hashcat

也可以通过

pip install hashcat

nvidia需要cuda kit支持

常用hash模式标识符

-m 0 	#MD5
-m 100 	#SHA1
-m 1400 #SHA256
-m 1700	#SHA512
-m 3200	#bcrypt
-m 1000 #NTLm
-m 400	#WordPress
-m 300	#MySQL

常用攻击模式

字典攻击

根据字典内值进行暴力搜索

-a 0 -m hash模式标识符 待破解hash 字典

组合攻击

组合多个字典值进行猜测

-a 1 -m hash模式标识符 待破解hash 后可跟多个字典

掩码攻击

-a 3 -m hash模式标识符 待破解hash 带掩码字符串

?a	任意字符
?H	大写16进制字符
?h	小写16进制字符
?d	数字字符
?u	大写字母
?l	小写字符
?s	特殊字符
?b	一字节内所有字符

自定义掩码字符集

hsahcat -a 3 -m hash模式标识符待破解hash -1 “字符集地址 “ 带掩码字符串

可以使用-w 线程数来使用多线程

其余用法可见hashcat -help

例题

[LitCTF 2023]md5的破解 | NSSCTF

from Crypto.Util.number import *
from hashlib import md5
from secret import flag

#flag全是由小写字母及数字组成
m=md5(flag).hexdigest()
print(flag[:13]+flag[15:18]+flag[19:34]+flag[35:38])
print(m)
# b'LitCTF{md5can3derypt213thoughcrsh}'
# 496603d6953a15846cd7cc476f146771

给了一部分字符和字符串的hash值可以通过hashcat掩码进行求值

hashcat -a 3 -m 0 496603d6953a15846cd7cc476f146771 LitCTF{md5can?a?a3de?arypt213thoughcr?ash}

hashcat -a 3 -m 0 496603d6953a15846cd7cc476f146771 LitCTF{md5can?a?a3de?arypt213thoughcr?ash}
hashcat (v6.2.5) starting

* Device #1: WARNING! Kernel exec timeout is not disabled.
             This may cause "CL_OUT_OF_RESOURCES" or related errors.
             To disable the timeout, see: https://hashcat.net/q/timeoutpatch
* Device #2: WARNING! Kernel exec timeout is not disabled.
             This may cause "CL_OUT_OF_RESOURCES" or related errors.
             To disable the timeout, see: https://hashcat.net/q/timeoutpatch
nvmlDeviceGetFanSpeed(): Not Supported

CUDA API (CUDA 12.2)
====================
* Device #1: NVIDIA GeForce RTX 3060 Laptop GPU, 5135/6143 MB, 30MCU

OpenCL API (OpenCL 3.0 CUDA 12.2.79) - Platform #1 [NVIDIA Corporation]
=======================================================================
* Device #2: NVIDIA GeForce RTX 3060 Laptop GPU, skipped

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1473 MB

496603d6953a15846cd7cc476f146771:LitCTF{md5can123dexrypt213thoughcrpsh}

在最后hash值冒号后就是破解出的值