMAC-Streebog-256 (key = $pass), big-endian | Raw Hash, Authenticated
11760 | HMAC-Streebog-256 (key = $salt), big-endian | Raw Hash, Authenticated
11850 | HMAC-Streebog-512 (key = $pass), big-endian | Raw Hash, Authenticated
11860 | HMAC-Streebog-512 (key = $salt), big-endian | Raw Hash, Authenticated
14000 | DES (PT = $salt, key = $pass) | Raw Cipher, Known-Plaintext attack
14100 | 3DES (PT = $salt, key = $pass) | Raw Cipher, Known-Plaintext attack
14900 | Skip32 (PT = $salt, key = $pass) | Raw Cipher, Known-Plaintext attack
15400 | ChaCha20 | Raw Cipher, Known-Plaintext attack
400 | phpass | Generic KDF
8900 | scrypt | Generic KDF
11900 | PBKDF2-HMAC-MD5 | Generic KDF
12000 | PBKDF2-HMAC-SHA1 | Generic KDF
10900 | PBKDF2-HMAC-SHA256 | Generic KDF
12100 | PBKDF2-HMAC-SHA512 | Generic KDF
23 | Skype | Network Protocols
2500 | WPA-EAPOL-PBKDF2 | Network Protocols
2501 | WPA-EAPOL-PMK | Network Protocols
16800 | WPA-PMKID-PBKDF2 | Network Protocols
16801 | WPA-PMKID-PMK | Network Protocols
4800 | iSCSI CHAP authentication, MD5(CHAP) | Network Protocols
5300 | IKE-PSK MD5 | Network Protocols
5400 | IKE-PSK SHA1 | Network Protocols
5500 | NetNTLMv1 | Network Protocols
5500 | NetNTLMv1+ESS | Network Protocols
5600 | NetNTLMv2 | Network Protocols
7300 | IPMI2 RAKP HMAC-SHA1 | Network Protocols
7500 | Kerberos 5 AS-REQ Pre-Auth etype 23 | Network Protocols
8300 | DNSSEC (NSEC3) | Network Protocols
10200 | CRAM-MD5 | Network Protocols
11100 | PostgreSQL CRAM (MD5) | Network Protocols
11200 | MySQL CRAM (SHA1) | Network Protocols
11400 | SIP digest authentication (MD5) | Network Protocols
13100 | Kerberos 5 TGS-REP etype 23 | Network Protocols
16100 | TACACS+ | Network Protocols
16500 | JWT (JSON Web Token) | Network Protocols
18200 | Kerberos 5 AS-REP etype 23 | Network Protocols
121 | SMF (Simple Machines Forum) > v1.1 | Forums, CMS, E-Commerce, Frameworks
400 | phpBB3 (MD5) | Forums, CMS, E-Commerce, Frameworks
2611 | vBulletin < v3.8.5 | Forums, CMS, E-Commerce, Frameworks
2711 | vBulletin >= v3.8.5 | Forums, CMS, E-Commerce, Frameworks
2811 | MyBB 1.2+ | Forums, CMS, E-Commerce, Frameworks
2811 | IPB2+ (Invision Power Board) | Forums, CMS, E-Commerce, Frameworks
8400 | WBB3 (Woltlab Burning Board) | Forums, CMS, E-Commerce, Frameworks
11 | Joomla < 2.5.18 | Forums, CMS, E-Commerce, Frameworks
400 | Joomla >= 2.5.18 (MD5) | Forums, CMS, E-Commerce, Frameworks
400 | WordPress (MD5) | Forums, CMS, E-Commerce, Frameworks
2612 | PHPS | Forums, CMS, E-Commerce, Frameworks
7900 | Drupal7 | Forums, CMS, E-Commerce, Frameworks
21 | osCommerce | Forums, CMS, E-Commerce, Frameworks
21 | xt:Commerce | Forums, CMS, E-Commerce, Frameworks
11000 | PrestaShop | Forums, CMS, E-Commerce, Frameworks
124 | Django (SHA-1) | Forums, CMS, E-Commerce, Frameworks
10000 | Django (PBKDF2-SHA256) | Forums, CMS, E-Commerce, Frameworks
16000 | Tripcode | Forums, CMS, E-Commerce, Frameworks
3711 | MediaWiki B type | Forums, CMS, E-Commerce, Frameworks
13900 | OpenCart | Forums, CMS, E-Commerce, Frameworks
4521 | Redmine | Forums, CMS, E-Commerce, Frameworks
4522 | PunBB | Forums, CMS, E-Commerce, Frameworks
12001 | Atlassian (PBKDF2-HMAC-SHA1) | Forums, CMS, E-Commerce, Frameworks
12 | PostgreSQL | Database Server
131 | MSSQL (2000) | Database Server
132 | MSSQL (2005) | Database Server
1731 | MSSQL (2012, 2014) | Database Server
200 | MySQL323 | Database Server
300 | MySQL4.1/MySQL5 | Database Server
3100 | Oracle H: Type (Oracle 7+) | Database Server
112 | Oracle S: Type (Oracle 11+) | Database Server
12300 | Oracle T: Type (Oracle 12+) | Database Server
8000 | Sybase ASE | Database Server
141 | Episerver 6.x < .NET 4 | HTTP, SMTP, LDAP Server
1441 | Episerver 6.x >= .NET 4 | HTTP, SMTP, LDAP Server
1600 | Apache $apr1$ MD5, md5apr1, MD5 (APR) | HTTP, SMTP, LDAP Server
12600 | ColdFusion 10+ | HTTP, SMTP, LDAP Server
1421 | hMailServer | HTTP, SMTP, LDAP Server
101 | nsldap, SHA-1(Base64), Netscape LDAP SHA | HTTP, SMTP, LDAP Server
111 | nsldaps, SSHA-1(Base64), Netscape LDAP SSHA | HTTP, SMTP, LDAP Server
1411 | SSHA-256(Base64), LDAP {SSHA256} | HTTP, SMTP, LDAP Server
1711 | SSHA-512(Base64), LDAP {SSHA512} | HTTP, SMTP, LDAP Server
16400 | CRAM-MD5 Dovecot | HTTP, SMTP, LDAP Server
15000 | FileZilla Server >= 0.9.55 | FTP Server
11500 | CRC32 | Checksums
3000 | LM | Operating Systems
1000 | NTLM | Operating Systems
1100 | Domain Cached Credentials (DCC), MS Cache | Operating Systems
2100 | Domain Cached Credentials 2 (DCC2), MS Cache 2 | Operating Systems
15300 | DPAPI masterkey file v1 | Operating Systems
15900 | DPAPI masterkey file v2 | Operating Systems
12800 | MS-AzureSync PBKDF2-HMAC-SHA256 | Operating Systems
1500 | descrypt, DES (Unix), Traditional DES | Operating Systems
12400 | BSDi Crypt, Extended DES | Operating Systems
500 | md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5) | Operating Systems
3200 | bcrypt $2*$, Blowfish (Unix) | Operating Systems
7400 | sha256crypt $5$, SHA256 (Unix) | Operating Systems
1800 | sha512crypt $6$, SHA512 (Unix) | Operating Systems
122 | macOS v10.4, MacOS v10.5, MacOS v10.6 | Operating Systems
1722 | macOS v10.7 | Operating Systems
7100 | macOS v10.8+ (PBKDF2-SHA512) | Operating Systems
6300 | AIX {smd5} | Operating Systems
6700 | AIX {ssha1} | Operating Systems
6400 | AIX {ssha256} | Operating Systems
6500 | AIX {ssha512} | Operating Systems
2400 | Cisco-PIX MD5 | Operating Systems
2410 | Cisco-ASA MD5 | Operating Systems
500 | Cisco-IOS $1$ (MD5) | Operating Systems
5700 | Cisco-IOS type 4 (SHA256) | Operating Systems
9200 | Cisco-IOS $8$ (PBKDF2-SHA256) | Operating Systems
9300 | Cisco-IOS $9$ (scrypt) | Operating Systems
22 | Juniper NetScreen/SSG (ScreenOS) | Operating Systems
501 | Juniper IVE | Operating Systems
15100 | Juniper/NetBSD sha1crypt | Operating Systems
7000 | FortiGate (FortiOS) | Operating Systems
5800 | Samsung Android Password/PIN | Operating Systems
13800 | Windows Phone 8+ PIN/password | Operating Systems
8100 | Citrix NetScaler | Operating Systems
8500 | RACF | Operating Systems
7200 | GRUB 2 | Operating Systems
9900 | Radmin2 | Operating Systems
125 | ArubaOS | Operating Systems
7700 | SAP CODVN B (BCODE) | Enterprise Application Software (EAS)
7701 | SAP CODVN B (BCODE) via RFC_READ_TABLE | Enterprise Application Software (EAS)
7800 | SAP CODVN F/G (PASSCODE) | Enterprise Application Software (EAS)
7801 | SAP CODVN F/G (PASSCODE) via RFC_READ_TABLE | Enterprise Application Software (EAS)
10300 | SAP CODVN H (PWDSALTEDHASH) iSSHA-1 | Enterprise Application Software (EAS)
8600 | Lotus Notes/Domino 5 | Enterprise Application Software (EAS)
8700 | Lotus Notes/Domino 6 | Enterprise Application Software (EAS)
9100 | Lotus Notes/Domino 8 | Enterprise Application Software (EAS)
133 | PeopleSoft | Enterprise Application Software (EAS)
13500 | PeopleSoft PS_TOKEN | Enterprise Application Software (EAS)
11600 | 7-Zip | Archives
12500 | RAR3-hp | Archives
13000 | RAR5 | Archives
13200 | AxCrypt | Archives
13300 | AxCrypt in-memory SHA1 | Archives
13600 | WinZip | Archives
14700 | iTunes backup < 10.0 | Backup
14800 | iTunes backup >= 10.0 | Backup
62XY | TrueCrypt | Full-Disk Encryption (FDE)
X | 1 = PBKDF2-HMAC-RIPEMD160 | Full-Disk Encryption (FDE)
X | 2 = PBKDF2-HMAC-SHA512 | Full-Disk Encryption (FDE)
X | 3 = PBKDF2-HMAC-Whirlpool | Full-Disk Encryption (FDE)
X | 4 = PBKDF2-HMAC-RIPEMD160 + boot-mode | Full-Disk Encryption (FDE)
Y | 1 = XTS 512 bit pure AES | Full-Disk Encryption (FDE)
Y | 1 = XTS 512 bit pure Serpent | Full-Disk Encryption (FDE)
Y | 1 = XTS 512 bit pure Twofish | Full-Disk Encryption (FDE)
Y | 2 = XTS 1024 bit pure AES | Full-Disk Encryption (FDE)
Y | 2 = XTS 1024 bit pure Serpent | Full-Disk Encryption (FDE)
Y | 2 = XTS 1024 bit pure Twofish | Full-Disk Encryption (FDE)
Y | 2 = XTS 1024 bit cascaded AES-Twofish | Full-Disk Encryption (FDE)
Y | 2 = XTS 1024 bit cascaded Serpent-AES | Full-Disk Encryption (FDE)
Y | 2 = XTS 1024 bit cascaded Twofish-Serpent | Full-Disk Encryption (FDE)
Y | 3 = XTS 1536 bit all | Full-Disk Encryption (FDE)
8800 | Android FDE <= 4.3 | Full-Disk Encryption (FDE)
12900 | Android FDE (Samsung DEK) | Full-Disk Encryption (FDE)
12200 | eCryptfs | Full-Disk Encryption (FDE)
137XY | VeraCrypt | Full-Disk Encryption (FDE)
X | 1 = PBKDF2-HMAC-RIPEMD160 | Full-Disk Encryption (FDE)
X | 2 = PBKDF2-HMAC-SHA512 | Full-Disk Encryption (FDE)
X | 3 = PBKDF2-HMAC-Whirlpool | Full-Disk Encryption (FDE)
X | 4 = PBKDF2-HMAC-RIPEMD160 + boot-mode | Full-Disk Encryption (FDE)
X | 5 = PBKDF2-HMAC-SHA256 | Full-Disk Encryption (FDE)
X | 6 = PBKDF2-HMAC-SHA256 + boot-mode | Full-Disk Encryption (FDE)
X | 7 = PBKDF2-HMAC-Streebog-512 | Full-Disk Encryption (FDE)
Y | 1 = XTS 512 bit pure AES | Full-Disk Encryption (FDE)
Y | 1 = XTS 512 bit pure Serpent | Full-Disk Encryption (FDE)
Y | 1 = XTS 512 bit pure Twofish | Full-Disk Encryption (FDE)
Y | 1 = XTS 512 bit pure Camellia | Full-Disk Encryption (FDE)
Y | 1 = XTS 512 bit pure Kuznyechik | Full-Disk Encryption (FDE)
Y | 2 = XTS 1024 bit pure AES | Full-Disk Encryption (FDE)
Y | 2 = XTS 1024 bit pure Serpent | Full-Disk Encryption (FDE)
Y | 2 = XTS 1024 bit pure Twofish | Full-Disk Encryption (FDE)
Y | 2 = XTS 1024 bit pure Camellia | Full-Disk Encryption (FDE)
Y | 2 = XTS 1024 bit pure Kuznyechik | Full-Disk Encryption (FDE)
Y | 2 = XTS 1024 bit cascaded AES-Twofish | Full-Disk Encryption (FDE)
Y | 2 = XTS 1024 bit cascaded Camellia-Kuznyechik | Full-Disk Encryption (FDE)
Y | 2 = XTS 1024 bit cascaded Camellia-Serpent | Full-Disk Encryption (FDE)
Y | 2 = XTS 1024 bit cascaded Kuznyechik-AES | Full-Disk Encryption (FDE)
Y | 2 = XTS 1024 bit cascaded Kuznyechik-Twofish | Full-Disk Encryption (FDE)
Y | 2 = XTS 1024 bit cascaded Serpent-AES | Full-Disk Encryption (FDE)
Y | 2 = XTS 1024 bit cascaded Twofish-Serpent | Full-Disk Encryption (FDE)
Y | 3 = XTS 1536 bit all | Full-Disk Encryption (FDE)
14600 | LUKS | Full-Disk Encryption (FDE)
16700 | FileVault 2 | Full-Disk Encryption (FDE)
18300 | Apple File System (APFS) | Full-Disk Encryption (FDE)
9700 | MS Office <= 2003 $0/$1, MD5 + RC4 | Documents
9710 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #1 | Documents
9720 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #2 | Documents
9800 | MS Office <= 2003 $3/$4, SHA1 + RC4 | Documents
9810 | MS Office <= 2003 $3, SHA1 + RC4, collider #1 | Documents
9820 | MS Office <= 2003 $3, SHA1 + RC4, collider #2 | Documents
9400 | MS Office 2007 | Documents
9500 | MS Office 2010 | Documents
9600 | MS Office 2013 | Documents
10400 | PDF 1.1 - 1.3 (Acrobat 2 - 4) | Documents
10410 | PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #1 | Documents
10420 | PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2 | Documents
10500 | PDF 1.4 - 1.6 (Acrobat 5 - 8) | Documents
10600 | PDF 1.7 Level 3 (Acrobat 9) | Documents
10700 | PDF 1.7 Level 8 (Acrobat 10 - 11) | Documents
16200 | Apple Secure Notes | Documents
9000 | Password Safe v2 | Password Managers
5200 | Password Safe v3 | Password Managers
6800 | LastPass + LastPass sniffed | Password Managers
6600 | 1Password, agilekeychain | Password Managers
8200 | 1Password, cloudkeychain | Password Managers
11300 | Bitcoin/Litecoin wallet.dat | Password Managers
12700 | Blockchain, My Wallet | Password Managers
15200 | Blockchain, My Wallet, V2 | Password Managers
16600 | Electrum Wallet (Salt-Type 1-3) | Password Managers
13400 | KeePass 1 (AES/Twofish) and KeePass 2 (AES) | Password Managers
15500 | JKS Java Key Store Private Keys (SHA1) | Password Managers
15600 | Ethereum Wallet, PBKDF2-HMAC-SHA256 | Password Managers
15700 | Ethereum Wallet, SCRYPT | Password Managers
16300 | Ethereum Pre-Sale Wallet, PBKDF2-HMAC-SHA256 | Password Managers
16900 | Ansible Vault | Password Managers
18100 | TOTP (HMAC-SHA1) | One-Time Passwords
99999 | Plaintext | Plaintext

-a

破解模式

1
2
3
4
5
6
7
8
9
- [ Attack Modes ] -

# | Mode
===+======
0 | Straight # 直接字典破解
1 | Combination # 组合破解
3 | Brute-force # 掩码暴力破解
6 | Hybrid Wordlist + Mask # 字典+掩码破解
7 | Hybrid Mask + Wordlist # 掩码+字典破解

–increment

启用增量破解模式,让hashcat在指定的密码长度范围内执行破解

–increment-min

密码最小长度,后面直接等于一个整数即可,配置increment模式一起使用

–increment-max

密码最大长度,后面直接等于一个整数即可,配置increment模式一起使用

–force

忽略破解过程中的警告信息

–remove

删除已被破解成功的hash

–username

忽略hash文件中的指定的用户名,在破解linux系统用户密码hash会用到

–potfile-disable

不在potfile中记录破解成功的hash

-I

–opencl-info显示有关检测到的OpenCL平台/设备的信息,如果有一块好的显卡的话破解速度会快很多。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
❯ hashcat -I
hashcat (v6.1.1) starting...

OpenCL Info:
============

OpenCL Platform ID #1
Vendor..: Apple
Name....: Apple
Version.: OpenCL 1.2 (Feb 28 2021 03:51:16)

Backend Device ID #1
Type...........: CPU
Vendor.ID......: 4
Vendor.........: Intel
Name...........: Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz
Version........: OpenCL 1.2
Processor(s)...: 16
Clock..........: 2400
Memory.Total...: 65536 MB (limited to 16384 MB allocatable in one block)
Memory.Free....: 65472 MB
OpenCL.Version.: OpenCL C 1.2
Driver.Version.: 1.1

Backend Device ID #2
Type...........: GPU
Vendor.ID......: 8
Vendor.........: Intel Inc.
Name...........: Intel(R) UHD Graphics 630
Version........: OpenCL 1.2
Processor(s)...: 24
Clock..........: 1250
Memory.Total...: 1536 MB (limited to 384 MB allocatable in one block)
Memory.Free....: 1472 MB
OpenCL.Version.: OpenCL C 1.2
Driver.Version.: 1.2(Mar 12 2021 21:25:05)

Backend Device ID #3
Type...........: GPU
Vendor.ID......: 1
Vendor.........: AMD
Name...........: AMD Radeon Pro 5600M Compute Engine
Version........: OpenCL 1.2
Processor(s)...: 40
Clock..........: 1144
Memory.Total...: 8176 MB (limited to 2044 MB allocatable in one block)
Memory.Free....: 8112 MB
OpenCL.Version.: OpenCL C 1.2
Driver.Version.: 1.2 (Mar 12 2021 18:06:33)

-o

–outfile 指定破解成功后的hash及所对应的明文密码的存放位置

-O

–optimized-kernel-enable 启用优化的内核(限制密码长度)

-d

–opencl-devices指定opencl的设备,我这里支持的设备列表如下:

1
hashcat -a 3 -m 0 --force 'cb7a53dd721f4ca90b8fd3dbdabeda5a' 'shaktictf{?a?a?a?a?a}' -O

-D

–opencl-device-types指定opencl的设备类型,Hashcat支持如下设备类型:

1
2
3
1 | CPU
2 | GPU
3 | FPGA, DSP, Co-Processor

一般常用-D 2指定GPU破解

掩码破解

掩码规则

1
2
3
4
5
6
7
8
9
10
? | Charset
===+=========
l | abcdefghijklmnopqrstuvwxyz # 小写字母 a-z
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ # 大写字母 A-Z
d | 0123456789 # 数字 0-9
h | 0123456789abcdef # 数字 + abcdef
H | 0123456789ABCDEF # 数字 + ABCDEF
s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ # 特殊字符
a | ?l?u?d?s # 键盘上所有可见的字符
b | 0x00 - 0xff # 可能是用来匹配像空格这种密码的

自定义掩码规则

1
2
3
4
--custom-charset1 [chars]等价于 -1
--custom-charset2 [chars]等价于 -2
--custom-charset3 [chars]等价于 -3
--custom-charset4 [chars]等价于 -4

字典破解

1
hashcat -a 0 -m 0 '5416d7cd6ef195a0f7622a9c56b55e84' hashpass.txt -o success.txt

删除已破解密码

有时候破解的时候会出现如下提示:

1
INFO: All hashes found in potfile! Use --show to display them.

这表明在之前该密码已经被我们破解成功了,Hashcat故不再显示出来,可以在后面添加参数–show来显示密码:

1
2
hashcat -a 0 -m 0 'cbc8f5435c87e13c5d14e6ce92358d68' hashpass.txt --show
cbc8f5435c87e13c5d14e6ce92358d68:123456@abc

Hashcat存放已经成功破解的密码文件位置为:~/.hashcat/hashcat.potfile

如果想要直接显示破解的密码的话,可以直接删除掉该文件。

1
~/.hashcat/hashcat.potfile

破解案例

8位MD5加密的数字破解

对23323323进行MD5加密:

1
2
$ echo -n 23323323 |openssl md5
5a745e31dbbd93f4c86d1ef82281688b

使用Hashcat来进行破解:

1
hashcat -a 3 -m 0 --force '5a745e31dbbd93f4c86d1ef82281688b' '?d?d?d?d?d?d?d?d' -O

8位MD5加密的大小写字母破解
Bash
$ echo -n PassWord |openssl md5
a9d402bfcde5792a8b531b3a82669585
使用Hashcat来进行破解:

Bash
hashcat -a 3 -m 0 -1 ‘?l?u’ –force ‘a9d402bfcde5792a8b531b3a82669585’ ‘?1?1?1?1?1?1?1?1’ -O
这里面定义了个自定义规则-1,此时?1就表示?l?u,即大小写字母。

5-7位MD5加密的大小写字母+数字破解
Admin88的MD5值为d41e98d1eafa6d6011d3a70f1a5b92f0

Bash
hashcat -a 3 -m 0 -1 ‘?l?u?d’ –force ‘2792e40d60bac94b4b163b93566e65a9’ –increment –increment-min 5 –increment-max 7 ‘?1?1?1?1?1?1?1’ -O
这里面定义了个自定义规则-1,此时?1就表示?l?u?d,即大小写字母+数字。

admin开头10位MD5加密的大小写字母+数字破解
admin23323的MD5值为a9991129897a44e0d1c2855c3d7dccc4

Bash
hashcat -a 3 -m 0 -1 ‘?l?u?d’ –force ‘a9991129897a44e0d1c2855c3d7dccc4’ ‘admin?1?1?1?1?1’ -O
MySQL4.1/MySQL5
查看MySQL的密码:

Mysql
mysql> select Password from mysql.user;
+——————————————-+
| Password |
+——————————————-+
| *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
| *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
| *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
| *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
+——————————————-+
4 rows in set (0.00 sec)
然后开始使用字典破解:

Bash
hashcat -a 0 -m 300 –force ‘81F5E21E35407D884A6CD4A731AEBFB6AF209E1B’ hashpass.txt -O
Linux /etc/shadow sha512crypt $6$, SHA512 (Unix)
查看/etc/shadow密码文件:

Bash
root@kali-linux:~# cat /etc/shadow
root:$6$4ojiBMDPrehqrLkX$d2T7Cn8LKkLk4SDXgCh1IEqjhnsUekXaNUXSxiZIwUTndSqyd.9sEcu80sX9DuEHGmHOeoMev2O0ACYtjMett1:18201:0:99999:7:::
daemon::18024:0:99999:7:::
bin:
:18024:0:99999:7:::
sys::18024:0:99999:7:::
sync:
:18024:0:99999:7:::
games::18024:0:99999:7:::
man:
:18024:0:99999:7:::
lp::18024:0:99999:7:::
mail:
:18024:0:99999:7:::
news::18024:0:99999:7:::
uucp:
:18024:0:99999:7:::
proxy::18024:0:99999:7:::
www-data:
:18024:0:99999:7:::
backup::18024:0:99999:7:::
list:
:18024:0:99999:7:::
irc::18024:0:99999:7:::
gnats:
:18024:0:99999:7:::
nobody::18024:0:99999:7:::
_apt:
:18024:0:99999:7:::
systemd-timesync::18024:0:99999:7:::
systemd-network:
:18024:0:99999:7:::
systemd-resolve::18024:0:99999:7:::
mysql:!:18024:0:99999:7:::
ntp:
:18024:0:99999:7:::
messagebus::18024:0:99999:7:::
arpwatch:!:18024:0:99999:7:::
Debian-exim:!:18024:0:99999:7:::
uuidd:
:18024:0:99999:7:::
redsocks:!:18024:0:99999:7:::
tss::18024:0:99999:7:::
rwhod:
:18024:0:99999:7:::
iodine::18024:0:99999:7:::
miredo:
:18024:0:99999:7:::
dnsmasq::18024:0:99999:7:::
postgres:
:18024:0:99999:7:::
usbmux::18024:0:99999:7:::
rtkit:
:18024:0:99999:7:::
stunnel4:!:18024:0:99999:7:::
sshd::18024:0:99999:7:::
Debian-snmp:!:18024:0:99999:7:::
sslh:!:18024:0:99999:7:::
pulse:
:18024:0:99999:7:::
speech-dispatcher:!:18024:0:99999:7:::
avahi::18024:0:99999:7:::
saned:
:18024:0:99999:7:::
inetsim::18024:0:99999:7:::
colord:
:18024:0:99999:7:::
geoclue::18024:0:99999:7:::
king-phisher:
:18024:0:99999:7:::
Debian-gdm::18024:0:99999:7:::
dradis:
:18024:0:99999:7:::
beef-xss:*:18024:0:99999:7:::
systemd-coredump:!!:18082::::::
可以看到root是有密码的,前面使用的是$6表面hash的加密方式为:sha512crypt $6$, SHA512 (Unix)。

Bash

掩码破解root密码 不在potfile中记录破解成功的hash 指定设备2(核显)来跑密码 并开启优化

hashcat -a 3 -m 1800 –force ‘$6$4ojiBMDPrehqrLkX$d2T7Cn8LKkLk4SDXgCh1IEqjhnsUekXaNUXSxiZIwUTndSqyd.9sEcu80sX9DuEHGmHOeoMev2O0ACYtjMett1’ ‘?l?l?l?l’ -O -d 2 –potfile-disable

掩码破解root密码 忽略用户名 不在potfile中记录破解成功的hash 指定设备2(核显)来跑密码 并开启优化

hashcat -a 3 -m 1800 –force ‘root:$6$4ojiBMDPrehqrLkX$d2T7Cn8LKkLk4SDXgCh1IEqjhnsUekXaNUXSxiZIwUTndSqyd.9sEcu80sX9DuEHGmHOeoMev2O0ACYtjMett1’ ‘?l?l?l?l’ -O -d 2 –username –potfile-disable
macOS下自带的CPU和独显无法破解,这里国光本人手动切换了-d 2用核显才成功跑出来:

字典破解Windows LM Hash
Bash
hashcat -a 0 -m 3000 –force ‘921988ba001dc8e14a3b108f3fa6cb6d’ password.txt
字典破解Windows NTLM Hash
Bash
hashcat -a 0 -m 1000 –force ‘e19ccf75ee54e06b06a5907af13cef42’ password.txt

参考链接:1