PDF Hash type

[xJiiKo]

Hey guys
When I try to figure out the hash type with -identify, I get this output:

No hash-mode matches the structure of the input hash.
I
f I pull out the hash via Jack the ripper, it is only partially similar to the existing hashtype examples.

My hash starts like this: $pdf$1*2*40*2147422012*1*16*

I've already tested every hash mode, always the same error:


Hashfile 'pdf.txt' on line 1 ($pdf$1...xxxxxxxxxxxxx): Token length exception

* Token length exception: 1/1 hashes
  This error happens if the wrong hash type is specified, if the hashes are
  malformed, or if input is otherwise not as expected (for example, if the
  --username option is used but no username is present)

No hashes loaded.

[b8vr]

Hey guys
When I try to figure out the hash type with -identify, I get this output:

No hash-mode matches the structure of the input hash.
I
f I pull out the hash via Jack the ripper, it is only partially similar to the existing hashtype examples.

My hash starts like this: $pdf$1*2*40*2147422012*1*16*

I've already tested every hash mode, always the same error:


Hashfile 'pdf.txt' on line 1 ($pdf$1...xxxxxxxxxxxxx): Token length exception

* Token length exception: 1/1 hashes
  This error happens if the wrong hash type is specified, if the hashes are
  malformed, or if input is otherwise not as expected (for example, if the
  --username option is used but no username is present)

No hashes loaded.

Is the end part of the hash 64 bytes long? If not, try and pad it with 0 until it is. Or trim it if necessary. 
There also exists pdf2hashcat (google it), maybe that will format the hash string a bit different....

[xJiiKo]

Hey guys
When I try to figure out the hash type with -identify, I get this output:

No hash-mode matches the structure of the input hash.
I
f I pull out the hash via Jack the ripper, it is only partially similar to the existing hashtype examples.

My hash starts like this: $pdf$1*2*40*2147422012*1*16*

I've already tested every hash mode, always the same error:


Hashfile 'pdf.txt' on line 1 ($pdf$1...xxxxxxxxxxxxx): Token length exception

* Token length exception: 1/1 hashes
  This error happens if the wrong hash type is specified, if the hashes are
  malformed, or if input is otherwise not as expected (for example, if the
  --username option is used but no username is present)

No hashes loaded.

Is the end part of the hash 64 bytes long? If not, try and pad it with 0 until it is. Or trim it if necessary. 
There also exists pdf2hashcat (google it), maybe that will format the hash string a bit different....

The end part of the hash is 168 character long. Idk how many bytes that is...

[JDLH]

Have a look at the example hashes at https://hashcat.net/wiki/doku.php?id=example_hashes .

In the PDF hashes which hashcat and Jack the Ripper use, the first two numbers are a Version and Revision number. What comes after that — the number of fields, and the length of each field — differs depending on the Version and Revision. Which hashcat hash type ("-m" number) you use also differs.

I suggest you find a hash in example_hashes which matches the beginning of your hash: $pdf$1*2* . Then copy the entire example hash, and compare its structure carefully to the structure of the hashes you have. 

I have noticed that some tools which claim to read a PDF file and generate a hash get the hash wrong. Sometimes there is a clear place to file a bug against the tool, sometimes there is not.

[xJiiKo]

Have a look at the example hashes at https://hashcat.net/wiki/doku.php?id=example_hashes .

In the PDF hashes which hashcat and Jack the Ripper use, the first two numbers are a Version and Revision number. What comes after that — the number of fields, and the length of each field — differs depending on the Version and Revision. Which hashcat hash type ("-m" number) you use also differs.

I suggest you find a hash in example_hashes which matches the beginning of your hash: $pdf$1*2* . Then copy the entire example hash, and compare its structure carefully to the structure of the hashes you have. 

I have noticed that some tools which claim to read a PDF file and generate a hash get the hash wrong. Sometimes there is a clear place to file a bug against the tool, sometimes there is not.

I did that, the most similiar one is PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2
But its still very different...
PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2 $pdf$1*2*40*-1*0*16*

[b8vr]

Have a look at the example hashes at https://hashcat.net/wiki/doku.php?id=example_hashes .

In the PDF hashes which hashcat and Jack the Ripper use, the first two numbers are a Version and Revision number. What comes after that — the number of fields, and the length of each field — differs depending on the Version and Revision. Which hashcat hash type ("-m" number) you use also differs.

I suggest you find a hash in example_hashes which matches the beginning of your hash: $pdf$1*2* . Then copy the entire example hash, and compare its structure carefully to the structure of the hashes you have. 

I have noticed that some tools which claim to read a PDF file and generate a hash get the hash wrong. Sometimes there is a clear place to file a bug against the tool, sometimes there is not.

I did that, the most similiar one is PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2
But its still very different...
PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2 $pdf$1*2*40*-1*0*16*

Would you mind sharing the hash?

[Chick3nman]

No need to share, I'm pretty sure the problem is the 2147422012. This value is incredibly high, either it's an error or a new value that the modules/kernels aren't ready to support. Changing it to be a smaller number would probably allow the hash to load but, depending on the version, it may impact the ability to crack it. I believe in some cases it won't though, so it's worth a shot.

[xJiiKo]

1711522518[/url]']

1711501148[/url]']

1711500614[/url]']
Have a look at the example hashes at https://hashcat.net/wiki/doku.php?id=example_hashes .

In the PDF hashes which hashcat and Jack the Ripper use, the first two numbers are a Version and Revision number. What comes after that — the number of fields, and the length of each field — differs depending on the Version and Revision. Which hashcat hash type ("-m" number) you use also differs.

I suggest you find a hash in example_hashes which matches the beginning of your hash: $pdf$1*2* . Then copy the entire example hash, and compare its structure carefully to the structure of the hashes you have. 

I have noticed that some tools which claim to read a PDF file and generate a hash get the hash wrong. Sometimes there is a clear place to file a bug against the tool, sometimes there is not.

I did that, the most similiar one is PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2
But its still very different...
PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2 $pdf$1*2*40*-1*0*16*

Would you mind sharing the hash?

No I’m completely fine with sharing the hash, but am I allowed to? I thought I read somewhere that I’m not allowed to post the full hash.

[xJiiKo]

1711523712[/url]']
No need to share, I'm pretty sure the problem is the 2147422012. This value is incredibly high, either it's an error or a new value that the modules/kernels aren't ready to support. Changing it to be a smaller number would probably allow the hash to load but, depending on the version, it may impact the ability to crack it. I believe in some cases it won't though, so it's worth a shot.

How do I change it to a smaller number? Just shorten it? Can you give me an example?

[xJiiKo]

1711522518[/url]']

1711501148[/url]']

1711500614[/url]']
Have a look at the example hashes at https://hashcat.net/wiki/doku.php?id=example_hashes .

In the PDF hashes which hashcat and Jack the Ripper use, the first two numbers are a Version and Revision number. What comes after that — the number of fields, and the length of each field — differs depending on the Version and Revision. Which hashcat hash type ("-m" number) you use also differs.

I suggest you find a hash in example_hashes which matches the beginning of your hash: $pdf$1*2* . Then copy the entire example hash, and compare its structure carefully to the structure of the hashes you have. 

I have noticed that some tools which claim to read a PDF file and generate a hash get the hash wrong. Sometimes there is a clear place to file a bug against the tool, sometimes there is not.

I did that, the most similiar one is PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2
But its still very different...
PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2 $pdf$1*2*40*-1*0*16*

Would you mind sharing the hash?

I wrote u a pm