This article walks through basic use of the john tool and introduces the unshadow and unique utilities.
The unshadow command combines the data in /etc/passwd with the data in /etc/shadow, producing a single file that holds the user names together with their password details.
Example:
root@kali:~# unshadow /etc/passwd /etc/shadow > shadow
This produces a password file named shadow.
The unique tool strips duplicate lines from a password dictionary, which makes wordlist-based cracking a good deal more convenient.
Usage:
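To make the merge that unshadow performs concrete, here is a small re-implementation in Python on constructed sample data. It is an added example, not unshadow's own code, and the passwd and shadow records (including the hash strings) are placeholders rather than data from any real system. The crackable_accounts helper is an addition for auditing: john only loads real crypt(3) hashes, so locked accounts (hash field "*", "!" or "!!") and empty fields never appear in its results.

```python
"""Re-implementation of the unshadow merge on constructed sample records.
This is an illustrative example, not the unshadow tool's own code."""

# Constructed /etc/passwd content (not from a real machine).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Constructed /etc/shadow content; the "$6$..." string is a placeholder,
# not a real sha512crypt hash.  daemon and alice are locked accounts.
SHADOW = """\
root:$6$EXAMPLESALT$EXAMPLEHASHPLACEHOLDER:16200:0:99999:7:::
daemon:*:16200:0:99999:7:::
alice:!:16200:0:99999:7:::
"""


def parse_shadow(text):
    """Map user name -> hash field (field 2) of each shadow record."""
    hashes = {}
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            hashes[fields[0]] = fields[1]
    return hashes


def unshadow(passwd_text, shadow_text):
    """Replace the 'x' in field 2 of every passwd record with the matching
    shadow hash.  The result is the combined format john loads.  Users that
    have no shadow record keep their passwd field as it is."""
    hashes = parse_shadow(shadow_text)
    merged = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged


def crackable_accounts(merged_lines):
    """Audit helper (added, not part of unshadow): users whose hash field is
    an actual crypt(3) hash.  '*', '!', '!!' and empty fields denote locked
    or passwordless accounts, which john never loads."""
    users = []
    for line in merged_lines:
        user, hash_field = line.split(":")[:2]
        if hash_field and not hash_field.startswith(("*", "!")):
            users.append(user)
    return users


if __name__ == "__main__":
    merged = unshadow(PASSWD, SHADOW)
    for record in merged:
        print(record)
    print("accounts john would load:", crackable_accounts(merged))
```

Running it prints the three merged records in passwd layout with the hash in the second field, and reports that only root carries a hash john would actually load.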
root@kali:~# unique
Usage: unique [-v] [-inp=fname] [-cut=len] [-mem=num] OUTPUT-FILE [-ex_file=FNAME2] [-ex_file_only=FNAME2]
reads from stdin 'normally', but can be overridden by optional -inp=
If -ex_file=XX is used, then data from file XX is also used to
unique the data, but nothing is ever written to XX. Thus, any data in
XX, will NOT output into OUTPUT-FILE (for making iterative dictionaries)
-ex_file_only=XX assumes the file is 'unique', and only checks against XX
-cut=len Will trim each input lines to 'len' bytes long, prior to running
the unique algorithm. The 'trimming' is done on any -ex_file[_only] file
-mem=num. A number that overrides the UNIQUE_HASH_LOG value from within
params.h. The default is 21. This can be raised, up to 25 (memory usage
doubles each number). If you go TOO large, unique will swap and thrash and
work VERY slow
-v is for 'verbose' mode, outputs line counts during the run
Example:
root@kali:~# unique -v -inp=allwords.txt uniques.txt
Total lines read 6089 Unique lines written 5083
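The following Python snippet, added here as an illustration and not taken from john's unique.c, reproduces the two options from the usage text that matter most in practice: plain de-duplication that preserves first occurrence order, the -ex_file=XX behaviour (entries already present in XX are never written again, which is how iterative dictionaries are built), and -cut=len trimming applied to both the input and the exclusion list. The wordlist and exclusion list are constructed sample values; the real tool works on raw bytes and a fixed-size hash table, which this version does not model.

```python
"""Order-preserving de-duplication mirroring unique's -ex_file and -cut
options.  Illustrative example, not the unique tool's own code."""

# Constructed sample wordlist with duplicates.
WORDLIST = ["password", "123456", "Password", "123456",
            "letmein", "password", "qwerty"]

# Constructed contents of an -ex_file: candidates already used in an
# earlier run, so they must not be written to the new dictionary.
ALREADY_TRIED = ["qwerty", "dragon"]


def unique_lines(lines, ex_lines=(), cut=None):
    """Return (written_lines, total_read).

    lines:    candidate words read from the input (stdin or -inp=)
    ex_lines: words from -ex_file; they seed the 'seen' set but are never
              emitted, just as unique never writes anything to XX
    cut:      -cut=len; trim every line to `cut` bytes before comparing,
              for the exclusion file as well as the input
    """
    def trim(word):
        if cut is None:
            return word
        # unique trims bytes, not characters; a partial UTF-8 sequence at
        # the cut point is dropped here rather than emitted as garbage.
        return word.encode("utf-8")[:cut].decode("utf-8", errors="ignore")

    seen = {trim(word) for word in ex_lines}
    written = []
    total = 0
    for word in lines:
        total += 1
        word = trim(word)
        if word in seen:
            continue
        seen.add(word)
        written.append(word)
    return written, total


if __name__ == "__main__":
    written, total = unique_lines(WORDLIST, ALREADY_TRIED)
    for word in written:
        print(word)
    # Same shape as unique -v's final report line.
    print(f"Total lines read {total} Unique lines written {len(written)}")
```

With the sample data, "123456" and "password" are written once each, "Password" is kept because comparison is case-sensitive, and "qwerty" is dropped because it already appears in the exclusion list.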
John the Ripper is a local password cracker: it recovers passwords from the shadow file (the password hashes) generated above. How long that takes depends on the complexity of the passwords and on the cracking mode used.
Usage: see the official john documentation.
Example:
Here we use the wordlist that ships with john, located at /usr/share/john/password.lst.
root@kali:~# john --wordlist=/usr/share/john/password.lst --rules shadow
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Loaded 1 password hash (sha512crypt [64/64])
123456 (root)
guesses: 1 time: 0:00:00:07 DONE (Mon May 19 08:13:05 2014) c/s: 482 trying: 1701d - andrew
Use the "--show" option to display all of the cracked passwords reliably
As you can see, the fifth line of the output already shows the cracked password: 123456.
root@kali:~# john shadow
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Loaded 1 password hash (sha512crypt [64/64])
123456 (root)
guesses: 1 time: 0:00:00:07 DONE (Mon May 19 08:13:05 2014) c/s: 482 trying: 1701d - andrew
Use the "--show" option to display all of the cracked passwords reliably
John also offers several other cracking modes; they are not demonstrated here, and the official documentation referenced above describes them.
John cracks a given shadow file only once. Running john shadow a second time yields no result; all you get is the output below.
root@kali2017:~# john shadow
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
No password hashes left to crack (see FAQ)
To view the results of the previous run, use the following command.
root@kali2017:~# john --show shadow
root:123456:0:0:root:/root:/bin/bash
1 password hash cracked, 0 left
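The reason the second run reports "No password hashes left to crack" is that john writes every cracked hash to its pot file (~/.john/john.pot by default) and, on the next run, discards any hash already recorded there; --show simply joins the pot file against the shadow file. The Python below, an added example rather than john's own code, reproduces that join on constructed data. It assumes the common john.pot line shape "ciphertext:plaintext"; the hashes and the pot entry are placeholders, not values from a real system.

```python
"""Reproduce what john does with its pot file: decide which hashes are
still left to crack, and render `john --show shadow` style output.
Illustrative example on constructed data, not john's own implementation."""

# Constructed unshadow output; the "$6$..." strings are placeholders.
SHADOW = [
    "root:$6$EXAMPLESALT$EXAMPLEHASHROOT:0:0:root:/root:/bin/bash",
    "alice:$6$EXAMPLESALT$EXAMPLEHASHALICE:1000:1000:Alice:/home/alice:/bin/bash",
    "daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
]

# Constructed john.pot after a first run that recovered root's password.
POT = [
    "$6$EXAMPLESALT$EXAMPLEHASHROOT:123456",
]


def load_pot(pot_lines):
    """ciphertext -> plaintext.  A crypt(3) hash never contains ':', so the
    first ':' separates the two fields even if the password itself has one."""
    pot = {}
    for line in pot_lines:
        if line.strip():
            ciphertext, plaintext = line.rstrip("\n").split(":", 1)
            pot[ciphertext] = plaintext
    return pot


def is_hash(field):
    """True for a real crypt(3) hash; locked/empty fields are never loaded."""
    return bool(field) and not field.startswith(("*", "!"))


def hashes_left(shadow_lines, pot):
    """Users john would still load on a repeat run: crackable hashes that
    are not yet in the pot file.  Empty list -> 'No password hashes left'."""
    return [line.split(":")[0] for line in shadow_lines
            if is_hash(line.split(":")[1]) and line.split(":")[1] not in pot]


def show(shadow_lines, pot):
    """Render `--show` output: each cracked record in passwd layout with the
    hash replaced by the recovered password, then john's summary line."""
    out = []
    cracked = left = 0
    for line in shadow_lines:
        fields = line.split(":")
        h = fields[1]
        if not is_hash(h):
            continue            # locked accounts are neither loaded nor counted
        if h in pot:
            fields[1] = pot[h]
            out.append(":".join(fields))
            cracked += 1
        else:
            left += 1
    noun = "password hash" if cracked == 1 else "password hashes"
    out.append(f"{cracked} {noun} cracked, {left} left")
    return out


if __name__ == "__main__":
    pot = load_pot(POT)
    print("still to crack:", hashes_left(SHADOW, pot) or "none (see FAQ)")
    for line in show(SHADOW, pot):
        print(line)
```

With these inputs root is reported exactly as on the page ("root:123456:0:0:root:/root:/bin/bash"), alice remains in the "left" count because her hash has no pot entry, and daemon is ignored entirely because a locked account is never loaded.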