使用 python 中的字典破解盐渍 hash
[英]Cracking a salted hash using a dictionary in python
问题描述
im currently attempting a question where i have to crack a salted hash in python given the hash e77decd0e7c8a7b4688b010241bece45 and the salt "$goodluck$".
我目前正在尝试一个问题,我必须破解 python 中的盐渍 hash 给定 hash e77decd0e70$luck2417b4688b 和“盐”。 I have tried downloading 10 million of the most popular passwords ( https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt ), and using that as a dictionary.我尝试下载 1000 万个最流行的密码( https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt ),并且用它作为字典。 I then attach the salt to the word, encrypt it and then hash it.然后我将盐附加到单词上,对其进行加密,然后对其进行 hash 加密。 This is then compared to the given hash value.然后将其与给定的 hash 值进行比较。 However i still have not been able to crack it.但是我仍然无法破解它。 Here is my code:这是我的代码:
import hashlib
from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes
from Crypto.Hash import MD5
def dictionary_attack(password_hash):
dic = lines #extracted from file
pass_found = False
for word in dic:
word = word+"$goodluck$"
key = get_random_bytes(16)
cipher = AES.new(key, AES.MODE_EAX)
ciphertext, tag = cipher.encrypt_and_digest(word.encode('utf-8'))
hashed_val = MD5.new()
hashed_val.update(ciphertext)
hashed_val = hashed_val.hexdigest()
if hashed_val == password_hash:
pass_found = True
recovered_password = word
if pass_found:
print("Your password is: {}".format(recovered_password))
else:
print("Password not found")
dictionary_attack("e77decd0e7c8a7b4688b010241bece45")
Any help would be greatly appreciated.任何帮助将不胜感激。 Thanks谢谢
1 个解决方案
解决方案1
0 2020-04-22 10:04:54
Did you use this or this list?你用了这个还是这个列表?
Please try a reverse approach so see if you algorithm works or if there is something wrong:请尝试反向方法,以查看您的算法是否有效或是否有问题:
- pick a password选一个密码
- salt it加盐
- get the hash获取 hash
- generate some small list with that password and some others使用该密码和其他一些生成一些小列表
- feed that list and the hash to your function and see if it works将该列表和 hash 提供给您的 function 并查看它是否有效
Ok, so that means that your code actually works and the password is not on the list.好的,这意味着您的代码确实有效,并且密码不在列表中。 Instead of using that list, find the "The Top 500 Worst Passwords " and try them.不要使用该列表,而是找到“最糟糕的 500 个密码”并尝试它们。
I don't know which library is faster, so just try it and get the duration for a reasonable amount of passwords to average out overhead, eg pick that many passwords that the duration is about one minute.我不知道哪个库更快,所以只需尝试并获得合理数量的密码的持续时间以平均开销,例如选择持续时间约为一分钟的那么多密码。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.