我有一个hashcat
通过 textarea 输入的命令行来验证。以下命令是正确的:
# wordlist attack
hashcat -a 0 -m 400 example400.hash example.dict
hashcat -a 0 -m 0 example0.hash example.dict -r rules/best64.rule
hashcat -a 0 -m 0 example0.hash example.dict -r rules/rule1.rule -r rule2.rule
# bruteforce attack
hashcat -a 3 -m 0 example0.hash ?a?a?a?a?a?a
hashcat -a 3 -m 0 example0.hash -1 ?l?d?s?u ?1?1?1?1?1?1?1?1?1
在哪里:
-a
后跟 0 或 3(攻击类型)-m
后跟一个整数(哈希模式)-r
后跟文件路径(规则列表)-1
是自定义字符集,后跟一个模式
基本语法是:
# Word List Attack
hashcat -a 0 -m {int} {HASH_FILENAME} {DICTIONARY_FILENAME}
# Word List Attack with 1 Rule
hashcat -a 0 -m {int} {HASH_FILENAME} {DICTIONARY_FILENAME} -r {RULE_FILENAME}
# Word List Attack with multiple rules (can append infinite number of rules)
hashcat -a 0 -m {int} {HASH_FILENAME} {DICTIONARY_FILENAME} -r {RULE1_FILENAME} -r {RULE2_FILENAME}
其他语法可以在官方文档中找到。
我尝试在表单提交期间使用以下 jQuery 代码进行验证,但我未能捕捉到一些情况:
$('#frm_task').submit(function(event) {
event.preventDefault();
var cmd = $('#cmdLine').val(); // where the #cmdLine is the textarea
cmd = cmd.replace('hashcat', '').trim();
return checkCmd(cmd);
});
function checkCmd(cmd) {
var args = cmd.split(' ');
// Check for Attack Mode Flag
var attackFlagPos = $.inArray('-a', args);
if(attackFlagPos !== -1) {
if(args[attackFlagPos + 1] != undefined && Number.isInteger(args[attackFlagPos + 1])) {
args.splice(attackFlagPos, 2); // remove the found `-a` and the numeric value after
cmd = args.join(' ');
checkCmd(cmd); // check again
} else {
console.error('Syntax Error: Missing Attack Mode value');
return false;
}
} else {
console.error('Missing Attack flag');
return false;
}
// Check for Hash Mode Flag
var modeFlagPos = $.inArray('-m', args);
if(modeFlagPos !== -1) {
if(args[modeFlagPos + 1] != undefined && Number.isInteger(args[modeFlagPos + 1]) && (args[modeFlagPos + 1] == 0 || args[modeFlagPos + 1] == 3)) {
args.splice(modeFlagPos, 2); // remove the found `-m` and the numeric value after
cmd = args.join(' ');
checkCmd(cmd); // check again
} else {
console.error('Syntax Error: Missing Hash Mode value');
return false;
}
} else {
console.error('Missing Mode flag');
return false;
}
// Check for Rule Flags (extra rules will be checked and removed in the next iteration)
var ruleFlagPos = $.inArray('-r', args);
if(ruleFlagPos !== -1) { // Rule file flag exists
if(args[ruleFlagPos + 1] != undefined && typeof args[ruleFlagPos + 1] == 'string') {
args.splice(ruleFlagPos, 2); // remove the found `-r` and the rule file after
cmd = args.join(' ');
checkCmd(cmd); // check again
} else {
console.error('Missing Rule list');
return false;
}
}
// TODO: Check Bruteforce Attack syntaxes
// Can I use Regex for this?
// TODO: Check for Hashlist and Dictionary List
// I am confused in this part, how can I differentiate the hashlist and dictionary list?
// if everything is okay, return true to submit the form
return true;
}
我的问题是:
- 如何简化这段代码?
- 如何检查暴力攻击模式(即
-1 ?l?d?s?u ?1?1?1?1?1?1?1?1?1
)?
抱歉问了这么长的问题。提前致谢。