Using for Axcrypt
#1
Hi,

A friend of mine has lost her password for axcrypted files, though she is pretty certain of what could be inside so I made up a quick dictionary with what she told me.
When I tried to run it through Hashcat it seems like it does not want the file...


[Image: 43205315300517]

Can anyone help me please?
#2
You need to extract the Axcrypt hash, rather than feeding hashcat the entire file.

https://github.com/Fist0urs/AxSuite
#3
Did you use the AxSuite by FistOurs (or axcrypt2john.py) to extract the "hashes" as explained here https://hashcat.net/wiki/example_hashes ?
#4
(05-30-2017, 08:59 PM)royce Wrote: You need to extract the Axcrypt hash, rather than feeding hashcat the entire file.

https://github.com/Fist0urs/AxSuite

philsmd Wrote: Did you use the AxSuite by FistOurs (or axcrypt2john.py) to extract the "hashes" as explained here https://hashcat.net/wiki/example_hashes ?


Thanks, I did not find these pages. AxSuite seems to be for retrieving them from memory while the file is open, not when I don't have access to it, isn't it?
The author says that you just have to run it and it dumps everything to TEMP, though if I don't specify the file, how can it do that?


EDIT: I tried with axcrypt2john and here's what I got...
[Image: 45214543300517]



EDIT2: It looks like it's for Axcrypt 1 and she probably used Axcrypt 2 so ... I am doomed ?
#5
Oh, that's actually interesting about the Axcrypt version difference.

I would suggest that you contact Fist0urs directly either here on forum (name "Fist0urs") or on twitter (https://twitter.com/Fist0urs/with_replies) / IRC (Fist0urs on freenode).

He will be happy to help you with troubleshooting the problem here (since both scripts and the suite + code for hashcat were contributed by him and I/we are not that familiar with the inner workings of axcrypt).
#6
Okay, thank you, I'll ask him
#7
Hi there,

sorry for the delay, I've been quite busy lately :)

Indeed, looking at the error, it seems that your friend is using AxCrypt version 2.

Bad news is that I still haven't implemented it yet, in either JtR or hashcat.
Bad news², a quick look at the new software seems to show that a unique password is used to protect all your files with the free version and you need to register on the Internet. I hope I'm wrong, but this would be very bad in terms of good security practices for the end-users :(

Good news is that after taking a quick look, it appears that the file structure of encrypted files is not far from version 1 (same GUID for example), so maybe it will not take that long to understand how it works and implement an updated version of axcrypt2john and corresponding algorithms in JtR and hashcat.

I'll try to find some time to implement it, stay tuned.

Concerning AxSuite, there are 2 tools. The first one is to be used in a context where the tool is already launched, while the other is used to carve the filesystem for any "saved" key.

Cheers!
#8
Wow I really hope that's false. It would really be garbage :(
#9
Hello

I am French and I have read your discussion. I do not know anything about it, but I have encrypted files with Axcrypt and forgot my password. I have been looking for a solution on the internet for a long time.
I have downloaded Axsuite, but I do not know what to do with these files. I do not know these extensions, or with what and how to use them to try to find my password. With Hashcat I do not know either.
I have encrypted with version 1.7 of Axcrypt....

If you could help me !!!
#10
As already explained above, for axcrypt 1.x (every version of ax less than 2.0) you could just use axcrypt2john.py (https://raw.githubusercontent.com/magnum...pt2john.py) to extract the hashes.

Of course you need to have python installed for it.

The axsuite is used for in-memory hash extraction (this doesn't help in your situation).

After you extracted the "hash" into a file, you must make sure that it follows the hash format mentioned here: https://hashcat.net/wiki/doku.php?id=example_hashes, look for 13200 (you need to remove all file names etc or use --username, but best is to just convert it to the same format as mentioned on the example wiki page).

After you have the hash stored within a file with the correct hash format, you could just run hashcat with -m 13200.
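
The cleanup step described in post #10 (stripping file names so each line matches the 13200 format), as an added example that is not part of the thread and not code from hashcat, JtR or AxSuite. The function name, the field lengths in the regular expression and the sample lines are assumptions made for illustration; check the layout against the example_hashes wiki page before relying on it.

```python
import re

# Assumed field layout for hashcat mode 13200 (AxCrypt 1.x):
#   $axcrypt$*1*<iterations>*<16-byte salt, hex>*<24-byte wrapped key, hex>
MODE_13200 = re.compile(r"\$axcrypt\$\*1\*\d+\*[0-9a-fA-F]{32}\*[0-9a-fA-F]{48}")


def to_hashcat_13200(lines):
    """Split extractor output into (clean_hashes, rejected).

    clean_hashes: bare '$axcrypt$*1*...' strings, de-duplicated, in input order.
    rejected: (original_line, reason) tuples for everything else.
    """
    clean, rejected, seen = [], [], set()
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        # Search for the marker instead of splitting on ':' so that a
        # Windows drive letter in the file-name prefix does not break parsing.
        start = line.find("$axcrypt$")
        if start == -1:
            rejected.append((raw, "no $axcrypt$ marker"))
            continue
        candidate = line[start:]
        if not MODE_13200.fullmatch(candidate):
            rejected.append((raw, "does not match the assumed 13200 layout"))
            continue
        if candidate not in seen:
            seen.add(candidate)
            clean.append(candidate)
    return clean, rejected


# Constructed sample lines (not real hashes).
SAMPLE = [
    "secret.axx:$axcrypt$*1*10000*" + "ab" * 16 + "*" + "cd" * 24,
    "C:\\docs\\tax.axx:$axcrypt$*1*15000*" + "01" * 16 + "*" + "ef" * 24,
    "secret.axx:$axcrypt$*1*10000*" + "ab" * 16 + "*" + "cd" * 24,  # duplicate
    "notes.axx:$axcrypt$*1*10000*deadbeef*1234",                    # truncated
    "old.axx doesn't seem to be an AxCrypt file",                    # constructed error text
]

if __name__ == "__main__":
    hashes, bad = to_hashcat_13200(SAMPLE)
    print("\n".join(hashes))
    for line, reason in bad:
        print(f"skipped ({reason}): {line}")
```

Lines reported as skipped are the ones hashcat would otherwise refuse to load, so they are worth inspecting before the run.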