File left in will... unable to open...not a technical expert - Printable Version +- hashcat Forum (https://hashcat.net/forum) +-- Forum: Support (https://hashcat.net/forum/forum-3.html) +--- Forum: hashcat (https://hashcat.net/forum/forum-45.html) +--- Thread: File left in will... unable to open...not a technical expert (/thread-10920.html) |
File left in will... unable to open...not a technical expert - CrushedSon - 08-02-2022 I have a small amount of knowledge in IT and I thought I could muddle my way through figuring out hashcat, but it is supremely complicated, and I am now starting my plead for help. I have spent about three weeks trying to guess the password to a Word file that my father left me in his Will, but there is no indication of what the password is. My father spoke several languages, so the password might not be in English or just in English. I don't know if it's a single word or a longer phrase, but I'm betting it's a word - but I don't know what language, so am not sure how a word list will help. I have (I think) successfully gotten as far as getting the hash from the file. I've read the rules of this site and it says to not post the hash unless it is requested. But for you to help me figure out the password, I think I have to give you the hash. I do not have a powerful laptop or any option of using one. In fact, I am doing this on a VirtualBox Linux Mint virtual machine (although I've had the same lack of results on a The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) virtual machine). The Word version that was used was either Word 97 or at most 2003. I've tried various parameters, but I basically out of my depth and guessing without fully understanding if I should or should not be adding certain parameters to the hashcat command. Below is the output as far as I've gotten. If you're able to help me, please let me know and I can provide you the hash. Thanks. --------- output ---------- de@SpectreVM:~/Desktop/Untitled Folder$ hashcat --force -m 9700 -a 0 -w 3 --potfile-path ./outputhashes.txt hash.txt -r /usr/share/hashcat/rules/best64.rule nmap.lst hashcat (v5.1.0) starting... OpenCL Platform #1: The pocl project ==================================== * Device #1: pthread-Intel(R) Core(TM) i7-5500U CPU @ 2.40GHz, 1024/2948 MB allocatable, 1MCU /usr/share/hashcat/OpenCL/m09700_a0-optimized.cl: Pure OpenCL kernel not found, falling back to optimized OpenCL kernel Hashes: 1 digests; 1 unique digests, 1 unique salts Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates Rules: 77 Applicable optimizers: * Optimized-Kernel * Zero-Byte * Precompute-Init * Not-Iterated * Single-Hash * Single-Salt Minimum password length supported by kernel: 0 Maximum password length supported by kernel: 15 Watchdog: Hardware monitoring interface not found on your system. Watchdog: Temperature abort trigger disabled. * Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=2 -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=8 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=4 -D KERN_TYPE=9700 -D _unroll' Dictionary cache hit: * Filename..: nmap.lst * Passwords.: 5041 * Bytes.....: 39980 * Keyspace..: 388157 Approaching final keyspace - workload adjusted. Session..........: hashcat Status...........: Exhausted Hash.Type........: MS Office <= 2003 $0/$1, MD5 + RC4 Hash.Target......: $oldoffice$1*c5cc7447aaf68025539517d91cf75ff8*6c5f3...bdc0b6 Time.Started.....: Tue Aug 2 08:08:28 2022 (2 secs) Time.Estimated...: Tue Aug 2 08:08:30 2022 (0 secs) Guess.Base.......: File (nmap.lst) Guess.Mod........: Rules (/usr/share/hashcat/rules/best64.rule) Guess.Queue......: 1/1 (100.00%) Speed.#1.........: 205.0 kH/s (47.66ms) @ Accel:32 Loops:9 Thr:64 Vec:8 Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts Progress.........: 388157/388157 (100.00%) Rejected.........: 231/388157 (0.06%) Restore.Point....: 5041/5041 (100.00%) Restore.Sub.#1...: Salt:0 Amplifier:72-77 Iteration:0-9 Candidates.#1....: dog -> Started: Tue Aug 2 08:08:23 2022 Stopped: Tue Aug 2 08:08:32 2022 RE: File left in will... unable to open...not a technical expert - Snoopy - 08-02-2022 what kind of laptop do you have, using plain windows + hashcat will most likely work smoother and faster than using any kind of virtual machine on top of your running os hashcat 5.1 is old, very old, actual 6.2.5 dont use --force !!! your wordlist is small, just 5041 pw multiplied with your rules, so hashcat tried every given password+rules and didnt find the pass try open the docx with 7zip and take a look at the filecontent, or just make a copy of your file and change the ending docx to zip and see whether your file opens or not (depends on encrypted or not) next approach would be using another dictionary or switch to bruteforce RE: File left in will... unable to open...not a technical expert - nick8606 - 08-02-2022 (08-02-2022, 03:13 PM)CrushedSon Wrote: The Word version that was used was either Word 97 or at most 2003. Old office files can be decrypted without exact password. There are special tools. For example, see this article. RE: File left in will... unable to open...not a technical expert - CrushedSon - 08-02-2022 Thanks @Snoopy for responding. My laptop is System Model HP Spectre x360 Convertible 13 64 bit Windows Version 10.0.19043 Build 19043 Processor: Intel Core i7-5500U CPU@2.40GHz, 2401 Mhz, 2 Core(s), 4 Logical Processors 8GB ram Video Adapter Intel(R) HD Graphics 5500 The file is a .DOC not a .DOCX so the 7zip method did not give any useful information. It just showed these files (with fn.doc being the document in question): 1Table Data fn.doc hash.txt office2john.py [1]CompObj [5]DocumentSummaryInformation [5]SummaryInformation WordDocument If you could provide a link to a current and large word list, I would appreciate it. Even on github, I keep finding dead links. Thanks. (08-02-2022, 03:32 PM)Snoopy Wrote: what kind of laptop do you have, using plain windows + hashcat will most likely work smoother and faster than using any kind of virtual machine on top of your running os RE: File left in will... unable to open...not a technical expert - walterlacka - 08-02-2022 Perhaps this will help... https://hashcat.net/forum/thread-3665-post-20935.html RE: File left in will... unable to open...not a technical expert - CrushedSon - 08-02-2022 Thanks, walterlacka, but that is sooo far above my level of understanding. I've never done any of this cracking or forensic stuff before and I'm diving into this absolutely from near zero knowledge. (08-02-2022, 08:43 PM)walterlacka Wrote: Perhaps this will help... RE: File left in will... unable to open...not a technical expert - CrushedSon - 08-03-2022 So, I've switched to using Hashcat on my host Windows 10 OS directly, and I've downloaded the latest Hashcat. I've also stopped using the --force parameter and switched to the brute force method, and ... I think that's it. I ran the program twice. The first time I ran the line below, I got the path wrong to the wordlist (yes, still the small one), but it actually produced a candidate (whatever that actually means) which kind of sort of resembles a word or two in our mother tongue. The second attempt seemed to provide yet another candidate but it just makes no sense to me. Neither candidate opened the file, but I added a whole bunch of variations of passwords to the nmap.lst file based on the first candidate. I'm not sure if that helps. So, if you or anyone can help me over this hurdle, I will be forever grateful. ------------------- Result 1 --------------------- hashcat -m 9700 -a 0 -w 3 --potfile-path ..\outputhashes.txt hash.txt -r .\rules\best64.rule nmap.lst hashcat (v6.2.5) starting nmap.lst: No such file or directory Started: Tue Aug 02 14:04:33 2022 Stopped: Tue Aug 02 14:04:33 2022 C:\Users\deuge\Desktop\file\hc625>hashcat -m 9700 -a 0 -w 3 hash.txt -r .\rules\best64.rule ..\nmap.lst hashcat (v6.2.5) starting OpenCL API (OpenCL 2.0 ) - Platform #1 [Intel(R) Corporation] ============================================================= * Device #1: Intel(R) HD Graphics 5500, 1568/3231 MB (403 MB allocatable), 24MCU * Device #2: Intel(R) Core(TM) i7-5500U CPU @ 2.40GHz, skipped ./OpenCL/m09700_a0-optimized.cl: Pure kernel not found, falling back to optimized kernel Minimum password length supported by kernel: 0 Maximum password length supported by kernel: 15 Hashes: 1 digests; 1 unique digests, 1 unique salts Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates Rules: 77 Optimizers applied: * Optimized-Kernel * Zero-Byte * Precompute-Init * Not-Iterated * Single-Hash * Single-Salt Watchdog: Hardware monitoring interface not found on your system. Watchdog: Temperature abort trigger disabled. Host memory required for this attack: 19 MB Dictionary cache builts [c]heckpoint [f]inish [q]uit => Finished self-test * Filename..: ..\nmap.lst * Passwords.: 5043 * Bytes.....: 45045 * Keyspace..: 388311 * Runtime...: 0 secs Approaching final keyspace - workload adjusted. Session..........: hashcat Status...........: Exhausted Hash.Mode........: 9700 (MS Office <= 2003 $0/$1, MD5 + RC4) Hash.Target......: $oldoffice$1*c5cc7447aaf68025539517d91cf75ff8*6c5f3...bdc0b6 Time.Started.....: Tue Aug 02 14:05:53 2022 (0 secs) Time.Estimated...: Tue Aug 02 14:05:53 2022 (0 secs) Kernel.Feature...: Optimized Kernel Guess.Base.......: File (..\nmap.lst) Guess.Mod........: Rules (.\rules\best64.rule) Guess.Queue......: 1/1 (100.00%) Speed.#1.........: 2447.6 kH/s (74.49ms) @ Accel:16 Loops:77 Thr:8 Vec:1 Recovered........: 0/1 (0.00%) Digests Progress.........: 388311/388311 (100.00%) Rejected.........: 231/388311 (0.06%) Restore.Point....: 5043/5043 (100.00%) Restore.Sub.#1...: Salt:0 Amplifier:0-77 Iteration:0-77 Candidate.Engine.: Device Generator Candidates.#1....: robin -> v─âmea Started: Tue Aug 02 14:04:59 2022 Stopped: Tue Aug 02 14:05:54 2022 ------------------------------------------------------------------- ------------------- Result 2 --------------------- hashcat -m 9700 -a 0 -w 3 --potfile-path ..\outputhashes.txt hash.txt -r .\rules\best64.rule ..\nmap.lst hashcat (v6.2.5) starting OpenCL API (OpenCL 2.0 ) - Platform #1 [Intel(R) Corporation] ============================================================= * Device #1: Intel(R) HD Graphics 5500, 1568/3231 MB (403 MB allocatable), 24MCU * Device #2: Intel(R) Core(TM) i7-5500U CPU @ 2.40GHz, skipped ./OpenCL/m09700_a0-optimized.cl: Pure kernel not found, falling back to optimized kernel Minimum password length supported by kernel: 0 Maximum password length supported by kernel: 15 Hashes: 1 digests; 1 unique digests, 1 unique salts Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates Rules: 77 Optimizers applied: * Optimized-Kernel * Zero-Byte * Precompute-Init * Not-Iterated * Single-Hash * Single-Salt Watchdog: Hardware monitoring interface not found on your system. Watchdog: Temperature abort trigger disabled. Host memory required for this attack: 19 MB Dictionary cache hit: * Filename..: ..\nmap.lst * Passwords.: 5059 * Bytes.....: 45216 * Keyspace..: 389543 The wordlist or mask that you are using is too small. This means that hashcat cannot use the full parallel power of your device(s). Unless you supply more work, your cracking speed will drop. For tips on supplying more work, see: https://hashcat.net/faq/morework Approaching final keyspace - workload adjusted. Session..........: hashcat Status...........: Exhausted Hash.Mode........: 9700 (MS Office <= 2003 $0/$1, MD5 + RC4) Hash.Target......: $oldoffice$1*c5cc7447aaf68025539517d91cf75ff8*6c5f3...bdc0b6 Time.Started.....: Tue Aug 02 18:17:38 2022 (0 secs) Time.Estimated...: Tue Aug 02 18:17:38 2022 (0 secs) Kernel.Feature...: Optimized Kernel Guess.Base.......: File (..\nmap.lst) Guess.Mod........: Rules (.\rules\best64.rule) Guess.Queue......: 1/1 (100.00%) Speed.#1.........: 2560.3 kH/s (49.25ms) @ Accel:32 Loops:38 Thr:8 Vec:1 Recovered........: 0/1 (0.00%) Digests Progress.........: 389543/389543 (100.00%) Rejected.........: 231/389543 (0.06%) Restore.Point....: 5059/5059 (100.00%) Restore.Sub.#1...: Salt:0 Amplifier:76-77 Iteration:0-38 Candidate.Engine.: Device Generator Candidates.#1....: 161616 -> VMVMVM Started: Tue Aug 02 18:17:33 2022 Stopped: Tue Aug 02 18:17:39 2 ------------------------------------------------------------------- (08-02-2022, 04:42 PM)CrushedSon Wrote: Thanks @Snoopy for responding. RE: File left in will... unable to open...not a technical expert - b8vr - 08-03-2022 The candidates are just the different words that is created by wordlist+rules which hashcat tries against your hash. You seem to be using nmap.lst from The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali), but you have several other wordlists in The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) and there are several wordlists offered for download on fx https://hashmob.net/ https://www.weakpass.com/ https://github.com/danielmiessler/SecLists/tree/master/Passwords https://wordlists.capsop.com/ You simply need to supply other wordlists and rules. RE: File left in will... unable to open...not a technical expert - wallacebw - 08-04-2022 First: I am sorry for your loss. I lost my father a few years back, wasn't easy. Second: I have a machine that can hash Mode 9700 at a rate of 1302.6 MH/s (approx 500x the rate of your output above). Assuming you are more interested in recovering the data than learning hashcat, I would be willing to let my machine attempt to recover this hash for you for a day or so using my wordlists and rulesets collected over time. If you are interested, PM me. Also: as a bit of a pet-project, I have been creating a wordlist from the haveibeenpwned (https://haveibeenpwned.com/) hashlist. If you put your father's email(s) in the search box, does it show that he was compromised at some point in the past? If so, I have decoded ~670million of those passwords (~90 million to go), and could provide you a wordlist of those 670M cantidates Thanks, Wallacebw RE: File left in will... unable to open...not a technical expert - wallacebw - 08-07-2022 This request has been fulfilled. |