7z 11600 hash file
#1
Hello,


I am trying to crack a 7z archive so I generated a hash file from 7zhashcat64 and got it to processing using the latest hashcat v6.1.1



My first problem is that apparently that hash refuses to run. I used this simple command first to confirm that it works first of all:



hashcat -m 11600 -a 0 --force hash.txt -r rules/best64.rule



Stops after one second. Running hashcat -11600 -b shows this, basically starts then stops immediately, md5 and other hashes are working:



Code:
hashcat -m 11600 -b
hashcat (v6.1.1) starting in benchmark mode...

Benchmarking uses hand-optimized kernel code by default.
You can use it in your cracking session by setting the -O option.
Note: Using optimized kernel code limits the maximum supported password length.
To disable the optimized kernel code in benchmark mode, use the -w option.

OpenCL API (OpenCL 2.1 AMD-APP (3110.7)) - Platform #1 [Advanced Micro Devices, Inc.]
=====================================================================================
* Device #1: Ellesmere, 4032/4096 MB (3264 MB allocatable), 32MCU

Benchmark relevant options:
===========================
* --optimized-kernel-enable

Hashmode: 11600 - 7-Zip (Iterations: 16384)

Speed.#1.........:  221.2 kH/s (69.94ms) @ Accel:32 Loops:4096 Thr:64 Vec:1

Started: Fri Jul 31 17:07:06 2020
Stopped: Fri Jul 31 17:07:11 2020



This is the result of hashcat -i. I already clean installed the drivers for the AMD video card (RX 570).

Code:
hashcat (v6.1.1) starting...

OpenCL Info:
============

OpenCL Platform ID #1
  Vendor..: Advanced Micro Devices, Inc.
  Name....: AMD Accelerated Parallel Processing
  Version.: OpenCL 2.1 AMD-APP (3110.7)

  Backend Device ID #1
    Type...........: GPU
    Vendor.ID......: 1
    Vendor.........: Advanced Micro Devices, Inc.
    Name...........: Ellesmere
    Version........: OpenCL 2.0 AMD-APP (3110.7)
    Processor(s)...: 32
    Clock..........: 1430
    Memory.Total...: 4096 MB (limited to 3264 MB allocatable in one block)
    Memory.Free....: 4032 MB
    OpenCL.Version.: OpenCL C 2.0
    Driver.Version.: 3110.7


Maybe the GPU can't support it and I need to run it CPU only?

My second problem is that I know part of that password, specifically the beginning, I have tried to follow the instructions here but the commands throw various errors. https://hashcat.net/forum/thread-9362-po...l#pid49458

I simply need to brute force a bunch of numbers after the beginning word. Is there a simpler command to do it?
Reply
#2
Why do you use --force in your command line? That's probably the biggest problem here.

I didn't really understand what error you get. It's normal that a benchmark runs very quickly, it just tests the speed.

Did you use 7z2hashcat to extract the hash? Did you try to run the example hash from https://hashcat.net/wiki/example_hashes (search for -m 11600)?




Just noticed, that your -a 0 command also doesn't specify any word list file. You can't do a dictionary attack without a dictionary. You need to specify a file as a word list:

Code:
hashcat -m 11600 -a 0 -w 3 -r rules/best64.rule hash.txt dict.txt
Reply
#3
(07-31-2020, 04:42 PM)philsmd Wrote: Just noticed, that your -a 0 command also doesn't specify any word list file. You can't do a dictionary attack without a dictionary. You need to specify a file as a word list:
The --force argument here didn't change anything if added or not, I also tried -o, but it's not in hardware?

I think I'm doing it a little wrong. What does the dictionary file need to have, does it need to be generated? I was trying to specify a dictionary list with -a 1 to try to combine brute force with the part of the password I already know, but I put into that file, just that very word and numbers from 0 to 9.

Tried the demo hash from 11600 section with the simplest command without specifying a rule or dictionary file, but it still closes right away and doesn't solve it.

I know the beginning of that password. Can I somehow specify the beginning string and then brute force from there? Without a dictionary?

I have close to zero experience with this program so please excuse me in advance :)

No matter what I run it says this: "hashcat -m 11600 hash2.txt" runs for a second and ends.
Code:
hashcat -m 11600 hash2.txt
hashcat (v6.1.1) starting...

OpenCL API (OpenCL 2.1 AMD-APP (3110.7)) - Platform #1 [Advanced Micro Devices, Inc.]
=====================================================================================
* Device #1: Ellesmere, 4032/4096 MB (3264 MB allocatable), 32MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Initializing backend runtime for device #1...
C:\Users\hitman\Downloads\hashcat-6.1.1>
Reply
#4
There are two problems here, but the main problem is the driver setup problem.

We saw this problem a couple of times in the past where it seems that hashcat crashes on the "Initializing" line, but it was always the driver that had some problem.

I would highly suggest to use this: https://hashcat.net/faq/wrongdriver to cleanly re-install the AMD driver.

In theory, you could later (after cleanly re-installing the driver) test with independent tools like clinfo.exe (just google it).
The output of clinfo (and error messages or crashes of it) would also prove that it's not really hashcat crashing, but the driver forces the whole process to segfault (without any chance to recover from this "problem" by the hashcat process).

The second problem, is your syntax problem... you can't really use -a 0 (which is the default attack type, so even without specifying -a 0, it defaults to -a 0) without specifying a dictionary file, because: a dictionary attack always works with dictionaries (you could just use example.dict as a dictionary as a test, specify the dictionary after the hash file)
Reply
#5
(07-31-2020, 06:28 PM)philsmd Wrote: We saw this problem a couple of times in the past where it seems that hashcat crashes on the "Initializing" line, but it was always the driver that had some problem.

I would highly suggest to use this: https://hashcat.net/faq/wrongdriver to cleanly re-install the AMD driver.

In theory, you could later (after cleanly re-installing the driver) test with independent tools like clinfo.exe (just google it).

The output of clinfo (and error messages or crashes of it) would also prove that it's not really hashcat crashing, but the driver forces the whole process to segfault (without any chance to recover from this "problem" by the hashcat process).

I know, and heard about an earlier report of a similar error in an older version which has been apparently fixed in 6.1.0.

I reinstalled the drivers using DDU. Nothing changed using that particular 11600 hash. The test commands example0.cmd etc all work however, and load the GPU. Many other benchmarks load the GPU just fine, and take about a minute to finish, but the 11600 one takes one second.

The output from clinfo looks like this
Code:
Number of platforms                              1
  Platform Name                                  AMD Accelerated Parallel Processing
  Platform Vendor                                Advanced Micro Devices, Inc.
  Platform Version                                OpenCL 2.1 AMD-APP (3110.7)
  Platform Profile                                FULL_PROFILE
  Platform Extensions                            cl_khr_icd cl_khr_d3d10_sharing cl_khr_d3d11_sharing cl_khr_dx9_media_sharing cl_amd_event_callback cl_amd_offline_devices
  Platform Host timer resolution                  100ns
  Platform Extensions function suffix            AMD

  Platform Name                                  AMD Accelerated Parallel Processing
Number of devices                                1
  Device Name                                    Ellesmere
  Device Vendor                                  Advanced Micro Devices, Inc.
  Device Vendor ID                                0x1002
  Device Version                                  OpenCL 2.0 AMD-APP (3110.7)
  Driver Version                                  3110.7
  Device OpenCL C Version                        OpenCL C 2.0
  Device Type                                    GPU
  Device Board Name (AMD)                        Radeon RX 570 Series
  Device PCI-e ID (AMD)                          0x67df
  Device Topology (AMD)                          PCI-E, 07:00.0
  Device Profile                                  FULL_PROFILE
  Device Available                                Yes
  Compiler Available                              Yes
  Linker Available                                Yes
  Max compute units                              32
  SIMD per compute unit (AMD)                    4
  SIMD width (AMD)                                16
  SIMD instruction width (AMD)                    1
  Max clock frequency                            1430MHz
  Graphics IP (AMD)                              8.0
  Device Partition                                (core)
    Max number of sub-devices                    32
    Supported partition types                    None
    Supported affinity domains                    (n/a)
  Max work item dimensions                        3
  Max work item sizes                            1024x1024x1024
  Max work group size                            256
  Preferred work group size (AMD)                256
  Max work group size (AMD)                      1024
  Preferred work group size multiple              64
  Wavefront width (AMD)                          64
  Preferred / native vector sizes
    char                                                4 / 4
    short                                                2 / 2
    int                                                  1 / 1
    long                                                1 / 1
    half                                                1 / 1        (cl_khr_fp16)
    float                                                1 / 1
    double                                              1 / 1        (cl_khr_fp64)
  Half-precision Floating-point support          (cl_khr_fp16)
    Denormals                                    No
    Infinity and NANs                            No
    Round to nearest                              No
    Round to zero                                No
    Round to infinity                            No
    IEEE754-2008 fused multiply-add              No
    Support is emulated in software              No
  Single-precision Floating-point support        (core)
    Denormals                                    No
    Infinity and NANs                            Yes
    Round to nearest                              Yes
    Round to zero                                Yes
    Round to infinity                            Yes
    IEEE754-2008 fused multiply-add              Yes
    Support is emulated in software              No
    Correctly-rounded divide and sqrt operations  Yes
  Double-precision Floating-point support        (cl_khr_fp64)
    Denormals                                    Yes
    Infinity and NANs                            Yes
    Round to nearest                              Yes
    Round to zero                                Yes
    Round to infinity                            Yes
    IEEE754-2008 fused multiply-add              Yes
    Support is emulated in software              No
  Address bits                                    64, Little-Endian
  Global memory size                              4294967296 (4GiB)
  Global free memory (AMD)                        4143273 (3.951GiB) 3913128 (3.732GiB)
  Global memory channels (AMD)                    8
  Global memory banks per channel (AMD)          16
  Global memory bank width (AMD)                  256 bytes
  Error Correction support                        No
  Max memory allocation                          3422552064 (3.188GiB)
  Unified memory for Host and Device              No
  Shared Virtual Memory (SVM) capabilities        (core)
    Coarse-grained buffer sharing                Yes
    Fine-grained buffer sharing                  Yes
    Fine-grained system sharing                  No
    Atomics                                      No
  Minimum alignment for any data type            128 bytes
  Alignment of base address                      2048 bits (256 bytes)
  Preferred alignment for atomics
    SVM                                          0 bytes
    Global                                        0 bytes
    Local                                        0 bytes
  Max size for global variable                    3080296704 (2.869GiB)
  Preferred total size of global vars            4294967296 (4GiB)
  Global Memory cache type                        Read/Write
  Global Memory cache size                        16384 (16KiB)
  Global Memory cache line size                  64 bytes
  Image support                                  Yes
    Max number of samplers per kernel            16
    Max size for 1D images from buffer            134217728 pixels
    Max 1D or 2D image array size                2048 images
    Base address alignment for 2D image buffers  256 bytes
    Pitch alignment for 2D image buffers          256 pixels
    Max 2D image size                            16384x16384 pixels
    Max 3D image size                            2048x2048x2048 pixels
    Max number of read image args                128
    Max number of write image args                64
    Max number of read/write image args          64
  Max number of pipe args                        16
  Max active pipe reservations                    16
  Max pipe packet size                            3422552064 (3.188GiB)
  Local memory type                              Local
  Local memory size                              32768 (32KiB)
  Local memory syze per CU (AMD)                  65536 (64KiB)
  Local memory banks (AMD)                        32
  Max number of constant args                    8
  Max constant buffer size                        3422552064 (3.188GiB)
  Preferred constant buffer size (AMD)            16384 (16KiB)
  Max size of kernel argument                    1024
  Queue properties (on host)
    Out-of-order execution                        No
    Profiling                                    Yes
  Queue properties (on device)
    Out-of-order execution                        Yes
    Profiling                                    Yes
    Preferred size                                262144 (256KiB)
    Max size                                      8388608 (8MiB)
  Max queues on device                            1
  Max events on device                            1024
  Prefer user sync for interop                    Yes
  Profiling timer resolution                      1ns
  Profiling timer offset since Epoch (AMD)        1596215322214292400ns (Fri Jul 31 20:08:42 2020)
  Execution capabilities
    Run OpenCL kernels                            Yes
    Run native kernels                            No
    Thread trace supported (AMD)                  Yes
    Number of async queues (AMD)                  2
    Max real-time compute queues (AMD)            2
    Max real-time compute units (AMD)            8
    SPIR versions                                1.2
  printf() buffer size                            4194304 (4MiB)
  Built-in kernels                                (n/a)
  Device Extensions                              cl_khr_fp64 cl_amd_fp64 cl_khr_global_int32_base_atomics cl_khr_global_int32_extended_atomics cl_khr_local_int32_base_atomics cl_khr_local_int32_extended_atomics cl_khr_int64_base_atomics cl_khr_int64_extended_atomics cl_khr_3d_image_writes cl_khr_byte_addressable_store cl_khr_fp16 cl_khr_gl_sharing cl_khr_gl_depth_images cl_amd_device_attribute_query cl_amd_vec3 cl_amd_printf cl_amd_media_ops cl_amd_media_ops2 cl_amd_popcnt cl_khr_d3d10_sharing cl_khr_d3d11_sharing cl_khr_dx9_media_sharing cl_khr_image2d_from_buffer cl_khr_spir cl_khr_subgroups cl_khr_gl_event cl_khr_depth_images cl_khr_mipmap_image cl_khr_mipmap_image_writes cl_amd_liquid_flash cl_amd_planar_yuv

NULL platform behavior
  clGetPlatformInfo(NULL, CL_PLATFORM_NAME, ...)  No platform
  clGetDeviceIDs(NULL, CL_DEVICE_TYPE_ALL, ...)  No platform
  clCreateContext(NULL, ...) [default]            No platform
  clCreateContext(NULL, ...) [other]              Success [AMD]
  clCreateContextFromType(NULL, CL_DEVICE_TYPE_DEFAULT)  Success (1)
    Platform Name                                AMD Accelerated Parallel Processing
    Device Name                                  Ellesmere
  clCreateContextFromType(NULL, CL_DEVICE_TYPE_CPU)  No devices found in platform
  clCreateContextFromType(NULL, CL_DEVICE_TYPE_GPU)  Success (1)
    Platform Name                                AMD Accelerated Parallel Processing
    Device Name                                  Ellesmere
  clCreateContextFromType(NULL, CL_DEVICE_TYPE_ACCELERATOR)  No devices found in platform
  clCreateContextFromType(NULL, CL_DEVICE_TYPE_CUSTOM)  No devices found in platform
  clCreateContextFromType(NULL, CL_DEVICE_TYPE_ALL)  Success (1)
    Platform Name                                AMD Accelerated Parallel Processing
    Device Name                                  Ellesmere





It could work however, but I need help formulating a correct command





(07-31-2020, 06:28 PM)philsmd Wrote: The second problem, is your syntax problem... you can't really use -a 0 (which is the default attack type, so even without specifying -a 0, it defaults to -a 0) without specifying a dictionary file, because: a dictionary attack always works with dictionaries (you could just use example.dict as a dictionary as a test, specify the dictionary after the hash file)


I am now trying to use this command: hashcat -a 6 -m 11600 hash.txt dict.txt ?d?d?d?d?d?d?d?d?d


Taken from here but with a mask of numbers instead of letters https://hashcat.net/forum/thread-6501-po...l#pid34633

The character mask is the maximum number of letters/numbers/symbols? Or it's the exact number?

Because the password I'm trying to crack has a known beginning (I know that it begins with "m******s") but I do not know how many numbers come after that.

Can you help me formulate a proper command? As I might just try to run a Linux distro from an external drive to try it.
Reply
#6
Either use:
Code:
hashcat -m 11600 -a 3 -w 3 --increment --increment-min 8 hash.txt myword?d?d?d?d?d?d

or

Code:
hashcat -m 11600 -a 6 -w 3 --increment --increment-min 2 hash.txt dict.txt ?d?d?d?d?d?d

where dict.txt contains the word(s), one per line.

Use the one method that is faster, either -a 3 or -a 6. There might be other ways to attack it (e.g. to use --slow-candidates or pipes or pre-computed dicts), but I think -a 3 and -a 6 are the ones most likely to work fastest for this specific situation (a slow hash with a fixed prefix).
Reply
#7
(07-31-2020, 09:50 PM)philsmd Wrote: Either use:
Code:
hashcat -m 11600 -a 3 -w 3 --increment --increment-min 8 hash.txt myword?d?d?d?d?d?d

or

Code:
hashcat -m 11600 -a 6 -w 3 --increment --increment-min 2 hash.txt dict.txt ?d?d?d?d?d?d

where dict.txt contains the word(s), one per line.

Use the one method that is faster, either -a 3 or -a 6. There might be other ways to attack it (e.g. to use --slow-candidates or pipes or pre-computed dicts), but I think -a 3 and -a 6 are the ones most likely to work fastest for this specific situation (a slow hash with a fixed prefix).

Perfect, the first one with a higher minimum increment and beginning of pattern is exactly what I need. Thank you.

It started to work after adding the -O argument to the command. This is probably why it was crashing before, in the information file it talks about the -O being an optimized driver for these specific platforms.

I'll let it run for the time it will take.

If it will take more than 24 hours, I know that "the very first digit after the letter strings" is "Not 0,1,2 or 3". So from 4 to 9.

Can we add this into the command to further optimize it? As my video card is pretty mediocre. Again, thank you very much, this was very helpful.
Reply
#8
Code:
-O -a 3 -w 3 --increment --increment-min 10 --custom-charset2 456789 hash.txt myword?2?d?d?d?d?d
Reply
#9
(07-31-2020, 11:56 PM)philsmd Wrote:
Code:
-O -a 3 -w 3 --increment --increment-min 10 --custom-charset2 456789 hash.txt myword?2?d?d?d?d?d

This one gives me a "Token length exception No hashes loaded."

The previous command still runs. I paused the process after an hour with a checkpoint to test this.
Reply
#10
You of course need to specify the hash type too (I was only focusing on custom charset and increments):
Code:
hashcat -m 11600 -a 3 -O -w 3 --increment --increment-min 10 --custom-charset2 456789 hash.txt myword?2?d?d?d?d?d
Reply
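Added example (not part of the thread and not hashcat code): a small Python model of how the masks in posts #6, #8 and #10 expand under --increment, which also answers the question in post #5: without --increment a mask describes one exact length, with --increment it is the maximum. It assumes, as the commands above imply, that --increment-min counts mask positions including literal characters, and that a custom charset is given as plain characters; `position_sizes` and `increment_keyspace` are names made up for this sketch.

```python
import math

# Sizes of hashcat's built-in mask charsets (?l ?u ?d ?h ?H ?s ?a ?b).
BUILTIN = {"l": 26, "u": 26, "d": 10, "h": 16, "H": 16, "s": 33, "a": 95, "b": 256}


def position_sizes(mask, custom=None):
    """Return the number of possible characters at each mask position.

    `custom` maps "1".."4" to the literal characters of --custom-charsetN
    (assumption: no nested ?d-style placeholders inside the custom set).
    """
    custom = custom or {}
    sizes, i = [], 0
    while i < len(mask):
        if mask[i] != "?":
            sizes.append(1)          # literal character such as the known prefix
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        key = mask[i + 1]
        if key == "?":
            sizes.append(1)          # '??' is a literal question mark
        elif key in BUILTIN:
            sizes.append(BUILTIN[key])
        elif key in custom:
            sizes.append(len(set(custom[key])))
        else:
            raise ValueError(f"unknown placeholder ?{key}")
        i += 2
    return sizes


def increment_keyspace(mask, inc_min=None, inc_max=None, custom=None):
    """Candidates per tested length, as {length: count}.

    With inc_min=None the function models a run without --increment:
    only the full mask length is tested.
    """
    sizes = position_sizes(mask, custom)
    full = len(sizes)
    if inc_min is None:
        return {full: math.prod(sizes)}
    inc_max = full if inc_max is None else min(inc_max, full)
    return {n: math.prod(sizes[:n]) for n in range(inc_min, inc_max + 1)}


if __name__ == "__main__":
    # "myword" is the placeholder prefix used in the thread, not a real value.
    runs = [
        ("post #6, -a 3", "myword?d?d?d?d?d?d", 8, None),
        ("post #10, -a 3", "myword?2?d?d?d?d?d", 10, {"2": "456789"}),
        ("post #6, -a 6 (per dictionary word)", "?d?d?d?d?d?d", 2, None),
    ]
    for label, mask, inc_min, custom in runs:
        table = increment_keyspace(mask, inc_min, custom=custom)
        print(f"{label}: lengths {min(table)}-{max(table)}, "
              f"{sum(table.values()):,} candidates in total")
```

The totals show how small the search space becomes once the prefix is known, which is why a numeric suffix adds little strength to an archive password.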