密码相关
1.简介
在渗透测试过程中会需要构建字典或者破解对应密码,在此收集相关工具
2.密码字典构建
密码字典通过公开字典集合进行收集和根据前期信息收集情况进行生成
公开字典集合
TheKingOfDuck/fuzzDicts: Web Pentesting Fuzz 字典,一个就够了。 (github.com)
insightglacier/Dictionary-Of-Pentesting: Dictionary collection project such as Pentesing, Fuzzing, Bruteforce and BugBounty. 渗透测试、SRC漏洞挖掘、爆破、Fuzzing等字典收集项目。 (github.com)
a3vilc0de/PentesterSpecialDict: Dictionary for penetration testers happy hacker (github.com)
danielmiessler/SecLists: SecLists is the security tester’s companion. It’s a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more. (github.com)
ohmybahgosh/RockYou2021.txt: RockYou2021.txt is a MASSIVE WORDLIST compiled of various other wordlists. RockYou2021.txt DOES NOT CONTAIN USER:PASS logins! (github.com)
k8gege/PasswordDic: 2011-2019年Top100弱口令密码字典 Top1000密码字典 服务器SSH/VPS密码字典 后台管理密码字典 数据库密码字典 子域名字典 (github.com)
rootphantomer/Blasting_dictionary: 爆破字典 (github.com)
字典生成工具
LandGrey/pydictor: A powerful and useful hacker dictionary builder for a brute-force attack (github.com)
zgjx6/SocialEngineeringDictionaryGenerator: 社会工程学密码生成器,是一个利用个人信息生成密码的工具 (github.com)
achuna33/weak_password: 可通过姓名、身份证、QQ号、手机号、生日信息、域名、邮箱,生成弱口令字典 (github.com)
3.密码破解
有时候需要对密码hash进行破解以获取明文
分布式hashcat
hashtopolis/server: Hashtopolis - 用于分布式密码恢复的 Hashcat 包装器 (github.com)
离线破解+在线接口(非常好用,避免多个网页进行查询MD5)
L-codes/pwcrack-framework: Password Crack Framework (github.com)
john
openwall/john: John the Ripper jumbo - advanced offline password cracker, which supports hundreds of hash and cipher types, and runs on many operating systems, CPUs, GPUs, and even some FPGAs (github.com)
hashcat
hashcat/hashcat: World’s fastest and most advanced password recovery utility (github.com)
常用软件密码破解
moonD4rk/HackBrowserData: Decrypt passwords/cookies/history/bookmarks from the browser. 一款可全平台运行的浏览器数据导出解密工具。 (github.com)
JDArmy/SharpXDecrypt: Xshell全版本密码恢复工具 (github.com)