09-11-2022, 02:54 PM
(This post was last modified: 09-11-2022, 02:56 PM by lionbladerunner.)
(09-11-2022, 12:57 PM)walterlacka Wrote: This should help...
https://hashcat.net/forum/thread-3665-post-20935.html
Using this method, you don't even have to use the actual password to open the file.
Thanks for the suggestion ! Unfortunately I tried the first step and it didn't work :
Quote:hashcat -m 9800 hash -a 3 ?b?b?b?b?b -w 3 --potfile-disable
hashcat (v6.2.6) starting
* Device #1: WARNING! Kernel exec timeout is not disabled.
This may cause "CL_OUT_OF_RESOURCES" or related errors.
To disable the timeout, see: https://hashcat.net/q/timeoutpatch
* Device #2: WARNING! Kernel exec timeout is not disabled.
This may cause "CL_OUT_OF_RESOURCES" or related errors.
To disable the timeout, see: https://hashcat.net/q/timeoutpatch
nvmlDeviceGetFanSpeed(): Not Supported
CUDA API (CUDA 11.7)
====================
* Device #1: NVIDIA GeForce RTX 2070 with Max-Q Design, 7173/8191 MB, 36MCU
OpenCL API (OpenCL 3.0 CUDA 11.7.101) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: NVIDIA GeForce RTX 2070 with Max-Q Design, skipped
OpenCL API (OpenCL 2.1 ) - Platform #2 [Intel(R) Corporation]
=============================================================
* Device #3: Intel(R) UHD Graphics, 3200/6466 MB (1616 MB allocatable), 24MCU
OpenCL API (OpenCL 2.1 WINDOWS) - Platform #3 [Intel(R) Corporation]
====================================================================
* Device #4: Intel(R) Core(TM) i7-10750H CPU @ 2.60GHz, skipped
./OpenCL/m09800_a3-optimized.cl: Pure kernel not found, falling back to optimized kernel
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 15
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Optimizers applied:
* Optimized-Kernel
* Zero-Byte
* Precompute-Init
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 368 MB
Approaching final keyspace - workload adjusted.
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 9800 (MS Office <= 2003 $3/$4, SHA1 + RC4)
Hash.Target......: $oldoffice$4*cdb996d69ab55b698d9733d7ad79efbe*6390e...656486
Time.Started.....: Sun Sep 11 15:49:12 2022 (50 mins, 29 secs)
Time.Estimated...: Sun Sep 11 16:39:41 2022 (0 secs)
Kernel.Feature...: Optimized Kernel
Guess.Mask.......: ?b?b?b?b?b [5]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 355.8 MH/s (100.44ms) @ Accel:256 Loops:128 Thr:32 Vec:1
Speed.#3.........: 5239.5 kH/s (73.51ms) @ Accel:16 Loops:128 Thr:8 Vec:4
Speed.#*.........: 361.0 MH/s
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 1099511627776/1099511627776 (100.00%)
Rejected.........: 0/1099511627776 (0.00%)
Restore.Point....: 4294861824/4294967296 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:128-256 Iteration:0-128
Restore.Sub.#3...: Salt:0 Amplifier:128-256 Iteration:0-128
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[cd22cfffff] -> $HEX[ffffffffff]
Candidates.#3....: $HEX[cd6e58feff] -> $HEX[ffff63feff]
Hardware.Mon.#1..: Temp: 85c Util:100% Core:1349MHz Mem:5495MHz Bus:8
Hardware.Mon.#3..: N/A
Started: Sun Sep 11 15:49:09 2022
Stopped: Sun Sep 11 16:39:42 2022
I first tried to crack the file with Advanced Office Password Recovery from ElcomSoft since they say they can crack a Word 2003 file in seconds no matter the password, but it doesn't work on my file.
AOPR says "This file is encrypted by a Cryptographic Service Provider (CSP).", so it seems that a stronger encryption than the standard of Word 2003 was used on this file.
(The file was created in 2005 and used a European version of Word 2003).
So I guess I can't use this option, and that I need to recover the original password.
So I'm back to my original question : does someone have an idea on what rule I can create ?
