0

我有一个hashcat通过 textarea 输入的命令行来验证。以下命令是正确的:

# wordlist attack
hashcat -a 0 -m 400 example400.hash example.dict
hashcat -a 0 -m 0 example0.hash example.dict -r rules/best64.rule
hashcat -a 0 -m 0 example0.hash example.dict -r rules/rule1.rule -r rule2.rule

# bruteforce attack
hashcat -a 3 -m 0 example0.hash ?a?a?a?a?a?a
hashcat -a 3 -m 0 example0.hash -1 ?l?d?s?u ?1?1?1?1?1?1?1?1?1

在哪里:

  • -a后跟 0 或 3(攻击类型)
  • -m后跟一个整数(哈希模式)
  • -r后跟文件路径(规则列表)
  • -1是自定义字符集,后跟一个模式

基本语法是:

# Word List Attack
hashcat -a 0 -m {int} {HASH_FILENAME} {DICTIONARY_FILENAME}
# Word List Attack with 1 Rule
hashcat -a 0 -m {int} {HASH_FILENAME} {DICTIONARY_FILENAME} -r {RULE_FILENAME}
# Word List Attack with multiple rules (can append infinite number of rules)
hashcat -a 0 -m {int} {HASH_FILENAME} {DICTIONARY_FILENAME} -r {RULE1_FILENAME} -r {RULE2_FILENAME}

其他语法可以在官方文档中找到。

我尝试在表单提交期间使用以下 jQuery 代码进行验证,但我未能捕捉到一些情况:

$('#frm_task').submit(function(event) {
    event.preventDefault();
    var cmd = $('#cmdLine').val(); // where the #cmdLine is the textarea
    cmd = cmd.replace('hashcat', '').trim();
    return checkCmd(cmd);
});

function checkCmd(cmd) {
    var args = cmd.split(' ');

    // Check for Attack Mode Flag
    var attackFlagPos = $.inArray('-a', args);
    if(attackFlagPos !== -1) {
        if(args[attackFlagPos + 1] != undefined && Number.isInteger(args[attackFlagPos + 1])) {
            args.splice(attackFlagPos, 2); // remove the found `-a` and the numeric value after
            cmd = args.join(' ');
            checkCmd(cmd); // check again
        } else {
            console.error('Syntax Error: Missing Attack Mode value');
            return false;
        }
    } else {
        console.error('Missing Attack flag');
        return false;
    }
    
    // Check for Hash Mode Flag
    var modeFlagPos = $.inArray('-m', args);
    if(modeFlagPos !== -1) {
        if(args[modeFlagPos + 1] != undefined && Number.isInteger(args[modeFlagPos + 1]) && (args[modeFlagPos + 1] == 0 || args[modeFlagPos + 1] == 3)) {
            args.splice(modeFlagPos, 2); // remove the found `-m` and the numeric value after
            cmd = args.join(' ');
            checkCmd(cmd); // check again
        } else {
            console.error('Syntax Error: Missing Hash Mode value');
            return false;
        }
    } else {
        console.error('Missing Mode flag');
        return false;
    }
    
    // Check for Rule Flags (extra rules will be checked and removed in the next iteration)
    var ruleFlagPos = $.inArray('-r', args);
    if(ruleFlagPos !== -1) { // Rule file flag exists
        if(args[ruleFlagPos + 1] != undefined && typeof args[ruleFlagPos + 1] == 'string') {
            args.splice(ruleFlagPos, 2); // remove the found `-r` and the rule file after
            cmd = args.join(' ');
            checkCmd(cmd); // check again
        } else {
            console.error('Missing Rule list');
            return false;
        }
    }

    // TODO: Check Bruteforce Attack syntaxes
    // Can I use Regex for this?
    
    // TODO: Check for Hashlist and Dictionary List
    // I am confused in this part, how can I differentiate the hashlist and dictionary list?

    // if everything is okay, return true to submit the form
    return true;
}

我的问题是:

  1. 如何简化这段代码?
  2. 如何检查暴力攻击模式(即-1 ?l?d?s?u ?1?1?1?1?1?1?1?1?1)?

抱歉问了这么长的问题。提前致谢。

4

0 回答 0