08-03-2022, 12:19 AM
So, I've switched to using Hashcat on my host Windows 10 OS directly, and I've downloaded the latest Hashcat. I've also stopped using the --force parameter and switched to the brute force method, and ... I think that's it.
I ran the program twice. The first time I ran the line below, I got the path wrong to the wordlist (yes, still the small one), but it actually produced a candidate (whatever that actually means) which kind of sort of resembles a word or two in our mother tongue. The second attempt seemed to provide yet another candidate but it just makes no sense to me. Neither candidate opened the file, but I added a whole bunch of variations of passwords to the nmap.lst file based on the first candidate. I'm not sure if that helps.
So, if you or anyone can help me over this hurdle, I will be forever grateful.
------------------- Result 1 ---------------------
hashcat -m 9700 -a 0 -w 3 --potfile-path ..\outputhashes.txt hash.txt -r .\rules\best64.rule nmap.lst
hashcat (v6.2.5) starting
nmap.lst: No such file or directory
Started: Tue Aug 02 14:04:33 2022
Stopped: Tue Aug 02 14:04:33 2022
C:\Users\deuge\Desktop\file\hc625>hashcat -m 9700 -a 0 -w 3 hash.txt -r .\rules\best64.rule ..\nmap.lst
hashcat (v6.2.5) starting
OpenCL API (OpenCL 2.0 ) - Platform #1 [Intel(R) Corporation]
=============================================================
* Device #1: Intel(R) HD Graphics 5500, 1568/3231 MB (403 MB allocatable), 24MCU
* Device #2: Intel(R) Core(TM) i7-5500U CPU @ 2.40GHz, skipped
./OpenCL/m09700_a0-optimized.cl: Pure kernel not found, falling back to optimized kernel
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 15
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 77
Optimizers applied:
* Optimized-Kernel
* Zero-Byte
* Precompute-Init
* Not-Iterated
* Single-Hash
* Single-Salt
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Host memory required for this attack: 19 MB
Dictionary cache builts [c]heckpoint [f]inish [q]uit => Finished self-test
* Filename..: ..\nmap.lst
* Passwords.: 5043
* Bytes.....: 45045
* Keyspace..: 388311
* Runtime...: 0 secs
Approaching final keyspace - workload adjusted.
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 9700 (MS Office <= 2003 $0/$1, MD5 + RC4)
Hash.Target......: $oldoffice$1*c5cc7447aaf68025539517d91cf75ff8*6c5f3...bdc0b6
Time.Started.....: Tue Aug 02 14:05:53 2022 (0 secs)
Time.Estimated...: Tue Aug 02 14:05:53 2022 (0 secs)
Kernel.Feature...: Optimized Kernel
Guess.Base.......: File (..\nmap.lst)
Guess.Mod........: Rules (.\rules\best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2447.6 kH/s (74.49ms) @ Accel:16 Loops:77 Thr:8 Vec:1
Recovered........: 0/1 (0.00%) Digests
Progress.........: 388311/388311 (100.00%)
Rejected.........: 231/388311 (0.06%)
Restore.Point....: 5043/5043 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-77 Iteration:0-77
Candidate.Engine.: Device Generator
Candidates.#1....: robin -> v─âmea
Started: Tue Aug 02 14:04:59 2022
Stopped: Tue Aug 02 14:05:54 2022
-------------------------------------------------------------------
------------------- Result 2 ---------------------
hashcat -m 9700 -a 0 -w 3 --potfile-path ..\outputhashes.txt hash.txt -r .\rules\best64.rule ..\nmap.lst
hashcat (v6.2.5) starting
OpenCL API (OpenCL 2.0 ) - Platform #1 [Intel(R) Corporation]
=============================================================
* Device #1: Intel(R) HD Graphics 5500, 1568/3231 MB (403 MB allocatable), 24MCU
* Device #2: Intel(R) Core(TM) i7-5500U CPU @ 2.40GHz, skipped
./OpenCL/m09700_a0-optimized.cl: Pure kernel not found, falling back to optimized kernel
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 15
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 77
Optimizers applied:
* Optimized-Kernel
* Zero-Byte
* Precompute-Init
* Not-Iterated
* Single-Hash
* Single-Salt
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Host memory required for this attack: 19 MB
Dictionary cache hit:
* Filename..: ..\nmap.lst
* Passwords.: 5059
* Bytes.....: 45216
* Keyspace..: 389543
The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework
Approaching final keyspace - workload adjusted.
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 9700 (MS Office <= 2003 $0/$1, MD5 + RC4)
Hash.Target......: $oldoffice$1*c5cc7447aaf68025539517d91cf75ff8*6c5f3...bdc0b6
Time.Started.....: Tue Aug 02 18:17:38 2022 (0 secs)
Time.Estimated...: Tue Aug 02 18:17:38 2022 (0 secs)
Kernel.Feature...: Optimized Kernel
Guess.Base.......: File (..\nmap.lst)
Guess.Mod........: Rules (.\rules\best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2560.3 kH/s (49.25ms) @ Accel:32 Loops:38 Thr:8 Vec:1
Recovered........: 0/1 (0.00%) Digests
Progress.........: 389543/389543 (100.00%)
Rejected.........: 231/389543 (0.06%)
Restore.Point....: 5059/5059 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:76-77 Iteration:0-38
Candidate.Engine.: Device Generator
Candidates.#1....: 161616 -> VMVMVM
Started: Tue Aug 02 18:17:33 2022
Stopped: Tue Aug 02 18:17:39 2
-------------------------------------------------------------------
I ran the program twice. The first time I ran the line below, I got the path wrong to the wordlist (yes, still the small one), but it actually produced a candidate (whatever that actually means) which kind of sort of resembles a word or two in our mother tongue. The second attempt seemed to provide yet another candidate but it just makes no sense to me. Neither candidate opened the file, but I added a whole bunch of variations of passwords to the nmap.lst file based on the first candidate. I'm not sure if that helps.
So, if you or anyone can help me over this hurdle, I will be forever grateful.
------------------- Result 1 ---------------------
hashcat -m 9700 -a 0 -w 3 --potfile-path ..\outputhashes.txt hash.txt -r .\rules\best64.rule nmap.lst
hashcat (v6.2.5) starting
nmap.lst: No such file or directory
Started: Tue Aug 02 14:04:33 2022
Stopped: Tue Aug 02 14:04:33 2022
C:\Users\deuge\Desktop\file\hc625>hashcat -m 9700 -a 0 -w 3 hash.txt -r .\rules\best64.rule ..\nmap.lst
hashcat (v6.2.5) starting
OpenCL API (OpenCL 2.0 ) - Platform #1 [Intel(R) Corporation]
=============================================================
* Device #1: Intel(R) HD Graphics 5500, 1568/3231 MB (403 MB allocatable), 24MCU
* Device #2: Intel(R) Core(TM) i7-5500U CPU @ 2.40GHz, skipped
./OpenCL/m09700_a0-optimized.cl: Pure kernel not found, falling back to optimized kernel
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 15
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 77
Optimizers applied:
* Optimized-Kernel
* Zero-Byte
* Precompute-Init
* Not-Iterated
* Single-Hash
* Single-Salt
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Host memory required for this attack: 19 MB
Dictionary cache builts [c]heckpoint [f]inish [q]uit => Finished self-test
* Filename..: ..\nmap.lst
* Passwords.: 5043
* Bytes.....: 45045
* Keyspace..: 388311
* Runtime...: 0 secs
Approaching final keyspace - workload adjusted.
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 9700 (MS Office <= 2003 $0/$1, MD5 + RC4)
Hash.Target......: $oldoffice$1*c5cc7447aaf68025539517d91cf75ff8*6c5f3...bdc0b6
Time.Started.....: Tue Aug 02 14:05:53 2022 (0 secs)
Time.Estimated...: Tue Aug 02 14:05:53 2022 (0 secs)
Kernel.Feature...: Optimized Kernel
Guess.Base.......: File (..\nmap.lst)
Guess.Mod........: Rules (.\rules\best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2447.6 kH/s (74.49ms) @ Accel:16 Loops:77 Thr:8 Vec:1
Recovered........: 0/1 (0.00%) Digests
Progress.........: 388311/388311 (100.00%)
Rejected.........: 231/388311 (0.06%)
Restore.Point....: 5043/5043 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-77 Iteration:0-77
Candidate.Engine.: Device Generator
Candidates.#1....: robin -> v─âmea
Started: Tue Aug 02 14:04:59 2022
Stopped: Tue Aug 02 14:05:54 2022
-------------------------------------------------------------------
------------------- Result 2 ---------------------
hashcat -m 9700 -a 0 -w 3 --potfile-path ..\outputhashes.txt hash.txt -r .\rules\best64.rule ..\nmap.lst
hashcat (v6.2.5) starting
OpenCL API (OpenCL 2.0 ) - Platform #1 [Intel(R) Corporation]
=============================================================
* Device #1: Intel(R) HD Graphics 5500, 1568/3231 MB (403 MB allocatable), 24MCU
* Device #2: Intel(R) Core(TM) i7-5500U CPU @ 2.40GHz, skipped
./OpenCL/m09700_a0-optimized.cl: Pure kernel not found, falling back to optimized kernel
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 15
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 77
Optimizers applied:
* Optimized-Kernel
* Zero-Byte
* Precompute-Init
* Not-Iterated
* Single-Hash
* Single-Salt
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Host memory required for this attack: 19 MB
Dictionary cache hit:
* Filename..: ..\nmap.lst
* Passwords.: 5059
* Bytes.....: 45216
* Keyspace..: 389543
The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework
Approaching final keyspace - workload adjusted.
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 9700 (MS Office <= 2003 $0/$1, MD5 + RC4)
Hash.Target......: $oldoffice$1*c5cc7447aaf68025539517d91cf75ff8*6c5f3...bdc0b6
Time.Started.....: Tue Aug 02 18:17:38 2022 (0 secs)
Time.Estimated...: Tue Aug 02 18:17:38 2022 (0 secs)
Kernel.Feature...: Optimized Kernel
Guess.Base.......: File (..\nmap.lst)
Guess.Mod........: Rules (.\rules\best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2560.3 kH/s (49.25ms) @ Accel:32 Loops:38 Thr:8 Vec:1
Recovered........: 0/1 (0.00%) Digests
Progress.........: 389543/389543 (100.00%)
Rejected.........: 231/389543 (0.06%)
Restore.Point....: 5059/5059 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:76-77 Iteration:0-38
Candidate.Engine.: Device Generator
Candidates.#1....: 161616 -> VMVMVM
Started: Tue Aug 02 18:17:33 2022
Stopped: Tue Aug 02 18:17:39 2
-------------------------------------------------------------------
(08-02-2022, 04:42 PM)CrushedSon Wrote: Thanks @Snoopy for responding.
My laptop is
System Model HP Spectre x360 Convertible 13
64 bit Windows Version 10.0.19043 Build 19043
Processor: Intel Core i7-5500U CPU@2.40GHz, 2401 Mhz, 2 Core(s), 4 Logical Processors
8GB ram
Video Adapter Intel(R) HD Graphics 5500
The file is a .DOC not a .DOCX so the 7zip method did not give any useful information. It just showed these files (with fn.doc being the document in question):
1Table
Data
fn.doc
hash.txt
office2john.py
[1]CompObj
[5]DocumentSummaryInformation
[5]SummaryInformation
WordDocument
If you could provide a link to a current and large word list, I would appreciate it. Even on github, I keep finding dead links.
Thanks.
(08-02-2022, 03:32 PM)Snoopy Wrote: what kind of laptop do you have, using plain windows + hashcat will most likely work smoother and faster than using any kind of virtual machine on top of your running os
hashcat 5.1 is old, very old, actual 6.2.5
dont use --force !!!
your wordlist is small, just 5041 pw multiplied with your rules, so hashcat tried every given password+rules and didnt find the pass
try open the docx with 7zip and take a look at the filecontent, or just make a copy of your file and change the ending docx to zip and see whether your file opens or not (depends on encrypted or not)
next approach would be using another dictionary or switch to bruteforce