+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Misc (https://hashcat.net/forum/forum-15.html)
+--- Forum: User Contributions (https://hashcat.net/forum/forum-25.html)
+--- Thread: Colliding password protected MS office 97-2003 documents (/thread-3665.html)
RE: Colliding password protected MS office 97-2003 documents - epixoip - 10-31-2014
?b?b?b?b?b is not for the collision, but for cracking the RC4 key. Once you know the RC4 key, you have the first five bytes of the MD5|SHA1 hash. You then collide that hash to find a password that works.
Note the last step is not strictly necessary. You could simply use the RC4 key to decrypt the document without the password.
RE: Colliding password protected MS office 97-2003 documents - injector - 11-02-2014
Sorry, my question, I'm starter... I write a string exactly like you write it:
oclHashcat64.exe -m 9700 hash -a 3 ?b?b?b?b?b -w 3 --potfile-disable
and instead the word "hash" I tried to put the hash from 3 char string with separator '*'. I used both with quotes ' and without quotes and even give the text file with the hash. A and always I got the same result:
: Line-length exception
Parsed Hashes: 1/1 (100.00%)
ERROR: No hashes loaded
What did I do wrong?
Thanks
RE: Colliding password protected MS office 97-2003 documents - Arlaine - 11-12-2014
(11-02-2014, 04:10 PM)injector Wrote: Sorry, my question, I'm starter... I write a string exactly like you write it:
oclHashcat64.exe -m 9700 hash -a 3 ?b?b?b?b?b -w 3 --potfile-disable
and instead the word "hash" I tried to put the hash from 3 char string with separator '*'. I used both with quotes ' and without quotes and even give the text file with the hash. A and always I got the same result:
: Line-length exception
Parsed Hashes: 1/1 (100.00%)
ERROR: No hashes loaded
What did I do wrong?
Thanks
When referencing hashes they should be in a file in the correct format.
http://hashcat.net/wiki/doku.php?id=example_hashes
So your file (lets say "hashFile.txt") should contain something like this:
$oldoffice$1*04477077758555626246182730342136*b1b72ff351e41a7c68f6b45c4e938bd6*0d95331895e99f73ef8b6fbc4a78ac1a
Make sure to follow the instructions as per this post (not the post which started the thread):
http://hashcat.net/forum/thread-3665-post-20945.html#pid20945
and you will address it in the syntax as such if attempting to recover the HEX value (Mode 9710 as per the referenced post, and not mode 9700):
oclHashcat64.exe -m 9710 hashFile.txt -a 3 ?b?b?b?b?b -w 3
However if you run into the same AMD Catalyst 14.9 issue that I'm having you may not be able to retrieve the value needed for collisions.
RE: Colliding password protected MS office 97-2003 documents - 2alert@gmail.com - 12-05-2014
Excuse my ignorance, gentlemen, but how do I obtain the hash value from an office doc?
RE: Colliding password protected MS office 97-2003 documents - epixoip - 12-05-2014
https://github.com/stricture/hashstack-server-plugin-oclhashcat/blob/master/scrapers/office2hashcat.py
RE: Colliding password protected MS office 97-2003 documents - 2alert@gmail.com - 12-08-2014
Thanks!
Is it the same mechanism as in office2john.py ?
RE: Colliding password protected MS office 97-2003 documents - epixoip - 12-08-2014
yes. it's a slightly modified version of office2john.py
RE: Colliding password protected MS office 97-2003 documents - radiac - 03-11-2015
Hi,
I do have a Office 2007 document with an write protected area - so the document itself is not encrypted. The python script doesn't work so, but I can extract the salt and password hash of the file.
Do you if this password is encrypted the same way as the regular encryption routine of a file? If so, how can I merge the hash for hashcat manually?
Thanks for your help!
RE: Colliding password protected MS office 97-2003 documents - shuckitup - 11-20-2015
Hi, I have a quick question on colliding.
I see that it has been successfully implemented for $oldoffice $1 $2 and $3. Do you know if this will also work for $4? I know that oclhashcat (-m 9810) currently only matches hashes for $3. Is this because it is not possible to collide in $4 or it was accidentally omitted in the hash matching code?
RE: Colliding password protected MS office 97-2003 documents - magnum - 11-22-2015
The collider modes work due to the fact Microsoft truncated the RC4 key to 40 bits in types $1, $2 and $3. The $4 type does not have that (intended) flaw so it's not beneficial to attack the RC4 key directly.