Offline bruteforce — различия между версиями
Drakylar (обсуждение | вклад) м |
Drakylar (обсуждение | вклад) м |
(не показаны 4 промежуточные версии этого же участника) | |||
Строка 5: | Строка 5: | ||
== TGS == | == TGS == | ||
+ | |||
+ | === Пример хеша === | ||
+ | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | $krb5tgs$23$*user$realm$test/spn*$63386d22d359fe42230300d56852c9eb$891ad31d09ab89c6b3b8c5e5de6c06a7f49fd559d7a9a3c32576c8fedf705376cea582ab5938f7fc8bc741acf05c5990741b36ef4311fe3562a41b70a4ec6ecba849905f2385bb3799d92499909658c7287c49160276bca0006c350b0db4fd387adc27c01e9e9ad0c20ed53a7e6356dee2452e35eca2a6a1d1432796fc5c19d068978df74d3d0baf35c77de12456bf1144b6a750d11f55805f5a16ece2975246e2d026dce997fba34ac8757312e9e4e6272de35e20d52fb668c5ed | ||
+ | </syntaxhighlight> | ||
=== Перебор === | === Перебор === | ||
− | Hashcat | + | ====Hashcat==== |
<syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
hashcat -m 13100 --force -a0 ./tickget.kerberoast ./pass.txt | hashcat -m 13100 --force -a0 ./tickget.kerberoast ./pass.txt | ||
</syntaxhighlight> | </syntaxhighlight> | ||
− | JohnTheRipper | + | ====JohnTheRipper==== |
<syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
john --format=krb5tgs --wordlist=<passwords_file> <AS_REP_responses_file> | john --format=krb5tgs --wordlist=<passwords_file> <AS_REP_responses_file> | ||
</syntaxhighlight> | </syntaxhighlight> | ||
+ | == ASP-REP == | ||
+ | |||
+ | === Пример хеша === | ||
− | == | + | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > |
+ | $krb5asrep$23$spot@offense.local:3171ea207b3a6fdaee52ba247c20362e$56fe7dc0caba8cb7d3a02a140c612a917df3343c01bcdab0b669efa15b29b2aebbfed2b4f3368a897b833a6b95d5c2f1c2477121c8f5e005aa2a588c5ae72aadfcbf1aedd8b7ac2f2e94e94cb101e27a2e9906e8646919815d90b4186367b6d5072ab9edd0d7b85519fbe33997b3d3b378340e3f64caa92595523b0ad8dc8e0abe69dda178d8ba487d3632a52be7ff4e786f4c271172797dcbbded86020405b014278d5556d8382a655a6db1787dbe949b412756c43841c601ce5f21a36a0536cfed53c913c3620062fdf5b18259ea35de2b90c403fbadd185c0f54b8d0249972903ca8ff5951a866fc70379b9da | ||
+ | </syntaxhighlight> | ||
=== Преобразования === | === Преобразования === | ||
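Review bot: The heading added in this hunk, `== ASP-REP ==`, misspells the Kerberos message name; the example placed under it carries the `$krb5asrep$` prefix, so it should read `== AS-REP ==`. In the same hunk the unchanged John line under TGS combines `--format=krb5tgs` with an input named `<AS_REP_responses_file>`; renaming that placeholder to `<TGS_hashes_file>` would match the section it sits in. Both new examples are `$23$` (RC4-HMAC) values, and a one-line remark saying so would tell readers why the section applies only where RC4 tickets are still issued.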
Строка 34: | Строка 44: | ||
=== Перебор === | === Перебор === | ||
− | JohnTheRipper | + | ====JohnTheRipper==== |
<syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
john --wordlist=dict.txt krbt.hashes | john --wordlist=dict.txt krbt.hashes | ||
</syntaxhighlight> | </syntaxhighlight> | ||
− | Hashcat | + | ====Hashcat==== |
<syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
hashcat -m18200 '$krb5asrep$23$spot@offense.local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a 3 /usr/share/wordlists/rockyou.txt | hashcat -m18200 '$krb5asrep$23$spot@offense.local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a 3 /usr/share/wordlists/rockyou.txt | ||
</syntaxhighlight> | </syntaxhighlight> | ||
+ | |||
+ | == NTLM == | ||
+ | |||
+ | === Пример хеша === | ||
+ | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | b4b9b02e6f09a9bd760f388b67351e2b | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | |||
+ | === Перебор === | ||
+ | |||
+ | ====Hashcat==== | ||
+ | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | hashcat -m 1000 -a 0 hash.txt passwordlist.txt | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | ====JohnTheRipper==== | ||
+ | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | john --format=nt hash.txt | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | == LM-hash == | ||
+ | |||
+ | === Пример хеша === | ||
+ | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | 299BD128C1101FD6 | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | === Перебор === | ||
+ | |||
+ | ====Hashcat==== | ||
+ | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | hashcat -m 3000 -a 3 hash.txt | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | ====JohnTheRipper==== | ||
+ | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | john --format=lm hash.txt | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | |||
+ | == NTLMv1 == | ||
+ | |||
+ | === Пример хеша === | ||
+ | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | u4-netntlm::kNS:338d08f8e26de93300000000000000000000000000000000:9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | === Перебор === | ||
+ | |||
+ | ====Hashcat==== | ||
+ | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | hashcat -m 5500 -a 3 hash.txt | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | ====JohnTheRipper==== | ||
+ | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | john --format=netntlm hash.txt | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | == NTLMv2 == | ||
+ | |||
+ | === Пример хеша === | ||
+ | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | Administrator::WIN-487IMQOIA8E:997b18cc61099ba2:3CC46296B0CCFC7A231D918AE1DAE521:0101000000000000B09B51939BA6D40140C54ED46AD58E890000000002000E004E004F004D00410054004300480001000A0053004D0042003100320004000A0053004D0042003100320003000A0053004D0042003100320005000A0053004D0042003100320008003000300000000000000000000000003000004289286EDA193B087E214F3E16E2BE88FEC5D9FF73197456C9A6861FF5B5D3330000000000000000 | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | === Перебор === | ||
+ | |||
+ | ====Hashcat==== | ||
+ | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | hashcat -m 5600 -a 3 hash.txt | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | ====JohnTheRipper==== | ||
+ | <syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | john --format=netntlmv2 hash.txt | ||
+ | </syntaxhighlight> | ||
+ | |||
= Полезные материалы = | = Полезные материалы = |
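Review bot: The new `== NTLMv1 ==` and `== NTLMv2 ==` sections cover Net-NTLM challenge-response captures (their John formats are `netntlm` and `netntlmv2`), which are not the same object as the NT hash in the new `== NTLM ==` section. Titling them `== Net-NTLMv1 ==` and `== Net-NTLMv2 ==` would keep readers from mixing the two. The hunk adds four formats with nothing on the defensive side, so a short closing subsection would fit before `= Полезные материалы =`: disable LM hash storage, refuse NTLMv1, and use long random passwords for service accounts.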
Текущая версия на 18:02, 21 января 2022
Страница посвящена офлайн-перебору — например, хешей, паролей архивов и т. д.
Основная часть
TGS
Пример хеша
$krb5tgs$23$*user$realm$test/spn*$63386d22d359fe42230300d56852c9eb$891ad31d09ab89c6b3b8c5e5de6c06a7f49fd559d7a9a3c32576c8fedf705376cea582ab5938f7fc8bc741acf05c5990741b36ef4311fe3562a41b70a4ec6ecba849905f2385bb3799d92499909658c7287c49160276bca0006c350b0db4fd387adc27c01e9e9ad0c20ed53a7e6356dee2452e35eca2a6a1d1432796fc5c19d068978df74d3d0baf35c77de12456bf1144b6a750d11f55805f5a16ece2975246e2d026dce997fba34ac8757312e9e4e6272de35e20d52fb668c5ed
Перебор
Hashcat
hashcat -m 13100 --force -a0 ./tickget.kerberoast ./pass.txt
JohnTheRipper
john --format=krb5tgs --wordlist=<passwords_file> <TGS_hashes_file>
AS-REP
Пример хеша
$krb5asrep$23$spot@offense.local:3171ea207b3a6fdaee52ba247c20362e$56fe7dc0caba8cb7d3a02a140c612a917df3343c01bcdab0b669efa15b29b2aebbfed2b4f3368a897b833a6b95d5c2f1c2477121c8f5e005aa2a588c5ae72aadfcbf1aedd8b7ac2f2e94e94cb101e27a2e9906e8646919815d90b4186367b6d5072ab9edd0d7b85519fbe33997b3d3b378340e3f64caa92595523b0ad8dc8e0abe69dda178d8ba487d3632a52be7ff4e786f4c271172797dcbbded86020405b014278d5556d8382a655a6db1787dbe949b412756c43841c601ce5f21a36a0536cfed53c913c3620062fdf5b18259ea35de2b90c403fbadd185c0f54b8d0249972903ca8ff5951a866fc70379b9da
Преобразования
Начальный хеш
$krb5asrep$spot@offense.local:<оставшаяся часть хеша — та же, что в результате ниже>
Если после второго символа «$» нет числа 23 (тип шифрования Kerberos: etype 23, RC4-HMAC), его нужно добавить. Результат:
$krb5asrep$23$spot@offense.local:3171ea207b3a6fdaee52ba247c20362e$56fe7dc0caba8cb7d3a02a140c612a917df3343c01bcdab0b669efa15b29b2aebbfed2b4f3368a897b833a6b95d5c2f1c2477121c8f5e005aa2a588c5ae72aadfcbf1aedd8b7ac2f2e94e94cb101e27a2e9906e8646919815d90b4186367b6d5072ab9edd0d7b85519fbe33997b3d3b378340e3f64caa92595523b0ad8dc8e0abe69dda178d8ba487d3632a52be7ff4e786f4c271172797dcbbded86020405b014278d5556d8382a655a6db1787dbe949b412756c43841c601ce5f21a36a0536cfed53c913c3620062fdf5b18259ea35de2b90c403fbadd185c0f54b8d0249972903ca8ff5951a866fc70379b9da
Перебор
JohnTheRipper
john --wordlist=dict.txt krbt.hashes
Hashcat
hashcat -m18200 '$krb5asrep$23$spot@offense.local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a 3 /usr/share/wordlists/rockyou.txt
NTLM
Пример хеша
b4b9b02e6f09a9bd760f388b67351e2b
Перебор
Hashcat
hashcat -m 1000 -a 0 hash.txt passwordlist.txt
JohnTheRipper
john --format=nt hash.txt
LM-hash
Пример хеша
299BD128C1101FD6
Перебор
Hashcat
hashcat -m 3000 -a 3 hash.txt
JohnTheRipper
john --format=lm hash.txt
NTLMv1
Пример хеша
u4-netntlm::kNS:338d08f8e26de93300000000000000000000000000000000:9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c
Перебор
Hashcat
hashcat -m 5500 -a 3 hash.txt
JohnTheRipper
john --format=netntlm hash.txt
NTLMv2
Пример хеша
Administrator::WIN-487IMQOIA8E:997b18cc61099ba2:3CC46296B0CCFC7A231D918AE1DAE521:0101000000000000B09B51939BA6D40140C54ED46AD58E890000000002000E004E004F004D00410054004300480001000A0053004D0042003100320004000A0053004D0042003100320003000A0053004D0042003100320005000A0053004D0042003100320008003000300000000000000000000000003000004289286EDA193B087E214F3E16E2BE88FEC5D9FF73197456C9A6861FF5B5D3330000000000000000
Перебор
Hashcat
hashcat -m 5600 -a 3 hash.txt
JohnTheRipper
john --format=netntlmv2 hash.txt