
Common password-cracking methods on Kali


Decoding

Crack Linux Hash

unshadow passwd.txt shadow.txt > hashes.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

Cisco hashes

python3 cisco_pwdecrypt.py -u '$1$pdQG$o8nrSzsGXeaduXrjlvKc91' -d /usr/share/wordlists/rockyou.txt

Base64 encoding example:

ZENvZGU=
to decode a string into a PNG: cat encoded.txt | base64 --decode > out.png (or use https://onlinepngtools.com/convert-base64-to-png)
to decode a string to a string: echo '<base64string>' | base64 --decode

Base32 encoding example:

MRBW6ZDFEBBGC43FGMZA====

To Decrypt gpg files:

gpg --batch --passphrase whateverThePasswordIs -d theGPGfile

To extract strings from images (something you come across in ARGs and CTFs). NOT just for images: this is VERY useful against binary files for recon/escalation.

strings Safe_Password.jpg | more

SAM files

Found either in C:\windows\system32\config\sam or C:\windows\repair\sam (THIS WILL NOT ALWAYS CONTAIN A COMPLETE OR UP-TO-DATE LISTING).
The hashes are encrypted with a 128-bit Rivest cipher (RC4). The key used by the syskey utility is called the "bootkey" and is stored in the SYSTEM hive, which is in C:\windows\repair\system.
After this we use samdump2, which both pulls the syskey out of the SYSTEM file and uses it to decrypt the hashes from uncle Sam (bless his cotton socks).
Example: samdump2 system_file sam_file

After this you can run hashes through johnny boi

john <outputfile.txt>

SHA1 example (just like MD5, the hash should first be checked against an online DB such as https://www.sha1online.org)

d8b8dd5e7f000b8dea26ef8428caf38c04466b3e

If you see the header below after running strings, the file has been encoded with steganography.

56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz

To decrypt the file I use steghide:

steghide info <image.jpg>
steghide extract -sf <image.jpg>

NOTE that it will always ask for a passphrase! This does not mean it HAS one; try just pressing Enter.

WordPress Hash example:

$P$B9wJdX0NkO95U2L.kqAGXsFufwSp5N1
hashcat --force -m 400 hash.txt /usr/share/wordlists/rockyou.txt

SSH key bruteforce

To bruteforce a public key, grep -lr for it against one of the key folders (named by key type and size) from here: https://github.com/g0tmi1k/debian-ssh/tree/master/common_keys

dsa = 1024
rsa = 2048

Encrypted Disk or .img?

binwalk -e <disk.img>

Zip files

fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt <file_name>
zip2john file.zip > file.zip.hash
john -w:/usr/share/wordlists/rockyou.txt file.zip.hash

SSH2john

/usr/share/john/ssh2john.py id_rsa > ssh.hash
john -w:/usr/share/wordlists/rockyou.txt ssh.hash

List of known/common passwords or keywords through cewl?

Narrow them down into a custom wordlist

grep -i hentai /usr/share/wordlists/rockyou.txt > pass.lst
grep -i pokemon /usr/share/wordlists/rockyou.txt >> pass.lst
grep -i monkey /usr/share/wordlists/rockyou.txt >> pass.lst
grep -i startrek /usr/share/wordlists/rockyou.txt >> pass.lst

Caesar decode (ROT13)

echo "string" | tr '[A-Za-z]' '[N-ZA-Mn-za-m]'
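As an added example (not from the original post), the ROT13 one-liner above generalised to any Caesar shift, plus a brute force over all 25 shifts and a crude letter-frequency pick of the most likely one; the sample ciphertext is constructed.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: generalise the ROT13 tr one-liner
# to an arbitrary Caesar shift and brute-force all 25 shifts of a CTF string.

UPPER='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
LOWER='abcdefghijklmnopqrstuvwxyz'

# rot N STRING: rotate letters N positions forward; digits and punctuation pass
# through untouched. "rot 13" is exactly the tr one-liner from the cheat sheet.
rot() {
  local n=$(( $1 % 26 ))
  local up="${UPPER:n}${UPPER:0:n}"   # alphabet starting at position n
  local lo="${LOWER:n}${LOWER:0:n}"
  printf '%s' "$2" | tr "$UPPER$LOWER" "$up$lo"
}

# caesar_decode N CIPHERTEXT: undo a forward shift of N (rotate by 26-N).
caesar_decode() {
  rot $(( (26 - $1 % 26) % 26 )) "$2"
}

# caesar_all CIPHERTEXT: print every candidate plaintext as "shift<TAB>text".
caesar_all() {
  local k
  for k in $(seq 1 25); do
    printf '%02d\t%s\n' "$k" "$(caesar_decode "$k" "$1")"
  done
}

# caesar_guess CIPHERTEXT: print the shift whose candidate contains the most
# common English letters (e t a o i n). Crude, but fine for sentence-length text.
caesar_guess() {
  local k best=0 bestscore=-1 score
  for k in $(seq 1 25); do
    score=$(( $(caesar_decode "$k" "$1" | tr -cd 'etaoinETAOIN' | wc -c) ))
    if [ "$score" -gt "$bestscore" ]; then bestscore=$score; best=$k; fi
  done
  printf '%s\n' "$best"
}

# Constructed sample: the pangram "the quick brown fox ..." shifted by 7.
SAMPLE='aol xbpjr iyvdu mve qbtwz vcly aol shgf kvn'
caesar_all "$SAMPLE"
printf 'best guess: shift %s\n' "$(caesar_guess "$SAMPLE")"
```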

Original article by mOon. If you repost it, please credit the source: https://www.moonsec.com/591.html
