$RAR3$*1* hash issue
#1
Hello, 
Newbie really needs help!)

My situation: I have a fairly old RAR archive (created in May 2013), the archive has a password, the file names are not encrypted.
I decided to use Hashcat, for which I got the hash from the archive via rar2john.

As a result, I got the following hash:

I want to note that this hash turned out to be much longer than the hashes I had previously trained on, all of them looked something like this:
$RAR3$*1*e974534839e88add*0c7e7fd8*16*4*1*ba0f81335e80f89518d8e5c4cd5a2f81*30

However, after studying the documentation and forums, I realized that hashes can be of this size and that the hash I received corresponds to the required format.

This hash ends with *33, which according to the list of "hash examples" on the hashcat website corresponds to RAR3-p (Compressed) and has a Hash-Mode of 23800.

Next, when I try to get Hashcat to work with this hash, I get an error:

Started: Mon Jan 20 13:11:49 2025
Stopped: Mon Jan 20 13:11:49 2025
1@1-Mac-mini desktop % hashcat -m 23800 -a 3 hash.txt '?d?d?d?d?d'
hashcat (v6.2.6) starting

Either the specified hash mode does not exist in the official repository,
or the file(s) could not be found. Please check that the hash mode number is
correct and that the files are in the correct place.

dlopen(/opt/homebrew/Cellar/hashcat/6.2.6_1/share/hashcat/modules/module_23800.so, 0x0002): tried: '/opt/homebrew/Cellar/hashcat/6.2.6_1/share/hashcat/modules/module_23800.so' (no such file), '/System/Volumes/Preboot/Cryptexes/OS/opt/homebrew/Cellar/hashcat/6.2.6_1/share/hashcat/modules/module_23800.so' (no such file), '/opt/homebrew/Cellar/hashcat/6.2.6_1/share/hashcat/modules/module_23800.so' (no such file)


After that I thought that maybe I hadn't defined the hash type correctly and tried to change the Hash-Mode parameter to 23700 RAR3-p (Uncompressed), but as I understood, it is not correct (below is the error with the 23700 parameter).

Started: Mon Jan 20 13:30:33 2025
Stopped: Mon Jan 20 13:30:33 2025
1@1-Mac-mini desktop % hashcat -m 23700 -a 3 hash.txt '?d?d?d?d?d'
hashcat (v6.2.6) starting

* Device #2: Apple's OpenCL drivers (GPU) are known to be unreliable.
             You have been warned.

METAL API (Metal 367.6)
=======================
* Device #1: Apple M1, 2688/5461 MB, 8MCU

OpenCL API (OpenCL 1.2 (Nov  9 2024 22:11:50)) - Platform #1 [Apple]
====================================================================
* Device #2: Apple M1, skipped

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 128

Hashfile 'hash.txt' on line 1 ($RAR3$...b1940f2cc28b32e83c93c4d6236a3*33): Salt-value exception
No hashes loaded.


The installed version of Hashcat is working, I have previously successfully used it for training and found passwords.

When trying to insert this hash into rar2John, it accepts it, defines it as (rar, RAR3 [SHA1 128/128 ASIMD 4x AES]) and starts working (without any positive results so far).

Please, I really need your advice. 

Did I identify the hash type correctly?
What exactly am I doing wrong? 
How can I get Hashcat to work with my hash?
#2
> This hash ends with *33, which according to the list of "hash examples" on the hashcat website corresponds to RAR3-p (Compressed) and has a Hash-Mode of 23800
This is correct but you used -m 23700 in your command, hence why it's throwing an error.

> I realized that hashes can be of this size and that the hash I received corresponds to the required format.
Correct, yeah. The larger the rar, the larger the hash (generally).

> hash
Posting full hashes isn't allowed btw, see: https://hashcat.net/forum/announcement-2.html

EDIT: Ah sorry, I just re-read and realised I was wrong in the first point. I think this is to do with whatever package manager you got Hashcat from being incomplete, it's pretty common. Try building Hashcat from GitHub, there are instructions for macOS, specifically:
https://github.com/hashcat/hashcat/blob/...D_macOS.md
https://github.com/hashcat/hashcat
Reply
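
Added example, not part of the original posts or of hashcat: a Python check that splits a rar2john `$RAR3$` line into its fields, confirms the inline data length matches the packed size, and picks the hash mode from the trailing method field. The `describe_rar3` helper, the field names and the sample lines are constructed for illustration; mode 12500 for `$RAR3$*0*` comes from hashcat's example-hash list rather than this thread, and treating methods 31 to 35 as "compressed" is an assumption based on RAR's method numbering.

```python
import re

# Mode numbers from hashcat's example-hash list.
MODE_HP, MODE_P_STORED, MODE_P_COMPRESSED = 12500, 23700, 23800
HEX = r"[0-9a-fA-F]"

def describe_rar3(line):
    """Split one rar2john $RAR3$ line into fields and pick the hashcat mode."""
    # Assumption: rar2john may wrap the hash as "archive.rar:<hash>:extra".
    m = re.search(r"\$RAR3\$\*[^:\s]+", line)
    if not m:
        raise ValueError("no $RAR3$ hash found")
    f = m.group(0).split("*")
    if f[1] == "0" and len(f) == 4:      # -hp archive: headers encrypted too
        return {"type": 0, "mode": MODE_HP, "problems": []}
    if f[1] != "1" or len(f) != 9:
        raise ValueError("unexpected field count (data not inline?)")
    _, _, salt, crc, pack, unp, inline, data, method = f
    problems = []
    if not re.fullmatch(HEX + "{16}", salt):
        problems.append("salt is not 8 hex-encoded bytes")
    if not re.fullmatch(HEX + "{8}", crc):
        problems.append("crc is not 4 hex-encoded bytes")
    if inline != "1":
        problems.append("inline-data flag is not 1")
    if not re.fullmatch(HEX + "*", data) or len(data) != 2 * int(pack):
        problems.append("data is %d hex chars, packed size needs %d"
                        % (len(data), 2 * int(pack)))
    if method == "30":                   # stored, no compression
        mode = MODE_P_STORED
    elif method in ("31", "32", "33", "34", "35"):  # assumed compressed range
        mode = MODE_P_COMPRESSED
    else:
        mode = None
        problems.append("unknown method " + method)
    return {"type": 1, "mode": mode, "method": method, "packed": int(pack),
            "unpacked": int(unp), "problems": problems}

# Constructed sample lines (not taken from real archives).
SAMPLE_33 = ("old.rar:$RAR3$*1*0011223344556677*89abcdef*16*20*1*"
             + "ab" * 16 + "*33:1::notes.txt")
SAMPLE_30 = "$RAR3$*1*0011223344556677*89abcdef*16*4*1*" + "ab" * 16 + "*30"
SAMPLE_CUT = "$RAR3$*1*0011223344556677*89abcdef*16*20*1*" + "ab" * 12 + "*33"

if __name__ == "__main__":
    for s in (SAMPLE_33, SAMPLE_30, SAMPLE_CUT):
        r = describe_rar3(s)
        print("-m", r["mode"], r["problems"] or "fields consistent")
```

For a line ending in `*33`, as in the first post, the check selects 23800, which is the mode whose `module_23800.so` the `dlopen` error reports as missing from the Homebrew install.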