Posts: 3
Threads: 1
Joined: Aug 2015
08-11-2015, 02:14 PM
(This post was last modified: 08-13-2015, 10:05 AM by merc.)
Hey guys,
I got a problem with this Office 2003 hash:
<removed by philsmd>
Running hashcat:
./cudaHashcat64.bin -m 9700 ~/hash_to_crack.txt -a 3 ?b?b?b?b?b -w 3 --outfile ~/cracked_hash.txt
It completes 100% but no collisions is found.
Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
I'm using cudaHashcat 1.36 and NVIDIA 346.82 driver.
Reading through the forum I found a similar problem with AMD's catalyst driver. Do you think this problem is similar?
Thanks,
--merc
Posts: 2,268
Threads: 16
Joined: Feb 2013
08-11-2015, 08:47 PM
(This post was last modified: 08-11-2015, 08:51 PM by philsmd.)
The problems with this forum post/thread are:
1. the general forum user is *not* allowed to post hashes (see
https://hashcat.net/forum/announcement-2.html ) without explicit permission from a moderator/the admin
2. you fake a problem that is not a problem at all (bug with 9700), because -m 9700 according to the --help and many,many other forum threads (for instance this one:
https://hashcat.net/forum/thread-3665-po...l#pid20945) is not meant to find collisions for office hashes
3. the hash you posted works without problems here and cracks very quickly, of course by specifying the correct hash type on command line, i.e. -m 9710
The selection from --help:
9710 = MS Office <= 2003 MD5 + RC4, collider-mode #1
it even contains the words "collider" to make it very clear for everyone that this is the mode you need to use for office <= 2003 documents to collide the hash.
I will remove the hash from your previous post (and in theory you should be banned already for not respecting the forum rules).
Posts: 3
Threads: 1
Joined: Aug 2015
Sorry about that, you're right. I'm posting for the first time but it does not excuse me for not reading the rules.
I've got 10 Office 2003 hashes. All were cracked with -m 9700 option, except for that one (like I said, reached 100% and no result). Searched the forum and saw a similar problem, that's why I posted it.
Anyways, I'm currently trying -m 9710 to find a collision, done ~74%, but still no result. Will post the result once the status is exhausted.
Thanks,
--merc
Posts: 3
Threads: 1
Joined: Aug 2015
Cracked successfully. Somewhere around 97%. I'm still not sure why it worked with -m 9710 and not with -m 9700 (the other 9 hashes were successfully cracked with -m 9700).
Anyways, keep up the good work.
Thanks,
--merc
Posts: 2,268
Threads: 16
Joined: Feb 2013
08-13-2015, 10:53 AM
(This post was last modified: 08-13-2015, 10:54 AM by philsmd.)
the reason is that -m 9710 is used to collide the RC4 hash, while -m 9700 should be *only* used when you are looking for the correct password - and don't want to use the collision mode - (again: this is also mentioned on the --help section and in several forum threads).
The reason why you did crack something with -m 9700 and that 5 character long mask is that all of the other 9 hashes have a corresponding plain text password of exactly 5 letters. This is a very, very rare case and you were very lucky to crack some hashes with -m 9700.
BTW: don't forget that with -m 9710 you "just" found the RC4 "hash", this can be enough for you to "open" the file, but to find a corresponding password you need to do all steps (e.g. continue with -m 9720).
