
This article is excerpted from 《内网安全攻防:红队之路》 (Intranet Security Attack and Defense: The Red Team Path).
During internal-network penetration tests we often come across sensitive files that have been password-protected, for example host login credentials or network topology documents. In that situation we can try to brute-force them with common weak passwords and with a password dictionary tailored to the target organisation.
The most common document types are Office and PDF files. Office documents can be cracked with John the Ripper, which can be downloaded from https://www.openwall.com/john/ (the Jumbo build is required, since it is the one that bundles the *2john converters used below).
The first step is to extract the document's encryption verifier (salt, key-derivation parameters and verifier hash) into john's hash format with office2john.py, available at https://github.com/openwall/john/blob/bleeding-jumbo/run/office2john.py:
C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>python office2john.py .\ms08067\ms08067.docx > office.txt
C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>python office2john.py .\ms08067\ms08067.xlsx >> office.txt
C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>type office.txt
ms08067.docx:$office$*2013*100000*256*16*5133eac9d7ed599366d5dee5dbc3ccb6*636ec27b7ab6901f64fb745f641b1a5b*5cb5657a8c16cd46b7ee0ce676aff65f02624d15c80d971888f708ab4459fe2b
ms08067.xlsx:$office$*2013*100000*256*16*d27f8878236c5a0002037aad390a9196*24277fea5d8a223a35fc9a596b67b5f6*a8cb1481d36ad38b71dca80aebd829a804b8b2b7651934bf7120e0472b24e9f3

Then run john against the file. Both documents crack with the password ms08067:
C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>john.exe --wordlist=password.lst office.txt
Warning: detected hash type "Office", but the string is also recognized as "office-opencl"
Use the "--format=office-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (Office, 2007/2010/2013 [SHA1 256/256 AVX2 8x / SHA512 256/256 AVX2 4x AES])
Cost 1 (MS Office version) is 2013 for all loaded hashes
Cost 2 (iteration count) is 100000 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ms08067 (ms08067.docx)
ms08067 (ms08067.xlsx)
2g 0:00:00:01 DONE (2021-09-26 22:08) 1.115g/s 142.7p/s 285.5c/s 285.5C/s lacrosse..flipper
Use the "--show" option to display all of the cracked passwords reliably
Session completed

PDF documents can be cracked with john as well; the procedure is the same as for Office documents. First convert the file into a hash john supports:
C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>perl pdf2john.pl .\ms08067\006.pdf > pdf.txt
C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>type pdf.txt
./ms08067/006.pdf:$pdf$4*4*128*-1028*1*16*1730ea102d5e5f4b9c60982b6629230e*32*0ded63df38b8340ff0bfc12b4807932100000000000000000000000000000000*32*9a670082327ba294b296232851313350661f2892bfb80472e0f9caea1677f6ed

Then crack it with john:
C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>john --wordlist=password.lst pdf.txt
Warning: invalid UTF-8 seen reading pdf.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PDF [MD5 SHA2 RC4/AES 32/64])
Cost 1 (revision) is 4 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ms08067 (./ms08067/006.pdf)
1g 0:00:00:00 DONE (2021-09-26 22:24) 21.27g/s 5446p/s 5446c/s 5446C/s 123456..flipper
Use the "--show --format=PDF" options to display all of the cracked passwords reliably
Session completed

KeePass is a password manager. If we find KeePass in use on a target host during a penetration test, we can also try to brute-force the master password of its database with John the Ripper and gain access to the credentials stored inside. Note that if the database is additionally protected by a key file, the master password alone will not open it; keepass2john accepts the key file with its -k option so that john tests the combination.
First convert the database's key-derivation parameters into a hash john supports:
C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>keepass2john.exe .\ms08067\ms08067.kdbx > kdbx.txt
C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>type kdbx.txt
ms08067:$keepass$*2*60000*0*05b9d680013b739917b17bad820193561956d7e98eee40ef1c7c95fd86cf75e1*4b185303cbf67555f3753a855e69f59c0944b4fb95fda5e154491b855d7a0da1*97ef796dcf8e24ed26e35b7c00f29efc*4f9b8cba8f317e8b41bb17ac3372c6fc7287c85914bb9f5a30dc7add8af8407d*ea3f4c70aabff2bb9cfb5125e7b14f779663217a80cb6741909f60a4dbe9ac08

Then crack it with john. The master password is recovered as ms08067:
C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>john --wordlist=password.lst kdbx.txt
Warning: detected hash type "KeePass", but the string is also recognized as "KeePass-opencl"
Use the "--format=KeePass-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 60000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES, 1=TwoFish, 2=ChaCha]) is 0 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ms08067 (ms08067)
1g 0:00:00:01 DONE (2021-09-26 22:27) 0.8210g/s 183.9p/s 183.9c/s 183.9C/s lacrosse..tommy
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Password-protected archives such as zip, 7z and rar can also be cracked with John the Ripper. The procedure is essentially identical: first convert the archive's encryption parameters into a hash john supports, then crack it with john.exe.
Cracking a zip password. The "PKZIP Encr" line that zip2john prints shows this archive uses legacy ZipCrypto encryption, which has no key stretching (hence the tens of thousands of candidates per second below); archives encrypted with WinZip AES produce $zip2$ hashes instead and crack far more slowly:
C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>zip2john.exe .\ms08067\ms08067.zip > zip.txt
ver 2.0 ms08067.zip/test.docx PKZIP Encr: cmplen=13349, decmplen=17920, crc=D2B97C0A
C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>type zip.txt
ms08067.zip/test.docx:$pkzip2$1*1*2*0*3425*4600*d2b97c0a*0*27*8*3425*d2b9*b6c0*618ffe9014e5802c4647727d8bf7ad62f41edce21a49cdec39939a98c8f798b133a6dd681175b1d1f
...omitted...
9f6d5d748fd2b25f9fd3a4f11*$/pkzip2$:test.docx:ms08067.zip::.\ms08067\ms08067.zip
C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>john --wordlist=password.lst zip.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ms08067 (ms08067.zip/test.docx)
1g 0:00:00:00 DONE (2021-09-26 22:29) 20.00g/s 70940p/s 70940c/s 70940C/s 123456..sss
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Cracking a 7z password:
C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>perl 7z2john.pl .\ms08067\ms08067.7z > 7z.txt
C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>type 7z.txt
ms08067.7z:$7z$0$19$0$$8$5936cc98cdd54bdc0000000000000000$2638155691$128$128$3de888a246590da5acf1f052ead3a2a439bc103081e365b5f849aa3ca61316953bfb3313132ff8089393b58ebd35d3be3518712824248d0a56e08077a5d4e23ea64b9479c1387f4a7e4bf2199d407be5d54a76578556a64074b6334217a63de4f51bfb8cc48c3e8c9bafb8a813e68d7473ff3ef42e88762e15001a7f47525f77
C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>john --wordlist=password.lst 7z.txt
Warning: detected hash type "7z", but the string is also recognized as "7z-opencl"
Use the "--format=7z-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (7z, 7-Zip [SHA256 256/256 AVX2 8x AES])
Cost 1 (iteration count) is 524288 for all loaded hashes
Cost 2 (padding size) is 0 for all loaded hashes
Cost 3 (compression type) is 0 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ms08067 (ms08067.7z)
1g 0:00:00:02 DONE (2021-09-26 22:31) 0.4397g/s 112.5p/s 112.5c/s 112.5C/s lacrosse..flipper
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Cracking a rar password (this archive is in RAR5 format; for RAR 3.x archives rar2john emits $RAR3$ hashes instead):
C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>rar2john.exe .\ms08067\ms08067.rar > rar.txt
C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>type rar.txt
.\ms08067\ms08067.rar:$rar5$16$73402e4e30b84b2a8644e2b12e73fd7d$15$9c4b7cf5791cf67239f2e3b4da53127c$8$616aafce8c4d7743
C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>john --wordlist=password.lst rar.txt
Warning: detected hash type "RAR5", but the string is also recognized as "RAR5-opencl"
Use the "--format=RAR5-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (RAR5 [PBKDF2-SHA256 256/256 AVX2 8x])
Cost 1 (iteration count) is 32768 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ms08067 (.\ms08067\ms08067.rar)
1g 0:00:00:00 DONE (2021-09-26 22:35) 3.891g/s 996.1p/s 996.1c/s 996.1C/s 123456..flipper
Use the "--show" option to display all of the cracked passwords reliably
Session completed

John the Ripper can also crack the password of a pfx (PKCS#12) certificate file. As before, convert it to a hash first:
C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>python pfx2john.py .\ms08067\ms08067.pfx > pfx.txt
C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>type pfx.txt
ms08067.pfx:$pfxng$1$20$2048$8$da005f7d3510770c$308209b03082046706092a864886f70d01070
...省略...
65f7499b4c0b84182d592f2$0f0a94e6edf446bfdc8266563ba010ebd9b33cc9:::::.\ms08067\ms08067.pfx

Then crack it with john.exe:
C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>john --wordlist=password.lst pfx.txt
Warning: detected hash type "pfx", but the string is also recognized as "pfx-opencl"
Use the "--format=pfx-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (pfx [PKCS12 PBE (.pfx, .p12) (SHA-1 to SHA-512) 256/256 AVX2 8x])
Cost 1 (iteration count) is 2048 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password (ms08067.pfx)
1g 0:00:00:00 DONE (2021-09-26 22:36) 12.34g/s 25283p/s 25283c/s 25283C/s 123456..mylove
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Once the password has been cracked we can verify it with certutil. With a wrong password certutil fails with ERROR_INVALID_PASSWORD; with the correct password it prints the certificate details:
C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>certutil -dump .\ms08067\ms08067.pfx
Enter PFX password: (wrong password)
Cannot decode object: The specified network password is not correct. 0x80070056 (WIN32: 86 ERROR_INVALID_PASSWORD)
CertUtil: -dump command FAILED: 0x80070056 (WIN32: 86 ERROR_INVALID_PASSWORD)
CertUtil: The specified network password is not correct.
C:\Users\test\Desktop\ms08067\内网安全2.0\12Brute-force\john-1.9.0-jumbo-1-win64\run>certutil -dump .\ms08067\ms08067.pfx
Enter PFX password: (correct password)
================ Certificate 0 ================
================ Begin Nesting Level 1 ================
Element 0:
Serial Number: 3285e458285080fbb584ca986fc3000bcf5ff652
Issuer: E=root@ms08067.cn, OU=ms08067, O=ms08067, L=shanghai, S=SH, C=CN
NotBefore: 2021/8/22 22:27
NotAfter: 2031/8/20 22:27
Subject: E=root@ms08067.cn, OU=ms08067, O=ms08067, L=shanghai, S=SH, C=CN
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 7c518c92c2126bec265f7499b4c0b84182d592f2
---------------- End Nesting Level 1 ----------------
Provider = Microsoft Enhanced Cryptographic Provider v1.0
Encryption test passed
CertUtil: -dump command completed successfully.

This article was shared from the Ms08067安全实验室 (Ms08067 Security Lab) WeChat official account.
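The hash lines produced by the various *2john converters above all share one shape, and the "Cost" values john prints for them are what decide whether a wordlist run finishes in seconds (ZipCrypto, PDF) or takes hours (7z, Office 2013). The following Python script is an added example, not code from the book or from the John the Ripper project: it parses the *2john lines shown in this chapter, ranks the targets cheapest-KDF-first, and re-implements the RAR5 password check in standard-library Python so that a cracked RAR password can be confirmed independently of john, in the same spirit as the certutil check used above for the .pfx file. The sample lines are copied from this chapter except the pkzip2 and pfxng entries, whose long payloads (elided in the chapter) are replaced with constructed placeholders the parser never reads; the field layouts follow what the *2john converters write, and the RAR5 check follows unrar's SetKey50 derivation.

```python
"""Triage *2john hash lines and confirm a RAR5 crack without unrar (stdlib only)."""
import hashlib
import hmac
import re
from dataclasses import dataclass

# The $tag$ formats written by the converters used in this chapter.
TAG_RE = re.compile(r"\$(office|pdf|keepass|7z|rar5|pkzip2|pfxng)\$")


@dataclass
class JohnHash:
    label: str        # what *2john wrote before the hash (file name or KeePass db name)
    fmt: str          # john format tag
    iterations: int   # key-stretching rounds, what john prints as "Cost 1" (1 = none)
    detail: str       # cipher / version notes for the report


def parse_john_line(line: str) -> JohnHash:
    """Parse one line of *2john output into label, format and KDF cost."""
    m = TAG_RE.search(line)
    if not m:
        raise ValueError(f"no supported $tag$ hash in: {line[:40]!r}")
    label, tag = line[:m.start()].rstrip(":"), m.group(1)
    # pkzip2 hashes end in "$/pkzip2$"; every format may be followed by john's
    # passwd-style ":uid:gid:..." columns, which *2john fills with the source path.
    body = line[m.end():].split("$/pkzip2$", 1)[0].split(":", 1)[0]
    star = body.strip("*").split("*")    # office, pdf, keepass, pkzip2 separate fields with '*'
    dollar = body.strip("$").split("$")  # 7z, rar5, pfxng separate fields with '$'
    if tag == "office":   # version*spin*keybits*saltlen*salt*verifier*verifierhash
        version, spin, keybits = int(star[0]), int(star[1]), int(star[2])
        digest = "SHA-512" if version >= 2013 else "SHA-1"
        return JohnHash(label, tag, spin, f"Office {version} agile encryption, AES-{keybits}, {digest} x {spin}")
    if tag == "pdf":      # V*R*keylen*P*encrypt_metadata*idlen*id*ulen*u*olen*o
        rev, keylen = int(star[1]), int(star[2])
        rounds = {2: 1, 3: 50, 4: 50, 5: 1}.get(rev, 64)  # R2-R4 MD5, R5 SHA-256, R6 at least 64 rounds
        return JohnHash(label, tag, rounds, f"PDF standard security handler R{rev}, {keylen}-bit key")
    if tag == "keepass":  # version*rounds*algorithm*seed*transform_seed*iv*expected*contents_hash
        version, rounds, algo = int(star[0]), int(star[1]), int(star[2])
        cipher = {0: "AES", 1: "TwoFish", 2: "ChaCha"}.get(algo, f"algorithm {algo}")
        return JohnHash(label, tag, rounds, f"KDBX v{version}, {cipher}, {rounds} AES-KDF transform rounds")
    if tag == "7z":       # type$cycles_power$saltlen$salt$ivlen$iv$crc$len$unpacked$data
        ctype, power = int(dollar[0]), int(dollar[1])
        return JohnHash(label, tag, 1 << power, f"7-Zip AES-256, SHA-256 x 2^{power}, coder type {ctype}")
    if tag == "rar5":     # saltlen$salt$log2count$iv$checklen$pswcheck
        log2 = int(dollar[2])
        return JohnHash(label, tag, 1 << log2, f"RAR5, PBKDF2-HMAC-SHA256 x 2^{log2} (+32 for the check value)")
    if tag == "pkzip2":   # ZipCrypto carries no KDF at all
        return JohnHash(label, tag, 1, f"ZipCrypto (traditional PKWARE cipher), {star[0]} file(s); known-plaintext attacks apply")
    macs = {1: "SHA-1", 224: "SHA-224", 256: "SHA-256", 384: "SHA-384", 512: "SHA-512"}
    return JohnHash(label, tag, int(dollar[2]),  # pfxng: mac_type$keylen$iterations$saltlen$salt$data$mac
                    f"PKCS#12 PBE, MAC {macs.get(int(dollar[0]), dollar[0])}")


def rank_targets(lines):
    """Cheapest KDF first: the order in which to feed hashes to john when time is short."""
    return sorted((parse_john_line(l) for l in lines if TAG_RE.search(l)), key=lambda h: h.iterations)


def rar5_pswcheck(password: str, salt: bytes, log2_count: int) -> bytes:
    """RAR5 password-check value as unrar's SetKey50/pbkdf2 derive it.

    unrar runs one PBKDF2-HMAC-SHA256 block for 2**log2_count rounds (file key),
    16 more (hash key) and 16 more (check value) without resetting the XOR
    accumulator, so the check value is plain PBKDF2 after 2**log2_count + 32
    rounds, folded down to 8 bytes.
    """
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, (1 << log2_count) + 32, 32)
    check = bytearray(8)
    for i, b in enumerate(dk):
        check[i % 8] ^= b
    return bytes(check)


def rar5_verify(candidate: str, john_line: str) -> bool:
    """Check a cracked password against a $rar5$ line (only salt, round count and pswcheck matter)."""
    f = john_line[john_line.index("$rar5$") + 6:].split(":", 1)[0].split("$")
    salt, log2_count, pswcheck = bytes.fromhex(f[1]), int(f[2]), bytes.fromhex(f[5])
    return hmac.compare_digest(rar5_pswcheck(candidate, salt, log2_count), pswcheck)


# Hash lines copied from this chapter. The pkzip2 and pfxng payloads (elided in the
# chapter) are replaced by constructed placeholders; the parser never reads them.
CHAPTER_HASHES = [
    "ms08067.docx:$office$*2013*100000*256*16*5133eac9d7ed599366d5dee5dbc3ccb6*636ec27b7ab6901f64fb745f641b1a5b*5cb5657a8c16cd46b7ee0ce676aff65f02624d15c80d971888f708ab4459fe2b",
    "./ms08067/006.pdf:$pdf$4*4*128*-1028*1*16*1730ea102d5e5f4b9c60982b6629230e*32*0ded63df38b8340ff0bfc12b4807932100000000000000000000000000000000*32*9a670082327ba294b296232851313350661f2892bfb80472e0f9caea1677f6ed",
    "ms08067:$keepass$*2*60000*0*05b9d680013b739917b17bad820193561956d7e98eee40ef1c7c95fd86cf75e1*4b185303cbf67555f3753a855e69f59c0944b4fb95fda5e154491b855d7a0da1*97ef796dcf8e24ed26e35b7c00f29efc*4f9b8cba8f317e8b41bb17ac3372c6fc7287c85914bb9f5a30dc7add8af8407d*ea3f4c70aabff2bb9cfb5125e7b14f779663217a80cb6741909f60a4dbe9ac08",
    r"ms08067.zip/test.docx:$pkzip2$1*1*2*0*3425*4600*d2b97c0a*0*27*8*3425*d2b9*b6c0*deadbeef*$/pkzip2$:test.docx:ms08067.zip::.\ms08067\ms08067.zip",
    "ms08067.7z:$7z$0$19$0$$8$5936cc98cdd54bdc0000000000000000$2638155691$128$128$3de888a246590da5acf1f052ead3a2a439bc103081e365b5f849aa3ca61316953bfb3313132ff8089393b58ebd35d3be3518712824248d0a56e08077a5d4e23ea64b9479c1387f4a7e4bf2199d407be5d54a76578556a64074b6334217a63de4f51bfb8cc48c3e8c9bafb8a813e68d7473ff3ef42e88762e15001a7f47525f77",
    r".\ms08067\ms08067.rar:$rar5$16$73402e4e30b84b2a8644e2b12e73fd7d$15$9c4b7cf5791cf67239f2e3b4da53127c$8$616aafce8c4d7743",
    r"ms08067.pfx:$pfxng$1$20$2048$8$da005f7d3510770c$3082$0f0a94e6edf446bfdc8266563ba010ebd9b33cc9:::::.\ms08067\ms08067.pfx",
]

if __name__ == "__main__":
    for h in rank_targets(CHAPTER_HASHES):
        print(f"{h.iterations:>8}  {h.fmt:<8} {h.label:<24} {h.detail}")
    rar_line = next(l for l in CHAPTER_HASHES if "$rar5$" in l)
    print("chapter RAR5 hash accepts 'ms08067':", rar5_verify("ms08067", rar_line))
```

Run as-is it prints the seven targets from cheapest to most expensive (ZipCrypto and the PDF first, the 7z archive with its 2^19 SHA-256 rounds last), which matches the p/s figures john reported in the sessions above. For the RAR5 check only the salt, the log2 round count and the 8-byte pswcheck field are used; the IV in the hash line serves file decryption and plays no part in password verification, and the 8-byte comparison is why unrar can reject a wrong password before decrypting any data.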