Posts: 7
Threads: 2
Joined: Jan 2020
Hey folks,
I got a PDF 1.7 file encrypted with a password I know. Tried to crack it with hashcat 6.2.6 on windows and also tried with hashcat 6.2.3 on Linux. Here's the deal:
Code:
$pdf$1*2*40*4294967292*1*16*f19cc2b4e729de85b9c33cb258e423fe*32*15557096e00d63d5f76e49581ed3b0dd66cb10f7a1a16db30ed10a448d9dde5a*32*241c404b974ea18d385d637c27512c142c0d0671da6bbecbae0a30f3d8695a3f
Adobe Reader says this file is version 1.7 encrypted with RC4 (40bit) but according to hashcat example hashes, this should be PDF 1.1 - 1.3 which is odd...
However hashcat nor john can't detect the hashtype. The hash has been generated using pdf2john utility.
I've tried all available to PDF hashcat modes and none of them worked.
I'd appreciate a nudge.
Posts: 36
Threads: 12
Joined: Jan 2015
I think there is a bug in the hash parsing module, parameter P - Length is more than 6 characters
Posts: 887
Threads: 15
Joined: Sep 2017
first: don't post complete hashes, mask them with some XXXX on the data part as this is against forum rules
i would assume that the used encryption and/or pdf is not supported or the output is malformed, dunno, but i remember something right now, see that part "4294967292", given the examples this should be "-1", i think there was an issue with signed and unsigned values or output from JtR, im not quite sure about if that was fixed later (Git-Version) but im pretty sure it isn't fixed in the download version, i would give this a shot and use -1 instead of this 4294967292
Posts: 49
Threads: 0
Joined: Oct 2021
(10-14-2024, 02:38 PM)Nism0 Wrote: I got a PDF 1.7 file encrypted
PDF 1.7 can use encryption of older versions.
What hashcat algorithm did you use?
Posts: 7
Threads: 2
Joined: Jan 2020
10-14-2024, 05:12 PM
(This post was last modified: 10-14-2024, 05:12 PM by Nism0.)
I've already saw this thread
https://hashcat.net/forum/thread-11875-page-2.html and also this one which seems to be similar to mine:
https://hashcat.net/forum/archive/index....12065.html
The latter suggest replacing the 4294967292 value with -1852 which didn't help in my case. I've also tried beta version of hashcat from
https://hashcat.net/beta/ and it's still the same.
I used all available hashcat modes also in beta version. All gave separator unmatched error.
Posts: 36
Threads: 12
Joined: Jan 2015
for this hash in hashcat - bug, use john the ripper
Posts: 7
Threads: 2
Joined: Jan 2020
(10-15-2024, 12:24 PM)zamgold Wrote: for this hash in hashcat - bug, use john the ripper
As I wrote in first post, jtr also does not recognize this hash format -.-
Posts: 108
Threads: 1
Joined: Apr 2023
Replace 4294967292 with -4 and use mode 10400.
Posts: 7
Threads: 2
Joined: Jan 2020
10-15-2024, 12:46 PM
(This post was last modified: 10-15-2024, 12:52 PM by Nism0.)
(10-15-2024, 12:39 PM)lapsikmees Wrote: Replace 4294967292 with -4 and use mode 10400.
You nailed it! It worked. Thanks a lot man. Could you elaborate a bit on why it actually worked and what this issue is actually related to (pdf2john, hashcat bug)? I'd appreciate.
Edit: Hashcat recognizes the hash even if I replace 4294967292 with -1 but can't crack it (exhausts).
Posts: 108
Threads: 1
Joined: Apr 2023
