hashcat Forum
Problem with rar2john hash - Printable Version


Problem with rar2john hash - Said The Liar - 07-07-2016

Hi everybody. I am working towards cracking a rar archive password. I was able to use rar2john to generate a hash and then plugged it into hashcat but hashcat kept returning a line-length exception.

Here is the character type and count of the hash: $rar3$*1*16 nums and letters*8 nums and letters*-large number*-same large number*path of rar file*two numbers

Example: $rar3$*1*1234567890abcdef*12abd678*-297795584*-297795584*C:\file.rar*94

Does this look correct? Thanks!


RE: Problem with rar2john hash - poly2k - 07-07-2016

I'm not a power user, but I have 2 remarks:

$rar3$ should be $RAR3$ (at least it was case-sensitive on my Windows machine)
the second bigger nums/letters should be more than just 8 chars according to the example hash (and my hash I tried)

Just a thought: Only header-encrypted rar3 works for now. I think you can test it by opening the rar file. Does it directly ask for a password (supported, rar3-hp) or do you see the files and upon accessing them, it asks for a password? (not supported yet, rar3-p)


RE: Problem with rar2john hash - Said The Liar - 07-07-2016

That didn't seem to make a change. I have been working with both hashcat and John the Ripper. Hashcat doesn't seem to like the hash that rar2john spits out and John the Ripper apparently has the same problem. The rar file is indeed the newer one, rar3-p. Is that why both programs are having problems? Thanks!


RE: Problem with rar2john hash - philsmd - 07-07-2016

It should be very easy to see that hashcat does not expect any filename within the "hash". So remove all this substring containing the filename, like "*C:\file.rar*94" in your example (without quotes).

If the output starts with "$RAR3$*0*" (without quotes) it will be supported by mode -m 12500, otherwise it is not currently supported by hashcat.
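The checks discussed in this thread, as an added example that is not part of any poster's reply and is not hashcat or John the Ripper code: it reads a rar2john output line, rejects anything that is not type 0, drops the filename fields, and verifies the remaining layout. Assumptions: the 16-hex salt and 32-hex data lengths follow hashcat's published example hash for mode 12500, extra rar2john fields after the data block are assumed to be `:`-separated, and `check_rar3_line` and the sample values are constructed for illustration.

```python
import re

# Layout accepted by hashcat -m 12500: $RAR3$*0*<16 hex salt>*<32 hex data>
# (lengths assumed from hashcat's published example hash for this mode).
MODE_12500 = re.compile(r"^\$RAR3\$\*0\*[0-9a-fA-F]{16}\*[0-9a-fA-F]{32}$")

def check_rar3_line(line):
    """Return (candidate, reason); candidate is None if unusable with -m 12500."""
    start = line.lower().find("$rar3$")
    if start < 0:
        return None, "no $RAR3$ signature found"
    fields = line[start:].strip().split("*")
    if len(fields) < 4:
        return None, "too few '*'-separated fields"
    rar_type, salt = fields[1], fields[2]
    if rar_type != "0":
        # Type 1 is the rar3-p case from the thread: file data encrypted,
        # headers readable; not supported by hashcat at the time of the thread.
        return None, f"type {rar_type} is not header-encrypted (rar3-hp)"
    # Keep only the data block; fields[4:] (filename, offset) are discarded,
    # as is anything appended after a ':' (assumed rar2john trailer).
    data = fields[3].split(":", 1)[0]
    candidate = f"$RAR3$*0*{salt}*{data}"  # signature written in upper case
    if not MODE_12500.match(candidate):
        return None, "salt/data are not 16/32 hex characters (line-length error)"
    return candidate, "ok"

# Constructed sample lines (not real hashes).
PAGE_EXAMPLE = r"$rar3$*1*1234567890abcdef*12abd678*-297795584*-297795584*C:\file.rar*94"
TYPE0_WITH_PATH = r"$RAR3$*0*0123456789abcdef*00112233445566778899aabbccddeeff*C:\file.rar*94"
TYPE0_JOHN_STYLE = r"file.rar:$rar3$*0*0123456789abcdef*00112233445566778899aabbccddeeff:0::::file.rar"
TYPE0_SHORT_DATA = r"$RAR3$*0*0123456789abcdef*12abd678"

if __name__ == "__main__":
    for sample in (PAGE_EXAMPLE, TYPE0_WITH_PATH, TYPE0_JOHN_STYLE, TYPE0_SHORT_DATA):
        candidate, reason = check_rar3_line(sample)
        print(f"{reason:60s} {candidate}")
```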