Russians and Attack Strategies
#1
I have a RAR archive originating from the Russian internet that is relevant to a carpentry project of mine, and hashcat seems to be my only hope of busting it open. I'm not terribly knowledgeable about the details of how encryption and encoding work.

Right now I have the file in The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) with john ready to go, but I have two questions before I formulate a battle plan:

1) Is there a way to tell which version of RAR an archive is?

2) Is it possible to solve the hash using hashcat's hex option and then translate what hashcat spits out into different encodings to try as passwords?

Sorry for the blunt intro; I appreciate any help I can get learning how to open this thing. I have a feeling it's going to be an adventure.
#2
There are "versions" at various levels, but for our purposes there are just RAR3 and RAR5, and you'll see which one it is in the tags of the rar2hashcat/rar2john output hashes.

In the case of RAR3, hashcat only supports cracking archives with header encryption (the -hp option to rar). Also, RAR3 uses a UTF-16 encoded password for hashing, and because of limited support for that, hashcat can't handle any character outside "Latin-1". This means that e.g. Russian letters can't be cracked, and there is simply NO workaround, not even ?b?b masks in this case. One day or another I intend to fix this shortcoming and submit a PR, but it's not a trivial task.

In the case of RAR5, a UTF-8 encoded password is used instead, so hashcat can handle that. And I believe hashcat can attack any RAR5 archive (not just header-encrypted ones).

JtR can handle any RAR3 or RAR5 archive AFAIK and it also supports any Unicode characters.
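To make the points in the reply above concrete (identifying RAR3 vs RAR5, checking whether a RAR3 archive has -hp header encryption, reading the hash tag, and seeing why the UTF-16 vs UTF-8 password encoding matters), here is an added example in Python. It is not code from the original thread or from hashcat/JtR. The archive headers it inspects are constructed by hand from the documented RAR signatures and the RAR3 main-header layout (marker block, then HEAD_CRC/HEAD_TYPE/HEAD_FLAGS/HEAD_SIZE); they are not real archives, and the `$RAR3$`/`$rar5$` lines are placeholder tags, not real hashes.

```python
"""Tell RAR3 from RAR5, detect -hp header encryption on RAR3, classify
rar2john/rar2hashcat output by tag, and show the bytes each format's KDF
consumes for a given password.  Added example; sample data is constructed."""
import struct

# Fixed signatures at the start of every RAR archive.
RAR3_MARKER = b"Rar!\x1a\x07\x00"        # RAR 1.5 - 4.x ("RAR3" for our purposes)
RAR5_MARKER = b"Rar!\x1a\x07\x01\x00"    # RAR 5.0+

# RAR3 main archive header flag bit: "block headers are encrypted" (rar -hp).
MHD_PASSWORD = 0x0080

# Tag prefixes written by rar2john / rar2hashcat, and the hashcat modes they map to.
HASH_TAGS = {"$RAR3$": ("RAR3", 12500), "$rar5$": ("RAR5", 13000)}


def rar_format(data: bytes):
    """Return 'RAR5', 'RAR3' or None from the leading bytes of the file."""
    if data.startswith(RAR5_MARKER):
        return "RAR5"
    if data.startswith(RAR3_MARKER):
        return "RAR3"
    return None


def rar3_headers_encrypted(data: bytes) -> bool:
    """True if a RAR3 archive was created with -hp (encrypted headers).

    Directly after the 7-byte marker comes the main archive header:
    HEAD_CRC(2) HEAD_TYPE(1)=0x73 HEAD_FLAGS(2) HEAD_SIZE(2) RESERVED(6),
    all little-endian.  The -hp flag lives in HEAD_FLAGS.
    """
    if rar_format(data) != "RAR3" or len(data) < 12:
        raise ValueError("not a RAR3 archive, or header truncated")
    if data[9] != 0x73:
        raise ValueError("expected main archive header (type 0x73)")
    (flags,) = struct.unpack_from("<H", data, 10)
    return bool(flags & MHD_PASSWORD)


def hash_format(line: str):
    """Classify a rar2john/rar2hashcat line: returns (format, hashcat mode) or None."""
    for tag, info in HASH_TAGS.items():
        if line.startswith(tag):
            return info
    return None


def password_bytes(password: str, fmt: str) -> bytes:
    """Bytes the key derivation actually consumes: UTF-16LE for RAR3, UTF-8 for RAR5."""
    if fmt == "RAR3":
        return password.encode("utf-16-le")
    if fmt == "RAR5":
        return password.encode("utf-8")
    raise ValueError(f"unknown format {fmt!r}")


def rar3_hashcat_safe(password: str) -> bool:
    """hashcat's RAR3 kernel only covers code points up to U+00FF (Latin-1),
    i.e. UTF-16LE units of the form XX 00; anything else (e.g. Cyrillic) is out."""
    return all(ord(c) <= 0xFF for c in password)


# Constructed sample headers: marker block + main header, NOT real archives.
RAR3_HP = RAR3_MARKER + struct.pack("<HBHH", 0, 0x73, MHD_PASSWORD, 13) + b"\x00" * 6
RAR3_PLAIN = RAR3_MARKER + struct.pack("<HBHH", 0, 0x73, 0x0000, 13) + b"\x00" * 6
RAR5_SAMPLE = RAR5_MARKER + b"\x00" * 8

if __name__ == "__main__":
    for name, blob in [("hp", RAR3_HP), ("plain", RAR3_PLAIN), ("rar5", RAR5_SAMPLE)]:
        fmt = rar_format(blob)
        hp = rar3_headers_encrypted(blob) if fmt == "RAR3" else "n/a"
        print(f"{name}: format={fmt} header-encrypted={hp}")
    for pw in ["secret", "pässword", "пароль"]:
        print(pw, password_bytes(pw, "RAR3").hex(), password_bytes(pw, "RAR5").hex(),
              "hashcat RAR3 ok" if rar3_hashcat_safe(pw) else "hashcat RAR3 cannot")
```

Run it and compare the RAR3 (UTF-16LE) and RAR5 (UTF-8) byte strings for "пароль": the RAR3 encoding has no zero high bytes, which is exactly the case the reply says hashcat's RAR3 kernel cannot express, while the RAR5 encoding is plain UTF-8 that a ?b mask or wordlist can cover.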
#3
(05-04-2017, 06:48 PM)magnum Wrote: JtR can handle any RAR3 or RAR5 archive AFAIK and it also supports any Unicode characters.

Alright, so I extracted the hashes earlier today, and the file I dumped them to gives the archives as RAR3, which means hashcat is outside the scope of useful tools. If what you say is true, john is my new hope, so I'll hop over to a more appropriate forum to continue the task. Thank you so much for the information you posted!
#4
Alright, I'm back; I didn't get any further. It looks like john can't do UTF-16 either, as it isn't in --list=encodings, so maybe I'm still SOL for now...