Cracking PDF Hashes with hashcat - Nicholas --- 使用hashcat破解PDF哈希 - 尼古拉斯
type
status
date
slug
summary
tags
category
icon
password
Tweet Link
Author
Add Date
Do you have a PDF document lying around somewhere, but it’s encrypted and you’ve forgotten the password to it?
您是否在某处有一个PDF文档,但它是加密的并且您忘记了密码?
hashcat is a great open-source hash cracker with GPU acceleration. It also comes with features such as masking, dictionary attacks and even statistical methods of password guessing. It also supports 300+ hash types (e.g. SHA-1, MD5, WPA, Django…) out of the box.hashcat 是一个很棒的开源哈希破解器,具有 GPU 加速功能。它还具有屏蔽,字典攻击甚至密码猜测的统计方法等功能。它还支持300+哈希类型(例如SHA-1,MD5,WPA,Django…)。Don’t use this for unlawful purposes!
不要将其用于非法目的!
First, we need to extract the password hash from the PDF. There’s an online tool for this, but for now let’s use this python script (pdf2john.py).
首先,我们需要从 PDF 中提取密码哈希。有一个在线工具,但现在让我们使用这个python脚本(pdf2john.py)。
Run it with
python pdf2john.py <your-pdf-file>.使用
python pdf2john.py <your-pdf-file> 运行它。The output should resemble something like this:
输出应类似于以下内容:
|
b'aa.pdf':b'$pdf$4*4*128*-1028*1*16*51cacf728db0cc489bd42a56dd58d87c*32*fa9ce7f2daef91b171ec19e04edc00ba00000000000000000000000000000000*32*c431fab9cc5ef7b59c244b61b745f71ac5ba427b1b9102da468e77127f1e69d6':::::b'D:\\Desktop\\<your PDF file>.pdf'|
We’re only interested in the second part (beginning with
$pdf$4... up till ...69d6). So, let’s copy that out:我们只对第二部分感兴趣(从
$pdf$4... 开始到 ...69d6 )。所以,让我们把它复制出来:|
$pdf$4*4*128*-1028*1*16*51cacf728db0cc489bd42a56dd58d87c*32*fa9ce7f2daef91b171ec19e04edc00ba00000000000000000000000000000000*32*c431fab9cc5ef7b59c244b61b745f71ac5ba427b1b9102da468e77127f1e69d6|
This is the hash we’ll supply to
hashcat later on.这是我们稍后将提供给
hashcat 的哈希值。Starting brute force with
hashcat使用
hashcat 启动暴力破解 ———————————————————First, grab the latest copy of
hashcat from here.首先,从这里获取
hashcat 的最新副本。This command runs a brute force attack on the hash (up till the maximum number of characters):
此命令对哈希运行暴力攻击(直到最大字符数):
hashcat -a 3 -m 10500 '<hash>' (note: the hash must be in quotes, or else some OSes might interpret the $ as a variable)hashcat -a 3 -m 10500 '<hash>' (注意:哈希必须用引号引起来,否则某些操作系统可能会将 $ 解释为变量)Let’s break it down.让我们分解一下。
aspecifies the attack mode. In this case,3indicates brute force.
a指定攻击模式。在这种情况下,3表示暴力破解。
mspecifies the type of hash.hashcatcan actually autodetect the hash type, but for this purpose, we’ll specify it as as10500, which isPDF 1.4 - 1.6 (Acrobat 5 - 8).
m指定哈希的类型。hashcat实际上可以自动检测哈希类型,但为此,我们将其指定为10500,即PDF 1.4 - 1.6 (Acrobat 5 - 8)。
hashcat also supports masking options. So if you wanted to try all lowercase alphanumeric passwords (a-z, 0-9) up to 10 characters, you could dohashcat 还支持屏蔽选项。因此,如果您想尝试所有最多 10 个字符的小写字母数字密码(a-z,0-9),您可以这样做.\hashcat -a 3 -1 ?l?d -i -m 10500 '<hash>' ?1?1?1?1?1?1?1?1?1?1?1?11specifies the character set in the first position (hashcatsupports multiple character sets). In this case,?lrefers to the setabcde...xyz, and?drefers to all digits 0-9.
1指定第一个位置的字符集(hashcat支持多个字符集)。在这种情况下,?l表示集合abcde...xyz,?d表示所有数字 0-9。
ispecifies that we want to progressively try the mask, starting from-increment-min(default 1). What this does is it will try only 1 character of the mask (e.g.a), then 2, up till-increment-max(default being the length of the mask, e.g.zzzzzzzzzz).
i指定我们要从-increment-min(默认为 1)开始逐步尝试掩码。这样做是它只会尝试掩码的 1 个字符(例如a),然后是 2,直到-increment-max(默认为掩码的长度,例如zzzzzzzzzz).
?1?1?1?1?1?1?1?1?1?1?1?1 is the mask itself. ?1 refers to the character set in the first position, that we specified above with -1.?1?1?1?1?1?1?1?1?1?1?1?1 是掩码本身。 ?1 是指我们在上面用 -1 指定的第一个位置的字符集。
Cracking speed on my GTX 970
For comparison, cracking speed on an A100 on GCloud (approx 10x speedup)
相比之下,在 GCloud 上 A100 上的破解速度(大约 10 倍加速)
And that’s it! Password cracking is exponentially slower with regards to the length of the password1, so any clues as to the content of the password will speed it up greatly.
就是这样!密码破解在密码 1 的长度方面呈指数级增长,因此有关密码内容的任何线索都将大大加快速度。