Posts: 3
Threads: 1
Joined: Dec 2024
12-30-2024, 06:20 PM
Hashcat returning multiple incorrect answers for a PDF hash
command > hashcat.exe -m 25400 -a 3 hashfile ?a?a?a?a --force --potfile-disable
I get: $pdf$4*4*128*-4*1*16*35851ee76af82bbcxxxx40cf9e5de8c3*32*1fd3a5cc45cfd678673c09f9e8ee791828bf4e5e4e758a4164004e56fffa0108*32*b15c9e6311acf6d9ec6398f07f613bf4710e91e57b9e11887d6c3f2b6a410f16:$HEX[723263652020202028757365722070617373776f72643d61411a256a667555261c543f437b6d4f29]
hex decode > r2ce (user password=aA%jfuU&T?C{mO)
command > hashcat.exe -m 25400 h.hash -a 3 --force --potfile-disable
I get: $pdf$4*4*128*-4*1*16*35851ee76af82bbcxxxx40cf9e5de8c3*32*1fd3a5cc45cfd678673c09f9e8ee791828bf4e5e4e758a4164004e56fffa0108*32*b15c9e6311acf6d9ec6398f07f613bf4710e91e57b9e11887d6c3f2b6a410f16:$HEX[6d6433612020202028757365722070617373776f72643d7c6c703a377c2b5f76244120761b393829]
hex decode > md3a (user password=|lp:7|+_v$A v98)
What am I doing wrong?
Posts: 200
Threads: 0
Joined: Nov 2017
you are using --force, that can cause a lot of problems, including finding incorrect passwords.
Posts: 124
Threads: 1
Joined: Apr 2022
12-31-2024, 11:52 PM
(12-30-2024, 06:20 PM)ox1d Wrote:
Hashcat returning multiple incorrect answers for a PDF hash
hashcat.exe -m 25400 -a 3 hashfile ?a?a?a?a --force --potfile-disable
i get: $pdf$4*4*128*-4*1*16*35851ee76af82bbcxxxx40cf9e5de8c3*32*1fd3a5cc45cfd678673c09f9e8ee791828bf4e5e4e758a4164004e56fffa0108*32*b15c9e6311acf6d9ec6398f07f613bf4710e91e57b9e11887d6c3f2b6a410f16:$HEX[723263652020202028757365722070617373776f72643d61411a256a667555261c543f437b6d4f29]
hex decode > r2ce (user password=aA%jfuU&T?C{mO)
command > hashcat.exe -m 25400 h.hash -a 3 --force --potfile-disable
i get: $pdf$4*4*128*-4*1*16*35851ee76af82bbcxxxx40cf9e5de8c3*32*1fd3a5cc45cfd678673c09f9e8ee791828bf4e5e4e758a4164004e56fffa0108*32*b15c9e6311acf6d9ec6398f07f613bf4710e91e57b9e11887d6c3f2b6a410f16:$HEX[6d6433612020202028757365722070617373776f72643d7c6c703a377c2b5f76244120761b393829]
hex decode > md3a (user password=|lp:7|+_v$A v98)
What am I doing wrong?
It does look weird. But I'm not sure if the (user password) part is intended. I haven't cracked pdf's for ages.
But some hashing algos - and pdf could be one of them I think - have a lot of false positives. You should run hashcat with
--keep-guessing
Posts: 3
Threads: 1
Joined: Dec 2024
(12-31-2024, 10:12 AM)DanielG Wrote: you are using --force, that can cause a lot of problems, including finding incorrect passwords.
--force is used to ignore warnings
Posts: 3
Threads: 1
Joined: Dec 2024
(12-31-2024, 11:52 PM)b8vr Wrote:
(12-30-2024, 06:20 PM)ox1d Wrote:
Hashcat returning multiple incorrect answers for a PDF hash
hashcat.exe -m 25400 -a 3 hashfile ?a?a?a?a --force --potfile-disable
i get: $pdf$4*4*128*-4*1*16*35851ee76af82bbcxxxx40cf9e5de8c3*32*1fd3a5cc45cfd678673c09f9e8ee791828bf4e5e4e758a4164004e56fffa0108*32*b15c9e6311acf6d9ec6398f07f613bf4710e91e57b9e11887d6c3f2b6a410f16:$HEX[723263652020202028757365722070617373776f72643d61411a256a667555261c543f437b6d4f29]
hex decode > r2ce (user password=aA%jfuU&T?C{mO)
command > hashcat.exe -m 25400 h.hash -a 3 --force --potfile-disable
i get: $pdf$4*4*128*-4*1*16*35851ee76af82bbcxxxx40cf9e5de8c3*32*1fd3a5cc45cfd678673c09f9e8ee791828bf4e5e4e758a4164004e56fffa0108*32*b15c9e6311acf6d9ec6398f07f613bf4710e91e57b9e11887d6c3f2b6a410f16:$HEX[6d6433612020202028757365722070617373776f72643d7c6c703a377c2b5f76244120761b393829]
hex decode > md3a (user password=|lp:7|+_v$A v98)
What am I doing wrong?
It does look weird. But I'm not sure if the (user password) part is intended. I haven't cracked pdf's for ages.
But some hashing algos - and pdf could be one of them I think - have a lot of false positives. You should run hashcat with
--keep-guessing
"I tried running it, but I ended up with a lot of hex values. After decoding, I got outputs like:
- md3a (user password=|lp:7|+_v$A v98)
- 061028 (user password=gg2DN#nT%Nx5;Mp)
- lollie02 (user password=C7%9X>t!W{?;5)
Not sure if these are false positives or if I'm missing something here."
Posts: 379
Threads: 0
Joined: Nov 2017
(01-01-2025, 06:10 AM)ox1d Wrote: --force using for ignore warnings
lol ignoring warnings about issues with your setup is most likely the cause. When using --force we cannot troubleshoot your issues because you already have underlying issues which you just decided to bypass.
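The two `$HEX[...]` results posted in this thread can be decoded byte-for-byte instead of as text, which shows what a plain text decode drops. The following is an added example, not code from the thread or from hashcat: it splits each decoded result into the candidate and the "(user password=...)" part and lists every byte outside printable ASCII. The layout it parses is assumed from the decoded strings shown above, and the function names are hypothetical.

```python
import re

# The two "$HEX[...]" plaintext fields posted in the thread (hash part omitted).
POSTED = [
    "$HEX[723263652020202028757365722070617373776f72643d61411a256a667555261c543f437b6d4f29]",
    "$HEX[6d6433612020202028757365722070617373776f72643d7c6c703a377c2b5f76244120761b393829]",
]

HEX_FIELD = re.compile(r"\$HEX\[([0-9a-fA-F]*)\]$")
# Assumed layout, taken from the decoded strings in the thread:
# <candidate><spaces>(user password=<bytes>)
USER_PART = re.compile(rb"^(.*?) +\(user password=(.*)\)$", re.DOTALL)


def decode_field(field):
    """Return the raw plaintext bytes of a hashcat output field."""
    m = HEX_FIELD.search(field.strip())
    return bytes.fromhex(m.group(1)) if m else field.encode("utf-8")


def analyse(field):
    """Split a decoded result and list bytes outside printable ASCII."""
    raw = decode_field(field)
    m = USER_PART.match(raw)
    candidate, user = (m.group(1), m.group(2)) if m else (raw, b"")
    odd = [(i, b) for i, b in enumerate(user) if b < 0x20 or b > 0x7E]
    return {
        "candidate": candidate.decode("latin-1"),
        "user_bytes": user,
        "nonprintable": odd,  # (offset, byte value) pairs
    }


if __name__ == "__main__":
    for field in POSTED:
        r = analyse(field)
        print(f"candidate={r['candidate']!r} user={r['user_bytes']!r}")
        for off, val in r["nonprintable"]:
            print(f"  offset {off}: 0x{val:02x} (not printable ASCII)")
```

Both reported user-password fields are 16 bytes long and contain control bytes, which is why the text-decoded strings in the first post appear shorter than 16 characters.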