Can't crack a hash w/ known password

[Dalvi]

Hi,

I got this from zip2john
$pkzip2$1*1*2*0*19*8*a01dfd5e*0*28*8*19*a01d*8083*a1cf67df049e9ac22c813770b084a6218cfc6595ba061e1d50*$/pkzip2$

and this from zip2hashcat
$pkzip$1*1*2*0*19*8*a01dfd5e*0*28*8*19*a01d*a1cf67df049e9ac22c813770b084a6218cfc6595ba061e1d50*$/pkzip$

The password is
12PLANTA

I'm running  
hashcat.exe -m 17225 key.hash -a 3 -1 12PLANTA 12PLANTA --hwmon-disable

also -m 17220, 17200

Doesn't crack. What gives?

I'm attaching the original zip. Thanks!

[ZerBea]

Both hash lines are valid and the PSK is recoverable.

First hash line via JtR (for this example CPU only):

Code:

$ echo '$pkzip2$1*1*2*0*19*8*a01dfd5e*0*28*8*19*a01d*8083*a1cf67df049e9ac22c813770b084a6218cfc6595ba061e1d50*$/pkzip2$' > pkzip.john

$ echo 12PLANTA > wordlist

$ john -w:wordlist pkzip.john
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 16 OpenMP threads
Note: Passwords longer than 21 [worst case UTF-8] to 63 [ASCII] rejected
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
Warning: Only 1 candidate buffered, minimum 16 needed for performance.
12PLANTA         (?)    
1g 0:00:00:00 DONE (2024-07-14 07:13) 33.33g/s 33.33p/s 33.33c/s 33.33C/s 12PLANTA
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Second hash line via hashcat:

Code:

$ hashcat -m 17200 '*$pkzip$1*1*2*0*19*8*a01dfd5e*0*28*8*19*a01d*a1cf67df049e9ac22c813770b084a6218cfc6595ba061e1d50*$/pkzip$*' -a 3 12PLANTA
hashcat (v6.2.6-848-gc1a10518f) starting
...
$pkzip$1*1*2*0*19*8*a01dfd5e*0*28*8*19*a01d*a1cf67df049e9ac22c813770b084a6218cfc6595ba061e1d50*$/pkzip$:12PLANTA
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 17200 (PKZIP (Compressed))
Hash.Target......: $pkzip$1*1*2*0*19*8*a01dfd5e*0*28*8*19*a01d*a1cf67d...pkzip$
Time.Started.....: Sun Jul 14 07:08:56 2024 (0 secs)
Time.Estimated...: Sun Jul 14 07:08:56 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: 12PLANTA [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     1478 H/s (0.02ms) @ Accel:1024 Loops:1 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 12PLANTA -> 12PLANTA
Hardware.Mon.#1..: Temp: 27c Fan:  0% Util:  0% Core:2505MHz Mem:11201MHz Bus:16

Started: Sun Jul 14 07:08:31 2024
Stopped: Sun Jul 14 07:08:57 2024

Compare your command line with mine an you see the difference.

[Dalvi]

Thanks. I apreciate your answer.

John works, but rather not wait for resolving on CPU. I prefer GPU.

Syntax on Windows seems a bit different, no need for apostrofes and a mask is required.

It still does not work.

Funny thing is, it's this zip archive that's not working, made by someone else. If I create a new one with the same password on my Windows 11, it works.

[Dalvi]

Full cmd and output if needed

Code:

hashcat -m 17200 *$pkzip$1*1*2*0*19*8*a01dfd5e*0*28*8*19*a01d*a1cf67df049e9ac22c813770b084a6218cfc6595ba061e1d50*$/pkzip$* -a 3 12PLANTA 12PLANTA --hwmon-disable
hashcat (v6.2.6) starting

CUDA API (CUDA 12.5)
====================
* Device #1: NVIDIA GeForce RTX 3060 Laptop GPU, 5122/6143 MB, 30MCU

OpenCL API (OpenCL 3.0 CUDA 12.5.51) - Platform #1 [NVIDIA Corporation]
=======================================================================
* Device #2: NVIDIA GeForce RTX 3060 Laptop GPU, skipped

OpenCL API (OpenCL 3.0 ) - Platform #2 [Intel(R) Corporation]
=============================================================
* Device #3: Intel(R) UHD Graphics, 7360/14828 MB (2047 MB allocatable), 32MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Optimizers applied:
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

* Device #3: Skipping (hash-mode 17200)
            This is due to a known OpenCL runtime and/or device driver issue (not a hashcat issue)
            You can use --force to override, but do not report related errors.

Host memory required for this attack: 263 MB

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 17200 (PKZIP (Compressed))
Hash.Target......: $pkzip$1*1*2*0*19*8*a01dfd5e*0*28*8*19*a01d*a1cf67d...pkzip$
Time.Started.....: Mon Jul 15 00:01:08 2024 (0 secs)
Time.Estimated...: Mon Jul 15 00:01:08 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: 12PLANTA [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    1720 H/s (0.02ms) @ Accel:256 Loops:1 Thr:32 Vec:1
Speed.#*.........:    1720 H/s
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 1/1 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 12PLANTA -> 12PLANTA

Started: Mon Jul 15 00:01:05 2024
Stopped: Mon Jul 15 00:01:09 2024

[lapsikmees]

It dosen't work for latest official build for me eiter. Works on github build.

[Snoopy]

Please use the beta version from https://hashcat.net/beta/

put your hash into a file, i named it 17200.txt, start hashcat with

hashcat --status -a3 -m17200 -1 12PLANTA 17200.txt ?1?1?1?1?1?1?1?1

resulting in cracking your hash

Code:

$pkzip$1*1*2*0*19*8*a01dfd5e*0*28*8*19*a01d*a1cf67df049e9ac22c813770b084a6218cfc6595ba061e1d50*$/pkzip$:12PLANTA
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 17200 (PKZIP (Compressed))
Hash.Target......: $pkzip$1*1*2*0*19*8*a01dfd5e*0*28*8*19*a01d*a1cf67d...pkzip$
Time.Started.....: Mon Jul 15 13:07:32 2024 (0 secs)
Time.Estimated...: Mon Jul 15 13:07:32 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: ?1?1?1?1?1?1?1?1 [8]
Guess.Charset....: -1 12PLANTA, -2 Undefined, -3 Undefined, -4 Undefined
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  5980.6 kH/s (6.37ms) @ Accel:2 Loops:171 Thr:32 Vec:1
Speed.#2.........:  3745.5 kH/s (13.33ms) @ Accel:2 Loops:171 Thr:32 Vec:1
Speed.#*.........:  9726.0 kH/s
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 658176/5764801 (11.42%)
Rejected.........: 0/658176 (0.00%)
Restore.Point....: 768/16807 (4.57%)
Restore.Sub.#1...: Salt:0 Amplifier:0-171 Iteration:0-171
Restore.Sub.#2...: Salt:0 Amplifier:171-342 Iteration:0-171
Candidate.Engine.: Device Generator
Candidates.#1....: 121ALTNA -> APL12TPA
Candidates.#2....: LPLLT1LL -> TPNA1NTA
Hardware.Mon.#1..: Temp: 30c Fan: 46% Util: 83% Core:1480MHz Mem:3504MHz Bus:16
Hardware.Mon.#2..: Temp: 37c Fan:  0% Util: 86% Core:1455MHz Mem:3504MHz Bus:16
Started: Mon Jul 15 13:05:37 2024
Stopped: Mon Jul 15 13:07:34 2024

[Dalvi]

Beta works!

Thanks.