{"id":1041,"date":"2021-01-05T10:05:51","date_gmt":"2021-01-05T09:05:51","guid":{"rendered":"https:\/\/blog.tiraquelibras.com\/?p=1041"},"modified":"2021-01-05T14:54:41","modified_gmt":"2021-01-05T13:54:41","slug":"cifrar-y-descifrar-contrasenas-por-fuerza-bruta-con-python","status":"publish","type":"post","link":"https:\/\/blog.tiraquelibras.com\/?p=1041","title":{"rendered":"Hashing and brute-force cracking passwords with Python"},"content":{"rendered":"\n<p>In this post we look at a technique for recovering passwords by brute force from their <em>hash<\/em> in any of the formats <em>MD5, SHA1, SHA224, SHA256, SHA384<\/em> and <em>SHA512<\/em>. Strictly speaking these are hash functions, not ciphers: a digest cannot be decrypted, so \"cracking\" here means hashing candidate passwords from a wordlist until one of them produces the same digest.<\/p>\n\n\n\n<p>First we obtain the <em>hash<\/em> of a plaintext password in all of these formats so that we have something to test against; that digest is what we will compare each candidate credential to.<\/p>\n\n\n\n<p><span class=\"has-inline-color has-vivid-red-color\"><strong>This post is written solely for educational purposes and not for the malicious or criminal use of its information. 
It is the reader's responsibility to make good use of this information.<\/strong><\/span><\/p>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Recursos\"><\/span>Resources<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>To identify the password we will use the wordlists from <strong>SecLists<\/strong> published in its official <a href=\"https:\/\/github.com\/danielmiessler\/SecLists\" class=\"external external_icon\" rel=\"nofollow\" target=\"_blank\">GitHub<\/a> repository, specifically the <a href=\"https:\/\/github.com\/danielmiessler\/SecLists\/tree\/master\/Passwords\/Common-Credentials\" class=\"external external_icon\" rel=\"nofollow\" target=\"_blank\">Passwords &#8211; Common-Credentials<\/a> section, from which we download the file <a 
href=\"https:\/\/github.com\/danielmiessler\/SecLists\/blob\/master\/Passwords\/Common-Credentials\/10-million-password-list-top-1000000.txt\" class=\"external external_icon\" rel=\"nofollow\" target=\"_blank\">10-million-password-list-top-1000000.txt<\/a>.<\/p>\n\n\n\n<p>The same lists are packaged as a <a href=\"https:\/\/tools.kali.org\/password-attacks\/seclists\" class=\"external external_icon\" rel=\"nofollow\" target=\"_blank\">Kali Linux tool<\/a> for security testing.<\/p>\n\n\n\n<p>We will also use the Python standard-library module <a href=\"https:\/\/docs.python.org\/3\/library\/hashlib.html\" class=\"external external_icon\" rel=\"nofollow\" target=\"_blank\">hashlib<\/a>.<\/p>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Cifrar_contrasena\"><\/span>Hashing the password<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>First we run the commands in an interactive console to see how the program works step by step.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Consola\"><\/span>Console<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>To hash the password in the different formats we start from its plaintext. 
We import the module and encode the password as <em>UTF-8<\/em> bytes, because the hash functions operate on bytes rather than on <em>str<\/em>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"python\" class=\"language-python\">&gt;&gt;&gt; import hashlib\n&gt;&gt;&gt; pwd = 'q1w2e3r4t5'\n&gt;&gt;&gt; pwd\n'q1w2e3r4t5'\n&gt;&gt;&gt; clave = pwd.encode('utf-8')\n&gt;&gt;&gt; clave\nb'q1w2e3r4t5'<\/code><\/pre>\n\n\n\n<p>Now we can obtain the <em>hash<\/em> of the password in any of the listed formats. The <em>hashlib<\/em> constructor returns a hash object, and its <em>hexdigest()<\/em> method returns the digest as an ordinary <em>str<\/em>, which is why <em>dir()<\/em> on the result lists the string methods:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"python\" class=\"language-python\">&gt;&gt;&gt; hashlib.md5(clave)\n&lt;md5 HASH object @ 0x010A3EC0&gt;\n\n&gt;&gt;&gt; dir(hashlib.md5(clave).hexdigest())\n['__add__', '__class__', '__contains__', '__delattr__', '__dir__', '__doc__', '__eq__',\n '__format__', '__ge__', '__getattribute__', '__getitem__', '__getnewargs__', '__gt__',\n '__hash__', '__init__', '__init_subclass__', '__iter__', '__le__', '__len__', '__lt__',\n '__mod__', '__mul__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__',\n '__rmod__', '__rmul__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__',\n 'capitalize', 'casefold', 'center', 'count', 'encode', 'endswith', 'expandtabs',\n 'find', 'format', 'format_map', 'index', 'isalnum', 'isalpha', 'isascii', 'isdecimal',\n 'isdigit', 'isidentifier', 'islower', 'isnumeric', 'isprintable', 'isspace', 'istitle',\n 'isupper', 'join', 'ljust', 'lower', 'lstrip', 'maketrans', 'partition', 'replace',\n 'rfind', 'rindex', 'rjust', 'rpartition', 'rsplit', 'rstrip', 'split', 'splitlines',\n 'startswith', 'strip', 'swapcase', 'title', 'translate', 'upper', 'zfill']<\/code><\/pre>\n\n\n\n<p>These are the hashes of the credential, together with the length in hex characters of each digest (the length alone identifies which of the six functions produced it):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"python\" class=\"language-python\">&gt;&gt;&gt; hashlib.md5(clave).hexdigest()\n'42d8aa7cde9c78c4757862d84620c335'\n&gt;&gt;&gt; 
len(hashlib.md5(clave).hexdigest())\n32\n\n&gt;&gt;&gt; hashlib.sha1(clave).hexdigest()\n'5d70c3d101efd9cc0a69f4df2ddf33b21e641f6a'\n&gt;&gt;&gt; len(hashlib.sha1(clave).hexdigest())\n40\n\n&gt;&gt;&gt; hashlib.sha224(clave).hexdigest()\n'b05843cf74926ed0dfb6af2b2c6494eeb947203bac2ce5ff1d26f617'\n&gt;&gt;&gt; len(hashlib.sha224(clave).hexdigest())\n56\n\n&gt;&gt;&gt; hashlib.sha256(clave).hexdigest()\n'23b5ed29a1e8409f70644e44faebae79ae687318efd719d9af29f8496b016a81'\n&gt;&gt;&gt; len(hashlib.sha256(clave).hexdigest())\n64\n\n&gt;&gt;&gt; hashlib.sha384(clave).hexdigest()\n'2b998455bbe8636fc17547414259c1b3a643e4d01f9da1d08c37ce89dfaa66b77faf532337c336e200ffd9f517a23f19'\n&gt;&gt;&gt; len(hashlib.sha384(clave).hexdigest())\n96\n\n&gt;&gt;&gt; hashlib.sha512(clave).hexdigest()\n'8f225ddd400f8a0d6b36b85c6ccecc0436cea6a8e32f203fc5cef7932ffe5a0788eef1a1faf4acb307c5f831292574d6d05d3cad23f2468577b41c4c31ffc37a'\n&gt;&gt;&gt; len(hashlib.sha512(clave).hexdigest())\n128<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Programa\"><\/span>Program<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>The program that produces the hash of a password typed in plaintext could be the following:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"python\" class=\"language-python\">import hashlib\n\ndef main():\n    # hashlib works on bytes, so the typed password is UTF-8 encoded first\n    clave = input(\"Password to hash: \").encode('utf-8')\n\n    md5 = hashlib.md5(clave).hexdigest()\n    print(\"Hash MD5: %s\" % md5)\n\n    sha1 = hashlib.sha1(clave).hexdigest()\n    print(\"Hash SHA1: %s\" % sha1)\n\n    sha224 = hashlib.sha224(clave).hexdigest()\n    print(\"Hash SHA224: %s\" % sha224)\n\n    sha256 = hashlib.sha256(clave).hexdigest()\n    print(\"Hash SHA256: %s\" % sha256)\n\n    sha384 = hashlib.sha384(clave).hexdigest()\n    print(\"Hash SHA384: %s\" % sha384)\n\n    sha512 = 
hashlib.sha512(clave).hexdigest()\n    print(\"Hash SHA512: %s\" % sha512)\n\nif __name__ == '__main__':\n    main()<\/code><\/pre>\n\n\n\n<p>This would be the output:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">&gt; python cifrarClave.py\nPassword to hash: q1w2e3r4t5\nHash MD5: 42d8aa7cde9c78c4757862d84620c335\nHash SHA1: 5d70c3d101efd9cc0a69f4df2ddf33b21e641f6a\nHash SHA224: b05843cf74926ed0dfb6af2b2c6494eeb947203bac2ce5ff1d26f617\nHash SHA256: 23b5ed29a1e8409f70644e44faebae79ae687318efd719d9af29f8496b016a81\nHash SHA384: 2b998455bbe8636fc17547414259c1b3a643e4d01f9da1d08c37ce89dfaa66b77faf532337c336e200ffd9f517a23f19\nHash SHA512: 8f225ddd400f8a0d6b36b85c6ccecc0436cea6a8e32f203fc5cef7932ffe5a0788eef1a1faf4acb307c5f831292574d6d05d3cad23f2468577b41c4c31ffc37a<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Descifrar_la_contrasena\"><\/span>Cracking the password<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>To recover the password we walk through the text file downloaded from <strong>SecLists<\/strong>, hashing each candidate one at a time and comparing its <em>hash<\/em> with the one obtained from our password. 
Since a digest on its own does not say which function produced it, we tell the program which hash algorithm to use for the comparison.<\/p>\n\n\n\n<p>This would be the program:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"python\" class=\"language-python\">import hashlib\n\n# Algorithms this script accepts; all of them are always available in hashlib\nALGORITHMS = ('md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512')\n\ndef main():\n    try:\n        target = input(\"Hash to crack: \").strip().lower()\n        algo = input(\"Hash algorithm (md5, sha1, sha224, sha256, sha384, sha512): \").strip().lower()\n        if algo not in ALGORITHMS:\n            raise ValueError('The algorithm %s is not supported.' % algo)\n\n        # errors='ignore' skips any wordlist line that is not valid UTF-8 instead of aborting the run\n        with open(\"10-million-password-list-top-1000000.txt\", 'r', encoding='utf-8', errors='ignore') as wordlist:\n            for line in wordlist:\n                candidate = line.rstrip(\"\\r\\n\")\n                digest = hashlib.new(algo, candidate.encode('utf-8')).hexdigest()\n                if digest == target:\n                    print(\"Password: %s - Cracked: %s - Hashed with: %s\" % (candidate, digest, algo))\n                    break\n            else:\n                print(\"No password in the wordlist produces that hash.\")\n\n    except Exception as e:\n        print(\"Error: {}\".format(e))\n\nif __name__ == '__main__':\n    main()<\/code><\/pre>\n\n\n\n<p>The result would be the following:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">&gt;python descifrarClave.py\nHash to crack: 42d8aa7cde9c78c4757862d84620c335\nHash algorithm (md5, sha1, sha224, sha256, sha384, sha512): md5\nPassword: q1w2e3r4t5 - Cracked: 42d8aa7cde9c78c4757862d84620c335 - Hashed with: md5<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Conclusiones\"><\/span>Conclusions<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>If you have a file of credentials and want to check whether your passwords are robust enough not to be recovered by brute force, you can use this simple and fast method, which compares the target against a million candidate passwords in a few seconds.<\/p>\n\n\n\n<p>That speed is precisely why unsalted MD5 or SHA digests are unsuitable for storing passwords: the digest of a given password is identical for every user and every system, so a single pass over a wordlist tests all of them at once. Systems that store passwords should use a salted and deliberately slow construction such as PBKDF2 (<em>hashlib.pbkdf2_hmac<\/em> in the same module), bcrypt or scrypt, which forces an attacker to repeat the expensive work for every user and every candidate.<\/p>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Enlaces\"><\/span>Links<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The <a href=\"https:\/\/github.com\/danielmiessler\/SecLists\" class=\"external external_icon\" rel=\"nofollow\" target=\"_blank\">SecLists<\/a> project.<\/p>\n\n\n\n<p>Common credentials list <a href=\"https:\/\/github.com\/danielmiessler\/SecLists\/tree\/master\/Passwords\/Common-Credentials\" class=\"external external_icon\" rel=\"nofollow\" target=\"_blank\">SecLists-Common-Credentials<\/a>.<\/p>\n\n\n\n<p><strong>SecLists<\/strong> as a tool in <a href=\"https:\/\/tools.kali.org\/password-attacks\/seclists\" class=\"external external_icon\" rel=\"nofollow\" 
target=\"_blank\">Kali Linux<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>How to crack passwords by brute force with Python.<\/p>\n","protected":false},"author":1,"featured_media":1042,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,6],"tags":[84,114,27,115],"class_list":["post-1041","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ciberseguridad","category-programacion","tag-brute-force","tag-passwd","tag-python","tag-security"],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=\/wp\/v2\/posts\/1041","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1041"}],"version-history":[{"count":0,"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=\/wp\/v2\/posts\/1041\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=\/wp\/v2\/media\/1042"}],"wp:attachment":[{"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1041"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1041"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1041"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
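The post's two scripts hash a password and then brute-force a digest against the SecLists wordlist, and its console session shows that each of the six algorithms yields a distinctive hex-digest length. The following is an added example, not code from the original post: it folds both steps into reusable functions, infers the algorithm from the digest length so the operator need not name it, and, to illustrate the conclusion about password storage, places the unsalted fast hash next to a salted PBKDF2 record that the same wordlist pass cannot reuse across users. The inline `WORDLIST` is a constructed stand-in for `10-million-password-list-top-1000000.txt`, `DIGEST_LENGTHS` is taken from the lengths printed in the console session, and the 600,000-iteration count is an assumption chosen to follow current OWASP guidance for PBKDF2-HMAC-SHA256; the post does not specify one. `hashlib.new` and `hashlib.pbkdf2_hmac` are standard-library calls.

```python
import hashlib
import hmac
import os

# Hex-digest length -> hashlib algorithm name, taken from the lengths the post's
# console session prints (32, 40, 56, 64, 96, 128). The lengths are unique in this
# set, so a digest's size is enough to pick the function that produced it.
DIGEST_LENGTHS = {32: "md5", 40: "sha1", 56: "sha224", 64: "sha256", 96: "sha384", 128: "sha512"}

# Constructed stand-in for 10-million-password-list-top-1000000.txt: one candidate
# per line. These entries are made up for the example, not copied from the file.
WORDLIST = "123456\npassword\nqwerty\nq1w2e3r4t5\nletmein\n"

# Assumption: PBKDF2-HMAC-SHA256 iteration count, chosen to follow current OWASP
# guidance; the post does not specify one.
PBKDF2_ITERATIONS = 600_000


def digest_of(password, algo):
    """Hex digest of a plaintext password; hashlib wants bytes, so encode first."""
    return hashlib.new(algo, password.encode("utf-8")).hexdigest()


def detect_algorithm(target):
    """Infer the hashlib algorithm from a hex digest, or None if it is not a known size."""
    target = target.strip().lower()
    if not target or any(c not in "0123456789abcdef" for c in target):
        return None
    return DIGEST_LENGTHS.get(len(target))


def crack(target, wordlist_text, algo=None):
    """Hash every wordlist line with `algo` (auto-detected when omitted) and return
    (password, algo) for the first match, or None when nothing in the list matches."""
    target = target.strip().lower()
    algo = algo or detect_algorithm(target)
    if algo is None:
        return None
    for line in wordlist_text.splitlines():
        candidate = line.rstrip("\r\n")
        if digest_of(candidate, algo) == target:
            return candidate, algo
    return None


def pbkdf2_store(password, salt=None):
    """Salted, slow hash for storage, formatted as 'pbkdf2_sha256$iterations$salt$hash'.
    A fresh random salt makes the stored value differ per user even for equal passwords,
    so one wordlist pass no longer tests every account at once."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), dk.hex())


def pbkdf2_verify(password, stored):
    """Recompute PBKDF2 with the stored salt and iteration count; compare in constant time."""
    _name, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    target = digest_of("q1w2e3r4t5", "sha256")
    print("target:", target, "->", crack(target, WORDLIST))           # found, algorithm inferred
    print("absent:", crack(digest_of("Tr0ub4dor&3", "md5"), WORDLIST))  # None: not in the list
    record = pbkdf2_store("q1w2e3r4t5")
    print("stored:", record)
    print("verify:", pbkdf2_verify("q1w2e3r4t5", record), pbkdf2_verify("password", record))
```

Two points worth noting when adapting this to the real wordlist: read the file with `errors="ignore"` (or in binary) because not every entry in large leaked-password lists is valid UTF-8, and keep the digest comparison a plain `==`; constant-time comparison matters for an online verifier such as `pbkdf2_verify`, not for an offline cracker that already holds the target.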