Guid for Hashcat
工具简介
Hashcat自称是世界上最快的密码破解工具,在2015年之前为私有代码库,但现在作为免费软件发布,适用于Linux,OS X和Windows版本,Hashcat支持的散列算法有Microsoft LM哈希、MD4、MD5、SHA系列、Unix加密、MySQL和Cisco PIX等,Hashcat支持以下计算核心:
GPU
CPU
APU
DSP
FPGA
CoprocessorGPU的驱动要求:
AMD GPUs on Linux require "RadeonOpenCompute (ROCm)" Software Platform (1.6.180 or later)
AMD GPUs on Windows require "AMD Radeon Software Crimson Edition" (15.12 or later)
Intel CPUs require "OpenCL Runtime for Intel Core and Intel Xeon Processors" (16.1.1 or later)
Intel GPUs on Linux require "OpenCL 2.0 GPU Driver Package for Linux" (2.0 or later)
Intel GPUs on Windows require "OpenCL Driver for Intel Iris and Intel HD Graphics"
NVIDIA GPUs require "NVIDIA Driver" (367.x or later)参数介绍
下面是常见的参数,想了解更多的参数可以使用"hashcat --help"查看:
-a 指定要使用的破解模式,其值参考后面对参数, "-a 0"字典攻击,"-a 1" 组合攻击;"-a 3" 掩码攻击
-m 指定要破解的hash类型,如果不指定类型,则默认是MD5
-o 指定破解成功后的hash及所对应的明文密码的存放位置,可以用它把破解成功的hash写到指定的文件中
--force 忽略破解过程中的警告信息,跑单条hash可能需要加上此选项
--show 显示已经破解的hash及该hash所对应的明文
--increment 启用增量破解模式,你可以利用此模式让hashcat在指定的密码长度范围内执行破解过程
--increment-min 密码最小长度,后面直接等于一个整数即可,配置increment模式一起使用
--increment-max 密码最大长度,同上
--outfile-format 指定破解结果的输出格式id,默认是3
--username 忽略hash文件中的指定的用户名,在破解linux系统用户密码hash可能会用到
--remove 删除已被破解成功的hash
-r 使用自定义破解规则攻击模式
0 | Straight(字段破解)
1 | Combination(组合破解)
3 | Brute-force(掩码暴力破解)
6 | Hybrid Wordlist + Mask(字典+掩码破解)
7 | Hybrid Mask + Wordlist(掩码+字典破解)输出格式
1 = hash[:salt]
2 = plain
3 = hash[:salt]:plain
4 = hex_plain
5 = hash[:salt]:hex_plain
6 = plain:hex_plain
7 = hash[:salt]:plain:hex_plain
8 = crackpos
9 = hash[:salt]:crackpos
10 = plain:crackpos
11 = hash[:salt]:plain:crackpos
12 = hex_plain:crackpos
13 = hash[:salt]:hex_plain:crackpos
14 = plain:hex_plain:crackpos
15 = hash[:salt]:plain:hex_plain:crackposHASH ID
关于Hash ID可以在Hashcat的Wiki上查看:
https://hashcat.net/wiki/doku.php?id=hashcat
- [ Hash modes ] -
# | Name | Category
======+==================================================+======================================
900 | MD4 | Raw Hash
0 | MD5 | Raw Hash
100 | SHA1 | Raw Hash
1300 | SHA2-224 | Raw Hash
1400 | SHA2-256 | Raw Hash
10800 | SHA2-384 | Raw Hash
1700 | SHA2-512 | Raw Hash
17300 | SHA3-224 | Raw Hash
17400 | SHA3-256 | Raw Hash
17500 | SHA3-384 | Raw Hash
17600 | SHA3-512 | Raw Hash
6000 | RIPEMD-160 | Raw Hash
600 | BLAKE2b-512 | Raw Hash
11700 | GOST R 34.11-2012 (Streebog) 256-bit, big-endian | Raw Hash
11800 | GOST R 34.11-2012 (Streebog) 512-bit, big-endian | Raw Hash
6900 | GOST R 34.11-94 | Raw Hash
5100 | Half MD5 | Raw Hash
18700 | Java Object hashCode() | Raw Hash
17700 | Keccak-224 | Raw Hash
17800 | Keccak-256 | Raw Hash
17900 | Keccak-384 | Raw Hash
18000 | Keccak-512 | Raw Hash
21400 | sha256(sha256_bin($pass)) | Raw Hash
6100 | Whirlpool | Raw Hash
10100 | SipHash | Raw Hash
21000 | BitShares v0.x - sha512(sha512_bin(pass)) | Raw Hash
10 | md5($pass.$salt) | Raw Hash, Salted and/or Iterated
20 | md5($salt.$pass) | Raw Hash, Salted and/or Iterated
3800 | md5($salt.$pass.$salt) | Raw Hash, Salted and/or Iterated
3710 | md5($salt.md5($pass)) | Raw Hash, Salted and/or Iterated
4110 | md5($salt.md5($pass.$salt)) | Raw Hash, Salted and/or Iterated
4010 | md5($salt.md5($salt.$pass)) | Raw Hash, Salted and/or Iterated
21300 | md5($salt.sha1($salt.$pass)) | Raw Hash, Salted and/or Iterated
40 | md5($salt.utf16le($pass)) | Raw Hash, Salted and/or Iterated
2600 | md5(md5($pass)) | Raw Hash, Salted and/or Iterated
3910 | md5(md5($pass).md5($salt)) | Raw Hash, Salted and/or Iterated
4400 | md5(sha1($pass)) | Raw Hash, Salted and/or Iterated
20900 | md5(sha1($pass).md5($pass).sha1($pass)) | Raw Hash, Salted and/or Iterated
21200 | md5(sha1($salt).md5($pass)) | Raw Hash, Salted and/or Iterated
4300 | md5(strtoupper(md5($pass))) | Raw Hash, Salted and/or Iterated
30 | md5(utf16le($pass).$salt) | Raw Hash, Salted and/or Iterated
110 | sha1($pass.$salt) | Raw Hash, Salted and/or Iterated
120 | sha1($salt.$pass) | Raw Hash, Salted and/or Iterated
4900 | sha1($salt.$pass.$salt) | Raw Hash, Salted and/or Iterated
4520 | sha1($salt.sha1($pass)) | Raw Hash, Salted and/or Iterated
140 | sha1($salt.utf16le($pass)) | Raw Hash, Salted and/or Iterated
19300 | sha1($salt1.$pass.$salt2) | Raw Hash, Salted and/or Iterated
14400 | sha1(CX) | Raw Hash, Salted and/or Iterated
4700 | sha1(md5($pass)) | Raw Hash, Salted and/or Iterated
4710 | sha1(md5($pass).$salt) | Raw Hash, Salted and/or Iterated
21100 | sha1(md5($pass.$salt)) | Raw Hash, Salted and/or Iterated
18500 | sha1(md5(md5($pass))) | Raw Hash, Salted and/or Iterated
4500 | sha1(sha1($pass)) | Raw Hash, Salted and/or Iterated
130 | sha1(utf16le($pass).$salt) | Raw Hash, Salted and/or Iterated
1410 | sha256($pass.$salt) | Raw Hash, Salted and/or Iterated
1420 | sha256($salt.$pass) | Raw Hash, Salted and/or Iterated
22300 | sha256($salt.$pass.$salt) | Raw Hash, Salted and/or Iterated
1440 | sha256($salt.utf16le($pass)) | Raw Hash, Salted and/or Iterated
20800 | sha256(md5($pass)) | Raw Hash, Salted and/or Iterated
20710 | sha256(sha256($pass).$salt) | Raw Hash, Salted and/or Iterated
1430 | sha256(utf16le($pass).$salt) | Raw Hash, Salted and/or Iterated
1710 | sha512($pass.$salt) | Raw Hash, Salted and/or Iterated
1720 | sha512($salt.$pass) | Raw Hash, Salted and/or Iterated
1740 | sha512($salt.utf16le($pass)) | Raw Hash, Salted and/or Iterated
1730 | sha512(utf16le($pass).$salt) | Raw Hash, Salted and/or Iterated
19500 | Ruby on Rails Restful-Authentication | Raw Hash, Salted and/or Iterated
50 | HMAC-MD5 (key = $pass) | Raw Hash, Authenticated
60 | HMAC-MD5 (key = $salt) | Raw Hash, Authenticated
150 | HMAC-SHA1 (key = $pass) | Raw Hash, Authenticated
160 | HMAC-SHA1 (key = $salt) | Raw Hash, Authenticated
1450 | HMAC-SHA256 (key = $pass) | Raw Hash, Authenticated
1460 | HMAC-SHA256 (key = $salt) | Raw Hash, Authenticated
1750 | HMAC-SHA512 (key = $pass) | Raw Hash, Authenticated
1760 | HMAC-SHA512 (key = $salt) | Raw Hash, Authenticated
11750 | HMAC-Streebog-256 (key = $pass), big-endian | Raw Hash, Authenticated
11760 | HMAC-Streebog-256 (key = $salt), big-endian | Raw Hash, Authenticated
11850 | HMAC-Streebog-512 (key = $pass), big-endian | Raw Hash, Authenticated
11860 | HMAC-Streebog-512 (key = $salt), big-endian | Raw Hash, Authenticated
11500 | CRC32 | Raw Checksum
14100 | 3DES (PT = $salt, key = $pass) | Raw Cipher, Known-Plaintext attack
14000 | DES (PT = $salt, key = $pass) | Raw Cipher, Known-Plaintext attack
15400 | ChaCha20 | Raw Cipher, Known-Plaintext attack
14900 | Skip32 (PT = $salt, key = $pass) | Raw Cipher, Known-Plaintext attack
11900 | PBKDF2-HMAC-MD5 | Generic KDF
12000 | PBKDF2-HMAC-SHA1 | Generic KDF
10900 | PBKDF2-HMAC-SHA256 | Generic KDF
12100 | PBKDF2-HMAC-SHA512 | Generic KDF
8900 | scrypt | Generic KDF
400 | phpass | Generic KDF
16900 | Ansible Vault | Generic KDF
12001 | Atlassian (PBKDF2-HMAC-SHA1) | Generic KDF
20200 | Python passlib pbkdf2-sha512 | Generic KDF
20300 | Python passlib pbkdf2-sha256 | Generic KDF
20400 | Python passlib pbkdf2-sha1 | Generic KDF
16100 | TACACS+ | Network Protocols
11400 | SIP digest authentication (MD5) | Network Protocols
5300 | IKE-PSK MD5 | Network Protocols
5400 | IKE-PSK SHA1 | Network Protocols
2500 | WPA-EAPOL-PBKDF2 | Network Protocols
2501 | WPA-EAPOL-PMK | Network Protocols
22000 | WPA-PBKDF2-PMKID+EAPOL | Network Protocols
22001 | WPA-PMK-PMKID+EAPOL | Network Protocols
16800 | WPA-PMKID-PBKDF2 | Network Protocols
16801 | WPA-PMKID-PMK | Network Protocols
7300 | IPMI2 RAKP HMAC-SHA1 | Network Protocols
10200 | CRAM-MD5 | Network Protocols
4800 | iSCSI CHAP authentication, MD5(CHAP) | Network Protocols
16500 | JWT (JSON Web Token) | Network Protocols
22600 | Telegram Desktop App Passcode (PBKDF2-HMAC-SHA1) | Network Protocols
22301 | Telegram Mobile App Passcode (SHA256) | Network Protocols
7500 | Kerberos 5, etype 23, AS-REQ Pre-Auth | Network Protocols
13100 | Kerberos 5, etype 23, TGS-REP | Network Protocols
18200 | Kerberos 5, etype 23, AS-REP | Network Protocols
19600 | Kerberos 5, etype 17, TGS-REP | Network Protocols
19700 | Kerberos 5, etype 18, TGS-REP | Network Protocols
19800 | Kerberos 5, etype 17, Pre-Auth | Network Protocols
19900 | Kerberos 5, etype 18, Pre-Auth | Network Protocols
5500 | NetNTLMv1 / NetNTLMv1+ESS | Network Protocols
5600 | NetNTLMv2 | Network Protocols
23 | Skype | Network Protocols
11100 | PostgreSQL CRAM (MD5) | Network Protocols
11200 | MySQL CRAM (SHA1) | Network Protocols
8500 | RACF | Operating System
6300 | AIX {smd5} | Operating System
6700 | AIX {ssha1} | Operating System
6400 | AIX {ssha256} | Operating System
6500 | AIX {ssha512} | Operating System
3000 | LM | Operating System
19000 | QNX /etc/shadow (MD5) | Operating System
19100 | QNX /etc/shadow (SHA256) | Operating System
19200 | QNX /etc/shadow (SHA512) | Operating System
15300 | DPAPI masterkey file v1 | Operating System
15900 | DPAPI masterkey file v2 | Operating System
7200 | GRUB 2 | Operating System
12800 | MS-AzureSync PBKDF2-HMAC-SHA256 | Operating System
12400 | BSDi Crypt, Extended DES | Operating System
1000 | NTLM | Operating System
122 | macOS v10.4, macOS v10.5, MacOS v10.6 | Operating System
1722 | macOS v10.7 | Operating System
7100 | macOS v10.8+ (PBKDF2-SHA512) | Operating System
9900 | Radmin2 | Operating System
5800 | Samsung Android Password/PIN | Operating System
3200 | bcrypt $2*$, Blowfish (Unix) | Operating System
500 | md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5) | Operating System
1500 | descrypt, DES (Unix), Traditional DES | Operating System
7400 | sha256crypt $5$, SHA256 (Unix) | Operating System
1800 | sha512crypt $6$, SHA512 (Unix) | Operating System
13800 | Windows Phone 8+ PIN/password | Operating System
2410 | Cisco-ASA MD5 | Operating System
9200 | Cisco-IOS $8$ (PBKDF2-SHA256) | Operating System
9300 | Cisco-IOS $9$ (scrypt) | Operating System
5700 | Cisco-IOS type 4 (SHA256) | Operating System
2400 | Cisco-PIX MD5 | Operating System
8100 | Citrix NetScaler (SHA1) | Operating System
22200 | Citrix NetScaler (SHA512) | Operating System
1100 | Domain Cached Credentials (DCC), MS Cache | Operating System
2100 | Domain Cached Credentials 2 (DCC2), MS Cache 2 | Operating System
7000 | FortiGate (FortiOS) | Operating System
125 | ArubaOS | Operating System
501 | Juniper IVE | Operating System
22 | Juniper NetScreen/SSG (ScreenOS) | Operating System
15100 | Juniper/NetBSD sha1crypt | Operating System
131 | MSSQL (2000) | Database Server
132 | MSSQL (2005) | Database Server
1731 | MSSQL (2012, 2014) | Database Server
12 | PostgreSQL | Database Server
3100 | Oracle H: Type (Oracle 7+) | Database Server
112 | Oracle S: Type (Oracle 11+) | Database Server
12300 | Oracle T: Type (Oracle 12+) | Database Server
7401 | MySQL $A$ (sha256crypt) | Database Server
200 | MySQL323 | Database Server
300 | MySQL4.1/MySQL5 | Database Server
8000 | Sybase ASE | Database Server
1421 | hMailServer | FTP, HTTP, SMTP, LDAP Server
8300 | DNSSEC (NSEC3) | FTP, HTTP, SMTP, LDAP Server
16400 | CRAM-MD5 Dovecot | FTP, HTTP, SMTP, LDAP Server
1411 | SSHA-256(Base64), LDAP {SSHA256} | FTP, HTTP, SMTP, LDAP Server
1711 | SSHA-512(Base64), LDAP {SSHA512} | FTP, HTTP, SMTP, LDAP Server
10901 | RedHat 389-DS LDAP (PBKDF2-HMAC-SHA256) | FTP, HTTP, SMTP, LDAP Server
15000 | FileZilla Server >= 0.9.55 | FTP, HTTP, SMTP, LDAP Server
12600 | ColdFusion 10+ | FTP, HTTP, SMTP, LDAP Server
1600 | Apache $apr1$ MD5, md5apr1, MD5 (APR) | FTP, HTTP, SMTP, LDAP Server
141 | Episerver 6.x < .NET 4 | FTP, HTTP, SMTP, LDAP Server
1441 | Episerver 6.x >= .NET 4 | FTP, HTTP, SMTP, LDAP Server
101 | nsldap, SHA-1(Base64), Netscape LDAP SHA | FTP, HTTP, SMTP, LDAP Server
111 | nsldaps, SSHA-1(Base64), Netscape LDAP SSHA | FTP, HTTP, SMTP, LDAP Server
7700 | SAP CODVN B (BCODE) | Enterprise Application Software (EAS)
7701 | SAP CODVN B (BCODE) from RFC_READ_TABLE | Enterprise Application Software (EAS)
7800 | SAP CODVN F/G (PASSCODE) | Enterprise Application Software (EAS)
7801 | SAP CODVN F/G (PASSCODE) from RFC_READ_TABLE | Enterprise Application Software (EAS)
10300 | SAP CODVN H (PWDSALTEDHASH) iSSHA-1 | Enterprise Application Software (EAS)
133 | PeopleSoft | Enterprise Application Software (EAS)
13500 | PeopleSoft PS_TOKEN | Enterprise Application Software (EAS)
21500 | SolarWinds Orion | Enterprise Application Software (EAS)
8600 | Lotus Notes/Domino 5 | Enterprise Application Software (EAS)
8700 | Lotus Notes/Domino 6 | Enterprise Application Software (EAS)
9100 | Lotus Notes/Domino 8 | Enterprise Application Software (EAS)
20600 | Oracle Transportation Management (SHA256) | Enterprise Application Software (EAS)
4711 | Huawei sha1(md5($pass).$salt) | Enterprise Application Software (EAS)
20711 | AuthMe sha256 | Enterprise Application Software (EAS)
12200 | eCryptfs | Full-Disk Encryption (FDE)
22400 | AES Crypt (SHA256) | Full-Disk Encryption (FDE)
14600 | LUKS | Full-Disk Encryption (FDE)
13711 | VeraCrypt RIPEMD160 + XTS 512 bit | Full-Disk Encryption (FDE)
13712 | VeraCrypt RIPEMD160 + XTS 1024 bit | Full-Disk Encryption (FDE)
13713 | VeraCrypt RIPEMD160 + XTS 1536 bit | Full-Disk Encryption (FDE)
13741 | VeraCrypt RIPEMD160 + XTS 512 bit + boot-mode | Full-Disk Encryption (FDE)
13742 | VeraCrypt RIPEMD160 + XTS 1024 bit + boot-mode | Full-Disk Encryption (FDE)
13743 | VeraCrypt RIPEMD160 + XTS 1536 bit + boot-mode | Full-Disk Encryption (FDE)
13751 | VeraCrypt SHA256 + XTS 512 bit | Full-Disk Encryption (FDE)
13752 | VeraCrypt SHA256 + XTS 1024 bit | Full-Disk Encryption (FDE)
13753 | VeraCrypt SHA256 + XTS 1536 bit | Full-Disk Encryption (FDE)
13761 | VeraCrypt SHA256 + XTS 512 bit + boot-mode | Full-Disk Encryption (FDE)
13762 | VeraCrypt SHA256 + XTS 1024 bit + boot-mode | Full-Disk Encryption (FDE)
13763 | VeraCrypt SHA256 + XTS 1536 bit + boot-mode | Full-Disk Encryption (FDE)
13721 | VeraCrypt SHA512 + XTS 512 bit | Full-Disk Encryption (FDE)
13722 | VeraCrypt SHA512 + XTS 1024 bit | Full-Disk Encryption (FDE)
13723 | VeraCrypt SHA512 + XTS 1536 bit | Full-Disk Encryption (FDE)
13771 | VeraCrypt Streebog-512 + XTS 512 bit | Full-Disk Encryption (FDE)
13772 | VeraCrypt Streebog-512 + XTS 1024 bit | Full-Disk Encryption (FDE)
13773 | VeraCrypt Streebog-512 + XTS 1536 bit | Full-Disk Encryption (FDE)
13731 | VeraCrypt Whirlpool + XTS 512 bit | Full-Disk Encryption (FDE)
13732 | VeraCrypt Whirlpool + XTS 1024 bit | Full-Disk Encryption (FDE)
13733 | VeraCrypt Whirlpool + XTS 1536 bit | Full-Disk Encryption (FDE)
16700 | FileVault 2 | Full-Disk Encryption (FDE)
20011 | DiskCryptor SHA512 + XTS 512 bit | Full-Disk Encryption (FDE)
20012 | DiskCryptor SHA512 + XTS 1024 bit | Full-Disk Encryption (FDE)
20013 | DiskCryptor SHA512 + XTS 1536 bit | Full-Disk Encryption (FDE)
22100 | BitLocker | Full-Disk Encryption (FDE)
12900 | Android FDE (Samsung DEK) | Full-Disk Encryption (FDE)
8800 | Android FDE <= 4.3 | Full-Disk Encryption (FDE)
18300 | Apple File System (APFS) | Full-Disk Encryption (FDE)
6211 | TrueCrypt RIPEMD160 + XTS 512 bit | Full-Disk Encryption (FDE)
6212 | TrueCrypt RIPEMD160 + XTS 1024 bit | Full-Disk Encryption (FDE)
6213 | TrueCrypt RIPEMD160 + XTS 1536 bit | Full-Disk Encryption (FDE)
6241 | TrueCrypt RIPEMD160 + XTS 512 bit + boot-mode | Full-Disk Encryption (FDE)
6242 | TrueCrypt RIPEMD160 + XTS 1024 bit + boot-mode | Full-Disk Encryption (FDE)
6243 | TrueCrypt RIPEMD160 + XTS 1536 bit + boot-mode | Full-Disk Encryption (FDE)
6221 | TrueCrypt SHA512 + XTS 512 bit | Full-Disk Encryption (FDE)
6222 | TrueCrypt SHA512 + XTS 1024 bit | Full-Disk Encryption (FDE)
6223 | TrueCrypt SHA512 + XTS 1536 bit | Full-Disk Encryption (FDE)
6231 | TrueCrypt Whirlpool + XTS 512 bit | Full-Disk Encryption (FDE)
6232 | TrueCrypt Whirlpool + XTS 1024 bit | Full-Disk Encryption (FDE)
6233 | TrueCrypt Whirlpool + XTS 1536 bit | Full-Disk Encryption (FDE)
10400 | PDF 1.1 - 1.3 (Acrobat 2 - 4) | Documents
10410 | PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #1 | Documents
10420 | PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2 | Documents
10500 | PDF 1.4 - 1.6 (Acrobat 5 - 8) | Documents
10600 | PDF 1.7 Level 3 (Acrobat 9) | Documents
10700 | PDF 1.7 Level 8 (Acrobat 10 - 11) | Documents
9400 | MS Office 2007 | Documents
9500 | MS Office 2010 | Documents
9600 | MS Office 2013 | Documents
9700 | MS Office <= 2003 $0/$1, MD5 + RC4 | Documents
9710 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #1 | Documents
9720 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #2 | Documents
9800 | MS Office <= 2003 $3/$4, SHA1 + RC4 | Documents
9810 | MS Office <= 2003 $3, SHA1 + RC4, collider #1 | Documents
9820 | MS Office <= 2003 $3, SHA1 + RC4, collider #2 | Documents
18400 | Open Document Format (ODF) 1.2 (SHA-256, AES) | Documents
18600 | Open Document Format (ODF) 1.1 (SHA-1, Blowfish) | Documents
16200 | Apple Secure Notes | Documents
15500 | JKS Java Key Store Private Keys (SHA1) | Password Managers
6600 | 1Password, agilekeychain | Password Managers
8200 | 1Password, cloudkeychain | Password Managers
9000 | Password Safe v2 | Password Managers
5200 | Password Safe v3 | Password Managers
6800 | LastPass + LastPass sniffed | Password Managers
13400 | KeePass 1 (AES/Twofish) and KeePass 2 (AES) | Password Managers
11300 | Bitcoin/Litecoin wallet.dat | Password Managers
16600 | Electrum Wallet (Salt-Type 1-3) | Password Managers
21700 | Electrum Wallet (Salt-Type 4) | Password Managers
21800 | Electrum Wallet (Salt-Type 5) | Password Managers
12700 | Blockchain, My Wallet | Password Managers
15200 | Blockchain, My Wallet, V2 | Password Managers
18800 | Blockchain, My Wallet, Second Password (SHA256) | Password Managers
16300 | Ethereum Pre-Sale Wallet, PBKDF2-HMAC-SHA256 | Password Managers
15600 | Ethereum Wallet, PBKDF2-HMAC-SHA256 | Password Managers
15700 | Ethereum Wallet, SCRYPT | Password Managers
22500 | MultiBit Classic .key (MD5) | Password Managers
22700 | MultiBit HD (scrypt) | Password Managers
11600 | 7-Zip | Archives
12500 | RAR3-hp | Archives
13000 | RAR5 | Archives
17200 | PKZIP (Compressed) | Archives
17220 | PKZIP (Compressed Multi-File) | Archives
17225 | PKZIP (Mixed Multi-File) | Archives
17230 | PKZIP (Mixed Multi-File Checksum-Only) | Archives
17210 | PKZIP (Uncompressed) | Archives
20500 | PKZIP Master Key | Archives
20510 | PKZIP Master Key (6 byte optimization) | Archives
14700 | iTunes backup < 10.0 | Archives
14800 | iTunes backup >= 10.0 | Archives
23001 | SecureZIP AES-128 | Archives
23002 | SecureZIP AES-192 | Archives
23003 | SecureZIP AES-256 | Archives
13600 | WinZip | Archives
18900 | Android Backup | Archives
13200 | AxCrypt | Archives
13300 | AxCrypt in-memory SHA1 | Archives
8400 | WBB3 (Woltlab Burning Board) | Forums, CMS, E-Commerce
2611 | vBulletin < v3.8.5 | Forums, CMS, E-Commerce
2711 | vBulletin >= v3.8.5 | Forums, CMS, E-Commerce
2612 | PHPS | Forums, CMS, E-Commerce
121 | SMF (Simple Machines Forum) > v1.1 | Forums, CMS, E-Commerce
3711 | MediaWiki B type | Forums, CMS, E-Commerce
4521 | Redmine | Forums, CMS, E-Commerce
11 | Joomla < 2.5.18 | Forums, CMS, E-Commerce
13900 | OpenCart | Forums, CMS, E-Commerce
11000 | PrestaShop | Forums, CMS, E-Commerce
16000 | Tripcode | Forums, CMS, E-Commerce
7900 | Drupal7 | Forums, CMS, E-Commerce
21 | osCommerce, xt:Commerce | Forums, CMS, E-Commerce
4522 | PunBB | Forums, CMS, E-Commerce
2811 | MyBB 1.2+, IPB2+ (Invision Power Board) | Forums, CMS, E-Commerce
18100 | TOTP (HMAC-SHA1) | One-Time Passwords
2000 | STDOUT | Plaintext
99999 | Plaintext | Plaintext
21600 | Web2py pbkdf2-sha512 | Framework
10000 | Django (PBKDF2-SHA256) | Framework
124 | Django (SHA-1) | Framework掩码设置
下面是一些常见的掩码字符集:
l | abcdefghijklmnopqrstuvwxyz 纯小写字母
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ 纯大写字母
d | 0123456789 纯数字
h | 0123456789abcdef 常见小写子目录和数字
H | 0123456789ABCDEF 常见大写字母和数字
s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ 特殊字符
a | ?l?u?d?s 键盘上所有可见的字符
b | 0x00 - 0xff 可能是用来匹配像空格这种密码的下面举几个简单的例子来了解一下掩码的设置:
八位数字密码:?d?d?d?d?d?d?d?d
八位未知密码:?a?a?a?a?a?a?a?a
前四位为大写字母,后面四位为数字:?u?u?u?u?d?d?d?d
前四位为数字或者是小写字母,后四位为大写字母或者数字:?h?h?h?h?H?H?H?H
前三个字符未知,中间为admin,后三位未知:?a?a?aadmin?a?a?a
6-8位数字密码:--increment --increment-min 6 --increment-max 8 ?l?l?l?l?l?l?l?l
6-8位数字+小写字母密码:--increment --increment-min 6 --increment-max 8 ?h?h?h?h?h?h?h?h如果我们想设置字符集为:abcd123456!@-+,那该怎么做呢?这就需要用到自定义字符集这个参数了,hashcat支持用户最多定义4组字符集:
--custom-charset1 [chars]等价于 -1
--custom-charset2 [chars]等价于 -2
--custom-charset3 [chars]等价于 -3
--custom-charset4 [chars]等价于 -4
在掩码中用?1、?2、?3、?4来表示,例如:
--custom-charset1 abcd123456!@-+ 然后我们就可以用"?1"去表示这个字符集了
--custom-charset2 ?l?d 小写字母和数字
-1 ?d?l?u ?1就表示数字+小写字母+大写字母工具使用
数字破解
a、7位数字破解
hashcat64.exe -a 3 -m 0 --force 25c3e88f81b4853f2a8faacad4c871b6 ?d?d?d?d?d?d?d
b、7位小写字母破解
hashcat64.exe -a 3 -m 0 --force 7a47c6db227df60a6d67245d7d8063f3 ?l?l?l?l?l?l?lc、1-8位数字破解
hashcat64.exe -a 3 -m 0 --force 4488cec2aea535179e085367d8a17d75 --increment --increment-min 1 --increment-max 8 ?d?d?d?d?d?d?d?dd、1-8位小写字母+数字破解
hashcat64.exe -a 3 -m 0 --force ab65d749cba1656ca11dfa1cc2383102 --increment --increment-min 1 --increment-max 8 ?h?h?h?h?h?h?h?he、特定字符集:123456abcdf!@+-
hashcat64.exe -a 3 -1 123456abcdf!@+- 8b78ba5089b11326290bc15cf0b9a07d ?1?1?1?1?1
#这里的-1和?1是数字1,不是字母lf、1-8为位符集:123456abcdf!@+-
hashcat64.exe -a 3 -1 123456abcdf!@+- 9054fa315ce16f7f0955b4af06d1aa1b --increment --increment-min 1 --increment-max 8 ?1?1?1?1?1?1?1?1g、1-8位数字+大小写字母+可见特殊符号
hashcat64.exe -a 3 -1 ?d?u?l?s d37fc9ee39dd45a7717e3e3e9415f65d --increment --increment-min 1 --increment-max 8 ?1?1?1?1?1?1?1?1
或者:
hashcat64.exe -a 3 d37fc9ee39dd45a7717e3e3e9415f65d --increment --increment-min 1 --increment-max 8 ?a?a?a?a?a?a?a?a字典破解
参数"-a 0"用于指定字典破解模式,参数"-o"用于输出结果到文件中:
hashcat64.exe -a 0 ede900ac1424436b55dc3c9f20cb97a8 password.txt -o result.txt批量破解
hashcat64.exe -a 0 hash.txt password.txt -o result.txt
字典掩码
hashcat64.exe -a 6 9dc9d5ed5031367d42543763423c24ee password.txt ?l?l?l?l?lMySQL
使用hashcat进行破解:
hashcat64.exe -a 3 -m 300 --force 6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 ?d?d?d?d?d?Sha512
可以通过cat /etc/shadow获取:
hashcat64.exe -a 3 -m 1800 --force $6$mxuA5cdy$XZRk0CvnPFqOgVopqiPEFAFK72SogKVwwwp7gWaUOb7b6tVwfCpcSUsCEk64ktLLYmzyew/xd0O0hPG/yrm2X. ?l?l?l?l不用整理用户名,使用--username:
hashcat64.exe -a 3 -m 1800 --force qiyou:$6$QDq75ki3$jsKm7qTDHz/xBob0kF1Lp170Cgg0i5Tslf3JW/sm9k9Q916mBTyilU3PoOsbRdxV8TAmzvdgNjrCuhfg3jKMY1 ?l?l?l?l?l --usernameNT-Hash
hashcat64.exe -a 3 -m 1000 209C6174DA490CAEB422F3FA5A7AE634 ?l?l?l?l?lLM-Hash
hashcat64.exe -a 3 -m 3000 F0D412BD764FFE81AAD3B435B51404EE ?l?l?l?l?lMSSQL
hashcat64.exe -a 3 -m 132 --force 0x01008c8006c224f71f6bf0036f78d863c3c4ff53f8c3c48edafb ?l?l?l?l?l?d?d?dWordP
hashcat64.exe -a 3 -m 400 --force $P$BYEYcHEj3vDhV1lwGBv6rpxurKOEWY/ ?d?d?d?d?d?dDIscuz
hashcat64.exe -a 3 -m 2611 --force 14e1b600b1fd579f47433b88e8d85291: ?d?d?d?d?d?dRAR密码
首先使用rar2john(获取rar文件hash值
http://openwall.info/wiki/_media/john/johntheripper-v1.8.0.12-jumbo-1-bleeding-e6214ceab-2018-02-07-win-x64.7z
rar2john.exe 1.rar
之后进行破解:
hashcat64.exe -a 3 -m 13000 --force $rar5$16$639e9ce8344c680da12e8bdd4346a6a3$15$a2b056a21a9836d8d48c2844d171b73d$8$04a52d2224ad082e ?d?d?d?d?d?d
hashcat支持RAR3-hp和 RAR5,官方示例如下:
-m 参数 类型 示例 hash
12500 RAR3-hp $RAR3$*0*45109af8ab5f297a*adbf6c5385d7a40373e8f77d7b89d317
13000 RAR5 $rar5$16$74575567518807622265582327032280$15$f8b4064de34ac02ecabfeZIP密码
首先使用zip2john获取文件的hash值:
zip2john.exe 1.zip
之后使用hashcat进行破解:
hashcat64.exe -a 3 -m 13600 $zip2$*0*3*0*554bb43ff71cb0cac76326f292119dfd*ff23*5*24b28885ee*d4fe362bb1e91319ab53*$/zip2$ --force ?d?d?d?d?d?d
Office密码
获取office的hash值:
python office2john.py 11.docx
之后使用hashcat进行破解:
hashcat64.exe -a 3 -m 9600 $office$*2013*100000*256*16*e4a3eb62e8d3576f861f9eded75e0525*9eeb35f0849a7800d48113440b4bbb9c*577f8d8b2e1c5f60fed76e62327b38d28f25230f6c7dfd66588d9ca8097aabb9 --force ?d?d?d?d?d?d
WIFI密码
首先把我们的握手包转化为hccapx格式,现在最新版的hashcat只支持hccapx格式了,以前的hccap格式已经不支持了,官方在线转换:https://hashcat.net/cap2hccapx/
hashcat64.exe -a 3 -m 2500 1.hccapx 1391040?d?d?d?d
本文参与 腾讯云自媒体同步曝光计划,分享自微信公众号。
原始发表:2021-07-15,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
目录
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号