Office and --show option
#1
Hi,

Still testing MS office crack, and had some issues while looking for collisions :
Code:
cat hash.txt
user:$oldoffice$3*xxx
hashcat -m 9810 -a 3 -w 3 --username -o res_1.txt hash.txt ?b?b?b?b?b
gives:
res_1.txt Wrote:$oldoffice$3*xxx:17ddb2271d
I need the username, so I "show" it :
Code:
hashcat -m 9800 --show --username  hash.txt > res_2.txt
gives:

res_2.txt Wrote:user:$oldoffice$3*xxx:$HEX[17ddb2271d]

BUT, this hash is rejected by the mode 9820 :
Quote:Hashfile 'res_2.txt' on line 1 (user:$oldoffice$3*xxx:$HEX[17ddb2271d]): Line-length exception

I guess the issue is with "--show" which convert 17ddb2271d in $HEX[17ddb2271d]
So I try "--outfile-autohex-disable" but got the error :
Quote:hashcat  -m 9800 --show --username --outfile-autohex-disable hash.txt
Mixing --outfile-autohex-disable is not allowed with --show.

How can I keep the username during mode 9810 and 9820 ? Thank you of your help.
#2
You forgot to also include the command you execute for -m 9820.
It also must contaiin the --username switch.

It probably should be without "$HEX[" and "]''. could be indeed a bug but from your output above I do not understand why this
$oldoffice$3*xxx:17ddb2271d

was converted in

$oldoffice$3*xxx:$HEX[17ddb2271d]


You also should use -m 9810 --show (and not -m 9800 --show). This might be the real problem. I am not sure why you are mixing 9800 and 9810 like this. You shouldn't crack the hashes with one mode and use --show with a different hash mode.
#3
(08-25-2017, 07:12 AM)philsmd Wrote: You forgot to also include the command you execute for -m 9820. It also must contaiin the --username switch.
Yes it did contain username switch:
Code:
hashcat -m 9820 --username -a 3 -w 3 res_2.txt ?a?a?a?a?a?a?a -o res_3.txt
Hashfile 'res_2.txt' on line 1 (user:$oldoffice$3*xxx:$HEX[17ddb2271d]): Line-length exception

(08-25-2017, 07:12 AM)philsmd Wrote: I do not understand why this
$oldoffice$3*xxx:17ddb2271d
was converted in
$oldoffice$3*xxx:$HEX[17ddb2271d]
Me too!

(08-25-2017, 07:12 AM)philsmd Wrote: You also should use -m 9810 --show (and not -m 9800 --show).
Indeed, but same issue :
Code:
hashcat -m 9810 --show --username  hash.txt
user:$oldoffice$3*xxx:244845585b313764646232323731645d

244845585b313764646232323731645d is hexadecimal for $HEX[17ddb2271d]

And this hash is rejected by mode 9820 (even with username)
Code:
hashcat -m 9820 --username -a 3 -w 3 res_2.txt ?a?a?a?a?a?a?a -o res_3.txt
Hashfile 'res_2.txt' on line 1 (user:$oldoffice$3*xxx:244845585b313764646232323731645d): Line-length exception

I guess mode 9820 only allow $oldoffice$3*xxx:17ddb2271d but not $HEX[17ddb2271d] nor 244845585b313764646232323731645d
#4
The problem should be fixed with newest beta version: https://hashcat.net/beta/

The output of --show should now be correct (remember: you need to use the correct -m modes i.e. 9810 and not 9800, otherwise the output won't be as expected).

BTW: do not hesitate to report bugs on github directly. because it sometimes happens that not all bugs reported in the forum (especially if "hidden" within a long serious of posts, not the case here but sometimes this happens) will be seen by the admin/moderators (or other people that copy it to github or fix the source code).
Thx
#5
I took the beta 433, but still having issues. Don't know if it's a bug or a misunderstanding!

I got one collision thanks to your fix:

Code:
hashcat m 9820 --username -a 3 -w 3 res2.txt ?a?a?a?a?a?a?a -o off_col.txt
result is:
$oldoffice$3*xxx:17ddb2271d:SJ|4+er
Good.
Now I would like to have:
Code:
user:$oldoffice$3*xxx:17ddb2271d:SJ|4+er

But no luck, I tried all the possible modes:
Code:
hashcat -m 9800 --show --username  hash.txt
user:$oldoffice$3*xxx:$HEX[244845585b313764646232323731645d]
-> Bad
Code:
hashcat -m 9810 --show --username hash.txt
user:$oldoffice$3*xxx:17ddb2271d
-> Bad
Code:
hashcat -m 9820 --show --username  hash.txt
Hashfile 'hash.txt' on line 1 (user:$oldoffice$3*xxx): Line-length exception
-> Bad

Thanks for your help!
#6
If you want to output the cracked hashes with -m 9820 you need to use the orginal hash file that you use to crack with -m 9820 (this is not only true for -m 9820, but for all hash types).

So if you did use this command:
Code:
hashcat -m 9820 --username -a 3 -w 3 res2.txt ?a?a?a?a?a?a?a -o off_col.txt

to crack the hashes

you need to use this command:
Code:
hashcat -m 9820 --username --show res2.txt

to show the hashes cracked with -m 9820
#7
Works perfect. THanks for your help.
Next time I will report it on github (I didn't know if it was a bug or a misunderstanding).