1 Obtaining Windows passwords
1. Download
https://github.com/gentilkiwi/mimikatz
2. Run with administrator privileges (run as admin)
3. Elevate privileges
mimikatz # privilege::debug
4. Start logging; the output is written to a file
mimikatz # log nameoflog.log
Default location: the directory the program is run from
5. Extract plaintext passwords from memory
mimikatz # sekurlsa::logonpasswords
2 Countermeasures
**Restrict admin privileges.** This can be done by limiting admin privileges to only users who need them.
**Disable password caching.** Windows caches password hashes that were recently used through its system registry. Mimikatz can then gain access to these cached passwords, which is why it is important to change your default settings to cache zero recent passwords. This can be accessed through Windows Settings > Local Policy > Security Options > Interactive Logon.
**Turn off debug privileges.** Windows' default settings allow local admins to debug the system, which Mimikatz can exploit. Turning off debugging privileges on machines is a best practice to safeguard your system.
**Configure additional Local Security Authority (LSA) protection.** Upgrading to Windows 10 can help mitigate the types of authentication attacks that Mimikatz enables. However, when this isn't possible, Microsoft has additional LSA configuration items that help reduce the attack surface area.
6. Windows password and hash extraction (reference):
https://cloud.tencent.com/developer/article/2149139
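An added audit script (not part of the original notes) that checks the three settings the countermeasures above describe on the local machine. The registry paths and value names are the standard Windows ones; the expected values (cached logons 0, LSA protection on, nobody holding the debug privilege) are assumptions taken from the text, and the script must run in an elevated PowerShell because secedit needs it.

```powershell
# Audit the mitigations listed above: cached logons, LSA protection, debug privilege.
# Expected values are assumptions derived from the notes, not vendor defaults.
$findings = @()

# 1. Cached logons: CachedLogonsCount under Winlogon (notes say cache zero recent logons)
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = 10 }   # Windows uses 10 when the value is absent
if ([int]$cached -ne 0) {
    $findings += "CachedLogonsCount is $cached, expected 0: Set-ItemProperty -Path '$winlogon' -Name CachedLogonsCount -Value '0'"
}

# 2. LSA protection: RunAsPPL = 1 runs LSASS as a protected process (reboot required)
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ppl = (Get-ItemProperty -Path $lsa -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
if ($ppl -ne 1) {
    $findings += "RunAsPPL is not enabled: Set-ItemProperty -Path '$lsa' -Name RunAsPPL -Value 1 -Type DWord"
}

# 3. Debug privilege: export the local security policy and read who holds SeDebugPrivilege
$cfg = Join-Path $env:TEMP 'secpol_audit.inf'
secedit /export /cfg $cfg | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeDebugPrivilege' | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue
if ($line) {
    $holders = ($line.Line -split '=', 2)[1].Trim()
    $findings += "SeDebugPrivilege is granted to: $holders (remove via secpol.msc > User Rights Assignment > Debug programs)"
}

if ($findings.Count -eq 0) { 'All three settings match the hardened configuration.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

The SeDebugPrivilege line is reported even at the Windows default (Administrators), because the notes treat any holder of the privilege as a finding.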
3 hashcat
https://hashcat.net/wiki/doku.php?id=hashcat
1. Obtain the hash from the corresponding file
* For files, use the hash-cracking tool John to extract the hash; it includes extractors for rar, zip, office and many other formats
https://www.openwall.com/john/
https://github.com/openwall/john/archive/refs/tags/1.9.0-Jumbo-1.zip
https://github.com/openwall/john-packages
https://github.com/openwall/john
* On Windows systems, use wce, mimikatz, cain, saminside, etc. to obtain the hashes
https://github.com/gentilkiwi/mimikatz
2. Download the software
https://github.com/hashcat/hashcat
https://hashcat.net/files/hashcat-4.1.0.7z
3. Usage
https://hashcat.net/wiki/doku.php?id=example_hashes
4. Example
Copy the prepared dictionary password.lst and the file of hashes to crack, win.hash, into the hashcat program directory, then run the following command:
hashcat -m 1000 -a 0 -o winpassok.txt win.hash password.lst --username
Parameter description:
"-m 1000" sets the hash type to NTLM;
"-a 0" selects a dictionary attack;
"-o" writes the cracked results to winpassok.txt;
"--remove win.hash" removes successfully cracked hashes from win.hash; --username cannot be used together with --remove, so first tidy the file down to bare hash values and then use this parameter.
"password.lst" is the password dictionary file.
https://blog.csdn.net/weixin_50464560/article/details/120578225
4 RAR
rar2john + hashcat: cracking an archive password
1. Obtain the archive's hash
rar2john test.rar > hash.txt
2. Crack the hash with the command:
john hash.txt
Uses the bundled wordlist password.lst for cracking
3. The corresponding hash is cracked
- Use the password recovered from the hash to extract the encrypted archive
5 Rainbow Tables
The basic principle of rainbow tables is to combine brute force and lookup tables, striking a compromise between the two so that cracking can be done in a time and with storage we can afford.
The most famous tables are Rainbow Tables, the rainbow tables often mentioned in security circles, which target the LM/NTLM hashes of Windows user accounts. Briefly: on Windows 2000/XP/2003, account passwords are not stored in plaintext but, via an algorithm defined by Microsoft, in a file that cannot be read directly, the so-called SAM file. This file is in use while the system is running and so cannot be cracked directly, but we can extract it in hashed form,
https://freerainbowtables.com/
http://project-rainbowcrack.com/table.htm
6 Using John the Ripper
1 zip
- zip2john FILE > zip.hash
- zip2john /mnt/disk_d/Share/test/file.zip > zip.hash
- john --wordlist=/PATH/TO/DICTIONARY --fork=CORES /PATH/TO/zip.hash
  (multi-core CPU, dictionary attack)
- john --fork=CORES --mask='?d' --min-length=1 --max-length=10 /PATH/TO/zip.hash
  (multi-core CPU, mask attack over digit combinations)
- john --format=ZIP-opencl --wordlist=/PATH/TO/DICTIONARY /PATH/TO/zip.hash
  (GPU, dictionary attack)
2 rar
- rar2john FILE > rar.hash
- rar2john /mnt/disk_d/Share/test/file.rar > rar.hash
3 7z
- 7z2john FILE > 7z.hash
- john --wordlist=/PATH/TO/DICTIONARY --fork=CORES /PATH/TO/7z.hash
- john --format=7z-opencl --wordlist=/PATH/TO/DICTIONARY /PATH/TO/7z.hash
4 docx
- office2john FILE > office.hash
- john --wordlist=/PATH/TO/DICTIONARY --fork=CORES /PATH/TO/office.hash
5 LibreOffice
- libreoffice2john FILE > odf.hash
6 pdf
- pdf2john FILE > pdf.hash
7 GPG password
- gpg --export-secret-key -a "NAME SURNAME" > private.key
- gpg2john private.key > gpg.hash
- john --wordlist=/PATH/TO/DICTIONARY --fork=CORES /PATH/TO/gpg.hash
8 TrueCrypt
https://hashcat.net/wiki/doku.php?id=frequently_asked_questions#how_do_i_extract_the_hashes_from_truecrypt_volumes
For a TrueCrypt boot volume (i.e. the computer starts with the TrueCrypt Boot Loader) you need to extract 512 bytes starting at offset 31744 (62 * 512 bytes). This is true for TrueCrypt 7.0 or later. For TrueCrypt versions before 7.0 there might be different offsets.
The explanation for this is that the volume header (which stores the hash info) is located at the last sector of the first track of the system drive. Since a track is usually 63 sectors long (1 sector is 512 bytes), the volume header is at sector 63 - 1 (62).
If TrueCrypt uses a hidden partition or volume, you need to skip the first 64K bytes (65536) and extract the next 512 bytes.
dd if=hashcat_ripemd160_AES_hidden.raw of=hashcat_ripemd160_AES_hidden.tc bs=1 skip=65536 count=512
In all other cases (files, non-booting partitions) you need the first 512 bytes of the file or partition.
You can extract the binary data from the raw disk, for example, with the Unix utility dd (e.g. use a block size of 512 and a count of 1).
1. dd.exe if=..\encrypted\target of=..\encrypted\target_hash.tc bs=512 count=1
2. hashcat.exe -w 1 -m 13721 hash.tc wordlist.txt
http://www.chrysocome.net/dd
9 Cracking modes
John supports four password-cracking modes:
1. Wordlist mode: the user only needs to supply a dictionary (password list) for cracking.
2. Single crack mode: this is the mode John's author recommends trying first. John uses the login name, full name (GECOS) and home directory name as candidate passwords.
3. Incremental mode: John tries all possible character combinations. This is the most powerful mode.
4. External mode: the user can use John's external cracking modes. Before use, a configuration section named [List.External:MODE] must be created, where MODE is a name chosen by the user.
7 Ophcrack
Ophcrack is a Windows password cracker based on Rainbow Tables. Features: cracks LM and NTLM Windows hashes; free tables available for Windows XP, Vista and 7; brute-force module for simple passwords; audit mode and CSV export; real-time graphs for analyzing passwords; LiveCD available.
https://ophcrack.sourceforge.io/download.php
8 Router Default Password
Default router passwords
https://www.sordum.org/downloads/?st-router-default-passwords
9 LaZagne
Retrieves passwords saved on the local machine
https://github.com/AlessandroZ/LaZagne
10 cryptohaze
11 GovCracker GovCrypto
https://github.com/Are-s-h/GovCracker
https://www.decrypta-technologies.com/english/software/