Hashcat은,
아래와 같이 패스워드 복구 도구라고 설명하고 있지만,
Pentest과정에서 패스워드 등 탈취한 Hash 값을 Crack 하기 위해 대입공격을 시도하는 도구이다.
Linux, macOS, Windows에서 사용가능한 버전이 존재하며,
지원하는 알고리즘으로는 LM hash, MD4, MD5, SHA계열 등이 존재한다.
Hashcat is a password recovery tool. Versions are available for Linux, macOS, and Windows. Examples of hashcat-supported hashing algorithms are LM hashes, MD4, MD5, SHA-family and Unix Crypt formats as well as algorithms used in MySQL and Cisco PIX.
Hashcat 사용법
hashcat은 --help 명령어를 통해 option별로 자세한 설명을 제공하고 있어,
사전에 학습할 필요없이 찾아보며 바로 사용이 가능했지만,
숙달되기 전까지 찾아보는데 시간이 다소 걸려 정리의 필요성을 느꼈다.
사용법을 확인하기 위해 help명령어를 입력하여 매뉴얼을 확인한다.
MacBookPro-2 ~ % hashcat --help
hashcat (v6.2.5-532-gcd77e488d) starting in help mode
Usage: hashcat [options]... hash|hashfile|hccapxfile [dictionary|mask|directory]...
- [ Options ] -
Options Short / Long | Type | Description | Example
================================+======+======================================================+=======================
-m, --hash-type | Num | Hash-type, references below (otherwise autodetect) | -m 1000
-a, --attack-mode | Num | Attack-mode, see references below | -a 3
-V, --version | | Print version |
-h, --help | | Print help |
--quiet | | Suppress output |
--hex-charset | | Assume charset is given in hex |
--hex-salt | | Assume salt is given in hex |
--hex-wordlist | | Assume words in wordlist are given in hex |
--force | | Ignore warnings |
--deprecated-check-disable | | Enable deprecated plugins |
--status | | Enable automatic update of the status screen |
--status-json | | Enable JSON format for status output |
--status-timer | Num | Sets seconds between status screen updates to X | --status-timer=1
--stdin-timeout-abort | Num | Abort if there is no input from stdin for X seconds | --stdin-timeout-abort=300
--machine-readable | | Display the status view in a machine-readable format |
--keep-guessing | | Keep guessing the hash after it has been cracked |
--self-test-disable | | Disable self-test functionality on startup |
--loopback | | Add new plains to induct directory |
--markov-hcstat2 | File | Specify hcstat2 file to use | --markov-hcstat2=my.hcstat2
--markov-disable | | Disables markov-chains, emulates classic brute-force |
--markov-classic | | Enables classic markov-chains, no per-position |
--markov-inverse | | Enables inverse markov-chains, no per-position |
-t, --markov-threshold | Num | Threshold X when to stop accepting new markov-chains | -t 50
--runtime | Num | Abort session after X seconds of runtime | --runtime=10
--session | Str | Define specific session name | --session=mysession
--restore | | Restore session from --session |
--restore-disable | | Do not write restore file |
--restore-file-path | File | Specific path to restore file | --restore-file-path=x.restore
-o, --outfile | File | Define outfile for recovered hash | -o outfile.txt
--outfile-format | Str | Outfile format to use, separated with commas | --outfile-format=1,3
--outfile-autohex-disable | | Disable the use of $HEX[] in output plains |
--outfile-check-timer | Num | Sets seconds between outfile checks to X | --outfile-check=30
--wordlist-autohex-disable | | Disable the conversion of $HEX[] from the wordlist |
-p, --separator | Char | Separator char for hashlists and outfile | -p :
--stdout | | Do not crack a hash, instead print candidates only |
--show | | Compare hashlist with potfile; show cracked hashes |
--left | | Compare hashlist with potfile; show uncracked hashes |
--username | | Enable ignoring of usernames in hashfile |
--remove | | Enable removal of hashes once they are cracked |
--remove-timer | Num | Update input hash file each X seconds | --remove-timer=30
--potfile-disable | | Do not write potfile |
--potfile-path | File | Specific path to potfile | --potfile-path=my.pot
--encoding-from | Code | Force internal wordlist encoding from X | --encoding-from=iso-8859-15
--encoding-to | Code | Force internal wordlist encoding to X | --encoding-to=utf-32le
--debug-mode | Num | Defines the debug mode (hybrid only by using rules) | --debug-mode=4
--debug-file | File | Output file for debugging rules | --debug-file=good.log
--induction-dir | Dir | Specify the induction directory to use for loopback | --induction=inducts
--outfile-check-dir | Dir | Specify the outfile directory to monitor for plains | --outfile-check-dir=x
--logfile-disable | | Disable the logfile |
--hccapx-message-pair | Num | Load only message pairs from hccapx matching X | --hccapx-message-pair=2
--nonce-error-corrections | Num | The BF size range to replace AP's nonce last bytes | --nonce-error-corrections=16
--keyboard-layout-mapping | File | Keyboard layout mapping table for special hash-modes | --keyb=german.hckmap
--truecrypt-keyfiles | File | Keyfiles to use, separated with commas | --truecrypt-keyf=x.png
--veracrypt-keyfiles | File | Keyfiles to use, separated with commas | --veracrypt-keyf=x.txt
--veracrypt-pim-start | Num | VeraCrypt personal iterations multiplier start | --veracrypt-pim-start=450
--veracrypt-pim-stop | Num | VeraCrypt personal iterations multiplier stop | --veracrypt-pim-stop=500
-b, --benchmark | | Run benchmark of selected hash-modes |
--benchmark-all | | Run benchmark of all hash-modes (requires -b) |
--speed-only | | Return expected speed of the attack, then quit |
--progress-only | | Return ideal progress step size and time to process |
-c, --segment-size | Num | Sets size in MB to cache from the wordfile to X | -c 32
--bitmap-min | Num | Sets minimum bits allowed for bitmaps to X | --bitmap-min=24
--bitmap-max | Num | Sets maximum bits allowed for bitmaps to X | --bitmap-max=24
--cpu-affinity | Str | Locks to CPU devices, separated with commas | --cpu-affinity=1,2,3
--hook-threads | Num | Sets number of threads for a hook (per compute unit) | --hook-threads=8
--hash-info | | Show information for each hash-mode |
--example-hashes | | Alias of --hash-info |
--backend-ignore-cuda | | Do not try to open CUDA interface on startup |
--backend-ignore-hip | | Do not try to open HIP interface on startup |
--backend-ignore-metal | | Do not try to open Metal interface on startup |
--backend-ignore-opencl | | Do not try to open OpenCL interface on startup |
-I, --backend-info | | Show system/evironment/backend API info | -I or -II
-d, --backend-devices | Str | Backend devices to use, separated with commas | -d 1
-D, --opencl-device-types | Str | OpenCL device-types to use, separated with commas | -D 1
-O, --optimized-kernel-enable | | Enable optimized kernels (limits password length) |
-M, --multiply-accel-disable | | Disable multiply kernel-accel with processor count |
-w, --workload-profile | Num | Enable a specific workload profile, see pool below | -w 3
-n, --kernel-accel | Num | Manual workload tuning, set outerloop step size to X | -n 64
-u, --kernel-loops | Num | Manual workload tuning, set innerloop step size to X | -u 256
-T, --kernel-threads | Num | Manual workload tuning, set thread count to X | -T 64
--backend-vector-width | Num | Manually override backend vector-width to X | --backend-vector=4
--spin-damp | Num | Use CPU for device synchronization, in percent | --spin-damp=10
--hwmon-disable | | Disable temperature and fanspeed reads and triggers |
--hwmon-temp-abort | Num | Abort if temperature reaches X degrees Celsius | --hwmon-temp-abort=100
--scrypt-tmto | Num | Manually override TMTO value for scrypt to X | --scrypt-tmto=3
-s, --skip | Num | Skip X words from the start | -s 1000000
-l, --limit | Num | Limit X words from the start + skipped words | -l 1000000
--keyspace | | Show keyspace base:mod values and quit |
-j, --rule-left | Rule | Single rule applied to each word from left wordlist | -j 'c'
-k, --rule-right | Rule | Single rule applied to each word from right wordlist | -k '^-'
-r, --rules-file | File | Multiple rules applied to each word from wordlists | -r rules/best64.rule
-g, --generate-rules | Num | Generate X random rules | -g 10000
--generate-rules-func-min | Num | Force min X functions per rule |
--generate-rules-func-max | Num | Force max X functions per rule |
--generate-rules-func-sel | Str | Pool of rule operators valid for random rule engine | --generate-rules-func-sel=ioTlc
--generate-rules-seed | Num | Force RNG seed set to X |
-1, --custom-charset1 | CS | User-defined charset ?1 | -1 ?l?d?u
-2, --custom-charset2 | CS | User-defined charset ?2 | -2 ?l?d?s
-3, --custom-charset3 | CS | User-defined charset ?3 |
-4, --custom-charset4 | CS | User-defined charset ?4 |
--identify | | Shows all supported algorithms for input hashes | --identify my.hash
-i, --increment | | Enable mask increment mode |
--increment-min | Num | Start mask incrementing at X | --increment-min=4
--increment-max | Num | Stop mask incrementing at X | --increment-max=8
-S, --slow-candidates | | Enable slower (but advanced) candidate generators |
--brain-server | | Enable brain server |
--brain-server-timer | Num | Update the brain server dump each X seconds (min:60) | --brain-server-timer=300
-z, --brain-client | | Enable brain client, activates -S |
--brain-client-features | Num | Define brain client features, see below | --brain-client-features=3
--brain-host | Str | Brain server host (IP or domain) | --brain-host=127.0.0.1
--brain-port | Port | Brain server port | --brain-port=13743
--brain-password | Str | Brain server authentication password | --brain-password=bZfhCvGUSjRq
--brain-session | Hex | Overrides automatically calculated brain session | --brain-session=0x2ae611db
--brain-session-whitelist | Hex | Allow given sessions only, separated with commas | --brain-session-whitelist=0x2ae611db
Hashcat 명령어 사용
hashcat 명령어 입력시 필요한 argument는 아래와 같다. 많은 옵션들이 존재하지만 주요 옵션들에 대해서 정리해 보면,,
Usage: hashcat [options]... hash|hashfile|hccapxfile [dictionary|mask|directory]...
hashcat [옵션*] [crack 대상 hash] [hash crack에 사용할 사전파일, 마스크, 디렉토리]
Hashcat 옵션
1. Attack mode(-a)
- a 또는 --attack-mode : Hash crack을 진행할 공격 방법
ex ) -a 0, -a 1, - a 3,
# | Mode
===+======
0 | Straight //trying all words in a list; also called “straight” mode
1 | Combination // concatenating words from multiple wordlists
3 | Brute-force // trying all characters from given charsets, per position
6 | Hybrid Wordlist + Mask //6,7 : Hybrid Wordlist + Mask, Hybrid Mask + Wordlist : combining wordlists+masks and masks+wordlists
7 | Hybrid Mask + Wordlist
9 | Association
- 0 : Straight
사전 공격 또는 워드리스트 공격으로 제공한 사전 파일과 비교(-a 0)
- 1 : Combination
두개의 사전을 결합하여 공격시도
사전 dict1.txt :
12345
세상에
테스트 통과
사전 dict2.txt :
alice
bob
cat
dog
./hashcat -m 0 -a 1 hash.txt dict1.txt dict2.txt
passalice
passbob
passcat
passdog
12345alice
12345bob
12345cat
12345dog
omgalice
omgbob
omgcat
omgdog
Testalice
Testbob
Testcat
Testdog
* ./hashcat -m 0 -a 1 hash.txt dict1.txt dict1.txt 와 같이 동일한 사전으로도 가능하다
- 3 : Brute-force
keyspace의 모든 조합을 적용하여 공격하거나, 특정 마스크*를 지정하여 무작위 대입공격을 진행
* 마스크에 관한 사항은, 하단에서 설명
- 6,7 : Hybrid Wordlist + Mask, Hybrid Mask + Wordlist
사전단어와 무차별 공격(Brute-Force Attack) 또는 마스크로 생성된 단어를 합친 공격
-a 6 : example.dict ?d?d?d?d
password0000
password0001
password0002
-a 7 : ?d?d?d?d example.dict
0000password
0001password
0002password
1-1. Built-in Charsets
brute force, Hybrid 등 attack mode에서 Mask를 적용이 가능하여 Mask에 관한 내용을 살펴본다.
무차별 대입 공격은 일반적으로 decrytion 된 패스워드 9자 이상부터는 hash를 crack 하는 것이 매우 많은 시간을 필요로 하거나, 불가능하기 때문에 crack 성공할 가능성이 제한되어 있지만, 사용하는 알고리즘과 hashcat에 사용 가능한 리소스(GPU 등)에 따라 달라질 수 있다. 이와 함께, decrytion 된 문자의 형태, 형식을 어느 정도 유추 할 수 있는 상황이라면, Mask를 사용하여 원하는 문자, 길이에 제한을 둠으로써 시도하는 키값을 줄여 효율적으로 공격이 가능하다.
- [ Built-in Charsets ] -
? | Charset
===+=========
l | abcdefghijklmnopqrstuvwxyz [a-z] // 소문자[a-z]
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ [A-Z] // 대문자[A-Z]
d | 0123456789 [0-9] // 숫자[0-9]
h | 0123456789abcdef [0-9a-f] // 숫자[0-9]+소문자[a-z]
H | 0123456789ABCDEF [0-9A-F] // 숫자[0-9]+대문자[A-Z]
s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ // 특수문자
a | ?l?u?d?s // l+u+d+s = 소문자[a-z]+대문자[A-Z]+숫자[0-9]+특수문자
b | 0x00 - 0xff
위의 규칙을 통해 소문자로만 공격을 시도할 것인지, 소문자와 숫자를 사용하거나 a와 같이 복합적으로 사용할 것인지를 지정할 수 있으며 추가적으로, 시도할 문자의 길이도 지정할 수 있다.
example)
- 4자리 숫자 - ?d?d?d?d,
- 8자리 무작위 글자 - ?a?a?a?a?a?a?a?a
이러한 경우는 자릿수가 고정되어, 8자리 무작위 글자(?a?a?a?a?a?a?a?a)의 경우 5자리, 6자리의 패스워드는 확인하지 않는다. 이때 -i 또는 ‐‐increment 옵션을 사용하는 경우 1자리부터 지정한 자릿수까지 순차적으로 진행한다.
* 최소, 최대 범위 지정도 가능한데, -i --increment-min=3 --increment-max=6 와 같이 사용하여 3~6자리 문자로 지정가능하며, increment-max의 범위는 위에서 지정한 마스크(8자리) 범위 이상(9자리 등)으로는 설정하여도 동작하지 않는다.
예를 통해 실제로 사용 예를 살펴보면,
example) 비밀번호 *H4ck* 의 NTLM(-m 1000) 해시를 가져와서 무차별 대입 모드(-a 3)로 공격
- hashcat -m 1000 42EF98F2E9B77304716D2AECA2F0BD96 -a3 '?a?a?a?a?a?a?a'
2. Hash modes(-m)
m 또는 --hash-type : Hash crack을 진행하고자 하는 대상 알고리즘
ex ) -m 0, -m 100, -m 1000, -m 1410
- 0 : MD5, 100 : SHA1, 1000 : NTLM, 1410 : SHA256($pass,$salt)
- [ Hash modes ] -
# | Name | Category
======+============================================================+======================================
900 | MD4 | Raw Hash
0 | MD5 | Raw Hash
100 | SHA1 | Raw Hash
1300 | SHA2-224 | Raw Hash
1400 | SHA2-256 | Raw Hash
10800 | SHA2-384 | Raw Hash
1700 | SHA2-512 | Raw Hash
17300 | SHA3-224 | Raw Hash
17400 | SHA3-256 | Raw Hash
17500 | SHA3-384 | Raw Hash
17600 | SHA3-512 | Raw Hash
6000 | RIPEMD-160 | Raw Hash
600 | BLAKE2b-512 | Raw Hash
11700 | GOST R 34.11-2012 (Streebog) 256-bit, big-endian | Raw Hash
11800 | GOST R 34.11-2012 (Streebog) 512-bit, big-endian | Raw Hash
6900 | GOST R 34.11-94 | Raw Hash
17010 | GPG (AES-128/AES-256 (SHA-1($pass))) | Raw Hash
5100 | Half MD5 | Raw Hash
17700 | Keccak-224 | Raw Hash
17800 | Keccak-256 | Raw Hash
17900 | Keccak-384 | Raw Hash
18000 | Keccak-512 | Raw Hash
6100 | Whirlpool | Raw Hash
10100 | SipHash | Raw Hash
70 | md5(utf16le($pass)) | Raw Hash
170 | sha1(utf16le($pass)) | Raw Hash
1470 | sha256(utf16le($pass)) | Raw Hash
10870 | sha384(utf16le($pass)) | Raw Hash
1770 | sha512(utf16le($pass)) | Raw Hash
610 | BLAKE2b-512($pass.$salt) | Raw Hash salted and/or iterated
620 | BLAKE2b-512($salt.$pass) | Raw Hash salted and/or iterated
10 | md5($pass.$salt) | Raw Hash salted and/or iterated
20 | md5($salt.$pass) | Raw Hash salted and/or iterated
3800 | md5($salt.$pass.$salt) | Raw Hash salted and/or iterated
3710 | md5($salt.md5($pass)) | Raw Hash salted and/or iterated
4110 | md5($salt.md5($pass.$salt)) | Raw Hash salted and/or iterated
4010 | md5($salt.md5($salt.$pass)) | Raw Hash salted and/or iterated
21300 | md5($salt.sha1($salt.$pass)) | Raw Hash salted and/or iterated
40 | md5($salt.utf16le($pass)) | Raw Hash salted and/or iterated
2600 | md5(md5($pass)) | Raw Hash salted and/or iterated
3910 | md5(md5($pass).md5($salt)) | Raw Hash salted and/or iterated
3500 | md5(md5(md5($pass))) | Raw Hash salted and/or iterated
4400 | md5(sha1($pass)) | Raw Hash salted and/or iterated
4410 | md5(sha1($pass).$salt) | Raw Hash salted and/or iterated
20900 | md5(sha1($pass).md5($pass).sha1($pass)) | Raw Hash salted and/or iterated
21200 | md5(sha1($salt).md5($pass)) | Raw Hash salted and/or iterated
4300 | md5(strtoupper(md5($pass))) | Raw Hash salted and/or iterated
30 | md5(utf16le($pass).$salt) | Raw Hash salted and/or iterated
110 | sha1($pass.$salt) | Raw Hash salted and/or iterated
120 | sha1($salt.$pass) | Raw Hash salted and/or iterated
4900 | sha1($salt.$pass.$salt) | Raw Hash salted and/or iterated
4520 | sha1($salt.sha1($pass)) | Raw Hash salted and/or iterated
24300 | sha1($salt.sha1($pass.$salt)) | Raw Hash salted and/or iterated
140 | sha1($salt.utf16le($pass)) | Raw Hash salted and/or iterated
19300 | sha1($salt1.$pass.$salt2) | Raw Hash salted and/or iterated
14400 | sha1(CX) | Raw Hash salted and/or iterated
4700 | sha1(md5($pass)) | Raw Hash salted and/or iterated
4710 | sha1(md5($pass).$salt) | Raw Hash salted and/or iterated
21100 | sha1(md5($pass.$salt)) | Raw Hash salted and/or iterated
18500 | sha1(md5(md5($pass))) | Raw Hash salted and/or iterated
4500 | sha1(sha1($pass)) | Raw Hash salted and/or iterated
4510 | sha1(sha1($pass).$salt) | Raw Hash salted and/or iterated
5000 | sha1(sha1($salt.$pass.$salt)) | Raw Hash salted and/or iterated
130 | sha1(utf16le($pass).$salt) | Raw Hash salted and/or iterated
1410 | sha256($pass.$salt) | Raw Hash salted and/or iterated
1420 | sha256($salt.$pass) | Raw Hash salted and/or iterated
22300 | sha256($salt.$pass.$salt) | Raw Hash salted and/or iterated
20720 | sha256($salt.sha256($pass)) | Raw Hash salted and/or iterated
21420 | sha256($salt.sha256_bin($pass)) | Raw Hash salted and/or iterated
1440 | sha256($salt.utf16le($pass)) | Raw Hash salted and/or iterated
20800 | sha256(md5($pass)) | Raw Hash salted and/or iterated
20710 | sha256(sha256($pass).$salt) | Raw Hash salted and/or iterated
21400 | sha256(sha256_bin($pass)) | Raw Hash salted and/or iterated
1430 | sha256(utf16le($pass).$salt) | Raw Hash salted and/or iterated
10810 | sha384($pass.$salt) | Raw Hash salted and/or iterated
10820 | sha384($salt.$pass) | Raw Hash salted and/or iterated
10840 | sha384($salt.utf16le($pass)) | Raw Hash salted and/or iterated
10830 | sha384(utf16le($pass).$salt) | Raw Hash salted and/or iterated
1710 | sha512($pass.$salt) | Raw Hash salted and/or iterated
1720 | sha512($salt.$pass) | Raw Hash salted and/or iterated
1740 | sha512($salt.utf16le($pass)) | Raw Hash salted and/or iterated
1730 | sha512(utf16le($pass).$salt) | Raw Hash salted and/or iterated
50 | HMAC-MD5 (key = $pass) | Raw Hash authenticated
60 | HMAC-MD5 (key = $salt) | Raw Hash authenticated
150 | HMAC-SHA1 (key = $pass) | Raw Hash authenticated
160 | HMAC-SHA1 (key = $salt) | Raw Hash authenticated
1450 | HMAC-SHA256 (key = $pass) | Raw Hash authenticated
1460 | HMAC-SHA256 (key = $salt) | Raw Hash authenticated
1750 | HMAC-SHA512 (key = $pass) | Raw Hash authenticated
1760 | HMAC-SHA512 (key = $salt) | Raw Hash authenticated
11750 | HMAC-Streebog-256 (key = $pass), big-endian | Raw Hash authenticated
11760 | HMAC-Streebog-256 (key = $salt), big-endian | Raw Hash authenticated
11850 | HMAC-Streebog-512 (key = $pass), big-endian | Raw Hash authenticated
11860 | HMAC-Streebog-512 (key = $salt), big-endian | Raw Hash authenticated
28700 | Amazon AWS4-HMAC-SHA256 | Raw Hash authenticated
11500 | CRC32 | Raw Checksum
27900 | CRC32C | Raw Checksum
28000 | CRC64Jones | Raw Checksum
18700 | Java Object hashCode() | Raw Checksum
25700 | MurmurHash | Raw Checksum
27800 | MurmurHash3 | Raw Checksum
14100 | 3DES (PT = $salt, key = $pass) | Raw Cipher, Known-plaintext attack
14000 | DES (PT = $salt, key = $pass) | Raw Cipher, Known-plaintext attack
26401 | AES-128-ECB NOKDF (PT = $salt, key = $pass) | Raw Cipher, Known-plaintext attack
26402 | AES-192-ECB NOKDF (PT = $salt, key = $pass) | Raw Cipher, Known-plaintext attack
26403 | AES-256-ECB NOKDF (PT = $salt, key = $pass) | Raw Cipher, Known-plaintext attack
15400 | ChaCha20 | Raw Cipher, Known-plaintext attack
14500 | Linux Kernel Crypto API (2.4) | Raw Cipher, Known-plaintext attack
14900 | Skip32 (PT = $salt, key = $pass) | Raw Cipher, Known-plaintext attack
11900 | PBKDF2-HMAC-MD5 | Generic KDF
12000 | PBKDF2-HMAC-SHA1 | Generic KDF
10900 | PBKDF2-HMAC-SHA256 | Generic KDF
12100 | PBKDF2-HMAC-SHA512 | Generic KDF
8900 | scrypt | Generic KDF
400 | phpass | Generic KDF
16100 | TACACS+ | Network Protocol
11400 | SIP digest authentication (MD5) | Network Protocol
5300 | IKE-PSK MD5 | Network Protocol
5400 | IKE-PSK SHA1 | Network Protocol
25100 | SNMPv3 HMAC-MD5-96 | Network Protocol
25000 | SNMPv3 HMAC-MD5-96/HMAC-SHA1-96 | Network Protocol
25200 | SNMPv3 HMAC-SHA1-96 | Network Protocol
26700 | SNMPv3 HMAC-SHA224-128 | Network Protocol
26800 | SNMPv3 HMAC-SHA256-192 | Network Protocol
26900 | SNMPv3 HMAC-SHA384-256 | Network Protocol
27300 | SNMPv3 HMAC-SHA512-384 | Network Protocol
2500 | WPA-EAPOL-PBKDF2 | Network Protocol
2501 | WPA-EAPOL-PMK | Network Protocol
22000 | WPA-PBKDF2-PMKID+EAPOL | Network Protocol
22001 | WPA-PMK-PMKID+EAPOL | Network Protocol
16800 | WPA-PMKID-PBKDF2 | Network Protocol
16801 | WPA-PMKID-PMK | Network Protocol
7300 | IPMI2 RAKP HMAC-SHA1 | Network Protocol
10200 | CRAM-MD5 | Network Protocol
16500 | JWT (JSON Web Token) | Network Protocol
29200 | Radmin3 | Network Protocol
19600 | Kerberos 5, etype 17, TGS-REP | Network Protocol
19800 | Kerberos 5, etype 17, Pre-Auth | Network Protocol
28800 | Kerberos 5, etype 17, DB | Network Protocol
19700 | Kerberos 5, etype 18, TGS-REP | Network Protocol
19900 | Kerberos 5, etype 18, Pre-Auth | Network Protocol
28900 | Kerberos 5, etype 18, DB | Network Protocol
7500 | Kerberos 5, etype 23, AS-REQ Pre-Auth | Network Protocol
13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol
18200 | Kerberos 5, etype 23, AS-REP | Network Protocol
5500 | NetNTLMv1 / NetNTLMv1+ESS | Network Protocol
27000 | NetNTLMv1 / NetNTLMv1+ESS (NT) | Network Protocol
5600 | NetNTLMv2 | Network Protocol
27100 | NetNTLMv2 (NT) | Network Protocol
29100 | Flask Session Cookie ($salt.$salt.$pass) | Network Protocol
4800 | iSCSI CHAP authentication, MD5(CHAP) | Network Protocol
8500 | RACF | Operating System
6300 | AIX {smd5} | Operating System
6700 | AIX {ssha1} | Operating System
6400 | AIX {ssha256} | Operating System
6500 | AIX {ssha512} | Operating System
3000 | LM | Operating System
19000 | QNX /etc/shadow (MD5) | Operating System
19100 | QNX /etc/shadow (SHA256) | Operating System
19200 | QNX /etc/shadow (SHA512) | Operating System
15300 | DPAPI masterkey file v1 (context 1 and 2) | Operating System
15310 | DPAPI masterkey file v1 (context 3) | Operating System
15900 | DPAPI masterkey file v2 (context 1 and 2) | Operating System
15910 | DPAPI masterkey file v2 (context 3) | Operating System
7200 | GRUB 2 | Operating System
12800 | MS-AzureSync PBKDF2-HMAC-SHA256 | Operating System
12400 | BSDi Crypt, Extended DES | Operating System
1000 | NTLM | Operating System
9900 | Radmin2 | Operating System
5800 | Samsung Android Password/PIN | Operating System
28100 | Windows Hello PIN/Password | Operating System
13800 | Windows Phone 8+ PIN/password | Operating System
2410 | Cisco-ASA MD5 | Operating System
9200 | Cisco-IOS $8$ (PBKDF2-SHA256) | Operating System
9300 | Cisco-IOS $9$ (scrypt) | Operating System
5700 | Cisco-IOS type 4 (SHA256) | Operating System
2400 | Cisco-PIX MD5 | Operating System
8100 | Citrix NetScaler (SHA1) | Operating System
22200 | Citrix NetScaler (SHA512) | Operating System
1100 | Domain Cached Credentials (DCC), MS Cache | Operating System
2100 | Domain Cached Credentials 2 (DCC2), MS Cache 2 | Operating System
7000 | FortiGate (FortiOS) | Operating System
26300 | FortiGate256 (FortiOS256) | Operating System
125 | ArubaOS | Operating System
501 | Juniper IVE | Operating System
22 | Juniper NetScreen/SSG (ScreenOS) | Operating System
15100 | Juniper/NetBSD sha1crypt | Operating System
26500 | iPhone passcode (UID key + System Keybag) | Operating System
122 | macOS v10.4, macOS v10.5, macOS v10.6 | Operating System
1722 | macOS v10.7 | Operating System
7100 | macOS v10.8+ (PBKDF2-SHA512) | Operating System
3200 | bcrypt $2*$, Blowfish (Unix) | Operating System
500 | md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5) | Operating System
1500 | descrypt, DES (Unix), Traditional DES | Operating System
29000 | sha1($salt.sha1(utf16le($username).':'.utf16le($pass))) | Operating System
7400 | sha256crypt $5$, SHA256 (Unix) | Operating System
1800 | sha512crypt $6$, SHA512 (Unix) | Operating System
24600 | SQLCipher | Database Server
131 | MSSQL (2000) | Database Server
132 | MSSQL (2005) | Database Server
1731 | MSSQL (2012, 2014) | Database Server
24100 | MongoDB ServerKey SCRAM-SHA-1 | Database Server
24200 | MongoDB ServerKey SCRAM-SHA-256 | Database Server
12 | PostgreSQL | Database Server
11100 | PostgreSQL CRAM (MD5) | Database Server
28600 | PostgreSQL SCRAM-SHA-256 | Database Server
3100 | Oracle H: Type (Oracle 7+) | Database Server
112 | Oracle S: Type (Oracle 11+) | Database Server
12300 | Oracle T: Type (Oracle 12+) | Database Server
7401 | MySQL $A$ (sha256crypt) | Database Server
11200 | MySQL CRAM (SHA1) | Database Server
200 | MySQL323 | Database Server
300 | MySQL4.1/MySQL5 | Database Server
8000 | Sybase ASE | Database Server
8300 | DNSSEC (NSEC3) | FTP, HTTP, SMTP, LDAP Server
25900 | KNX IP Secure - Device Authentication Code | FTP, HTTP, SMTP, LDAP Server
16400 | CRAM-MD5 Dovecot | FTP, HTTP, SMTP, LDAP Server
1411 | SSHA-256(Base64), LDAP {SSHA256} | FTP, HTTP, SMTP, LDAP Server
1711 | SSHA-512(Base64), LDAP {SSHA512} | FTP, HTTP, SMTP, LDAP Server
24900 | Dahua Authentication MD5 | FTP, HTTP, SMTP, LDAP Server
10901 | RedHat 389-DS LDAP (PBKDF2-HMAC-SHA256) | FTP, HTTP, SMTP, LDAP Server
15000 | FileZilla Server >= 0.9.55 | FTP, HTTP, SMTP, LDAP Server
12600 | ColdFusion 10+ | FTP, HTTP, SMTP, LDAP Server
1600 | Apache $apr1$ MD5, md5apr1, MD5 (APR) | FTP, HTTP, SMTP, LDAP Server
141 | Episerver 6.x < .NET 4 | FTP, HTTP, SMTP, LDAP Server
1441 | Episerver 6.x >= .NET 4 | FTP, HTTP, SMTP, LDAP Server
1421 | hMailServer | FTP, HTTP, SMTP, LDAP Server
101 | nsldap, SHA-1(Base64), Netscape LDAP SHA | FTP, HTTP, SMTP, LDAP Server
111 | nsldaps, SSHA-1(Base64), Netscape LDAP SSHA | FTP, HTTP, SMTP, LDAP Server
7700 | SAP CODVN B (BCODE) | Enterprise Application Software (EAS)
7701 | SAP CODVN B (BCODE) from RFC_READ_TABLE | Enterprise Application Software (EAS)
7800 | SAP CODVN F/G (PASSCODE) | Enterprise Application Software (EAS)
7801 | SAP CODVN F/G (PASSCODE) from RFC_READ_TABLE | Enterprise Application Software (EAS)
10300 | SAP CODVN H (PWDSALTEDHASH) iSSHA-1 | Enterprise Application Software (EAS)
133 | PeopleSoft | Enterprise Application Software (EAS)
13500 | PeopleSoft PS_TOKEN | Enterprise Application Software (EAS)
21500 | SolarWinds Orion | Enterprise Application Software (EAS)
21501 | SolarWinds Orion v2 | Enterprise Application Software (EAS)
24 | SolarWinds Serv-U | Enterprise Application Software (EAS)
8600 | Lotus Notes/Domino 5 | Enterprise Application Software (EAS)
8700 | Lotus Notes/Domino 6 | Enterprise Application Software (EAS)
9100 | Lotus Notes/Domino 8 | Enterprise Application Software (EAS)
26200 | OpenEdge Progress Encode | Enterprise Application Software (EAS)
20600 | Oracle Transportation Management (SHA256) | Enterprise Application Software (EAS)
4711 | Huawei sha1(md5($pass).$salt) | Enterprise Application Software (EAS)
20711 | AuthMe sha256 | Enterprise Application Software (EAS)
22400 | AES Crypt (SHA256) | Full-Disk Encryption (FDE)
27400 | VMware VMX (PBKDF2-HMAC-SHA1 + AES-256-CBC) | Full-Disk Encryption (FDE)
14600 | LUKS v1 (legacy) | Full-Disk Encryption (FDE)
29541 | LUKS v1 RIPEMD-160 + AES | Full-Disk Encryption (FDE)
29542 | LUKS v1 RIPEMD-160 + Serpent | Full-Disk Encryption (FDE)
29543 | LUKS v1 RIPEMD-160 + Twofish | Full-Disk Encryption (FDE)
29511 | LUKS v1 SHA-1 + AES | Full-Disk Encryption (FDE)
29512 | LUKS v1 SHA-1 + Serpent | Full-Disk Encryption (FDE)
29513 | LUKS v1 SHA-1 + Twofish | Full-Disk Encryption (FDE)
29521 | LUKS v1 SHA-256 + AES | Full-Disk Encryption (FDE)
29522 | LUKS v1 SHA-256 + Serpent | Full-Disk Encryption (FDE)
29523 | LUKS v1 SHA-256 + Twofish | Full-Disk Encryption (FDE)
29531 | LUKS v1 SHA-512 + AES | Full-Disk Encryption (FDE)
29532 | LUKS v1 SHA-512 + Serpent | Full-Disk Encryption (FDE)
29533 | LUKS v1 SHA-512 + Twofish | Full-Disk Encryption (FDE)
13711 | VeraCrypt RIPEMD160 + XTS 512 bit (legacy) | Full-Disk Encryption (FDE)
13712 | VeraCrypt RIPEMD160 + XTS 1024 bit (legacy) | Full-Disk Encryption (FDE)
13713 | VeraCrypt RIPEMD160 + XTS 1536 bit (legacy) | Full-Disk Encryption (FDE)
13741 | VeraCrypt RIPEMD160 + XTS 512 bit + boot-mode (legacy) | Full-Disk Encryption (FDE)
13742 | VeraCrypt RIPEMD160 + XTS 1024 bit + boot-mode (legacy) | Full-Disk Encryption (FDE)
13743 | VeraCrypt RIPEMD160 + XTS 1536 bit + boot-mode (legacy) | Full-Disk Encryption (FDE)
29411 | VeraCrypt RIPEMD160 + XTS 512 bit | Full-Disk Encryption (FDE)
29412 | VeraCrypt RIPEMD160 + XTS 1024 bit | Full-Disk Encryption (FDE)
29413 | VeraCrypt RIPEMD160 + XTS 1536 bit | Full-Disk Encryption (FDE)
29441 | VeraCrypt RIPEMD160 + XTS 512 bit + boot-mode | Full-Disk Encryption (FDE)
29442 | VeraCrypt RIPEMD160 + XTS 1024 bit + boot-mode | Full-Disk Encryption (FDE)
29443 | VeraCrypt RIPEMD160 + XTS 1536 bit + boot-mode | Full-Disk Encryption (FDE)
13751 | VeraCrypt SHA256 + XTS 512 bit (legacy) | Full-Disk Encryption (FDE)
13752 | VeraCrypt SHA256 + XTS 1024 bit (legacy) | Full-Disk Encryption (FDE)
13753 | VeraCrypt SHA256 + XTS 1536 bit (legacy) | Full-Disk Encryption (FDE)
13761 | VeraCrypt SHA256 + XTS 512 bit + boot-mode (legacy) | Full-Disk Encryption (FDE)
13762 | VeraCrypt SHA256 + XTS 1024 bit + boot-mode (legacy) | Full-Disk Encryption (FDE)
13763 | VeraCrypt SHA256 + XTS 1536 bit + boot-mode (legacy) | Full-Disk Encryption (FDE)
29451 | VeraCrypt SHA256 + XTS 512 bit | Full-Disk Encryption (FDE)
29452 | VeraCrypt SHA256 + XTS 1024 bit | Full-Disk Encryption (FDE)
29453 | VeraCrypt SHA256 + XTS 1536 bit | Full-Disk Encryption (FDE)
29461 | VeraCrypt SHA256 + XTS 512 bit + boot-mode | Full-Disk Encryption (FDE)
29462 | VeraCrypt SHA256 + XTS 1024 bit + boot-mode | Full-Disk Encryption (FDE)
29463 | VeraCrypt SHA256 + XTS 1536 bit + boot-mode | Full-Disk Encryption (FDE)
13721 | VeraCrypt SHA512 + XTS 512 bit (legacy) | Full-Disk Encryption (FDE)
13722 | VeraCrypt SHA512 + XTS 1024 bit (legacy) | Full-Disk Encryption (FDE)
13723 | VeraCrypt SHA512 + XTS 1536 bit (legacy) | Full-Disk Encryption (FDE)
29421 | VeraCrypt SHA512 + XTS 512 bit | Full-Disk Encryption (FDE)
29422 | VeraCrypt SHA512 + XTS 1024 bit | Full-Disk Encryption (FDE)
29423 | VeraCrypt SHA512 + XTS 1536 bit | Full-Disk Encryption (FDE)
13771 | VeraCrypt Streebog-512 + XTS 512 bit (legacy) | Full-Disk Encryption (FDE)
13772 | VeraCrypt Streebog-512 + XTS 1024 bit (legacy) | Full-Disk Encryption (FDE)
13773 | VeraCrypt Streebog-512 + XTS 1536 bit (legacy) | Full-Disk Encryption (FDE)
13781 | VeraCrypt Streebog-512 + XTS 512 bit + boot-mode (legacy) | Full-Disk Encryption (FDE)
13782 | VeraCrypt Streebog-512 + XTS 1024 bit + boot-mode (legacy) | Full-Disk Encryption (FDE)
13783 | VeraCrypt Streebog-512 + XTS 1536 bit + boot-mode (legacy) | Full-Disk Encryption (FDE)
29471 | VeraCrypt Streebog-512 + XTS 512 bit | Full-Disk Encryption (FDE)
29472 | VeraCrypt Streebog-512 + XTS 1024 bit | Full-Disk Encryption (FDE)
29473 | VeraCrypt Streebog-512 + XTS 1536 bit | Full-Disk Encryption (FDE)
29481 | VeraCrypt Streebog-512 + XTS 512 bit + boot-mode | Full-Disk Encryption (FDE)
29482 | VeraCrypt Streebog-512 + XTS 1024 bit + boot-mode | Full-Disk Encryption (FDE)
29483 | VeraCrypt Streebog-512 + XTS 1536 bit + boot-mode | Full-Disk Encryption (FDE)
13731 | VeraCrypt Whirlpool + XTS 512 bit (legacy) | Full-Disk Encryption (FDE)
13732 | VeraCrypt Whirlpool + XTS 1024 bit (legacy) | Full-Disk Encryption (FDE)
13733 | VeraCrypt Whirlpool + XTS 1536 bit (legacy) | Full-Disk Encryption (FDE)
29431 | VeraCrypt Whirlpool + XTS 512 bit | Full-Disk Encryption (FDE)
29432 | VeraCrypt Whirlpool + XTS 1024 bit | Full-Disk Encryption (FDE)
29433 | VeraCrypt Whirlpool + XTS 1536 bit | Full-Disk Encryption (FDE)
23900 | BestCrypt v3 Volume Encryption | Full-Disk Encryption (FDE)
16700 | FileVault 2 | Full-Disk Encryption (FDE)
27500 | VirtualBox (PBKDF2-HMAC-SHA256 & AES-128-XTS) | Full-Disk Encryption (FDE)
27600 | VirtualBox (PBKDF2-HMAC-SHA256 & AES-256-XTS) | Full-Disk Encryption (FDE)
20011 | DiskCryptor SHA512 + XTS 512 bit | Full-Disk Encryption (FDE)
20012 | DiskCryptor SHA512 + XTS 1024 bit | Full-Disk Encryption (FDE)
20013 | DiskCryptor SHA512 + XTS 1536 bit | Full-Disk Encryption (FDE)
22100 | BitLocker | Full-Disk Encryption (FDE)
12900 | Android FDE (Samsung DEK) | Full-Disk Encryption (FDE)
8800 | Android FDE <= 4.3 | Full-Disk Encryption (FDE)
18300 | Apple File System (APFS) | Full-Disk Encryption (FDE)
6211 | TrueCrypt RIPEMD160 + XTS 512 bit (legacy) | Full-Disk Encryption (FDE)
6212 | TrueCrypt RIPEMD160 + XTS 1024 bit (legacy) | Full-Disk Encryption (FDE)
6213 | TrueCrypt RIPEMD160 + XTS 1536 bit (legacy) | Full-Disk Encryption (FDE)
6241 | TrueCrypt RIPEMD160 + XTS 512 bit + boot-mode (legacy) | Full-Disk Encryption (FDE)
6242 | TrueCrypt RIPEMD160 + XTS 1024 bit + boot-mode (legacy) | Full-Disk Encryption (FDE)
6243 | TrueCrypt RIPEMD160 + XTS 1536 bit + boot-mode (legacy) | Full-Disk Encryption (FDE)
29311 | TrueCrypt RIPEMD160 + XTS 512 bit | Full-Disk Encryption (FDE)
29312 | TrueCrypt RIPEMD160 + XTS 1024 bit | Full-Disk Encryption (FDE)
29313 | TrueCrypt RIPEMD160 + XTS 1536 bit | Full-Disk Encryption (FDE)
29341 | TrueCrypt RIPEMD160 + XTS 512 bit + boot-mode | Full-Disk Encryption (FDE)
29342 | TrueCrypt RIPEMD160 + XTS 1024 bit + boot-mode | Full-Disk Encryption (FDE)
29343 | TrueCrypt RIPEMD160 + XTS 1536 bit + boot-mode | Full-Disk Encryption (FDE)
6221 | TrueCrypt SHA512 + XTS 512 bit (legacy) | Full-Disk Encryption (FDE)
6222 | TrueCrypt SHA512 + XTS 1024 bit (legacy) | Full-Disk Encryption (FDE)
6223 | TrueCrypt SHA512 + XTS 1536 bit (legacy) | Full-Disk Encryption (FDE)
29321 | TrueCrypt SHA512 + XTS 512 bit | Full-Disk Encryption (FDE)
29322 | TrueCrypt SHA512 + XTS 1024 bit | Full-Disk Encryption (FDE)
29323 | TrueCrypt SHA512 + XTS 1536 bit | Full-Disk Encryption (FDE)
6231 | TrueCrypt Whirlpool + XTS 512 bit (legacy) | Full-Disk Encryption (FDE)
6232 | TrueCrypt Whirlpool + XTS 1024 bit (legacy) | Full-Disk Encryption (FDE)
6233 | TrueCrypt Whirlpool + XTS 1536 bit (legacy) | Full-Disk Encryption (FDE)
29331 | TrueCrypt Whirlpool + XTS 512 bit | Full-Disk Encryption (FDE)
29332 | TrueCrypt Whirlpool + XTS 1024 bit | Full-Disk Encryption (FDE)
29333 | TrueCrypt Whirlpool + XTS 1536 bit | Full-Disk Encryption (FDE)
12200 | eCryptfs | Full-Disk Encryption (FDE)
10400 | PDF 1.1 - 1.3 (Acrobat 2 - 4) | Document
10410 | PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #1 | Document
10420 | PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2 | Document
10500 | PDF 1.4 - 1.6 (Acrobat 5 - 8) | Document
25400 | PDF 1.4 - 1.6 (Acrobat 5 - 8) - user and owner pass | Document
10600 | PDF 1.7 Level 3 (Acrobat 9) | Document
10700 | PDF 1.7 Level 8 (Acrobat 10 - 11) | Document
9400 | MS Office 2007 | Document
9500 | MS Office 2010 | Document
9600 | MS Office 2013 | Document
25300 | MS Office 2016 - SheetProtection | Document
9700 | MS Office <= 2003 $0/$1, MD5 + RC4 | Document
9710 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #1 | Document
9720 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #2 | Document
9810 | MS Office <= 2003 $3, SHA1 + RC4, collider #1 | Document
9820 | MS Office <= 2003 $3, SHA1 + RC4, collider #2 | Document
9800 | MS Office <= 2003 $3/$4, SHA1 + RC4 | Document
18400 | Open Document Format (ODF) 1.2 (SHA-256, AES) | Document
18600 | Open Document Format (ODF) 1.1 (SHA-1, Blowfish) | Document
16200 | Apple Secure Notes | Document
23300 | Apple iWork | Document
6600 | 1Password, agilekeychain | Password Manager
8200 | 1Password, cloudkeychain | Password Manager
9000 | Password Safe v2 | Password Manager
5200 | Password Safe v3 | Password Manager
6800 | LastPass + LastPass sniffed | Password Manager
13400 | KeePass 1 (AES/Twofish) and KeePass 2 (AES) | Password Manager
23400 | Bitwarden | Password Manager
16900 | Ansible Vault | Password Manager
26000 | Mozilla key3.db | Password Manager
26100 | Mozilla key4.db | Password Manager
23100 | Apple Keychain | Password Manager
11600 | 7-Zip | Archive
12500 | RAR3-hp | Archive
23800 | RAR3-p (Compressed) | Archive
23700 | RAR3-p (Uncompressed) | Archive
13000 | RAR5 | Archive
17220 | PKZIP (Compressed Multi-File) | Archive
17200 | PKZIP (Compressed) | Archive
17225 | PKZIP (Mixed Multi-File) | Archive
17230 | PKZIP (Mixed Multi-File Checksum-Only) | Archive
17210 | PKZIP (Uncompressed) | Archive
20500 | PKZIP Master Key | Archive
20510 | PKZIP Master Key (6 byte optimization) | Archive
23001 | SecureZIP AES-128 | Archive
23002 | SecureZIP AES-192 | Archive
23003 | SecureZIP AES-256 | Archive
13600 | WinZip | Archive
18900 | Android Backup | Archive
24700 | Stuffit5 | Archive
13200 | AxCrypt 1 | Archive
13300 | AxCrypt 1 in-memory SHA1 | Archive
23500 | AxCrypt 2 AES-128 | Archive
23600 | AxCrypt 2 AES-256 | Archive
14700 | iTunes backup < 10.0 | Archive
14800 | iTunes backup >= 10.0 | Archive
8400 | WBB3 (Woltlab Burning Board) | Forums, CMS, E-Commerce
2612 | PHPS | Forums, CMS, E-Commerce
121 | SMF (Simple Machines Forum) > v1.1 | Forums, CMS, E-Commerce
3711 | MediaWiki B type | Forums, CMS, E-Commerce
4521 | Redmine | Forums, CMS, E-Commerce
24800 | Umbraco HMAC-SHA1 | Forums, CMS, E-Commerce
11 | Joomla < 2.5.18 | Forums, CMS, E-Commerce
13900 | OpenCart | Forums, CMS, E-Commerce
11000 | PrestaShop | Forums, CMS, E-Commerce
16000 | Tripcode | Forums, CMS, E-Commerce
7900 | Drupal7 | Forums, CMS, E-Commerce
4522 | PunBB | Forums, CMS, E-Commerce
2811 | MyBB 1.2+, IPB2+ (Invision Power Board) | Forums, CMS, E-Commerce
2611 | vBulletin < v3.8.5 | Forums, CMS, E-Commerce
2711 | vBulletin >= v3.8.5 | Forums, CMS, E-Commerce
25600 | bcrypt(md5($pass)) / bcryptmd5 | Forums, CMS, E-Commerce
25800 | bcrypt(sha1($pass)) / bcryptsha1 | Forums, CMS, E-Commerce
28400 | bcrypt(sha512($pass)) / bcryptsha512 | Forums, CMS, E-Commerce
21 | osCommerce, xt:Commerce | Forums, CMS, E-Commerce
18100 | TOTP (HMAC-SHA1) | One-Time Password
2000 | STDOUT | Plaintext
99999 | Plaintext | Plaintext
21600 | Web2py pbkdf2-sha512 | Framework
10000 | Django (PBKDF2-SHA256) | Framework
124 | Django (SHA-1) | Framework
12001 | Atlassian (PBKDF2-HMAC-SHA1) | Framework
19500 | Ruby on Rails Restful-Authentication | Framework
27200 | Ruby on Rails Restful Auth (one round, no sitekey) | Framework
20200 | Python passlib pbkdf2-sha512 | Framework
20300 | Python passlib pbkdf2-sha256 | Framework
20400 | Python passlib pbkdf2-sha1 | Framework
24410 | PKCS#8 Private Keys (PBKDF2-HMAC-SHA1 + 3DES/AES) | Private Key
24420 | PKCS#8 Private Keys (PBKDF2-HMAC-SHA256 + 3DES/AES) | Private Key
15500 | JKS Java Key Store Private Keys (SHA1) | Private Key
22911 | RSA/DSA/EC/OpenSSH Private Keys ($0$) | Private Key
22921 | RSA/DSA/EC/OpenSSH Private Keys ($6$) | Private Key
22931 | RSA/DSA/EC/OpenSSH Private Keys ($1, $3$) | Private Key
22941 | RSA/DSA/EC/OpenSSH Private Keys ($4$) | Private Key
22951 | RSA/DSA/EC/OpenSSH Private Keys ($5$) | Private Key
23200 | XMPP SCRAM PBKDF2-SHA1 | Instant Messaging Service
28300 | Teamspeak 3 (channel hash) | Instant Messaging Service
22600 | Telegram Desktop < v2.1.14 (PBKDF2-HMAC-SHA1) | Instant Messaging Service
24500 | Telegram Desktop >= v2.1.14 (PBKDF2-HMAC-SHA512) | Instant Messaging Service
22301 | Telegram Mobile App Passcode (SHA256) | Instant Messaging Service
23 | Skype | Instant Messaging Service
26600 | MetaMask Wallet | Cryptocurrency Wallet
21000 | BitShares v0.x - sha512(sha512_bin(pass)) | Cryptocurrency Wallet
28501 | Bitcoin WIF private key (P2PKH), compressed | Cryptocurrency Wallet
28502 | Bitcoin WIF private key (P2PKH), uncompressed | Cryptocurrency Wallet
28503 | Bitcoin WIF private key (P2WSH, Bech32), compressed | Cryptocurrency Wallet
28504 | Bitcoin WIF private key (P2WSH, Bech32), uncompressed | Cryptocurrency Wallet
11300 | Bitcoin/Litecoin wallet.dat | Cryptocurrency Wallet
16600 | Electrum Wallet (Salt-Type 1-3) | Cryptocurrency Wallet
21700 | Electrum Wallet (Salt-Type 4) | Cryptocurrency Wallet
21800 | Electrum Wallet (Salt-Type 5) | Cryptocurrency Wallet
12700 | Blockchain, My Wallet | Cryptocurrency Wallet
15200 | Blockchain, My Wallet, V2 | Cryptocurrency Wallet
18800 | Blockchain, My Wallet, Second Password (SHA256) | Cryptocurrency Wallet
25500 | Stargazer Stellar Wallet XLM | Cryptocurrency Wallet
16300 | Ethereum Pre-Sale Wallet, PBKDF2-HMAC-SHA256 | Cryptocurrency Wallet
15600 | Ethereum Wallet, PBKDF2-HMAC-SHA256 | Cryptocurrency Wallet
15700 | Ethereum Wallet, SCRYPT | Cryptocurrency Wallet
22500 | MultiBit Classic .key (MD5) | Cryptocurrency Wallet
27700 | MultiBit Classic .wallet (scrypt) | Cryptocurrency Wallet
22700 | MultiBit HD (scrypt) | Cryptocurrency Wallet
28200 | Exodus Desktop Wallet (scrypt) | Cryptocurrency Wallet
3. Device Types(-d, -D)
crack에 사용할 자원 CPU, GPU 등 선택하여 공격을 진행할 수 있다.
ex ) - d 1, -D 2
-d : 사용할 백엔드 장치, 쉼표로 구분
-D : 사용할 OpenCL 장치
- [ Options ] -
-d, --backend-devices | Str | Backend devices to use, separated with commas | -d 1
-D, --opencl-device-types | Str | OpenCL device-types to use, separated with commas | -D 1
- [ OpenCL Device Types ] -
# | Device Type
===+=============
1 | CPU
2 | GPU
3 | FPGA, DSP, Co-Processor
두 가지 방식이 존재하는데, 현재 운영 중인 시스템의 장치 목록 조회를 위해서는
-I 옵션을 통해서 확인이 가능하다.
- [ Options ] -
-I, --backend-info | | Show system/evironment/backend API info | -I or -II
MacBookPro-2 ~ % hashcat -I
hashcat (v6.2.5-532-gcd77e488d) starting in backend information mode
Metal Info:
===========
Metal.Version.: 306.7.4
Backend Device ID #1 (Alias: #2)
Type...........: GPU
Vendor.ID......: 2
Vendor.........: Apple
Name...........: Apple M1 Max
Processor(s)...: 24
Clock..........: N/A
Memory.Total...: 49152 MB (limited to 18432 MB allocatable in one block)
Memory.Free....: 24512 MB
Local.Memory...: 32 KB
Phys.Location..: built-in
Feature.Set....: macOS GPU Family 2 v1
Registry.ID....: 2416
Max.TX.Rate....: N/A
GPU.Properties.: headless 0, low-power 0, removable 0
OpenCL Info:
============
OpenCL Platform ID #1
Vendor..: Apple
Name....: Apple
Version.: OpenCL 1.2 (Apr 15 2023 03:24:33)
Backend Device ID #2 (Alias: #1)
Type...........: GPU
Vendor.ID......: 2
Vendor.........: Apple
Name...........: Apple M1 Max
Version........: OpenCL 1.2
Processor(s)...: 24
Clock..........: 1000
Memory.Total...: 49152 MB (limited to 4608 MB allocatable in one block)
Memory.Free....: 24512 MB
Local.Memory...: 32 KB
OpenCL.Version.: OpenCL C 1.2
Driver.Version.: 1.2 1.0
도무지 무슨 말인지 명확히 이해가 가지는 않음, 이게 mac이라서 문제가 있는듯한데. 아래처럼 device#2가 Device#1의 별칭이라며 건너뛰기도 하였다. 아래는 테스트한 내용이니 단순 참고.
MacBookPro-2 ~ % hashcat -d 1,2 -O -m 1000 42EF98F2E9B77304716D2AECA2F0BD96 -a3 '?a?a?a?a?a?a?a'
hashcat (v6.2.5-532-gcd77e488d) starting
* Device #2: Apple's OpenCL drivers (GPU) are known to be unreliable. You have been warned.
The device #2 specifically listed was skipped because it is an alias of device #1
장치 #1의 별칭이므로 특별히 나열된 장치 #2를 건너뛰었습니다
METAL API (Metal 306.7.4)
=========================
* Device #1: Apple M1 Max, 24512/49152 MB, 24MCU
OpenCL API (OpenCL 1.2 (Apr 15 2023 03:24:33)) - Platform #1 [Apple]
====================================================================
* Device #2: Apple M1 Max, skipped
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 27
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Optimizers applied:
* Optimized-Kernel
* Zero-Byte
* Precompute-Init
* Meet-In-The-Middle
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
* Raw-Hash
Watchdog: Temperature abort trigger set to 100c
Host memory required for this attack: 843 MB
[s]tatus [p]ause [b]ypass [c]heckpoint [f]inish [q]uit => s
Session..........: hashcat
Status...........: Running
Hash.Mode........: 1000 (NTLM)
Hash.Target......: 42ef98f2e9b77304716d2aeca2f0bd96
Time.Started.....: Wed Nov 15 19:38:35 2023 (4 secs)
Time.Estimated...: Wed Nov 15 21:15:04 2023 (1 hour, 36 mins)
Kernel.Feature...: Optimized Kernel
Guess.Mask.......: ?a?a?a?a?a?a?a [7]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 12060.4 MH/s (7.25ms) @ Accel:1024 Loops:128 Thr:32 Vec:1
Recovered.Total..: 0/1 (0.00%) Digests
Progress.........: 52602077184/69833729609375 (0.08%)
Rejected.........: 0/52602077184 (0.00%)
Restore.Point....: 5505024/7737809375 (0.07%)
Restore.Sub.#1...: Salt:0 Amplifier:3712-3840 Iteration:0-128
Candidate.Engine.: Device Generator
Candidates.#1....: pG@|G& -> LH(*@'
Hardware.Mon.SMC.: Fan0: 39%, Fan1: 40%
Hardware.Mon.#1..: Util:100%
Case1)
hashcat -d 1 -D 1 -O -m 1000 42EF98F2E9B77304716D2AECA2F0BD96 -a3 '?a?a?a?a?a?a?a'
hashcat (v6.2.5-532-gcd77e488d) starting
No devices found/left.
Case2)
hashcat -d 2 -D 1 -O -m 1000 42EF98F2E9B77304716D2AECA2F0BD96 -a3 '?a?a?a?a?a?a?a'
hashcat (v6.2.5-532-gcd77e488d) starting
No devices found/left.
Case3)
hashcat -d 1 -D 2 -O -m 1000 42EF98F2E9B77304716D2AECA2F0BD96 -a3 '?a?a?a?a?a?a?a'
METAL API (Metal 306.7.4)
=========================
* Device #1: Apple M1 Max, 24512/49152 MB, 24MCU
OpenCL API (OpenCL 1.2 (Apr 15 2023 03:24:33)) - Platform #1 [Apple]
====================================================================
* Device #2: Apple M1 Max, skipped
Case4)
hashcat -d 2 -D 2 -O -m 1000 42EF98F2E9B77304716D2AECA2F0BD96 -a3 '?a?a?a?a?a?a?a'
hashcat (v6.2.5-532-gcd77e488d) starting
* Device #2: Apple's OpenCL drivers (GPU) are known to be unreliable. You have been warned.
METAL API (Metal 306.7.4)
=========================
* Device #1: Apple M1 Max, skipped
OpenCL API (OpenCL 1.2 (Apr 15 2023 03:24:33)) - Platform #1 [Apple]
====================================================================
* Device #2: Apple M1 Max, GPU, 24512/49152 MB (4608 MB allocatable), 24MCU
위 case로 볼 때 OpenCL은 ID가 2번이므로 -D 2에서만 정상적으로 동작하는 듯하다. -d 2에서 돌아간 이유는? alias 때문인가 ㅎㅎㅎㅎ 잘 모르겠다 몇 번 테스트해보고 성능에 맞게 쓰면 좋을듯하다.
4. Workload Profiles(-w)
hash crack에 사용할 workload Profiles를 사용한다. Profiles 종류로는 아래의 내용을 참고* 숫자가 높을수록 고성능, 많은 자원필요
- [ Options ] -
-w, --workload-profile | Num | Enable a specific workload profile, see pool below | -w 3
- [ Workload Profiles ] -
# | Performance | Runtime | Power Consumption | Desktop Impact
===+=============+=========+===================+=================
1 | Low | 2 ms | Low | Minimal
2 | Default | 12 ms | Economic | Noticeable
3 | High | 96 ms | High | Unresponsive
4 | Nightmare | 480 ms | Insane | Headless
5. Optimized-kernel-enable(-O)
정확히 어떤 옵션인지, 의미인지는 모르겠으나, -O 옵션이 없는 상황에서 사용했을 때 다음과 같은 알림이 발생함.
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
주의! 최적화되지 않은 순수 백엔드 커널이 선택되었습니다.
순수 커널은 더 긴 암호를 해독할 수 있지만 성능은 크게 저하됩니다.
최적화된 커널로 전환하려면 명령줄에 -O를 추가합니다.
- [ Options ] -
-O, --optimized-kernel-enable | | Enable optimized kernels (limits password length) |
알림대로 -O 옵션을 사용하였을 때 성능면에서 훨씬 높은 성능을 확인할 수 있었음
< -O 옵션 미사용 >
Session..........: hashcat
Status...........: Quit
Hash.Mode........: 12500 (RAR3-hp)
Hash.Target......: $RAR3$*0*de64fbe39c668063*6d67dc531cc348e568cdd30e623a00bc
Time.Started.....: Wed Nov 15 20:09:09 2023 (52 secs)
Time.Estimated...: Sun Nov 19 05:21:43 2023 (3 days, 9 hours)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: ?1?1security?1?1?1 [13]
Guess.Charset....: -1 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%, -2 Undefined, -3 Undefined, -4 Undefined
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 4618 H/s (81.34ms) @ Accel:8 Loops:16384 Thr:32 Vec:1
Recovered.Total..: 0/1 (0.00%) Digests
Progress.........: 239616/1350125107 (0.02%)
Rejected.........: 0/239616 (0.00%)
Restore.Point....: 0/20151121 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:39-40 Iteration:81920-98304
Candidate.Engine.: Device Generator
Candidates.#1....: Lasecurity123 -> LSsecurityuna
Hardware.Mon.SMC.: Fan0: 0%, Fan1: 0%
Hardware.Mon.#1..: Util:100%
< -O 옵션 사용 >
Session..........: hashcat
Status...........: Running
Hash.Mode........: 12500 (RAR3-hp)
Hash.Target......: $RAR3$*0*de64fbe39c668063*6d67dc531cc348e568cdd30e623a00bc
Time.Started.....: Wed Nov 15 20:10:09 2023 (52 secs)
Time.Estimated...: Fri Nov 17 08:50:18 2023 (1 day, 12 hours)
Kernel.Feature...: Optimized Kernel
Guess.Mask.......: ?1?1security?1?1?1 [13]
Guess.Charset....: -1 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%, -2 Undefined, -3 Undefined, -4 Undefined
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 10228 H/s (148.73ms) @ Accel:32 Loops:16384 Thr:32 Vec:1
Recovered.Total..: 0/1 (0.00%) Digests
Progress.........: 516096/1350125107 (0.04%)
Rejected.........: 0/516096 (0.00%)
Restore.Point....: 0/20151121 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:21-22 Iteration:163840-180224
Candidate.Engine.: Device Generator
Candidates.#1....: wasecurity123 -> wPsecurityzya
Hardware.Mon.SMC.: Fan0: 0%, Fan1: 0%
Hardware.Mon.#1..: Util:100%
Hashcat 사용 예시
example) 응용 사용 예
hashcat -m 12500 -d 1 -D 2 -a 3 -O -w 3 -a 3 '$RAR3$*0*de64fbe39c668063*6d67dc531cc348e568
cdd30e623a00bc' -1 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%' -i
--increment-min=13 --increment-max 13 '?1?1security?1?1?1'
- -m 12500 : RAR3-hp
- -1 : 사용자 마스크 : abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%
- -i --increment-min=13 --increment-max 13 : 최소, 최대 13글자 고정
- ?1?1security?1?1?1 : 사용자마스크 ?1?1 + security + 사용자마스크?1?1?1
Session..........: hashcat
Status...........: Quit
Hash.Mode........: 12500 (RAR3-hp)
Hash.Target......: $RAR3$*0*de64fbe39c668063*6d67dc531cc348e568cdd30e623a00bc
Time.Started.....: Wed Nov 15 19:56:49 2023 (57 secs)
Time.Estimated...: Fri Nov 17 08:11:46 2023 (1 day, 12 hours)
Kernel.Feature...: Optimized Kernel
Guess.Mask.......: ?1?1security?1?1?1 [13]
Guess.Charset....: -1 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%, -2 Undefined, -3 Undefined, -4 Undefined
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 10346 H/s (143.84ms) @ Accel:32 Loops:16384 Thr:32 Vec:1
Recovered.Total..: 0/1 (0.00%) Digests
Progress.........: 589824/1350125107 (0.04%)
Rejected.........: 0/589824 (0.00%)
Restore.Point....: 0/20151121 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:24-25 Iteration:49152-65536
Candidate.Engine.: Device Generator
Candidates.#1....: vasecurity123 -> vPsecurityzya
Hardware.Mon.SMC.: Fan0: 0%, Fan1: 0%
Hardware.Mon.#1..: Util: 98%
etc. tip?
가끔 명령어가 인식이 안될 때는 옵션 뒤에 붙이는 문자열, 패턴 등에 세미콜론(')을 찍어보자.
etc. benchmark mode
Hashcat의 알고리즘 별로 crack 속도 테스트를 진행하여 결과를 출력해 준다.
example) hashcat -b
MacBookPro-2 ~ % hashcat -b
hashcat (v6.2.5-532-gcd77e488d) starting in benchmark mode
Benchmarking uses hand-optimized kernel code by default.
You can use it in your cracking session by setting the -O option.
Note: Using optimized kernel code limits the maximum supported password length.
To disable the optimized kernel code in benchmark mode, use the -w option.
* Device #2: Apple's OpenCL drivers (GPU) are known to be unreliable.
You have been warned.
METAL API (Metal 306.7.4)
=========================
* Device #1: Apple M1 Max, 24512/49152 MB, 24MCU
OpenCL API (OpenCL 1.2 (Apr 15 2023 03:24:33)) - Platform #1 [Apple]
====================================================================
* Device #2: Apple M1 Max, skipped
Benchmark relevant options:
===========================
* --optimized-kernel-enable
-------------------
* Hash-Mode 0 (MD5)
-------------------
Speed.#1.........: 8638.3 MH/s (92.16ms) @ Accel:1024 Loops:1024 Thr:32 Vec:1
----------------------
* Hash-Mode 100 (SHA1)
----------------------
Speed.#1.........: 3280.9 MH/s (60.35ms) @ Accel:256 Loops:1024 Thr:32 Vec:1
---------------------------
* Hash-Mode 1400 (SHA2-256)
---------------------------
Speed.#1.........: 1297.6 MH/s (76.56ms) @ Accel:1024 Loops:128 Thr:32 Vec:1
---------------------------
* Hash-Mode 1700 (SHA2-512)
---------------------------
Speed.#1.........: 326.2 MH/s (76.16ms) @ Accel:256 Loops:64 Thr:64 Vec:1