by Devin Yang
(This article was automatically translated.)

Published - 4 years ago ( Updated - 1 year ago )

Is SHA1 irreversible? Let's take a look at how outrageously powerful hashcat is.
This article introduces related applications of hashcat and an example of cracking a hash.


Here I use a self-compiled version on macOS, but at the end of the article I will show you how to run the new version of hashcat with Docker.

hashcat -V
v5.1.0-1497-g8932c71a

Let's take a look at the syntax first. Run php on the command line to generate the SHA1 hash of the string test as follows:

php -r "echo sha1('test');"
a94a8fe5ccb19ba61c4c0873d391e987982fbbd3

Next, use the hashcat command to crack the SHA1 hash a94a8fe5ccb19ba61c4c0873d391e987982fbbd3. Is it irreversible??? Yes, but it can still be "collided" (matched by guessing) :p
Don't worry about what -m 100 and -a 3 mean; they are broken down below.

hashcat -m 100 -a 3 a94a8fe5ccb19ba61c4c0873d391e987982fbbd3

The output is as follows (did you see the word Cracked? It took less than four seconds from start to finish):

a94a8fe5ccb19ba61c4c0873d391e987982fbbd3:test
Session..........: hashcat
Status...........: Cracked
Hash.Name........: SHA1
Hash.Target......: a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
Time.Started.....: Sat Apr  4 14:14:12 2020 (0 secs)
Time.Estimated...: Sat Apr  4 14:14:12 2020 (0 secs)
Guess.Mask.......: ?1?2?2?2 [4]
Guess.Charset....: -1 ?l?d?u, -2 ?l?d, -3 ?l?d*!$@_, -4 Undefined
Guess.Queue......: 4/15 (26.67%)
Speed.#2.........: 80526.5 kH/s (1.68ms) @ Accel:32 Loops:31 Thr:256 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 1446336/2892672 (50.00%)
Rejected.........: 0/1446336 (0.00%)
Restore.Point....: 0/46656 (0.00%)
Restore.Sub.#2...: Salt:0 Amplifier:0-31 Iteration:0-31
Candidates.#2....: sari -> 7qxv
Started: Sat Apr  4 14:14:10 2020
Stopped: Sat Apr  4 14:14:13 2020

The cracked results are stored in ~/.hashcat/hashcat.potfile in the home directory,
so we can use --show to display them immediately.

hashcat -m 100 -a 3 a94a8fe5ccb19ba61c4c0873d391e987982fbbd3 --show
a94a8fe5ccb19ba61c4c0873d391e987982fbbd3:test

Now let's look at the -m parameter, which stands for hash mode, so 100 means the hash I want to crack is SHA1.
There are too many hash modes to list one by one; please check them yourself with hashcat --help. I pulled out the two numbers I want to introduce (100 and 16500) with grep as follows:

hashcat --help|grep -E '\| JWT|\| SHA1'

- [ Hash modes ] -
      # | Name                                             | Category
  ======+==================================================+======================================
    100 | SHA1                                             | Raw Hash
  16500 | JWT (JSON Web Token)                             | Network Protocols

The second parameter in the command, -a 3, is the attack mode; here I use 3, Brute-force.

- [ Attack Modes ] -
  # | Mode
 ===+======
  0 | Straight
  1 | Combination
  3 | Brute-force
  6 | Hybrid Wordlist + Mask
  7 | Hybrid Mask + Wordlist


Let's look at another example, this time using mode 6; maybe it will impress you more. :)

Assuming there is a JWT key 11 characters long, the command to brute-force it is as follows.

hashcat -a 3 -m 16500 -i --increment-min 11 --increment-max 11 eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.略.ZXnx70PSKvHR8dEu3e1C3Fs7tS0nUQIJZMMX6zRodYo

As a result, the estimated time is 495 years: every combination of 11 characters has to be hashed to find a collision.

Session..........: hashcat
Status...........: Running
Hash.Name........: JWT (JSON Web Token)
Hash.Target......: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1OD...zRodYo
Time.Started.....: Fri Apr  3 00:38:25 2020 (1 sec)
Time.Estimated...: Sun Jul 14 08:51:40 2515 (495 years, 100 days)
Guess.Mask.......: ?1?2?2?2?2?2?2?3?3?3?3 [11]
Guess.Charset....: -1 ?l?d?u, -2 ?l?d, -3 ?l?d*!$@_, -4 Undefined
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........: 24400.5 kH/s (7.58ms) @ Accel:2 Loops:16 Thr:256 Vec:1
Recovered........: 0/1 (0.00%) Digests
Progress.........: 35651584/381366131094577152 (0.00%)
Rejected.........: 0/35651584 (0.00%)
Restore.Point....: 0/4746193387776 (0.00%)
Restore.Sub.#2...: Salt:0 Amplifier:2176-2192 Iteration:0-16
Candidates.#2....: 0queranerer -> wzanptanere


However, if we guess that the key is a dictionary word followed by a special symbol and some letters, the situation is different.
Because a dictionary file is used here, the length cannot be specified.

hashcat -a 6 -m 16500 eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.略.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c Passwords/probable-v2-top12000.txt ?s?l?l?l

I changed the attack mode to -a 6, dictionary + mask, and appended the dictionary file and the mask (?s?l?l?l).
The meaning of the mask characters is as follows, so my mask is one special character followed by three lowercase English letters.

?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?h = 0123456789abcdef
?H = 0123456789ABCDEF
?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a = ?l?u?d?s
?b = 0x00 - 0xff
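Here is an added example, not code from the original post, that recomputes the Progress denominators and the 495-year estimate from the charsets above. It assumes the -1/-2/-3 custom charsets and the Speed.#2 figures printed in the status screens as its inputs; the function names are mine.

```python
import string

# hashcat's built-in charsets, as listed above
BUILTIN = {
    "l": string.ascii_lowercase, "u": string.ascii_uppercase, "d": string.digits,
    "h": "0123456789abcdef", "H": "0123456789ABCDEF",
    "s": " " + string.punctuation,              # space + 32 symbols = 33
    "b": "".join(chr(i) for i in range(256)),
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]

# the custom charsets hashcat reported as -1/-2/-3 in the status screens above
DEFAULT_CUSTOM = {"1": "?l?d?u", "2": "?l?d", "3": "?l?d*!$@_"}

def expand(spec, custom):
    """Expand a charset spec such as '?l?d*!$@_' into the set of characters it covers."""
    chars, i = set(), 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key == "?":                      # '??' is a literal question mark
                chars.add("?")
            elif key in custom:                 # custom charsets may use built-ins
                chars |= expand(custom[key], {})
            else:
                chars |= set(BUILTIN[key])
            i += 2
        else:
            chars.add(spec[i])                  # any other character is a literal
            i += 1
    return chars

def mask_keyspace(mask, custom=None):
    """Candidates a mask produces: product of the charset size at each position."""
    custom, total, i = custom or {}, 1, 0
    while i < len(mask):
        step = 2 if mask[i] == "?" and i + 1 < len(mask) else 1
        total *= len(expand(mask[i:i + step], custom))
        i += step
    return total

def hybrid_keyspace(wordlist_lines, mask, custom=None):
    """-a 6 (wordlist + mask): every word is combined with every mask candidate."""
    return wordlist_lines * mask_keyspace(mask, custom)

def estimate_seconds(keyspace, speed_khs):
    """Worst-case time to exhaust a keyspace at hashcat's Speed.#N figure (kH/s)."""
    return keyspace / (speed_khs * 1000)
```

With the 12645-line wordlist and ?s?l?l?l this reproduces the 7334201160 candidates of the -a 6 run, and the 11-character mask at 24400.5 kH/s gives the 495 years shown.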

I found the dictionary file by a random Google search. It can be downloaded with git if needed.

git clone https://github.com/danielmiessler/SecLists.git

Let's look at the progress screen again. What originally needed 495 years can now be cracked within 12 minutes, believe it or not.

Session..........: hashcat
Status...........: Running
Hash.Name........: JWT (JSON Web Token)
Hash.Target......: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1OD...zRodYo
Time.Started.....: Fri Apr  3 00:22:27 2020 (2 mins, 13 secs)
Time.Estimated...: Fri Apr  3 00:37:36 2020 (12 mins, 56 secs)
Guess.Base.......: File (Passwords/probable-v2-top12000.txt), Left Side
Guess.Mod........: Mask (?s?l?l?l) [4], Right Side
Guess.Queue.Base.: 1/1 (100.00%)
Guess.Queue.Mod..: 1/1 (100.00%)
Speed.#2.........:  8041.8 kH/s (10.46ms) @ Accel:2 Loops:16 Thr:256 Vec:1
Recovered........: 0/1 (0.00%) Digests
Progress.........: 1088279280/7334201160 (14.84%)
Rejected.........: 0/1088279280 (0.00%)
Restore.Point....: 0/12645 (0.00%)
Restore.Sub.#2...: Salt:0 Amplifier:86064-86080 Iteration:0-16
Candidates.#2....: 123456*tko -> 00001111;pvo
[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>

We can see the candidates hashcat builds: for example, 123456 is a word from the dictionary, and the *tko that follows it comes from the mask I defined (?s?l?l?l).

The final result: it took 8 minutes and the key I designed was cracked. It was supposed to take 495 years... We can see the status below says Cracked.
This tells us how dangerous it is to use dictionary words for passwords or keys.

Session..........: hashcat
Status...........: Cracked
Hash.Name........: JWT (JSON Web Token)
Hash.Target......: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1OD...zRodYo
Time.Started.....: Fri Apr  3 00:22:27 2020 (8 mins, 47 secs)
Time.Estimated...: Fri Apr  3 00:31:14 2020 (0 secs)
Guess.Base.......: File (Passwords/probable-v2-top12000.txt), Left Side
Guess.Mod........: Mask (?s?l?l?l) [4], Right Side
Guess.Queue.Base.: 1/1 (100.00%)
Guess.Queue.Mod..: 1/1 (100.00%)
Speed.#2.........:  8113.3 kH/s (10.39ms) @ Accel:2 Loops:16 Thr:256 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 4268547360/7334201160 (58.20%)
Rejected.........: 0/4268547360 (0.00%)
Restore.Point....: 0/12645 (0.00%)
Restore.Sub.#2...: Salt:0 Amplifier:337552-337568 Iteration:0-16
Candidates.#2....: 123456'toh -> 00001111~jml
Started: Fri Apr  3 00:22:25 2020
Stopped: Fri Apr  3 00:31:15 2020
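As an added example (not code from the original post) of what mode 16500 is actually checking: an HS256 JWT signature is HMAC-SHA256 over header.payload with the shared secret, so each candidate secret costs one HMAC to test and only the secret's unpredictability protects the token. The payload and the weak secret here are constructed, and new_secret() is a hypothetical helper name.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data: bytes) -> str:
    """JWT uses base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Mint an HS256 token: header.payload, then HMAC-SHA256 with the secret."""
    header = b64url(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_hs256(token: str, secret: bytes) -> bool:
    """Recompute the HMAC over the token's own header.payload and compare in constant time.
    This single HMAC is the entire per-guess cost hashcat pays in mode 16500."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(b64url(expected), sig)


def new_secret() -> bytes:
    """256 random bits: 2**256 candidates instead of a word plus a 4-character mask."""
    return secrets.token_bytes(32)
```

A secret from new_secret() has no wordlist base for -a 6 to pair with, which is the property the cracked example above lacked.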


If one computer is too slow to crack it, the new version of hashcat also supports distributed cracking, in which multiple computers (clients) can crack

First, start a brain server. Example command (I think this is straightforward, so I won't explain it further):

hashcat --brain-server --brain-host=0.0.0.0 --brain-port=12345 --brain-password=devin

Next, the clients connect to the brain server.
Here I use php to generate a random MD5 to crack.

For example, two computers run together. Client command (for reference; a mask or dictionary can be added). Here -m 0 means I want to crack MD5.

hashcat -O --brain-client --brain-client-features=3 --brain-host=192.168.0.150 --brain-port=12345 --brain-password=devin -m 0 -a 3 '098f6bcd4621d373cade4e832627b4f6'

The description of brain-client-features is as follows:

- [ Brain Client Features ] -
  # | Features
 ===+========
  1 | Send hashed passwords
  2 | Send attack positions
  3 | Send hashed passwords and attack positions

Let's take a look at the screen during execution (schematic diagram):

The server screen is as follows:

When multiple computers crack at the same time, and as computers keep getting faster and faster, a hash that would take hundreds of years to crack today
may be cracked in just a few hours in the near future, right?

Your computer doesn't have hashcat and you're too lazy to compile it?
It doesn't matter; as long as you have Docker, it can get the job done for us.

I Googled "top five Linux distributions for hackers"; Kali Linux looks good and has an official Docker image, so let's try it right away.

1. Pull the image and run bash directly

docker run --rm  -ti kalilinux/kali-rolling bash

2. Update the package list

apt-get update

3. Install hashcat

apt-get install -y hashcat

4. Check the hashcat version with hashcat -V; cool, v5.1.0 is quite new. :)

root@53a72e2be235:/# hashcat -V
v5.1.0

You can docker commit the container yourself and wrap it in an alias to run it from the host side. I won't explain this part further.

Tags: hashcat cracking

Devin Yang

Feel free to ask me if you don't get it. :)
