Posts: 2,936
Threads: 12
Joined: May 2012
?b?b?b?b?b is not for the collision, but for cracking the RC4 key. Once you know the RC4 key, you have the first five bytes of the MD5|SHA1 hash. You then collide that hash to find a password that works.
Note the last step is not strictly necessary. You could simply use the RC4 key to decrypt the document without the password.
Posts: 1
Threads: 0
Joined: Nov 2014
Sorry for my question, I'm a starter... I wrote the string exactly like you wrote it:
oclHashcat64.exe -m 9700 hash -a 3 ?b?b?b?b?b -w 3 --potfile-disable
and instead of the word "hash" I tried to put the hash from a 3-char string with separator '*'. I tried both with quotes ' and without quotes, and even gave the text file with the hash. And I always got the same result:
: Line-length exception
Parsed Hashes: 1/1 (100.00%)
ERROR: No hashes loaded
What did I do wrong?
Thanks
Posts: 7
Threads: 1
Joined: Nov 2014
(11-02-2014, 04:10 PM)injector Wrote: Sorry for my question, I'm a starter... I wrote the string exactly like you wrote it:
oclHashcat64.exe -m 9700 hash -a 3 ?b?b?b?b?b -w 3 --potfile-disable
and instead of the word "hash" I tried to put the hash from a 3-char string with separator '*'. I tried both with quotes ' and without quotes, and even gave the text file with the hash. And I always got the same result:
: Line-length exception
Parsed Hashes: 1/1 (100.00%)
ERROR: No hashes loaded
What did I do wrong?
Thanks
When referencing hashes they should be in a file in the correct format.
http://hashcat.net/wiki/doku.php?id=example_hashes
So your file (let's say "hashFile.txt") should contain something like this:
$oldoffice$1*04477077758555626246182730342136*b1b72ff351e41a7c68f6b45c4e938bd6*0d95331895e99f73ef8b6fbc4a78ac1a
Make sure to follow the instructions as per this post (not the post which started the thread):
http://hashcat.net/forum/thread-3665-pos...l#pid20945
and you will address it in the syntax as such if attempting to recover the HEX value (Mode 9710 as per the referenced post, and not mode 9700):
oclHashcat64.exe -m 9710 hashFile.txt -a 3 ?b?b?b?b?b -w 3
However, if you run into the same AMD Catalyst 14.9 issue that I'm having, you may not be able to retrieve the value needed for collisions.
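A hash-file line check for the format described in the post above, added here as an example (it is not part of the original post and is not hashcat's own parser). The function name and the per-type field widths are assumptions based on hashcat's published example hashes; it reports the usual causes of a load failure such as stray quotes, extra text before the signature, or a truncated field.

```python
import re

SIG = "$oldoffice$"
# Assumption: hex widths of the last field per type, taken from hashcat's
# published example hashes (types 0/1 MD5-sized, types 3/4 SHA1-sized).
VERIFIER_HASH_HEX = {"0": 32, "1": 32, "3": 40, "4": 40}
HEX = re.compile(r"[0-9a-fA-F]+")


def check_oldoffice_line(raw):
    """Return a list of problems in one hash-file line (empty list = looks OK)."""
    problems = []
    line = raw.rstrip("\r\n")
    if line.startswith("\ufeff"):
        problems.append("byte-order mark at start of file")
        line = line[1:]
    if line != line.strip():
        problems.append("leading or trailing whitespace")
        line = line.strip()
    start = line.find(SIG)
    if start < 0:
        return problems + ["missing $oldoffice$ signature"]
    if start > 0:
        problems.append("unexpected text before signature: %r" % line[:start])
    fields = line[start + len(SIG):].split("*")
    if len(fields) != 4:
        return problems + ["expected 4 '*'-separated fields, got %d" % len(fields)]
    kind, salt, verifier, verifier_hash = fields
    if kind not in VERIFIER_HASH_HEX:
        return problems + ["type %r is not in this example's table" % kind]
    expected = (("salt", salt, 32), ("verifier", verifier, 32),
                ("verifier hash", verifier_hash, VERIFIER_HASH_HEX[kind]))
    for name, value, width in expected:
        if not HEX.fullmatch(value):
            problems.append("%s is not pure hex: %r" % (name, value))
        elif len(value) != width:
            problems.append("%s has %d hex chars, expected %d" % (name, len(value), width))
    return problems


if __name__ == "__main__":
    # The first sample is the line quoted in the post; the others are constructed.
    good = ("$oldoffice$1*04477077758555626246182730342136"
            "*b1b72ff351e41a7c68f6b45c4e938bd6*0d95331895e99f73ef8b6fbc4a78ac1a")
    for sample in (good, "'" + good + "'", good[:-4], "report.doc:" + good):
        print(check_oldoffice_line(sample) or "OK")
```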
Posts: 2
Threads: 0
Joined: Dec 2014
Excuse my ignorance, gentlemen, but how do I obtain the hash value from an office doc?
Posts: 2,936
Threads: 12
Joined: May 2012
Posts: 2
Threads: 0
Joined: Dec 2014
Thanks!
Is it the same mechanism as in office2john.py?
Posts: 2,936
Threads: 12
Joined: May 2012
Yes. It's a slightly modified version of office2john.py
Posts: 5
Threads: 1
Joined: Mar 2015
Hi,
I have an Office 2007 document with a write-protected area, so the document itself is not encrypted. The Python script doesn't work that way, but I can extract the salt and password hash of the file.
Do you know if this password is encrypted the same way as in the regular encryption routine of a file? If so, how can I merge the hash for hashcat manually?
Thanks for your help!
Posts: 12
Threads: 1
Joined: Jan 2014
Hi, I have a quick question on colliding.
I see that it has been successfully implemented for $oldoffice $1 $2 and $3. Do you know if this will also work for $4? I know that oclhashcat (-m 9810) currently only matches hashes for $3. Is this because it is not possible to collide in $4, or was it accidentally omitted in the hash matching code?
Posts: 143
Threads: 9
Joined: Dec 2012
The collider modes work due to the fact that Microsoft truncated the RC4 key to 40 bits in types $1, $2 and $3. The $4 type does not have that (intended) flaw, so it's not beneficial to attack the RC4 key directly.