Colliding password protected MS office 97-2003 documents
#31
Where is the initial hash being used coming from? Do I have to run this through another process, or can I just pull the values from a hex viewer?
Reply
#32
Hi guys, I have a problem.

When using mode 9810, there is no RC4 recovered. I ran the session on an Nvidia K80, Windows 2008 R2 64, cudaHashcat-2.01, ForceWare 348.40, CUDA 7.0.28.
 
Session.Name...: cudaHashcat
Status.........: Exhausted
Input.Mode.....: Mask (?b?b?b?b?b) [5]
Hash.Target....: $oldoffice$3*1fd80fb32756c57c979aff19f503...
Hash.Type......: MS Office <= 2003 SHA1 + RC4, collision-mode #1
Time.Started...: Tue Apr 12 11:03:44 2016 (42 mins, 6 secs)
Time.Estimated.: 0 secs
Speed.GPU.#1...: 54166.7 kH/s
Speed.GPU.#2...: 54358.7 kH/s
Speed.GPU.#3...: 54439.6 kH/s
Speed.GPU.#4...: 54877.3 kH/s
Speed.GPU.#5...: 54384.6 kH/s
Speed.GPU.#6...: 54191.4 kH/s
Speed.GPU.#7...: 54850.1 kH/s
Speed.GPU.#8...: 54891.1 kH/s
Speed.GPU.#*...:   436.2 MH/s
Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 1099511627776/1099511627776 (100.00%)
Rejected.......: 0/1099511627776 (0.00%)
TOP570cdc3b     proc_start      1460430224
TOP570cdc3b     proc_stop       1460432759
TOP570cdc3b     STOP
Started: Tue Apr 12 11:03:44 2016
Stopped: Tue Apr 12 11:45:59 2016
Reply
#33
Are you able to reproduce this with any other hash?
Reply
#34
(04-12-2016, 04:13 PM)stepMode Wrote: Are you able to reproduce this with any other hash?

I tried making a test file, and cudaHashcat worked on it.

But for the original file, it cannot get the RC4.

I found that when I open the original file in Passware, Passware shows that the file is "Microsoft Base Cryptographic Provider v 1.0. 128 bits", and the test file is 40 bits.

When using office2hashcat.py to analyze these two files, the output hashes both start with $oldoffice$3.
Reply