众所周知,GPU的计算能力在某些特定场景对比CPU会有数量级的差异。 在密码破解这块更是如此。
john是一个开源的离线密码解密工具,合理利用gpu算力可以大幅度加快爆破速度。官方支持通过opencl进行爆破解密。
pfx 是一种密码归档文件,一般用来存放 证书链、私钥等内容。我们的爆破主要是爆破私钥的密文。
硬件配置
在云计算的时代,我们自然优先考虑云上算力,随用随开,用完即走,而且配合使用竞价实例,物美价廉。
如下图所示,40C160G 2NVIDIA T4的机器,只要不到¥5.5/h,堪称网吧级定价,超算级享受。
john安装
购买完CVM,使用ssh登录后,可以看到贴心的腾讯云已经为我们安装好了Nvidia驱动和CUDA加速包。
使用 nvidia-smi指令可以查看硬件信息,我购置的是 1/4 T4显卡的机型。
ubuntu@VM-1-3-ubuntu:~/john/src$ nvidia-smi
Fri Jun 11 15:17:26 2021
+-----------------------------------------------------------------------------+
| NVIDIA-SMI 450.80.02 Driver Version: 450.80.02 CUDA Version: 11.0 |
|-------------------------------+----------------------+----------------------+
| GPU Name Persistence-M| Bus-Id Disp.A | Volatile Uncorr. ECC |
| Fan Temp Perf Pwr:Usage/Cap| Memory-Usage | GPU-Util Compute M. |
| | | MIG M. |
|===============================+======================+======================|
| 0 GRID T4-4C On | 00000000:00:08.0 Off | 0 |
| N/A N/A P0 N/A / N/A | 560MiB / 4096MiB | 0% Default |
| | | N/A |
+-------------------------------+----------------------+----------------------+
+-----------------------------------------------------------------------------+
| Processes: |
| GPU GI CI PID Type Process name GPU Memory |
| ID ID Usage |
|=============================================================================|
| No running processes found |
+-----------------------------------------------------------------------------+
因为john放弃掉了cuda的支持,采用了opencl进行加速,安装一下 opencl的开发包
sudo apt install ocl-icd-opencl-dev
接下来配置john
git clone https://hub.fastgit.org/openwall/john.git && cd ~/john/src/ && ./configure
不出意外的话可以看到OpenCL support ............................. yes,如果没有这个值的话则说明环境存在问题
接下来 执行 make -j 4 && make install 就好了
安装完成之后,在 src 的同级目录可以看到 run文件夹
cd ../ && ./run/john
破解pfx密钥
下载测试pfx文件,先使用指令安装python依赖
sudo apt install python3-pip && pip3 install --user asn1crypto
执行 python3 run/pfx2john.py ./server.pfx > server.hash 将pfx文件转成john可识别的格式。
这个 pfx2john的脚本也很简单,把pfx密钥的加密格式、salt值等提取出来,用固定格式输出。
def parse_pkcs12(filename):
data = open(filename, "rb").read()
pfx = pkcs12.Pfx.load(data)
auth_safe = pfx['auth_safe']
if auth_safe['content_type'].native != 'data':
raise ValueError(
'''
Only password-protected PKCS12 files are currently supported
'''
)
mac_data = pfx['mac_data']
if mac_data:
mac_algo = mac_data['mac']['digest_algorithm']['algorithm'].native
key_length = {
'sha1': 20,
'sha224': 28,
'sha256': 32,
'sha384': 48,
'sha512': 64,
'sha512_224': 28,
'sha512_256': 32,
}[mac_algo]
salt = mac_data['mac_salt'].native
iterations = mac_data['iterations'].native
mac_algo_numeric = -1
if mac_algo == "sha1":
mac_algo_numeric = 1
elif mac_algo == "sha224":
mac_algo_numeric = 224
elif mac_algo == "sha256":
mac_algo_numeric = 256
elif mac_algo == "sha384":
mac_algo_numeric = 384
elif mac_algo == "sha512":
mac_algo_numeric = 512
else:
sys.stderr.write("mac_algo %s is not supported yet!\n" % mac_algo)
return
stored_hmac = mac_data['mac']['digest'].native
data = auth_safe['content'].contents
size = len(salt)
sys.stdout.write("%s:$pfxng$%s$%s$%s$%s$%s$%s$%s:::::%s\n" %
(os.path.basename(filename), mac_algo_numeric,
key_length, iterations, size, binascii.hexlify(salt).decode(),
binascii.hexlify(data).decode(),
binascii.hexlify(stored_hmac).decode(), filename))
下载密码包
wget https://github.com/danielmiessler/SecLists/raw/master/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt
接下来使用john进行破解
ubuntu@VM-1-3-ubuntu:~/john$ ./run/john ./server.hash --format=pfx-opencl --wordlist=./10-million-password-list-top-1000000.txt
Device 1: GRID T4-4C
Using default input encoding: UTF-8
Loaded 1 password hash (pfx-opencl, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA-256/512) OpenCL])
Cost 1 (iteration count) is 2048 for all loaded hashes
Cost 2 (mac-type [1:SHA1 256:SHA256 512:SHA512]) is 1 for all loaded hashes
LWS=128 GWS=10240 (80 blocks)
Press 'q' or Ctrl-C to abort, almost any other key for status
123456789 (server.pfx)
1g 0:00:00:06 DONE (2021-06-11 16:04) 0.1594g/s 1633p/s 1633c/s 1633C/s 123456..jesus123
Use the "--show" option to display all of the cracked passwords reliably
Session completed
可以看到,已经爆破成功啦~ 使用openssl工具可以查看信息
ubuntu@VM-1-3-ubuntu:~/john$ openssl pkcs12 -info -in ./server.pfx
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
localKeyID: 5C 5B 4B 74 27 F1 5F DF 23 9C D6 47 5B 67 B9 66 C8 7A 2C D6
subject=C = cn, OU = custer, O = custer, CN = localhost
issuer=C = cn, ST = shanghai, L = shanghai, O = cluster, OU = cluster, CN = localhost
参考链接
- https://github.com/openwall/john
- https://zh.wikipedia.org/wiki/PKCS_12