hashcat Forum

Full Version: Colliding password protected MS office 97-2003 documents
?b?b?b?b?b is not for the collision, but for cracking the RC4 key. Once you know the RC4 key, you have the first five bytes of the MD5|SHA1 hash. You then collide that hash to find a password that works.

Note the last step is not strictly necessary. You could simply use the RC4 key to decrypt the document without the password.
Sorry for my question, I'm a starter... I wrote the string exactly as you wrote it:
oclHashcat64.exe -m 9700 hash -a 3 ?b?b?b?b?b -w 3 --potfile-disable
and instead of the word "hash" I tried to put the hash from a 3 char string with separator '*'. I used it both with quotes ' and without quotes, and even gave it the text file with the hash. And I always got the same result:
: Line-length exception
Parsed Hashes: 1/1 (100.00%)

ERROR: No hashes loaded

What did I do wrong?
Thanks
(11-02-2014, 04:10 PM)injector Wrote: Sorry for my question, I'm a starter... I wrote the string exactly as you wrote it:
oclHashcat64.exe -m 9700 hash -a 3 ?b?b?b?b?b -w 3 --potfile-disable
and instead of the word "hash" I tried to put the hash from a 3 char string with separator '*'. I used it both with quotes ' and without quotes, and even gave it the text file with the hash. And I always got the same result:
: Line-length exception
Parsed Hashes: 1/1 (100.00%)

ERROR: No hashes loaded

What did I do wrong?
Thanks

When referencing hashes they should be in a file in the correct format.
http://hashcat.net/wiki/doku.php?id=example_hashes

So your file (let's say "hashFile.txt") should contain something like this:
$oldoffice$1*04477077758555626246182730342136*b1b72ff351e41a7c68f6b45c4e938bd6*0d95331895e99f73ef8b6fbc4a78ac1a

Make sure to follow the instructions as per this post (not the post which started the thread):
http://hashcat.net/forum/thread-3665-pos...l#pid20945

and you will address it in the syntax as such if attempting to recover the HEX value (Mode 9710 as per the referenced post, and not mode 9700):
oclHashcat64.exe -m 9710 hashFile.txt -a 3 ?b?b?b?b?b -w 3


However if you run into the same AMD Catalyst 14.9 issue that I'm having you may not be able to retrieve the value needed for collisions.
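
A check for the hash-file line format described in the reply above, added here as an example and not part of the original posts or of hashcat. The function name `check_oldoffice_line`, the field lengths (read off the quoted example line and the hashcat example-hashes page) and every sample line except the quoted one are assumptions.

```python
import re

# Last-field length per type, in hex chars. Assumption from the format shown
# on the hashcat example-hashes page: types 0/1 are MD5-sized, 3/4 SHA1-sized.
LAST_FIELD_HEX = {"0": 32, "1": 32, "3": 40, "4": 40}
SIGNATURE = "$oldoffice$"
HEX = re.compile(r"[0-9a-fA-F]+")

def check_oldoffice_line(raw):
    """Return the problems found in one hash-file line (empty list = OK)."""
    problems = []
    line = raw.rstrip("\r\n")
    if line.startswith("\ufeff"):
        problems.append("UTF-8 BOM at start of line")
        line = line[1:]
    if line != line.strip():
        problems.append("leading/trailing whitespace")
        line = line.strip()
    if line[:1] in ("'", '"') or line[-1:] in ("'", '"'):
        problems.append("quotes are part of the line")
        line = line.strip("'\"")
    start = line.find(SIGNATURE)
    if start < 0:
        return problems + ["missing $oldoffice$ signature"]
    if start > 0:
        problems.append("text before the signature, e.g. a 'filename:' prefix")
    fields = line[start + len(SIGNATURE):].split("*")
    if len(fields) != 4:
        return problems + ["expected 4 '*'-separated fields, got %d" % len(fields)]
    kind, salt, verifier, verifier_hash = fields
    want_last = LAST_FIELD_HEX.get(kind)
    if want_last is None:
        problems.append("type %r is not covered by this check" % kind)
    # Salt and verifier are assumed to be 32 hex chars, as in the quoted line.
    for name, value, want in (("salt", salt, 32), ("verifier", verifier, 32),
                              ("verifier hash", verifier_hash, want_last)):
        if not HEX.fullmatch(value):
            problems.append("%s is not hex" % name)
        elif want is not None and len(value) != want:
            problems.append("%s has %d hex chars, expected %d" % (name, len(value), want))
    return problems

# The first sample is the line quoted in the post; the rest are constructed.
GOOD = ("$oldoffice$1*04477077758555626246182730342136"
        "*b1b72ff351e41a7c68f6b45c4e938bd6*0d95331895e99f73ef8b6fbc4a78ac1a")
SAMPLES = [GOOD, "'%s'" % GOOD, "report.doc:" + GOOD, GOOD[:-2], "abc"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_oldoffice_line(sample) or "OK", "<-", sample[:40])
```
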
Excuse my ignorance, gentlemen, but how do I obtain the hash value from an office doc?
Thanks!

Is it the same mechanism as in office2john.py?
Yes. It's a slightly modified version of office2john.py
Hi,

I do have an Office 2007 document with a write-protected area - so the document itself is not encrypted. The Python script doesn't work so, but I can extract the salt and password hash of the file.

Do you know if this password is encrypted the same way as the regular encryption routine of a file? If so, how can I merge the hash for hashcat manually?

Thanks for your help!
Hi, I have a quick question on colliding.

I see that it has been successfully implemented for $oldoffice $1 $2 and $3. Do you know if this will also work for $4? I know that oclhashcat (-m 9810) currently only matches hashes for $3. Is this because it is not possible to collide in $4 or it was accidentally omitted in the hash matching code?
The collider modes work due to the fact Microsoft truncated the RC4 key to 40 bits in types $1, $2 and $3. The $4 type does not have that (intended) flaw so it's not beneficial to attack the RC4 key directly.