Hashcat is a password-cracking workhorse and one of the essential tools in information security. This article collects my notes on it for future reference, and may also help readers who come across it.
Hashcat is the world's fastest password cracker: an open-source tool that supports distributed cracking, runs on multiple platforms and handles a large number of hash algorithms.
Official site: https://hashcat.net/hashcat/
GitHub: https://github.com/hashcat/hashcat
Download the latest release archive from https://github.com/hashcat/hashcat/releases, unzip it, and run hashcat64.exe or hashcat32.exe depending on your platform.
- `-m`: specify the type of hash to crack; the value is the number hashcat assigns to that hash type.
- `-a`: specify the attack mode; the value is one of the following:

```text
- [ Attack Modes ] -

  # | Mode
 ===+======
  0 | Straight                # dictionary attack
  1 | Combination             # combinator attack
  3 | Brute-force             # mask brute-force attack
  6 | Hybrid Wordlist + Mask  # dictionary + mask
  7 | Hybrid Mask + Wordlist  # mask + dictionary
```
- `--increment`: enable increment mode, so hashcat tries every password length within the specified range.
- `--increment-min`: the minimum password length, given as an integer; used together with increment mode.
- `--increment-max`: the maximum password length, given as an integer; used together with increment mode.
- `--force`: ignore warnings during cracking.
- `--remove`: remove hashes that have been cracked from the hash file.
- `--username`: ignore the username prefix in the hash file; used when cracking the password hashes of Linux users.
- `--potfile-disable`: do not record successfully cracked hashes in the potfile.
- `--opencl-info`: show information about the detected OpenCL platforms/devices; with a good graphics card, cracking is much faster.
- `--outfile` (`-o`): the file to which hashcat writes each cracked hash together with its plaintext password.
- `--optimized-kernel-enable` (`-O`): enable the optimized kernels (this limits the maximum password length).
- `--opencl-devices` (`-d`): select the OpenCL device(s) to use. The devices listed on my machine are:

```text
* Device #1: Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz, skipped.
* Device #2: Intel(R) UHD Graphics 630, 384/1536 MB allocatable, 24MCU
* Device #3: AMD Radeon Pro 555X Compute Engine, 1024/4096 MB allocatable, 12MCU
```

- `--opencl-device-types` (`-D`): select the OpenCL device type. Hashcat supports the following device types:

```text
1 | CPU
2 | GPU
3 | FPGA, DSP, Co-Processor
```

Normally you pass `-D 2` to crack on the GPU.
The built-in charsets that can be used in a mask:

```text
 ? | Charset
===+=========
 l | abcdefghijklmnopqrstuvwxyz         # lowercase letters a-z
 u | ABCDEFGHIJKLMNOPQRSTUVWXYZ         # uppercase letters A-Z
 d | 0123456789                         # digits 0-9
 h | 0123456789abcdef                   # digits + abcdef
 H | 0123456789ABCDEF                   # digits + ABCDEF
 s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~   # special characters
 a | ?l?u?d?s                           # every printable character on the keyboard
 b | 0x00 - 0xff                        # probably meant for matching passwords containing things like spaces
```
Custom charsets can be defined with the following options:

```bash
--custom-charset1 [chars]   # equivalent to -1
--custom-charset2 [chars]   # equivalent to -2
--custom-charset3 [chars]   # equivalent to -3
--custom-charset4 [chars]   # equivalent to -4
```

They are referenced in the mask as ?1, ?2, ?3 and ?4.
Some examples:

```bash
--custom-charset1 abcd123456!@-+
```

Here ?1 stands for abcd123456!@-+.

```bash
--custom-charset2 ?l?d
```

Here ?2 stands for ?l?d, i.e. digits + lowercase letters.

```bash
-3 abcdef -4 123456
```

Here the mask ?3?3?3?4?4?4?4 means that the ?3 positions are drawn from abcdef and the ?4 positions from 123456.
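As an added example (not part of the original post), here is a small Python calculator that turns a mask, its custom charsets and an increment range into the number of candidates hashcat has to enumerate. Running it on the page's own masks shows how sharply length and charset variety change the cost, which is the figure to look at when judging a password policy.

```python
from math import prod

# hashcat's built-in charsets (?s begins with a space, which printed tables often drop).
BUILTIN = {
    "l": "abcdefghijklmnopqrstuvwxyz",
    "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "d": "0123456789",
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
    "b": "".join(chr(i) for i in range(256)),
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]

def positions(mask, custom):
    """Candidate set for each position of a mask: '?x' is a charset, '??' a literal '?', anything else a literal."""
    out, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            key = mask[i + 1]
            out.append({"?"} if key == "?" else charset(key, custom))
            i += 2
        else:
            out.append({mask[i]})
            i += 1
    return out

def charset(key, custom):
    """Resolve ?l/?u/?d/... or a custom ?1..?4 (whose definition may itself use ?l, ?d, ...)."""
    if key in BUILTIN:
        return set(BUILTIN[key])
    if key in custom:
        return set().union(*positions(custom[key], custom))
    raise ValueError(f"unknown charset ?{key}")

def keyspace(mask, custom=None, increment=False, inc_min=1, inc_max=None):
    """Number of candidates hashcat enumerates for the mask (summed over lengths when --increment is used)."""
    sizes = [len(p) for p in positions(mask, custom or {})]
    if not increment:
        return prod(sizes)
    hi = len(sizes) if inc_max is None else min(inc_max, len(sizes))
    return sum(prod(sizes[:n]) for n in range(inc_min, hi + 1))

if __name__ == "__main__":
    # The page's cases: -1 '?l?u?d' with --increment-min 5 --increment-max 7, and 'admin?1?1?1?1?1'.
    print(keyspace("?1?1?1?1?1?1?1", {"1": "?l?u?d"}, increment=True, inc_min=5, inc_max=7))
    print(keyspace("admin?1?1?1?1?1", {"1": "?l?u?d"}))
```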
Dictionary attack (-a 0). The MD5 of `1q2w3e4r` is `5416d7cd6ef195a0f7622a9c56b55e84`:

```bash
hashcat -a 0 -m 0 '5416d7cd6ef195a0f7622a9c56b55e84' hashpass.txt -o success.txt
```
Sometimes the following message appears while cracking:

```text
INFO: All hashes found in potfile! Use --show to display them.
```

This means the password was already cracked earlier, so hashcat does not show it again; append the --show parameter to display it:

```bash
hashcat -a 0 -m 0 'cbc8f5435c87e13c5d14e6ce92358d68' hashpass.txt --show
cbc8f5435c87e13c5d14e6ce92358d68:123456@abc
```

Hashcat stores the successfully cracked passwords in ~/.hashcat/hashcat.potfile.
If you want the cracked password shown directly, you can simply delete that file.

```bash
# Delete the records of earlier successful cracks
rm ~/.hashcat/hashcat.potfile
# hash.txt holds the hashes to crack and hashpass.txt is the dictionary; write the results to success.txt and remove cracked hashes from hash.txt
hashcat -a 0 -m 0 hash.txt hashpass.txt -o success.txt --remove
```
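Added example, not from the original post: a Python audit script that joins a `user:hash` list (the format used with --username) against the potfile's `hash:plaintext` lines and reports which accounts were recovered and the mask pattern of each plaintext, without printing the passwords themselves. The user names, passwords and MD5 values are constructed for the example.

```python
import hashlib
from collections import Counter

def load_potfile(text):
    """potfile lines are 'hash:plaintext'; split on the first ':' only, since a plaintext may contain ':'."""
    found = {}
    for line in text.splitlines():
        h, sep, pw = line.partition(":")
        if sep:
            found[h.strip().lower()] = pw
    return found

def load_hashlist(text):
    """Hash file lines in 'user:hash' form (as run with --username) or bare hashes."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            user, sep, h = line.rpartition(":")
            entries.append((user if sep else "?", h.lower()))
    return entries

def pattern(pw):
    """Express a plaintext as the hashcat mask it matches, e.g. 'admin888' -> '?l?l?l?l?l?d?d?d'."""
    return "".join("?l" if c.islower() else "?u" if c.isupper() else "?d" if c.isdigit() else "?s" for c in pw)

def audit(hashlist_text, potfile_text):
    """Join hashes against the potfile; report who was recovered and the mask patterns, never the plaintexts."""
    pot = load_potfile(potfile_text)
    recovered = {user: pattern(pot[h]) for user, h in load_hashlist(hashlist_text) if h in pot}
    return {"recovered": sorted(recovered), "patterns": Counter(recovered.values())}

# Constructed sample data: MD5 (-m 0) user hashes, and a potfile as hashcat writes it after a run.
USERS = {"alice": "admin888", "bob": "1q2w3e4r", "carol": "Xk9#vQ2!pL", "dave": "123456@abc"}
HASH_FILE = "\n".join(f"{u}:{hashlib.md5(p.encode()).hexdigest()}" for u, p in USERS.items())
POTFILE = "\n".join(f"{hashlib.md5(p.encode()).hexdigest()}:{p}" for p in ("admin888", "1q2w3e4r", "123456@abc"))

if __name__ == "__main__":
    report = audit(HASH_FILE, POTFILE)
    print("recovered:", ", ".join(report["recovered"]))  # alice, bob, dave
    for mask, n in report["patterns"].most_common():
        print(f"{n:3d}  {mask}")
```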
Combination attack (-a 1), which joins a word from the first dictionary with a word from the second:

```bash
hashcat -a 1 -m 0 '5416d7cd6ef195a0f7622a9c56b55e84' hashpass1.txt hashpass1.txt
```
```bash
$ echo -n admin888 | openssl md5
7fef6171469e80d32c0559f88b377245
```

Crack the MD5 of admin888 with the hybrid wordlist + mask attack (-a 6):

```bash
hashcat -a 6 -m 0 '7fef6171469e80d32c0559f88b377245' hashpass.txt -O
```

And with the hybrid mask + wordlist attack (-a 7), where the mask is given before the dictionary:

```bash
hashcat -a 7 -m 0 '7fef6171469e80d32c0559f88b377245' 'admi?l?d?d?d' hashpass.txt -O
```
Mask brute-force attack (-a 3). The MD5 of 23323323:

```bash
$ echo -n 23323323 | openssl md5
5a745e31dbbd93f4c86d1ef82281688b
```

Crack it with hashcat, using a mask of eight digits:

```bash
hashcat -a 3 -m 0 --force '5a745e31dbbd93f4c86d1ef82281688b' '?d?d?d?d?d?d?d?d' -O
```
```bash
$ echo -n PassWord | openssl md5
a9d402bfcde5792a8b531b3a82669585
```

Crack it with hashcat:

```bash
hashcat -a 3 -m 0 -1 '?l?u' --force 'a9d402bfcde5792a8b531b3a82669585' '?1?1?1?1?1?1?1?1' -O
```

A custom charset -1 is defined here, so ?1 stands for ?l?u, i.e. lowercase and uppercase letters.
The MD5 of Admin88 is 2792e40d60bac94b4b163b93566e65a9:

```bash
hashcat -a 3 -m 0 -1 '?l?u?d' --force '2792e40d60bac94b4b163b93566e65a9' --increment --increment-min 5 --increment-max 7 '?1?1?1?1?1?1?1' -O
```

A custom charset -1 is defined here, so ?1 stands for ?l?u?d, i.e. lowercase and uppercase letters + digits; with --increment, lengths 5 to 7 are tried.
The MD5 of admin23323 is a9991129897a44e0d1c2855c3d7dccc4; the known prefix is written literally into the mask:

```bash
hashcat -a 3 -m 0 -1 '?l?u?d' --force 'a9991129897a44e0d1c2855c3d7dccc4' 'admin?1?1?1?1?1' -O
```
View the password hashes in MySQL:

```mysql
mysql> select Password from mysql.user;
+-------------------------------------------+
| Password                                  |
+-------------------------------------------+
| *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
| *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
| *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
| *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
+-------------------------------------------+
4 rows in set (0.00 sec)
```

Then crack with the dictionary (mode 300, MySQL 4.1/5+; the leading `*` is dropped):

```bash
hashcat -a 0 -m 300 --force '81F5E21E35407D884A6CD4A731AEBFB6AF209E1B' hashpass.txt -O
```
View the /etc/shadow password file:

```bash
root@kali-linux:~# cat /etc/shadow
root:$6$4ojiBMDPrehqrLkX$d2T7Cn8LKkLk4SDXgCh1IEqjhnsUekXaNUXSxiZIwUTndSqyd.9sEcu80sX9DuEHGmHOeoMev2O0ACYtjMett1:18201:0:99999:7:::
daemon:*:18024:0:99999:7:::
bin:*:18024:0:99999:7:::
sys:*:18024:0:99999:7:::
sync:*:18024:0:99999:7:::
games:*:18024:0:99999:7:::
man:*:18024:0:99999:7:::
lp:*:18024:0:99999:7:::
mail:*:18024:0:99999:7:::
news:*:18024:0:99999:7:::
uucp:*:18024:0:99999:7:::
proxy:*:18024:0:99999:7:::
www-data:*:18024:0:99999:7:::
backup:*:18024:0:99999:7:::
list:*:18024:0:99999:7:::
irc:*:18024:0:99999:7:::
gnats:*:18024:0:99999:7:::
nobody:*:18024:0:99999:7:::
_apt:*:18024:0:99999:7:::
systemd-timesync:*:18024:0:99999:7:::
systemd-network:*:18024:0:99999:7:::
systemd-resolve:*:18024:0:99999:7:::
mysql:!:18024:0:99999:7:::
ntp:*:18024:0:99999:7:::
messagebus:*:18024:0:99999:7:::
arpwatch:!:18024:0:99999:7:::
Debian-exim:!:18024:0:99999:7:::
uuidd:*:18024:0:99999:7:::
redsocks:!:18024:0:99999:7:::
tss:*:18024:0:99999:7:::
rwhod:*:18024:0:99999:7:::
iodine:*:18024:0:99999:7:::
miredo:*:18024:0:99999:7:::
dnsmasq:*:18024:0:99999:7:::
postgres:*:18024:0:99999:7:::
usbmux:*:18024:0:99999:7:::
rtkit:*:18024:0:99999:7:::
stunnel4:!:18024:0:99999:7:::
sshd:*:18024:0:99999:7:::
Debian-snmp:!:18024:0:99999:7:::
sslh:!:18024:0:99999:7:::
pulse:*:18024:0:99999:7:::
speech-dispatcher:!:18024:0:99999:7:::
avahi:*:18024:0:99999:7:::
saned:*:18024:0:99999:7:::
inetsim:*:18024:0:99999:7:::
colord:*:18024:0:99999:7:::
geoclue:*:18024:0:99999:7:::
king-phisher:*:18024:0:99999:7:::
Debian-gdm:*:18024:0:99999:7:::
dradis:*:18024:0:99999:7:::
beef-xss:*:18024:0:99999:7:::
systemd-coredump:!!:18082::::::
```

You can see that root has a password set (the other accounts show `*` or `!`, meaning no password login), and the `$6$` prefix of the hash identifies the algorithm: sha512crypt $6$, SHA512 (Unix), hashcat mode 1800.
```bash
# Mask attack on the root password; do not record the cracked hash in the potfile; run on device 2 (the integrated GPU) with optimized kernels enabled
hashcat -a 3 -m 1800 --force '$6$4ojiBMDPrehqrLkX$d2T7Cn8LKkLk4SDXgCh1IEqjhnsUekXaNUXSxiZIwUTndSqyd.9sEcu80sX9DuEHGmHOeoMev2O0ACYtjMett1' '?l?l?l?l' -O -d 2 --potfile-disable
# Same mask attack with the username kept in the hash string and ignored via --username
hashcat -a 3 -m 1800 --force 'root:$6$4ojiBMDPrehqrLkX$d2T7Cn8LKkLk4SDXgCh1IEqjhnsUekXaNUXSxiZIwUTndSqyd.9sEcu80sX9DuEHGmHOeoMev2O0ACYtjMett1' '?l?l?l?l' -O -d 2 --username --potfile-disable
```
On macOS, neither the CPU nor the discrete graphics card could crack this; I (Guoguang) manually switched to the integrated GPU with -d 2, and then it ran through successfully.

Cracking an LM hash (mode 3000) with a dictionary:

```bash
hashcat -a 0 -m 3000 --force '921988ba001dc8e14a3b108f3fa6cb6d' password.txt
```

Cracking an NTLM hash (mode 1000) with a dictionary:

```bash
hashcat -a 0 -m 1000 --force 'e19ccf75ee54e06b06a5907af13cef42' password.txt
```
Hashcat brain (distributed cracking) options:

parameter | type | description | Guoguang's understanding | example
---|---|---|---|---
--brain-server | | Enable brain server | Enable the primary server |
-z, --brain-client | | Enable brain client, activates -S | Enable a distributed client |
--brain-client-features | Num | Define brain client features, see below | Define the client's capabilities | --brain-client-features=3
--brain-host | Str | Brain server host (IP or domain) | IP or domain of the primary server | --brain-host=127.0.0.1
--brain-port | Port | Brain server port | Port of the primary server | --brain-port=13743
--brain-password | Str | Brain server authentication password | Authentication password of the primary server | --brain-password=e8acfc7280c48009
--brain-session | Hex | Overrides automatically calculated brain session | Override the automatically calculated session ID | --brain-session=0x2ae611db
--brain-session-whitelist | Hex | Allow given sessions only, separated with commas | Only allow the given sessions, comma-separated | --brain-session-whitelist=0x2ae611db
```text
- [ Brain Client Features ] -

  # | Features
 ===+==========
  1 | Send hashed passwords                       # send cracked passwords
  2 | Send attack positions                       # send the positions already attacked
  3 | Send hashed passwords and attack positions  # send both cracked passwords and attacked positions
```