File left in will... unable to open...not a technical expert
#1
I have a small amount of knowledge in IT and I thought I could muddle my way through figuring out hashcat, but it is supremely complicated, and I am now starting my plea for help.

I have spent about three weeks trying to guess the password to a Word file that my father left me in his Will, but there is no indication of what the password is.

My father spoke several languages, so the password might not be in English or just in English.  I don't know if it's a single word or a longer phrase, but I'm betting it's a word - but I don't know what language, so am not sure how a word list will help.

I have (I think) successfully gotten as far as getting the hash from the file.  I've read the rules of this site and it says to not post the hash unless it is requested.  But for you to help me figure out the password, I think I have to give you the hash.  I do not have a powerful laptop or any option of using one.  In fact, I am doing this on a VirtualBox Linux Mint virtual machine (although I've had the same lack of results on a The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) virtual machine).

The Word version that was used was either Word 97 or at most 2003.

I've tried various parameters, but I am basically out of my depth and guessing without fully understanding if I should or should not be adding certain parameters to the hashcat command.  Below is the output as far as I've gotten.

If you're able to help me, please let me know and I can provide you the hash.
Thanks.

--------- output ----------

de@SpectreVM:~/Desktop/Untitled Folder$ hashcat --force -m 9700 -a 0 -w 3 --potfile-path ./outputhashes.txt hash.txt -r /usr/share/hashcat/rules/best64.rule  nmap.lst
hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Core(TM) i7-5500U CPU @ 2.40GHz, 1024/2948 MB allocatable, 1MCU

/usr/share/hashcat/OpenCL/m09700_a0-optimized.cl: Pure OpenCL kernel not found, falling back to optimized OpenCL kernel
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 77

Applicable optimizers:
* Optimized-Kernel
* Zero-Byte
* Precompute-Init
* Not-Iterated
* Single-Hash
* Single-Salt

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 15

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=2 -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=8 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=4 -D KERN_TYPE=9700 -D _unroll'
Dictionary cache hit:
* Filename..: nmap.lst
* Passwords.: 5041
* Bytes.....: 39980
* Keyspace..: 388157

Approaching final keyspace - workload adjusted. 

Session..........: hashcat                     
Status...........: Exhausted
Hash.Type........: MS Office <= 2003 $0/$1, MD5 + RC4
Hash.Target......: $oldoffice$1*c5cc7447aaf68025539517d91cf75ff8*6c5f3...bdc0b6
Time.Started.....: Tue Aug  2 08:08:28 2022 (2 secs)
Time.Estimated...: Tue Aug  2 08:08:30 2022 (0 secs)
Guess.Base.......: File (nmap.lst)
Guess.Mod........: Rules (/usr/share/hashcat/rules/best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  205.0 kH/s (47.66ms) @ Accel:32 Loops:9 Thr:64 Vec:8
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 388157/388157 (100.00%)
Rejected.........: 231/388157 (0.06%)
Restore.Point....: 5041/5041 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:72-77 Iteration:0-9
Candidates.#1....: dog ->

Started: Tue Aug  2 08:08:23 2022
Stopped: Tue Aug  2 08:08:32 2022
Reply
#2
What kind of laptop do you have? Using plain Windows + hashcat will most likely work smoother and faster than using any kind of virtual machine on top of your running OS.

hashcat 5.1 is old, very old; the current version is 6.2.5.

Don't use --force !!!

Your wordlist is small, just 5041 passwords multiplied by your rules, so hashcat tried every given password + rules and didn't find the password.

Try opening the docx with 7zip and take a look at the file content, or just make a copy of your file and change the extension from docx to zip and see whether your file opens or not (depends on whether it is encrypted or not).

The next approach would be using another dictionary or switching to brute force.
Reply
#3
(08-02-2022, 03:13 PM)CrushedSon Wrote: The Word version that was used was either Word 97 or at most 2003.

Old office files can be decrypted without exact password.
There are special tools. For example, see this article.
Reply
#4
Thanks @Snoopy for responding.
My laptop is
System Model HP Spectre x360 Convertible 13
64 bit Windows Version 10.0.19043 Build 19043
Processor: Intel Core i7-5500U CPU@2.40GHz, 2401 Mhz, 2 Core(s), 4 Logical Processors
8GB ram
Video Adapter Intel(R) HD Graphics 5500

The file is a .DOC not a .DOCX so the 7zip method did not give any useful information.  It just showed these files (with fn.doc being the document in question):
1Table
Data
fn.doc
hash.txt
office2john.py
[1]CompObj
[5]DocumentSummaryInformation
[5]SummaryInformation
WordDocument

If you could provide a link to a current and large word list, I would appreciate it.  Even on github, I keep finding dead links.

Thanks.


Reply
#5
Perhaps this will help...

https://hashcat.net/forum/thread-3665-post-20935.html
Reply
#6
Thanks, walterlacka, but that is sooo far above my level of understanding.  I've never done any of this cracking or forensic stuff before and I'm diving into this absolutely from near zero knowledge.


Reply
#7
So, I've switched to using Hashcat on my host Windows 10 OS directly, and I've downloaded the latest Hashcat.  I've also stopped using the --force parameter and switched to the brute force method, and ... I think that's it. 
I ran the program twice.  The first time I ran the line below, I got the path wrong to the wordlist (yes, still the small one), but it actually produced a candidate (whatever that actually means) which kind of sort of resembles a word or two in our mother tongue.  The second attempt seemed to provide yet another candidate but it just makes no sense to me.  Neither candidate opened the file, but I added a whole bunch of variations of passwords to the nmap.lst file based on the first candidate.  I'm not sure if that helps.  

So, if you or anyone can help me over this hurdle, I will be forever grateful. 

------------------- Result 1 ---------------------
hashcat -m 9700 -a 0 -w 3 --potfile-path ..\outputhashes.txt hash.txt -r .\rules\best64.rule nmap.lst
hashcat (v6.2.5) starting

nmap.lst: No such file or directory

Started: Tue Aug 02 14:04:33 2022
Stopped: Tue Aug 02 14:04:33 2022

C:\Users\deuge\Desktop\file\hc625>hashcat -m 9700 -a 0 -w 3 hash.txt -r .\rules\best64.rule ..\nmap.lst
hashcat (v6.2.5) starting

OpenCL API (OpenCL 2.0 ) - Platform #1 [Intel(R) Corporation]
=============================================================
* Device #1: Intel(R) HD Graphics 5500, 1568/3231 MB (403 MB allocatable), 24MCU
* Device #2: Intel(R) Core(TM) i7-5500U CPU @ 2.40GHz, skipped

./OpenCL/m09700_a0-optimized.cl: Pure kernel not found, falling back to optimized kernel
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 15

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 77

Optimizers applied:
* Optimized-Kernel
* Zero-Byte
* Precompute-Init
* Not-Iterated
* Single-Hash
* Single-Salt

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 19 MB


Dictionary cache builtConfuseds [c]heckpoint [f]inish [q]uit => Finished self-test
* Filename..: ..\nmap.lst
* Passwords.: 5043
* Bytes.....: 45045
* Keyspace..: 388311
* Runtime...: 0 secs

Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 9700 (MS Office <= 2003 $0/$1, MD5 + RC4)
Hash.Target......: $oldoffice$1*c5cc7447aaf68025539517d91cf75ff8*6c5f3...bdc0b6
Time.Started.....: Tue Aug 02 14:05:53 2022 (0 secs)
Time.Estimated...: Tue Aug 02 14:05:53 2022 (0 secs)
Kernel.Feature...: Optimized Kernel
Guess.Base.......: File (..\nmap.lst)
Guess.Mod........: Rules (.\rules\best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  2447.6 kH/s (74.49ms) @ Accel:16 Loops:77 Thr:8 Vec:1
Recovered........: 0/1 (0.00%) Digests
Progress.........: 388311/388311 (100.00%)
Rejected.........: 231/388311 (0.06%)
Restore.Point....: 5043/5043 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-77 Iteration:0-77
Candidate.Engine.: Device Generator
Candidates.#1....: robin -> v─âmea

Started: Tue Aug 02 14:04:59 2022
Stopped: Tue Aug 02 14:05:54 2022

-------------------------------------------------------------------

------------------- Result 2 ---------------------
hashcat -m 9700 -a 0 -w 3 --potfile-path ..\outputhashes.txt hash.txt -r .\rules\best64.rule ..\nmap.lst
hashcat (v6.2.5) starting

OpenCL API (OpenCL 2.0 ) - Platform #1 [Intel(R) Corporation]
=============================================================
* Device #1: Intel(R) HD Graphics 5500, 1568/3231 MB (403 MB allocatable), 24MCU
* Device #2: Intel(R) Core(TM) i7-5500U CPU @ 2.40GHz, skipped

./OpenCL/m09700_a0-optimized.cl: Pure kernel not found, falling back to optimized kernel
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 15

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 77

Optimizers applied:
* Optimized-Kernel
* Zero-Byte
* Precompute-Init
* Not-Iterated
* Single-Hash
* Single-Salt

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 19 MB

Dictionary cache hit:
* Filename..: ..\nmap.lst
* Passwords.: 5059
* Bytes.....: 45216
* Keyspace..: 389543

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 9700 (MS Office <= 2003 $0/$1, MD5 + RC4)
Hash.Target......: $oldoffice$1*c5cc7447aaf68025539517d91cf75ff8*6c5f3...bdc0b6
Time.Started.....: Tue Aug 02 18:17:38 2022 (0 secs)
Time.Estimated...: Tue Aug 02 18:17:38 2022 (0 secs)
Kernel.Feature...: Optimized Kernel
Guess.Base.......: File (..\nmap.lst)
Guess.Mod........: Rules (.\rules\best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  2560.3 kH/s (49.25ms) @ Accel:32 Loops:38 Thr:8 Vec:1
Recovered........: 0/1 (0.00%) Digests
Progress.........: 389543/389543 (100.00%)
Rejected.........: 231/389543 (0.06%)
Restore.Point....: 5059/5059 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:76-77 Iteration:0-38
Candidate.Engine.: Device Generator
Candidates.#1....: 161616 -> VMVMVM

Started: Tue Aug 02 18:17:33 2022
Stopped: Tue Aug 02 18:17:39 2

-------------------------------------------------------------------








Reply
#8
The candidates are just the different words that are created by wordlist+rules, which hashcat tries against your hash. You seem to be using nmap.lst from The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali), but you have several other wordlists in The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) and there are several wordlists offered for download on, for example:

https://hashmob.net/
https://www.weakpass.com/
https://github.com/danielmiessler/SecLis.../Passwords
https://wordlists.capsop.com/

You simply need to supply other wordlists and rules.
Reply
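
Added example, not part of any post in this thread: a small Python reader for the hashcat status block, showing how the figures in the runs above fit the explanations in posts #2 and #8 (wordlist size times rule count gives the keyspace, and "Exhausted" with 0 recovered means every candidate was tried). The function names and the reading of the "Rejected" count are assumptions made for this illustration.

```python
import re

# Status lines copied from the first run posted in this thread (hashcat v5.1.0).
SAMPLE = """\
Rules: 77
* Passwords.: 5041
Status...........: Exhausted
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 388157/388157 (100.00%)
Rejected.........: 231/388157 (0.06%)
Candidates.#1....: dog ->
"""

def _num(pattern, text):
    """Return the first captured integer for pattern, or None if absent."""
    m = re.search(pattern, text, re.M)
    return int(m.group(1)) if m else None

def summarize(text):
    """Extract the fields that show whether a run actually found anything."""
    status = re.search(r"^Status\.+: (\w+)", text, re.M)
    return {
        "status": status.group(1) if status else None,
        "recovered": _num(r"^Recovered\.+: (\d+)/", text),
        "tried": _num(r"^Progress\.+: (\d+)/", text),
        "keyspace": _num(r"^Progress\.+: \d+/(\d+)", text),
        "rules": _num(r"^Rules: (\d+)", text),
        "words": _num(r"^\* Passwords\.+: (\d+)", text),
        "rejected": _num(r"^Rejected\.+: (\d+)/", text),
    }

def explain(info):
    """Turn the parsed fields into plain-language findings."""
    notes = []
    if info["words"] and info["rules"]:
        total = info["words"] * info["rules"]
        match = "matches" if total == info["keyspace"] else "differs from"
        notes.append(f"{info['words']} words x {info['rules']} rules = {total}, which {match} the reported keyspace")
    if info["recovered"]:
        notes.append("password recovered; it is stored in the potfile")
    elif info["status"] == "Exhausted":
        notes.append("all candidates tried, none matched: the password is not in this wordlist + rules")
    # Assumption: rejected candidates are base words outside the kernel's
    # length limits (0-15 here), counted once per rule.
    if info["rejected"] and info["rules"] and info["rejected"] % info["rules"] == 0:
        notes.append(f"{info['rejected'] // info['rules']} base words were skipped as rejected")
    return notes

if __name__ == "__main__":
    for line in explain(summarize(SAMPLE)):
        print("-", line)
```

The "Candidates" line is not parsed because, as post #8 says, it only shows guesses that were tried, not a result.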
#9
First: I am sorry for your loss.  I lost my father a few years back, wasn't easy.

Second:

I have a machine that can hash Mode 9700 at a rate of 1302.6 MH/s (approx 500x the rate of your output above). 
Assuming you are more interested in recovering the data than learning hashcat, I would be willing to let my machine attempt to recover this hash for you for a day or so using my wordlists and rulesets collected over time. 

If you are interested, PM me.

Also: as a bit of a pet-project, I have been creating a wordlist from the haveibeenpwned (https://haveibeenpwned.com/) hashlist.   If you put your father's email(s) in the search box, does it show that he was compromised at some point in the past? If so, I have decoded ~670 million of those passwords (~90 million to go), and could provide you a wordlist of those 670M candidates.

Thanks,
Wallacebw
Reply
#10
This request has been fulfilled.
Reply