64 bit pdf ID cannot be processed by 10500 nor 25400
#1
Context:

hashcat version: 6.2.6

hash produced from a pdf using pdf2john.pl from openwall's bleeding jumbo package (https://github.com/openwall/john), version 1.9.0-jumbo-1+bleeding-2f4b2dfee

OS: Debian Testing

Problem:
the hash is detected perfectly by john and by pdfcrack, but they go on forever over CPU. However, hashcat has problems with this hash:

"$pdf$4*4*128*-3392*1*64*xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx*32*xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx*32*xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

I'm able to provide the password to john and gets an immediate hit, when doing this in hashcat I get the following:
Command:
hashcat -m CASES -a 3 '$pdf$4*4*128*-3392*1*64*xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx*32*xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx*32*xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' '/path/mask.txt'
CASES:
  • 25400 | PDF 1.4 - 1.6 (Acrobat 5 - 8):
    "$pdf$4*4*128*-3392*1*64*xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx*32*xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx*32*xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx": Separator unmatched
  • 10500 | PDF 1.4 - 1.6 (Acrobat 5 - 8):
    "$pdf$4*4*128*-3392*1*64*xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx*32*xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx*32*xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx": Token length exception
  •   10400 | PDF 1.1 - 1.3 (Acrobat 2 - 4)
      10410 | PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #1
  •   "$pdf$4*4*128*-3392*1*64*xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx*32*xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx*32*xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx": Token length exception
  •   10420 | PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2
      10600 | PDF 1.7 Level 3 (Acrobat 9)
      10700 | PDF 1.7 Level 8 (Acrobat 10 - 11)                   
    "$pdf$4*4*128*-3392*1*64*xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx*32*xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx*32*xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx": Separator unmatched
The problem may be the hash after *64* which is 128 bits in length; in all the examples I have reviewed that *64* is usually *16*, and when reduced to 32 bits the code executes (via simple truncation), however, as the file ID is truncated it cannot process neither the mask nor the password within a list. Of course, with this mutilated ID, even John isn't able to "crack" the password (even when I provided it directly). The point is that the problem may rely on that 128 bit length file ID after *64*

1) Has anyone else encountered this problem?
2) Is there a tool that is better for hashcat (Yes, I've tried the pdf2hashcat.py script, but it does not even detect encryption in the file, which exiftool, pdfid, pdfinfo and pdf-parser detect)
3) is there any possible solution, or do the modules need to be modified to allow for this length?

many thanks to the devs and community that have made this program possible
Reply


Messages In This Thread
64 bit pdf ID cannot be processed by 10500 nor 25400 - by cybersecsysadmin - 02-27-2023, 05:18 AM