Crack Exlce by yourself word、pdf、 Compressed Password Tutorial

2024-12-25 15:15:13

Brief introduction

GPU
CPU
APU
DSP
FPGA
Coprocessor

GPU driver requirements

AMD GPUs on Linux require "RadeonOpenCompute (ROCm)" Software Platform (1.6.180 or later)
AMD GPUs on Windows require "AMD Radeon Software Crimson Edition" (15.12 or later)
Intel CPUs require "OpenCL Runtime for Intel Core and Intel Xeon Processors" (16.1.1 or later)
Intel GPUs on Linux require "OpenCL 2.0 GPU Driver Package for Linux" (2.0 or later)
Intel GPUs on Windows require "OpenCL Driver for Intel Iris and Intel HD Graphics"
NVIDIA GPUs require "NVIDIA Driver" (367.x or later)

parameter

The following are common parameters, if you want to know more parameters you can hashcat --help view

-a  指定要使用的破解模式，其值參考后面對參數(shù)。“-a 0”字典攻擊，“-a 1” 組合攻擊；“-a 3”掩碼攻擊。
-m  指定要破解的hash類型，如果不指定類型，則默認(rèn)是MD5
-o  指定破解成功后的hash及所對應(yīng)的明文密碼的存放位置,可以用它把破解成功的hash寫到指定的文件中
--force 忽略破解過程中的警告信息,跑單條hash可能需要加上此選項(xiàng)
--show  顯示已經(jīng)破解的hash及該hash所對應(yīng)的明文
--increment  啟用增量破解模式,你可以利用此模式讓hashcat在指定的密碼長度范圍內(nèi)執(zhí)行破解過程
--increment-min  密碼最小長度,后面直接等于一個(gè)整數(shù)即可,配置increment模式一起使用
--increment-max  密碼最大長度,同上
--outfile-format 指定破解結(jié)果的輸出格式id,默認(rèn)是3
--username   忽略hash文件中的指定的用戶名,在破解linux系統(tǒng)用戶密碼hash可能會(huì)用到
--remove     刪除已被破解成功的hash
-r       使用自定義破解規(guī)則

Attack Patterns:

# | Mode
 ===+======
  0 | Straight（字段破解）
  1 | Combination（組合破解）
  3 | Brute-force（掩碼暴力破解）
  6 | Hybrid Wordlist + Mask（字典+掩碼破解）
  7 | Hybrid Mask + Wordlist（掩碼+字典破解）

Output format

1 = hash[:salt]
2 = plain
3 = hash[:salt]:plain
4 = hex_plain
5 = hash[:salt]:hex_plain
6 = plain:hex_plain
7 = hash[:salt]:plain:hex_plain
8 = crackpos
9 = hash[:salt]:crackpos
10 = plain:crackpos
11 = hash[:salt]:plain:crackpos
12 = hex_plain:crackpos
13 = hash[:salt]:hex_plain:crackpos
14 = plain:hex_plain:crackpos
15 = hash[:salt]:plain:hex_plain:crackpos

Hash ID comparison table

Because there are so many, I will post some common hash types, if you want to know all the parameters, you can go to the hashcat wiki to see, or directly hashcat --help to view the hash comparison table

- [ Hash modes ] -

      # | Name                                             | Category
  ======+==================================================+======================================
    900 | MD4                                              | Raw Hash
      0 | MD5                                              | Raw Hash
   5100 | Half MD5                                         | Raw Hash
    100 | SHA1                                             | Raw Hash
   1300 | SHA2-224                                         | Raw Hash
   1400 | SHA2-256                                         | Raw Hash
  10800 | SHA2-384                                         | Raw Hash
   1700 | SHA2-512                                         | Raw Hash
  17300 | SHA3-224                                         | Raw Hash
  17400 | SHA3-256                                         | Raw Hash
  17500 | SHA3-384                                         | Raw Hash
  17600 | SHA3-512                                         | Raw Hash
     10 | md5($pass.$salt)                                 | Raw Hash, Salted and/or Iterated
     20 | md5($salt.$pass)                                 | Raw Hash, Salted and/or Iterated
     30 | md5(utf16le($pass).$salt)                        | Raw Hash, Salted and/or Iterated
     40 | md5($salt.utf16le($pass))                        | Raw Hash, Salted and/or Iterated
   3800 | md5($salt.$pass.$salt)                           | Raw Hash, Salted and/or Iterated
   3710 | md5($salt.md5($pass))                            | Raw Hash, Salted and/or Iterated
   4010 | md5($salt.md5($salt.$pass))                      | Raw Hash, Salted and/or Iterated
   4110 | md5($salt.md5($pass.$salt))                      | Raw Hash, Salted and/or Iterated
   2600 | md5(md5($pass))                                  | Raw Hash, Salted and/or Iterated
   3910 | md5(md5($pass).md5($salt))                       | Raw Hash, Salted and/or Iterated
   4300 | md5(strtoupper(md5($pass)))                      | Raw Hash, Salted and/or Iterated
   4400 | md5(sha1($pass))                                 | Raw Hash, Salted and/or Iterated
    110 | sha1($pass.$salt)                                | Raw Hash, Salted and/or Iterated
    120 | sha1($salt.$pass)                                | Raw Hash, Salted and/or Iterated
    130 | sha1(utf16le($pass).$salt)                       | Raw Hash, Salted and/or Iterated
    140 | sha1($salt.utf16le($pass))                       | Raw Hash, Salted and/or Iterated
   4500 | sha1(sha1($pass))                                | Raw Hash, Salted and/or Iterated
   4520 | sha1($salt.sha1($pass))                          | Raw Hash, Salted and/or Iterated
   4700 | sha1(md5($pass))                                 | Raw Hash, Salted and/or Iterated
   4900 | sha1($salt.$pass.$salt)                          | Raw Hash, Salted and/or Iterated
  14400 | sha1(CX)                                         | Raw Hash, Salted and/or Iterated
   1410 | sha256($pass.$salt)                              | Raw Hash, Salted and/or Iterated
   1420 | sha256($salt.$pass)                              | Raw Hash, Salted and/or Iterated
   1430 | sha256(utf16le($pass).$salt)                     | Raw Hash, Salted and/or Iterated
   1440 | sha256($salt.utf16le($pass))                     | Raw Hash, Salted and/or Iterated
   1710 | sha512($pass.$salt)                              | Raw Hash, Salted and/or Iterated
   1720 | sha512($salt.$pass)                              | Raw Hash, Salted and/or Iterated
   1730 | sha512(utf16le($pass).$salt)                     | Raw Hash, Salted and/or Iterated
   1740 | sha512($salt.utf16le($pass))                     | Raw Hash, Salted and/or Iterated
  14000 | DES (PT = $salt, key = $pass)                    | Raw Cipher, Known-Plaintext attack
  14100 | 3DES (PT = $salt, key = $pass)                   | Raw Cipher, Known-Plaintext attack
  14900 | Skip32 (PT = $salt, key = $pass)                 | Raw Cipher, Known-Plaintext attack
  15400 | ChaCha20                                         | Raw Cipher, Known-Plaintext attack
   2500 | WPA-EAPOL-PBKDF2                                 | Network Protocols
   2501 | WPA-EAPOL-PMK                                    | Network Protocols
  16800 | WPA-PMKID-PBKDF2                                 | Network Protocols
  16801 | WPA-PMKID-PMK                                    | Network Protocols
   7300 | IPMI2 RAKP HMAC-SHA1                             | Network Protocols
   7500 | Kerberos 5 AS-REQ Pre-Auth etype 23              | Network Protocols
   8300 | DNSSEC (NSEC3)                                   | Network Protocols
  10200 | CRAM-MD5                                         | Network Protocols
  11100 | PostgreSQL CRAM (MD5)                            | Network Protocols
  11200 | MySQL CRAM (SHA1)                                | Network Protocols
  16100 | TACACS+                                          | Network Protocols
  16500 | JWT (JSON Web Token)                             | Network Protocols
    121 | SMF (Simple Machines Forum) > v1.1               | Forums, CMS, E-Commerce, Frameworks
    400 | phpBB3 (MD5)                                     | Forums, CMS, E-Commerce, Frameworks
   2811 | MyBB 1.2+                                        | Forums, CMS, E-Commerce, Frameworks
   2811 | IPB2+ (Invision Power Board)                     | Forums, CMS, E-Commerce, Frameworks
   8400 | WBB3 (Woltlab Burning Board)                     | Forums, CMS, E-Commerce, Frameworks
     11 | Joomla < 2.5.18                                  | Forums, CMS, E-Commerce, Frameworks
    400 | Joomla >= 2.5.18 (MD5)                           | Forums, CMS, E-Commerce, Frameworks
    400 | WordPress (MD5)                                  | Forums, CMS, E-Commerce, Frameworks
   2612 | PHPS                                             | Forums, CMS, E-Commerce, Frameworks
   7900 | Drupal7                                          | Forums, CMS, E-Commerce, Frameworks
     21 | osCommerce                                       | Forums, CMS, E-Commerce, Frameworks
     21 | xt:Commerce                                      | Forums, CMS, E-Commerce, Frameworks
  11000 | PrestaShop                                       | Forums, CMS, E-Commerce, Frameworks
    124 | Django (SHA-1)                                   | Forums, CMS, E-Commerce, Frameworks
  10000 | Django (PBKDF2-SHA256)                           | Forums, CMS, E-Commerce, Frameworks
     12 | PostgreSQL                                       | Database Server
    131 | MSSQL (2000)                                     | Database Server
    132 | MSSQL (2005)                                     | Database Server
   1731 | MSSQL (2012, 2014)                               | Database Server
    200 | MySQL323                                         | Database Server
    300 | MySQL4.1/MySQL5                                  | Database Server
   3100 | Oracle H: Type (Oracle 7+)                       | Database Server
    112 | Oracle S: Type (Oracle 11+)                      | Database Server
  12300 | Oracle T: Type (Oracle 12+)                      | Database Server
   8000 | Sybase ASE                                       | Database Server
  15000 | FileZilla Server >= 0.9.55                       | FTP Server
  11500 | CRC32                                            | Checksums
   3000 | LM                                               | Operating Systems
   1000 | NTLM                                             | Operating Systems
    500 | md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)        | Operating Systems
   3200 | bcrypt $2*$, Blowfish (Unix)                     | Operating Systems
   7400 | sha256crypt $5$, SHA256 (Unix)                   | Operating Systems
   1800 | sha512crypt $6$, SHA512 (Unix)                   | Operating Systems
    122 | macOS v10.4, MacOS v10.5, MacOS v10.6            | Operating Systems
   1722 | macOS v10.7                                      | Operating Systems
   7100 | macOS v10.8+ (PBKDF2-SHA512)                     | Operating Systems
  11600 | 7-Zip                                            | Archives
  12500 | RAR3-hp                                          | Archives
  13000 | RAR5                                             | Archives
  13600 | WinZip                                           | Archives
   9700 | MS Office <= 2003 $0/$1, MD5 + RC4               | Documents
   9710 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #1  | Documents
   9720 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #2  | Documents
   9800 | MS Office <= 2003 $3/$4, SHA1 + RC4              | Documents
   9810 | MS Office <= 2003 $3, SHA1 + RC4, collider #1    | Documents
   9820 | MS Office <= 2003 $3, SHA1 + RC4, collider #2    | Documents
   9400 | MS Office 2007                                   | Documents
   9500 | MS Office 2010                                   | Documents
   9600 | MS Office 2013                                   | Documents
  10400 | PDF 1.1 - 1.3 (Acrobat 2 - 4)                    | Documents
  10410 | PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #1       | Documents
  10420 | PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2       | Documents
  10500 | PDF 1.4 - 1.6 (Acrobat 5 - 8)                    | Documents
  10600 | PDF 1.7 Level 3 (Acrobat 9)                      | Documents
  10700 | PDF 1.7 Level 8 (Acrobat 10 - 11)                | Documents
  99999 | Plaintext                                        | Plaintext

Mask settings

Here is a list of common mask character sets

l | abcdefghijklmnopqrstuvwxyz          純小寫字母
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ          純大寫字母
d | 0123456789                  純數(shù)字
h | 0123456789abcdef                常見小寫子目錄和數(shù)字
H | 0123456789ABCDEF                常見大寫字母和數(shù)字
s |  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~       特殊字符
a | ?l?u?d?s                    鍵盤上所有可見的字符
b | 0x00 - 0xff                 可能是用來匹配像空格這種密碼的

下面舉幾個(gè)簡單的例子來了解一下掩碼的設(shè)置

八位數(shù)字密碼：?d?d?d?d?d?d?d?d
八位未知密碼：?a?a?a?a?a?a?a?a
前四位為大寫字母，后面四位為數(shù)字：?u?u?u?u?d?d?d?d
前四位為數(shù)字或者是小寫字母，后四位為大寫字母或者數(shù)字：?h?h?h?h?H?H?H?H
前三個(gè)字符未知，中間為admin，后三位未知：?a?a?aadmin?a?a?a
6-8位數(shù)字密碼：--increment --increment-min 6 --increment-max 8 ?l?l?l?l?l?l?l?l
6-8位數(shù)字+小寫字母密碼：--increment --increment-min 6 --increment-max 8 ?h?h?h?h?h?h?h?h

If we want to set the character set to: abcd123456!@-+, then how do we do that. This requires the use of a custom character set, and hashcat allows users to define up to 4 sets of character sets

--custom-charset1 [chars]等價(jià)于 -1
--custom-charset2 [chars]等價(jià)于 -2
--custom-charset3 [chars]等價(jià)于 -3
--custom-charset4 [chars]等價(jià)于 -4
在掩碼中用?1、?2、?3、?4來表示。

Here are a few more examples:

--custom-charset1 abcd123456!@-+。然后我們就可以用"?1"去表示這個(gè)字符集了
--custom-charset2 ?l?d，這里和?2就等價(jià)于?h
-1 ?d?l?u，?1就表示數(shù)字+小寫字母+大寫字母
-3 abcdef -4 123456 那么?3?3?3?3?4?4?4?4就表示為前四位可能是“abcdef”，后四位可能是“123456”

example

PS: I'll give you the configuration of my machine here, and then compare the speed of cracking

CPU：Intel(R) Core(TM) i5-7300HQ CPU @ 2.50GHz
顯卡：GTX 1050 Ti

7-digit number crack

hashcat64.exe -a 3 -m 0 --force 25c3e88f81b4853f2a8faacad4c871b6 ?d?d?d?d?d?d?d

7 Lowercase Letters Crack:

hashcat64.exe -a 3 -m 0 --force 7a47c6db227df60a6d67245d7d8063f3 ?l?l?l?l?l?l?l

1-8 digit crack:

hashcat64.exe -a 3 -m 0 --force 4488cec2aea535179e085367d8a17d75 --increment --increment-min 1 --increment-max 8 ?d?d?d?d?d?d?d?d

1-8 digits lowercase letters + numbers cracked

hashcat64.exe -a 3 -m 0 --force ab65d749cba1656ca11dfa1cc2383102 --increment --increment-min 1 --increment-max 8 ?h?h?h?h?h?h?h?h

Specific character marks: 123456abcdf!@+-

hashcat64.exe -a 3 -1 123456abcdf!@+- 8b78ba5089b11326290bc15cf0b9a07d ?1?1?1?1?1
注意一下：這里的-1和?1是數(shù)字1，不是字母l

1-8 is the set of bits: 123456abcdf!@+-

hashcat64.exe -a 3 -1 123456abcdf!@+- 9054fa315ce16f7f0955b4af06d1aa1b --increment --increment-min 1 --increment-max 8 ?1?1?1?1?1?1?1?1

1-8 digits + uppercase and lowercase letters + visible special symbols

hashcat64.exe -a 3 -1 ?d?u?l?s d37fc9ee39dd45a7717e3e3e9415f65d --increment --increment-min 1 --increment-max 8 ?1?1?1?1?1?1?1?1
或者：
hashcat64.exe -a 3 d37fc9ee39dd45a7717e3e3e9415f65d --increment --increment-min 1 --increment-max 8 ?a?a?a?a?a?a?a?a

Dictionary cracking

-a 0是指定字典破解模式，-o是輸出結(jié)果到文件中
hashcat64.exe -a 0 ede900ac1424436b55dc3c9f20cb97a8 password.txt -o result.txt

Batch cracking

hashcat64.exe -a 0 hash.txt password.txt -o result.txt

Dictionary Combo Crack:

hashcat64.exe -a 1 25f9e794323b453885f5181f1b624d0b pwd1.txt pwd2.txt

Dictionary + mask cracking

hashcat64.exe -a 6 9dc9d5ed5031367d42543763423c24ee password.txt ?l?l?l?l?l

Mysql4.1/5的PASSWORD函數(shù)

hashcat64.exe -a 3 -m 300 --force 6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 ?d?d?d?d?d?d

sha512crypt $6$, SHA512 (Unix)破解

可以cat /etc/shadow獲取

hashcat64.exe -a 3 -m 1800 --force $6$mxuA5cdy$XZRk0CvnPFqOgVopqiPEFAFK72SogKVwwwp7gWaUOb7b6tVwfCpcSUsCEk64ktLLYmzyew/xd0O0hPG/yrm2X. ?l?l?l?l

Instead of sorting out the username, use --username

hashcat64.exe -a 3 -m 1800 --force qiyou:$6$QDq75ki3$jsKm7qTDHz/xBob0kF1Lp170Cgg0i5Tslf3JW/sm9k9Q916mBTyilU3PoOsbRdxV8TAmzvdgNjrCuhfg3jKMY1 ?l?l?l?l?l --username

Windows NT-hash，LM-hash破解

You can use saminside to get the values of NT-hash and LM-hash

NT-hash:
hashcat64.exe -a 3 -m 1000 209C6174DA490CAEB422F3FA5A7AE634 ?l?l?l?l?l
LM-hash:
hashcat64.exe -a 3 -m 3000 F0D412BD764FFE81AAD3B435B51404EE ?l?l?l?l?l

mssql

hashcat64.exe -a 3 -m 132 --force 0x01008c8006c224f71f6bf0036f78d863c3c4ff53f8c3c48edafb ?l?l?l?l?l?d?d?d

WordPress Password Hash Crack

The function in which the specific encryption script is in./wp-includes/class-phpass.phpHashPassword

hashcat64.exe -a 3 -m 400 --force $P$BYEYcHEj3vDhV1lwGBv6rpxurKOEWY/ ?d?d?d?d?d?d

discuz用戶密碼hash破解

其密碼加密方式md5(md5($pass).$salt)

hashcat64.exe -a 3 -m 2611 --force 14e1b600b1fd579f47433b88e8d85291: ?d?d?d?d?d?d

Crack RAR compression password

First of all, rar2john gets the hash value of the rar file and downloads it

獲取rar文件的hash值：rar2john.exe 1.rar
結(jié)果：
1.rar:$rar5$16$639e9ce8344c680da12e8bdd4346a6a3$15$a2b056a21a9836d8d48c2844d171b73d$8$04a52d2224ad082e

hashcat64.exe -a 3 -m 13000 --force $rar5$16$639e9ce8344c680da12e8bdd4346a6a3$15$a2b056a21a9836d8d48c2844d171b73d$8$04a52d2224ad082e ?d?d?d?d?d?d

Note:

hashcat 支持 RAR3-hp 和 RAR5，官方示例如下：

-m參數(shù)    類型      示例 hash
12500    RAR3-hp    $RAR3$*0*45109af8ab5f297a*adbf6c5385d7a40373e8f77d7b89d317
13000    RAR5       $rar5$16$74575567518807622265582327032280$15$f8b4064de34ac02ecabfe

zip密碼破解

用zip2john獲取文件的hash值：zip2john.exe 1.zip
結(jié)果：1.zip:$zip2$*0*3*0*554bb43ff71cb0cac76326f292119dfd*ff23*5*24b28885ee*d4fe362bb1e91319ab53*$/zip2$:::::1.zip-1.txt

hashcat64.exe -a 3 -m 13600 $zip2$*0*3*0*554bb43ff71cb0cac76326f292119dfd*ff23*5*24b28885ee*d4fe362bb1e91319ab53*$/zip2$ --force ?d?d?d?d?d?d

破解office密碼

獲取office的hash值：python office2john.py 11.docx
結(jié)果：11.docx:$office$*2013*100000*256*16*e4a3eb62e8d3576f861f9eded75e0525*9eeb35f0849a7800d48113440b4bbb9c*577f8d8b2e1c5f60fed76e62327b38d28f25230f6c7dfd66588d9ca8097aabb9

hashcat64.exe -a 3 -m 9600 $office$*2013*100000*256*16*e4a3eb62e8d3576f861f9eded75e0525*9eeb35f0849a7800d48113440b4bbb9c*577f8d8b2e1c5f60fed76e62327b38d28f25230f6c7dfd66588d9ca8097aabb9 --force ?d?d?d?d?d?d

Crack the WIFI password

First of all, we will convert our handshake package to HCCAPX format, now the latest version of HashCAT only supports HCCAPX format, and the previous HCCAP format is no longer supported

官方在線轉(zhuǎn)化https://hashcat.net/cap2hccapx/

hashcat64.exe -a 3 -m 2500 1.hccapx 1391040?d?d?d?d

Others

1. For cracked hash values, use View Resulthashcat64.exe hash --show

2. All hash cracking results are in the hashcat.potfile file

3. If the cracking time is too long, you can press the S key to check the cracking status, the P key to pause, the R key to continue cracking, and the Q key to exit the cracking.

4. When using GPU mode for cracking, optimization can be done automatically using the -O parameter

5. In the actual cracking, if we blindly crack it, it will take up a lot of our time and resources

   1.首先走一遍常用的弱口令字典
   2.組合密碼，如：zhang1999，用姓氏和出生年組合，當(dāng)然也可以用其它的組合，這里舉個(gè)例子而已
   3.把常用的掩碼組合整理起來放在masks中的.hcmask文件中，然后讓它自動(dòng)加載破解
   4.如果實(shí)在不行，你可以嘗試低位數(shù)的所有組合去跑，不過不建議太高位數(shù)的組合去破解，因?yàn)槿绻麑Ψ皆O(shè)置的密碼很復(fù)雜的話，到頭來你密碼沒有破解到，卻浪費(fèi)了大量的時(shí)間和資源，得不償失

   6.HashCat parameter optimizationConsidering
   the cracking speed of hashcat and the allocation of resources, we can configure
   some parameters: 1.Workload tuning.
   This parameter supports the following values: 1, 8, 40, 80, and 160

   --gpu-accel 160 可以讓GPU發(fā)揮最大性能。

   2. Gpu loops load fine-tuning
   : The range of values supported by this parameter is 8-1024 (some algorithms only support up to 1000).

   --gpu-loops 1024 可以讓GPU發(fā)揮最大性能。

   3.Segment size Dictionary cache size
   This parameter is to set the size of the memory cache, the function is to put the dictionary into the memory cache to speed up the dictionary cracking speed, the default is 32MB, you can set it according to your own memory situation, of course, the bigger the block.

   --segment-size 512 可以提高大字典破解的速度。