大家好,我正在弄清楚 Pbkdf2_sha256 是如何工作的。这是我目前正在研究的一些破解哈希值PBKDF2 pbkdf2_sha256$10000$005OtPxTXhPq$K/2GplWPJsBVj+qbgdKW8YEteQyUkIiquT5MaOhPo4Y=:harryPBKDF2 pbkdf2_sha256$10000$00Qhibr5Mbeg$l9grYueDrl3qN3NA7e9j5PodgV1XkGTz0Z6ajhF99AY=:radioPBKDF2 pbkdf2_sha256$10000$00h7h0g1ZKE1$YEobSm/y+cFg/VXhU4gGYJ6eOkZ68jhJ5axDu68Dack=:momoPBKDF2 pbkdf2_sha256$10000$01JMkfGk1RXh$vD+GGZshw5kExtZOpl5+Lht3xECULdbNVOesoTicxto=:fredPBKDF2 pbkdf2_sha256$10000$01vkw1viCg4J$2hjlbq10Jh/Su3yqjKfYCnCSt1WlKcKJtsqDET618M0=:getPBKDF2 pbkdf2_sha256$10000$01wayF5JLVSZ$2/9COWqb6SZG/raqabtU8fNBzkrt2puN7SaKw0U7jBs=:987456321这是我用于计算哈希值的代码和输出>>> from passlib.hash import pbkdf2_sha256>>> from passlib.utils.binary import ab64_decode>>> print(pbkdf2_sha256.hash("harry", rounds=10000, salt=ab64_decode(b'005OtPxTXhPq')))$pbkdf2-sha256$10000$005OtPxTXhPq$l9LhRMPBW.EEdlBE9b.P0Z70Kxidl9EJhfGK7FiLUHA比较这两者,您可以看到差异。$pbkdf2_sha256$10000$005OtPxTXhPq$K/2GplWPJsBVj+qbgdKW8YEteQyUkIiquT5MaOhPo4Y=$pbkdf2-sha256$10000$005OtPxTXhPq$l9LhRMPBW.EEdlBE9b.P0Z70Kxidl9EJhfGK7FiLUHA有人可以解释一下造成这种情况的原因以及如何计算正确的哈希值吗?
2 回答
繁星coding
TA贡献1797条经验 获得超4个赞
正如评论中已经提到的,发布的数据的格式与passlib不同:passlib格式解释如下。盐和哈希(校验和)是 Base64 编码的。使用了一种特殊的 Base64 变体,其解释如下:Padding( =) 和空格被省略并被.应用+。
另一方面,发布数据的哈希值是标准 Base64 编码(即用+代替.)和填充 ( =)。此外,盐是 UTF8 解码的。
如果考虑到这一点,盐和哈希值是相同的。以下代码从发布的数据中确定passlib数据,并比较 salt 和 hash,其中发布的数据的 salt 和 hash 以passlib格式显示(即使用passlib Base64 变体和 Base64 编码的 salt):
from passlib.hash import pbkdf2_sha256
from base64 import b64decode
from passlib.utils.binary import ab64_encode
def hashAndCompare(crackedHash):
crackedChain = crackedHash.split('$')
#crackedChainDigest = crackedChain[0]
crackedChainRounds = crackedChain[1]
crackedChainSalt = crackedChain[2]
crackedChainSaltPasslibFormat = ab64_encode(crackedChainSalt.encode('utf8')).decode('utf8')
crackedChainHashData = crackedChain[3].split(':')
crackedChainHash = crackedChainHashData[0]
crackedChainHashPasslibFormat = ab64_encode(b64decode(crackedChainHash)).decode('utf8')
crackedChainData = crackedChainHashData[1]
passlibHash = pbkdf2_sha256.hash(crackedChainData, rounds=crackedChainRounds, salt=crackedChainSalt.encode('utf8'))
passlibChain = passlibHash.split('$')
passlibChainSalt = passlibChain[3]
passlibChainHash = passlibChain[4]
print('Passlib: Hash: {0} Salt: {1}\nCracked: Hash: {2} Salt: {3}\n'.format(passlibChainHash, passlibChainSalt, crackedChainHashPasslibFormat, crackedChainSaltPasslibFormat))
hashAndCompare('pbkdf2_sha256$10000$005OtPxTXhPq$K/2GplWPJsBVj+qbgdKW8YEteQyUkIiquT5MaOhPo4Y=:harry')
hashAndCompare('pbkdf2_sha256$10000$00Qhibr5Mbeg$l9grYueDrl3qN3NA7e9j5PodgV1XkGTz0Z6ajhF99AY=:radio')
hashAndCompare('pbkdf2_sha256$10000$00h7h0g1ZKE1$YEobSm/y+cFg/VXhU4gGYJ6eOkZ68jhJ5axDu68Dack=:momo')
hashAndCompare('pbkdf2_sha256$10000$01JMkfGk1RXh$vD+GGZshw5kExtZOpl5+Lht3xECULdbNVOesoTicxto=:fred')
hashAndCompare('pbkdf2_sha256$10000$01vkw1viCg4J$2hjlbq10Jh/Su3yqjKfYCnCSt1WlKcKJtsqDET618M0=:get')
hashAndCompare('pbkdf2_sha256$10000$01wayF5JLVSZ$2/9COWqb6SZG/raqabtU8fNBzkrt2puN7SaKw0U7jBs=:987456321')
盐和哈希值与一致的编码相同:
Passlib: Hash: K/2GplWPJsBVj.qbgdKW8YEteQyUkIiquT5MaOhPo4Y Salt: MDA1T3RQeFRYaFBx
Cracked: Hash: K/2GplWPJsBVj.qbgdKW8YEteQyUkIiquT5MaOhPo4Y Salt: MDA1T3RQeFRYaFBx
Passlib: Hash: l9grYueDrl3qN3NA7e9j5PodgV1XkGTz0Z6ajhF99AY Salt: MDBRaGlicjVNYmVn
Cracked: Hash: l9grYueDrl3qN3NA7e9j5PodgV1XkGTz0Z6ajhF99AY Salt: MDBRaGlicjVNYmVn
Passlib: Hash: YEobSm/y.cFg/VXhU4gGYJ6eOkZ68jhJ5axDu68Dack Salt: MDBoN2gwZzFaS0Ux
Cracked: Hash: YEobSm/y.cFg/VXhU4gGYJ6eOkZ68jhJ5axDu68Dack Salt: MDBoN2gwZzFaS0Ux
Passlib: Hash: vD.GGZshw5kExtZOpl5.Lht3xECULdbNVOesoTicxto Salt: MDFKTWtmR2sxUlho
Cracked: Hash: vD.GGZshw5kExtZOpl5.Lht3xECULdbNVOesoTicxto Salt: MDFKTWtmR2sxUlho
Passlib: Hash: 2hjlbq10Jh/Su3yqjKfYCnCSt1WlKcKJtsqDET618M0 Salt: MDF2a3cxdmlDZzRK
Cracked: Hash: 2hjlbq10Jh/Su3yqjKfYCnCSt1WlKcKJtsqDET618M0 Salt: MDF2a3cxdmlDZzRK
Passlib: Hash: 2/9COWqb6SZG/raqabtU8fNBzkrt2puN7SaKw0U7jBs Salt: MDF3YXlGNUpMVlNa
Cracked: Hash: 2/9COWqb6SZG/raqabtU8fNBzkrt2puN7SaKw0U7jBs Salt: MDF3YXlGNUpMVlNa
GCT1015
TA贡献1827条经验 获得超4个赞
该格式由 Django 使用,并且 passlib 有该格式的函数:Django 1.4 Hashes。
所以,我在 python 的 shell 中这样做了:
>>> from passlib.hash import django_pbkdf2_sha256
>>> secret = 'harry'
>>> hash = 'pbkdf2_sha256$10000$005OtPxTXhPq$K/2GplWPJsBVj+qbgdKW8YEteQyUkIiquT5MaOhPo4Y='
>>> django_pbkdf2_sha256.verify(secret, hash)
True
>>> rounds = hash.split('$')[1]
>>> salt = hash.split('$')[2]
>>> django_pbkdf2_sha256.hash(secret, rounds=rounds, salt=salt) == hash
True
添加回答
举报
0/150
提交
取消