Proper method to extract the hash from a PDF file?
#1
Quote: METHOD COMPLETED at post #6.

In order to test the PDF attack feature of OCLHashCat, I am using these sample hash files:

+ Sample non-hashes (to be) supported by JtR
http://openwall.info/wiki/john/sample-non-hashes
For example, this one:
http://openwall.info/wiki/_media/john/pdf_samples.tar
And this file from in there:
test-3-RC4-40-open-testpassword.pdf

So I extract it (from Linux shell) by using PDF2John from John the Ripper suite:

Code:
$ ./pdf2john test-3-RC4-40-open-testpassword.pdf
test-3-RC4-40-open-testpassword.pdf:$pdf$Standard*9a1156c38ab8177598d1608df7d7e340ae639679bd66bc4cda9bc9a4eedeb170*1f300cd939dd5cf0920c787f12d16be22205e55a5bec5c9c6d563ab4fd0770d7*16*c015cff8dbf99345ac91c84a45667784*1*1*0*1*6*40*-4*2*1
$ ./pdf2john test-3-RC4-40-open-testpassword.pdf > test3.txt
$ cat test3.txt
test-3-RC4-40-open-testpassword.pdf:$pdf$Standard*9a1156c38ab8177598d1608df7d7e340ae639679bd66bc4cda9bc9a4eedeb170*1f300cd939dd5cf0920c787f12d16be22205e55a5bec5c9c6d563ab4fd0770d7*16*c015cff8dbf99345ac91c84a45667784*1*1*0*1*6*40*-4*2*1

And now I try to crack it (from PowerShell at Windows 7 SP1):

Code:
PS C:\Users\Luis> oclhashcat64 "test3.txt" -m 10400 -a 3 anypassword
oclHashcat v1.33 starting...

WARNING: Hashfile 'test3.txt' in line 1 (test-3-RC4-40-open-testpassword.pdf:$pdf$Standard*9a1156c38ab8177598d1608df7d7e340ae639679bd66bc4cda9bc9a4eedeb170*1f300cd939dd5cf0920c787f12d16be22205e55a5bec5c9c6d563ab4fd0770d7*16*c015cff8dbf99345ac91c84a45667784*1*1*0*1*6*40*-4*2*1): Line-length exception
Parsed Hashes: 1/1 (100.00%)

ERROR: No hashes loaded

Any hash type (10400, 10410, 10420, 10500, 10600, 10700) fails.
If I modify the "test3.pdf" file and remove the "test-3-RC4-40-open-testpassword.pdf:" part, the attacks keep failing.

I think the problem comes, according to this thread, from the PDF hash file format, which should rather be something like (supposed example for RC4-40 cyphering):

Code:
$pdf$1*2*40*-4*1*16*c015cff8dbf99345ac91c84a45667784*32*1f300cd939dd5cf0920c787f12d16be22205e55a5bec5c9c6d563ab4fd0770d7*32*9a1156c38ab8177598d1608df7d7e340ae639679bd66bc4cda9bc9a4eedeb170:$HEX[db34433720]

If this is the kind of hash file that must be generated, what is the method to achieve it?

Thank you.
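The field reordering asked about above, as an added example that is not part of the original post and is not code from John the Ripper or oclHashcat. The mapping is inferred only by matching values between the two hash strings quoted in the post; the function name, the field names and the reading of the first middle field as the encrypt-metadata flag are assumptions.

```python
# Added example. SAMPLE is the test3.txt line quoted in the post.
SAMPLE = (
    "test-3-RC4-40-open-testpassword.pdf:$pdf$Standard*"
    "9a1156c38ab8177598d1608df7d7e340ae639679bd66bc4cda9bc9a4eedeb170*"
    "1f300cd939dd5cf0920c787f12d16be22205e55a5bec5c9c6d563ab4fd0770d7*"
    "16*c015cff8dbf99345ac91c84a45667784*1*1*0*1*6*40*-4*2*1"
)
OLD_MARKER = "$pdf$Standard*"


def convert_old_pdf_hash(line: str) -> str:
    """Rewrite a '$pdf$Standard*...' line into the '$pdf$V*R*...' layout."""
    line = line.strip()
    start = line.find(OLD_MARKER)
    if start < 0:
        raise ValueError("no $pdf$Standard* hash found")
    # Everything before the marker is the 'filename:' prefix; drop it.
    fields = line[start + len(OLD_MARKER):].split("*")
    if len(fields) != 13:
        raise ValueError(f"expected 13 fields, got {len(fields)}")

    o_hex, u_hex, id_len, id_hex = fields[0:4]
    # Assumption: the first of the five middle fields is the
    # encrypt-metadata flag; the other four are not carried over.
    enc_meta = fields[4]
    bits, perms, rev, ver = fields[9:13]

    for value in (o_hex, u_hex, id_hex):
        bytes.fromhex(value)  # ValueError on non-hex or odd-length data
    if len(id_hex) != 2 * int(id_len):
        raise ValueError("document ID length does not match its field")

    return "*".join([
        "$pdf$" + ver, rev, bits, perms, enc_meta,
        id_len, id_hex,
        str(len(u_hex) // 2), u_hex,   # second old field goes first
        str(len(o_hex) // 2), o_hex,   # first old field goes last
    ])


if __name__ == "__main__":
    print(convert_old_pdf_hash(SAMPLE))
```

The output matches the second hash string in the post up to, but not including, the `:$HEX[...]` suffix.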


Messages In This Thread
Proper method to extract the hash from a PDF file? - by SopalajoArrierez - 02-20-2015, 05:52 PM