Cannot load module ./modules/module_17030.dll
#1
I am using Windows 11, I know, I know.

I have a gpg file that is encrypted using:

Code:
gpg -c --force-mdc --cipher-algo AES256

I have used John to get a hash:

Code:
.\gpg2john.exe S:\scratch\foobar.txt.gpg > S:\scratch\john-foobar-gpg-hash.txt

I have read that this hash is probably not in the correct format for hashcat to use, but I cannot figure out how to build the correct hash string for hashcat.

If I do try to run .\hashcat.exe -a3 -m17010 S:\scratch\foobar-gpg-hash.txt ?a?a?a?a?a?a, get:

Code:
hashcat (v6.2.6) starting

S:\scratch\hashcat-foobar-gpg-hash.txt: Byte Order Mark (BOM) was detected
CUDA API (CUDA 12.4)
====================
* Device #1: NVIDIA GeForce RTX 4080, 15048/16375 MB, 76MCU

OpenCL API (OpenCL 3.0 CUDA 12.4.99) - Platform #1 [NVIDIA Corporation]
=======================================================================
* Device #2: NVIDIA GeForce RTX 4080, skipped

OpenCL API (OpenCL 3.0 ) - Platform #2 [Intel(R) Corporation]
=============================================================
* Device #3: Intel(R) UHD Graphics 770, 6432/12967 MB (2047 MB allocatable), 32MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashfile 'S:\scratch\hashcat-foobar-gpg-hash.txt' on line 1 ($): Separator unmatched
No hashes loaded.

Started: Sun Mar 24 11:44:07 2024
Stopped: Sun Mar 24 11:44:09 2024

Using hashcat --help, I only see this listed for gpg:

Code:
17010 | GPG (AES-128/AES-256 (SHA-1($pass)))                      | Raw Hash

However from here https://hashcat.net/wiki/doku.php?id=example_hashes, I see:

Code:
17010 GPG (AES-128/AES-256 (SHA-1($pass))) * | $gpg$*1*348*1024*8833fa3812b5500aa9eb7e46febfa31a0584b7e4a5b13c198f5c9b0814243895cce45ac3714e79692fb5a130a1c943b9130315ce303cb7e6831be68ce427892858f313fc29f533434dbe0ef26573f2071bbcc1499dc49bda90648221ef3823757e2fba6099a18c0c83386b21d8c9b522ec935ecd540210dbf0f21c859429fd4d35fa056415d8087f27b3e66b16081ea18c544d8b2ea414484f17097bc83b773d92743f76eb2ccb4df8ba5f5ff84a5474a5e8a8e5179a5b0908503c55e428de04b40628325739874e1b4aa004c4cbdf09b0b620990a8479f1c9b4187e33e63fe48a565bc1264bbf4062559631bef9e346a7217f1cabe101a38ac4be9fa94f6dafe6b0301e67792ed51bca04140cddd5cb6e80ac6e95e9a09378c9651588fe360954b622c258a3897f11246c944a588822cc6daf1cb81ccc95098c3bea8432f1ee0c663b193a7c7f1cdfeb91eee0195296bf4783025655cbebd7c70236*3*254*2*7*16*a47ef38987beab0a0b9bfe74b72822e8*65536*1f5c90d9820997db

17020 GPG (AES-128/AES-256 (SHA-512($pass))) * | $gpg$*1*668*2048*57e1f19c69a86038e23d7e5af5d810f4f86d32e9aaaf04b54281cda2194dcca99ee1f23f4aa3a011d5d2dc9e47689c449f398d315f91a03f4765742d20a7046e986a9696f0e07380a73fdd61e7ab2caa463a049a5869e008e16bb30d22f93f9aa8b0fdd41d2b19e669d58ca462498905e79944bff578c24139a88ef44582aef93f94fe22406a3ae32dcc0f0602e2f4345db2bd9d775eaeb14a8d7aff963e1ca8c29bab2fc3d459941587f4242af6e100e2e668a6c9247c19969ba294f6f2ab60ef84d42aab2e3512153a283d321442840189733dc6024dab0ea5d10d2e07fee914fc2e7177b310e8835bf8a5ffe1bde5ce0a74d3dd570c1b2652672873d3c520364acc0af35f5f7d0e0e95df8c2db3855936e0a4a24cc463bf277b0c5ea37d4ac1ddae6ef9da18852620de15ab648306f3d7acbb918e79f3ab7a3eaf4f59416560c4d31d8a0220c3301c95db4b8fe6b69348657aed52d5e15aefb17fedd15a50630a4edbad362ba9b79a048b4966a70643d8fa31fb397a531db85e8ad5bb169f5188449dbcc1bbaf42440d1794a34296c2407092c76e59544133959309ce42a05899162c55a865018085a4c57068294a5389cf6fbf1c93b5ab7732625fb6a465bd7ec51a128c2f9b0cf3fd0367f92667098b3a8af40f9f434a2a727b09bddbad1762127cc785eda419ac3ff24c8724e04ea2d330b0b441f34623955efd383f20578cdc527f3076ee068b727cd399ce17ff9d5233409b2d16d55c5c80cb8ca01019cd068c6e803217d6f2b7124e354b89de0eb0dfd241384026a1cdca529b6fed37aa0ececb0d6c26de06407d75a6e3108b0d25621db418206291a67216306e1a18c992736e45ef7f87373c0a3f28ddc1b4543604cd154f6b79265a6d8c13550078c3bcf55063263e5bc5cae6b925c1dbb67f972e234006867849e653*3*254*10*9*16*d1547688c9cc944482d16dff17df0858*20971520*1fef4e57e302d34e

17030 GPG (AES-128/AES-256 (SHA-256($pass))) * | $gpg$*1*668*2048*e75985b4e7d0bce9e38925a5cf69494ae9a2ccfe2973f077d9423642fffec8bee0e327178a4a3431875ca1f377b9f89269e7c42b94150859d9e5bf5c4504d63076b270118183dda75d253492be8b680c0061e7f130010a00a09a0456710051f2483052ad209fcb9f194f78ecd04fd04953fa1cd6f7ce9babca8b2ee6432730de069648460b2822fe355ed19e0055c69251097681901d7183626019d938727399df47f5249f25b1c73e8654bf935014533845f278e6dd94b8c2964ad6a87c718967686f39a88b21a0e5a93321d4733c81d9310955db6990d8cd02bcf73159b1f48f5615def601aa3e12bf30384da41b558b1eef1111cfc85c8772c123a7b977e2ba399f65679c35b9a2abfde0230a5706fe99f5460c700b1498b1661353ec30eab25defb9af2e7e744fd050d2e7c87542d8bc49e728a7734accf2801dc5972192670858f2004308f3afdd94acd44e1161c44dd372296ca7fe40cbb541c21d640a10df34460c4f5c7cd1bf3b3282668d7edb53be4d843aef4b6f0357526d9c4432aa2a45e113a73e75bfec98cb4cc020ab6cca35336fd188140fd16183dbe288707421e698b6e4801508ae903de3e5d600bd613ea612af92780e53be37722897edb8a588193e7d28819c2f0cbb4e97c3e830113ce14ab05ddb82552fc5e82c386ec2fe9b2d86fc7ade39e341e3dd828502cc3dd038cb21cb0512e79dca9f5a9eae78b2e91aa0732ac77fbc3bc5575c210f519c178669ea99bef62eb6761dfa76407d0d501b07a696a0214dafde7b0bfb48e8ba445b6b42a859a63cb91c9d991ed030ef9e6c63f53b395e14821d7039e4455e0e3712f77f64b7abaa04467bd5b9be26c5e098430187676d0aa7206e2e4fa2e5b7bd486d18b0f3859e94319ccac587574a7bae6ccb3e9414cc769761cf6a0fa1b33cccd1a4b0b04c0d52cd*3*254*8*9*16*343d26cf2c10a8f8a161874fbb218c12*65536*666ae8d1c98404b0

Based on the gpg command used to encrypt the file, I was thinking I really need the 17030 mode.

When running .\hashcat.exe -m17010 --example-hashes --mach, it successfully returns the example.

When running .\hashcat.exe -m17030 --example-hashes --mach, I get:

Code:
hashcat (v6.2.6) starting in hash-info mode

Either the specified hash mode does not exist in the official repository,
or the file(s) could not be found. Please check that the hash mode number is
correct and that the files are in the correct place.

Cannot load module ./modules/module_17030.dll

So, assuming I am actually using the right mode, how do I get the correct module?

Thanks.
Reply
#2
Firstly, encode as UTF8 without symbols or Hashcat will be confused:

Code:
S:\scratch\hashcat-foobar-gpg-hash.txt: Byte Order Mark (BOM) was detected

Secondly, the asterisks in the examples table mean that they're not in release Hashcat and you will have to use the beta to have access to them. https://www.hashcat.net/beta
Reply
#3
Thanks for pointing the BOM.

I was able to get around that with:

Code:
bash
   
file /mnt/s/scratch/hashcat-foobar-gpg-hash.txt

iconv -f UTF-16 -t UTF-8 /mnt/s/scratch/hashcat-foobar-gpg-hash.txt -o /mnt/s/scratch/hashcat-foobar-gpg-hash.txt

Also, thanks for pointing out that asterisk.  I feel pretty silly not catching that and then scrolling down to the legend where is calls out that it's in beta or not yet released.

I will go pull down a beta release and see if I have better luck.
Reply
#4
Alright stupid question, where do you find the beta releases?
Reply
#5
Seems like there isn't a newer beta version?

Index of /beta/ (hashcat.net)

Code:
hashcat-6.2.6+813.7z                              26-Oct-2023 12:28            21736133

kwprocessor-1.00+6.7z                              09-Sep-2016 15:33              87474

Oh, maybe that is newer:

https://hashcat.net/hashcat/

Code:
hashcat binaries    v6.2.6    2022.09.02
Reply
#6
Alright, the beta works, but I now get:

Code:
 Hashfile 'S:\scratch\hashcat-foobar-gpg-hash.txt' on line 1 ($gpg$*...18*8*9*65011712*4b9b39f440ed3ec5): Token length exception

 * Token length exception: 1/1 hashes
  This error happens if the wrong hash type is specified, if the hashes are
  malformed, or if input is otherwise not as expected (for example, if the
  --username option is used but no username is present)

I would assume the problem stems from how gpg2john.exe is creating the hash.

If I take the example hash, that is generated from, .\hashcat.exe -m17030 --example-hashes --mach, and break it out like this:

Code:
$gpg$
1
668
2048
e75985b4e7d0bce9e38925a5cf69494ae9a2ccfe2973f077d9423642fffec8bee0e327178a4a3431875ca1f377b9f89269e7c42b94150859d9e5bf5c4504d63076b270118183dda75d253492be8b680c0061e7f130010a00a09a0456710051f2483052ad209fcb9f194f78ecd04fd04953fa1cd6f7ce9babca8b2ee6432730de069648460b2822fe355ed19e0055c69251097681901d7183626019d938727399df47f5249f25b1c73e8654bf935014533845f278e6dd94b8c2964ad6a87c718967686f39a88b21a0e5a93321d4733c81d9310955db6990d8cd02bcf73159b1f48f5615def601aa3e12bf30384da41b558b1eef1111cfc85c8772c123a7b977e2ba399f65679c35b9a2abfde0230a5706fe99f5460c700b1498b1661353ec30eab25defb9af2e7e744fd050d2e7c87542d8bc49e728a7734accf2801dc5972192670858f2004308f3afdd94acd44e1161c44dd372296ca7fe40cbb541c21d640a10df34460c4f5c7cd1bf3b3282668d7edb53be4d843aef4b6f0357526d9c4432aa2a45e113a73e75bfec98cb4cc020ab6cca35336fd188140fd16183dbe288707421e698b6e4801508ae903de3e5d600bd613ea612af92780e53be37722897edb8a588193e7d28819c2f0cbb4e97c3e830113ce14ab05ddb82552fc5e82c386ec2fe9b2d86fc7ade39e341e3dd828502cc3dd038cb21cb0512e79dca9f5a9eae78b2e91aa0732ac77fbc3bc5575c210f519c178669ea99bef62eb6761dfa76407d0d501b07a696a0214dafde7b0bfb48e8ba445b6b42a859a63cb91c9d991ed030ef9e6c63f53b395e14821d7039e4455e0e3712f77f64b7abaa04467bd5b9be26c5e098430187676d0aa7206e2e4fa2e5b7bd486d18b0f3859e94319ccac587574a7bae6ccb3e9414cc769761cf6a0fa1b33cccd1a4b0b04c0d52cd
3
254
8
9
16
343d26cf2c10a8f8a161874fbb218c12
65536
666ae8d1c98404b0

I can see that my hash that was created from gpg2john.exe is 3 lines shorter.

From the example, it looks like I am missing the values for:

Code:
2048
16
65536

I have also noticed that very long string value is much shorter for my hash, which might also be a problem?

Is there any documentation on what each section of the hash file is, that is each section separated by the asterisk?
Reply