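Notes on using hashcat to recover a RAR password

I forgot the password to an important RAR file and could not remember it no matter what, so I had to dig out some tools to recover it.

This time I used hashcat v6.2.6.

Official download page: hashcat - advanced password recovery

GitHub repository: GitHub - hashcat/hashcat: World's fastest and most advanced password recovery utility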

hashcat is the world's fastest and most advanced password recovery utility, supporting five unique modes of attack for over 300 highly-optimized hashing algorithms. hashcat currently supports CPUs, GPUs, and other hardware accelerators on Linux, Windows, and macOS, and has facilities to help enable distributed password cracking. 

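According to its GitHub description, it is the world's fastest and most advanced password recovery utility, and I personally agree ^_^

The main features I used are recorded here.

1. Get the hash value and determine the hash type

To get the hash of a RAR file, one tool has to be mentioned:

John the Ripper

Official download page: John the Ripper password cracker (openwall.com)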

John the Ripper is an Open Source password security auditing and password recovery tool available for many operating systems. John the Ripper jumbo supports hundreds of hash and cipher types, including for: user passwords of Unix flavors (Linux, *BSD, Solaris, AIX, QNX, etc.), macOS, Windows, "web apps" (e.g., WordPress), groupware (e.g., Notes/Domino), and database servers (SQL, LDAP, etc.); network traffic captures (Windows network authentication, WiFi WPA-PSK, etc.); encrypted private keys (SSH, GnuPG, cryptocurrency wallets, etc.), filesystems and disks (macOS .dmg files and "sparse bundles", Windows BitLocker, etc.), archives (ZIP, RAR, 7z), and document files (PDF, Microsoft Office's, etc.) These are just some of the examples - there are many more.

For RAR the usage is simple: under the installation path john-1.9.0-jumbo-1-win64\run there is a file named rar2john.exe.

PS D:\tools\john-1.9.0-jumbo-1-win64\run> .\rar2john.exe crack.rar
crack.rar:$rar5$16$8ca9b503880e86a5fe6f15009cce8e34$15$98d03625b8e2d8c79efaadede8aefb17$8$d4429c96a8b71499

rar5 is its encryption type; hashcat must be given the matching hash type.

The full string $rar5$16$8ca9b503880e86a5fe6f15009cce8e34$15$98d03625b8e2d8c79efaadede8aefb17$8$d4429c96a8b71499 is its hash value.

2. Commonly used options

(1) Specify the hash type: -m 13000

 Options Short / Long           | Type | Description                                          | Example
================================+======+======================================================+=======================
 -m, --hash-type                | Num  | Hash-type                                            | -m 1000

      # | Name                                                       | Category
  ======+============================================================+======================================
      0 | MD5                                                        | Raw Hash

  11600 | 7-Zip                                                      | Archive
  12500 | RAR3-hp                                                    | Archive
  23800 | RAR3-p (Compressed)                                        | Archive
  23700 | RAR3-p (Uncompressed)                                      | Archive
  13000 | RAR5                                                       | Archive

The above lists a few common types. RAR5 is 13000, so the command starts as:

PS D:\tools\hashcat-6.2.6> .\hashcat.exe -m 13000

(2) Specify the attack mode and charset: -a 3 ?d

- [ Attack Modes ] -

  # | Mode
 ===+======
  0 | Straight
  1 | Combination
  3 | Brute-force
  6 | Hybrid Wordlist + Mask
  7 | Hybrid Mask + Wordlist
  9 | Association

Here I use mode 3 | Brute-force, because I remember that the password I set was made of digits. The mask charsets are listed below for reference.

- [ Built-in Charsets ] -

  ? | Charset
 ===+=========
  l | abcdefghijklmnopqrstuvwxyz [a-z]
  u | ABCDEFGHIJKLMNOPQRSTUVWXYZ [A-Z]
  d | 0123456789                 [0-9]
  h | 0123456789abcdef           [0-9a-f]
  H | 0123456789ABCDEF           [0-9A-F]
  s |  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
  a | ?l?u?d?s
  b | 0x00 - 0xff

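Here ?d is used directly to narrow the brute-force character range; the full character set is ?a. You can also define your own: hashcat provides four custom charsets.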

 -1, --custom-charset1          | CS   | User-defined charset ?1                              | -1 ?l?d?u
 -2, --custom-charset2          | CS   | User-defined charset ?2                              | -2 ?l?d?s
 -3, --custom-charset3          | CS   | User-defined charset ?3                              |
 -4, --custom-charset4          | CS   | User-defined charset ?4                              |

For example, to use a charset of lowercase letters plus digits, the first custom charset can be written like this:

-1 ?d?l ?1?1?1?1?1

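(3) Set the password length range: -i --increment-min=1 --increment-max=10

Because I did not remember the exact length, the search goes length by length from 1 to 10 characters, which requires enabling increment mode.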

 -i, --increment                |      | Enable mask increment mode                           |
     --increment-min            | Num  | Start mask incrementing at X                         | --increment-min=4
     --increment-max            | Num  | Stop mask incrementing at X                          | --increment-max=8

So the final command is:

.\hashcat.exe -m 13000 -a 3 -i --increment-min=1 --increment-max=10 '$rar5$16$8ca9b503880e86a5fe6f15009cce8e34$15$98d03625b8e2d8c79efaadede8aefb17$8$d4429c96a8b71499' ?d?d?d?d?d?d?d?d?d?d

It then works through lengths 1 to 10. Only three of the status records are kept here.

hashcat (v6.2.6) starting

* Device #1: WARNING! Kernel exec timeout is not disabled.
             This may cause "CL_OUT_OF_RESOURCES" or related errors.
             To disable the timeout, see: https://hashcat.net/q/timeoutpatch
* Device #2: WARNING! Kernel exec timeout is not disabled.
             This may cause "CL_OUT_OF_RESOURCES" or related errors.
             To disable the timeout, see: https://hashcat.net/q/timeoutpatch
CUDA API (CUDA 12.0)
====================
* Device #1: NVIDIA GeForce RTX 3080, 9087/10239 MB, 68MCU

OpenCL API (OpenCL 3.0 CUDA 12.0.70) - Platform #1 [NVIDIA Corporation]
=======================================================================
* Device #2: NVIDIA GeForce RTX 3080, skipped

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
* Brute-Force
* Slow-Hash-SIMD-LOOP

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1474 MB

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 13000 (RAR5)
Hash.Target......: $rar5$16$8ca9b503880e86a5fe6f15009cce8e34$15$98d036...b71499
Time.Started.....: Sun Nov 13 09:01:11 2022 (2 secs)
Time.Estimated...: Sun Nov 13 09:01:13 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: ?d [1]
Guess.Queue......: 1/10 (10.00%)
Speed.#1.........:        8 H/s (0.10ms) @ Accel:32 Loops:32 Thr:512 Vec:1
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 10/10 (100.00%)
Rejected.........: 0/10 (0.00%)
Restore.Point....: 1/1 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:9-10 Iteration:32768-32799
Candidate.Engine.: Device Generator
Candidates.#1....: 6 -> 6
Hardware.Mon.#1..: Temp: 44c Fan:  0% Util: 77% Core:1950MHz Mem:9251MHz Bus:16
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 13000 (RAR5)
Hash.Target......: $rar5$16$8ca9b503880e86a5fe6f15009cce8e34$15$98d036...b71499
Time.Started.....: Sun Nov 13 09:01:27 2022 (18 secs)
Time.Estimated...: Sun Nov 13 09:01:45 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: ?d?d?d?d?d?d [6]
Guess.Queue......: 6/10 (60.00%)
Speed.#1.........:    56689 H/s (0.67ms) @ Accel:32 Loops:32 Thr:512 Vec:1
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 1000000/1000000 (100.00%)
Rejected.........: 0/1000000 (0.00%)
Restore.Point....: 100000/100000 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:9-10 Iteration:32768-32799
Candidate.Engine.: Device Generator
Candidates.#1....: 623450 -> 676464
Hardware.Mon.#1..: Temp: 56c Fan: 53% Util: 90% Core:1950MHz Mem:9251MHz Bus:16

Approaching final keyspace - workload adjusted.
$rar5$16$8ca9b503880e86a5fe6f15009cce8e34$15$98d03625b8e2d8c79efaadede8aefb17$8$d4429c96a8b71499:20221111

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13000 (RAR5)
Hash.Target......: $rar5$16$8ca9b503880e86a5fe6f15009cce8e34$15$98d036...b71499
Time.Started.....: Sun Nov 13 09:03:36 2022 (2 mins, 34 secs)
Time.Estimated...: Sun Nov 13 09:06:10 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: ?d?d?d?d?d?d?d?d [8]
Guess.Queue......: 8/10 (80.00%)
Speed.#1.........:    94469 H/s (11.09ms) @ Accel:32 Loops:32 Thr:512 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 14483456/100000000 (14.48%)
Rejected.........: 0/14483456 (0.00%)
Restore.Point....: 1114112/10000000 (11.14%)
Restore.Sub.#1...: Salt:0 Amplifier:2-3 Iteration:32768-32799
Candidate.Engine.: Device Generator
Candidates.#1....: 28118989 -> 29947979
Hardware.Mon.#1..: Temp: 64c Fan: 67% Util: 96% Core:1830MHz Mem:9251MHz Bus:16

Started: Sun Nov 13 09:01:10 2022
Stopped: Sun Nov 13 09:06:10 2022

At the end of the first line of the last result you can see the recovered password, 20221111.
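The Progress totals in the status blocks above (10, 1000000, 100000000) are the number of candidates for each mask length. The following Python code is an added example, not part of the original post or of hashcat: it computes those counts for a mask under increment mode, including a custom charset such as -1 ?d?l, and estimates the time to exhaust a length. The function names are hypothetical and a constant hash rate is assumed.

```python
import string
from math import prod

# Character sets from hashcat's "Built-in Charsets" table shown above.
# ?b (all 256 byte values) is left out of this example.
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
    "s": " " + string.punctuation,
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]


def positions(spec, custom=None):
    """Split a mask (or a -1..-4 charset spec) into one character set per position."""
    custom = custom or {}
    out, i = [], 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key == "?":
                out.append({"?"})            # "??" is a literal question mark
            elif key in custom:
                out.append(set(custom[key]))
            elif key in BUILTIN:
                out.append(set(BUILTIN[key]))
            else:
                raise ValueError(f"unknown charset ?{key}")
            i += 2
        else:
            out.append({spec[i]})            # any other character is a literal
            i += 1
    return out


def custom_charset(spec):
    """Resolve a custom charset such as '?d?l' to its set of distinct characters."""
    return set().union(*positions(spec))


def candidates_by_length(mask, lo, hi, custom=None):
    """Candidates per length when -i truncates the mask to its first n positions."""
    sizes = [len(p) for p in positions(mask, custom)]
    return {n: prod(sizes[:n]) for n in range(lo, min(hi, len(sizes)) + 1)}


def worst_case_seconds(count, hashes_per_second):
    """Time to try every candidate at a constant rate (a simplifying assumption)."""
    return count / hashes_per_second
```

At the 94469 H/s reported above, all 8-digit candidates take under 18 minutes to exhaust, while an 8-character ?a mask has 95**8 candidates and would take on the order of two thousand years at the same rate.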

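A few points to note:

By default, OpenCL is used to run the cracking.

My graphics card is an RTX 3080; after installing the CUDA driver, the speed increased by nearly 10% in comparison.

The CPU device is only found after the CPU driver is installed.

Status has three states: Running | Exhausted | Cracked

Running means cracking is in progress.

Exhausted means every candidate of the current length has been tried without finding a result.

Cracked means the password has been found.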
