Posts: 803
Threads: 135
Joined: Feb 2011
08-24-2017, 10:19 PM
(This post was last modified: 08-24-2017, 10:23 PM by Mem5.)
Hi,
Still testing MS office crack, and had some issues while looking for collisions :
Code:
cat hash.txt
user:$oldoffice$3*xxx
hashcat -m 9810 -a 3 -w 3 --username -o res_1.txt hash.txt ?b?b?b?b?b
gives:
res_1.txt Wrote:$oldoffice$3*xxx:17ddb2271d
I need the username, so I "show" it :
Code:
hashcat -m 9800 --show --username hash.txt > res_2.txt
gives:
res_2.txt Wrote:user:$oldoffice$3*xxx:$HEX[17ddb2271d]
BUT, this hash is rejected by the mode 9820 :
Quote:Hashfile 'res_2.txt' on line 1 (user:$oldoffice$3*xxx:$HEX[17ddb2271d]): Line-length exception
I guess the issue is with "--show" which convert 17ddb2271d in $HEX[17ddb2271d]
So I try "--outfile-autohex-disable" but got the error :
Quote:hashcat -m 9800 --show --username --outfile-autohex-disable hash.txt
Mixing --outfile-autohex-disable is not allowed with --show.
How can I keep the username during mode 9810 and 9820 ? Thank you of your help.
Posts: 2,267
Threads: 16
Joined: Feb 2013
08-25-2017, 07:12 AM
(This post was last modified: 08-25-2017, 07:19 AM by philsmd.)
You forgot to also include the command you execute for -m 9820.
It also must contaiin the --username switch.
It probably should be without "$HEX[" and "]''. could be indeed a bug but from your output above I do not understand why this
$oldoffice$3*xxx:17ddb2271d
was converted in
$oldoffice$3*xxx:$HEX[17ddb2271d]
You also should use -m 9810 --show (and not -m 9800 --show). This might be the real problem. I am not sure why you are mixing 9800 and 9810 like this. You shouldn't crack the hashes with one mode and use --show with a different hash mode.
Posts: 803
Threads: 135
Joined: Feb 2011
08-25-2017, 08:32 AM
(This post was last modified: 08-25-2017, 08:35 AM by Mem5.)
(08-25-2017, 07:12 AM)philsmd Wrote: You forgot to also include the command you execute for -m 9820. It also must contaiin the --username switch.
Yes it did contain username switch:
Code:
hashcat -m 9820 --username -a 3 -w 3 res_2.txt ?a?a?a?a?a?a?a -o res_3.txt
Hashfile 'res_2.txt' on line 1 (user:$oldoffice$3*xxx:$HEX[17ddb2271d]): Line-length exception
(08-25-2017, 07:12 AM)philsmd Wrote: I do not understand why this
$oldoffice$3*xxx:17ddb2271d
was converted in
$oldoffice$3*xxx:$HEX[17ddb2271d]
Me too!
(08-25-2017, 07:12 AM)philsmd Wrote: You also should use -m 9810 --show (and not -m 9800 --show).
Indeed, but same issue :
Code:
hashcat -m 9810 --show --username hash.txt
user:$oldoffice$3*xxx:244845585b313764646232323731645d
244845585b313764646232323731645d is hexadecimal for $HEX[17ddb2271d]
And this hash is rejected by mode 9820 (even with username)
Code:
hashcat -m 9820 --username -a 3 -w 3 res_2.txt ?a?a?a?a?a?a?a -o res_3.txt
Hashfile 'res_2.txt' on line 1 (user:$oldoffice$3*xxx:244845585b313764646232323731645d): Line-length exception
I guess mode 9820 only allow $oldoffice$3*xxx:
17ddb2271d but not $HEX[17ddb2271d] nor 244845585b313764646232323731645d
Posts: 2,267
Threads: 16
Joined: Feb 2013
The problem should be fixed with newest beta version:
https://hashcat.net/beta/
The output of --show should now be correct (remember: you need to use the correct -m modes i.e. 9810 and not 9800, otherwise the output won't be as expected).
BTW: do not hesitate to report bugs on github directly. because it sometimes happens that not all bugs reported in the forum (especially if "hidden" within a long serious of posts, not the case here but sometimes this happens) will be seen by the admin/moderators (or other people that copy it to github or fix the source code).
Thx
Posts: 803
Threads: 135
Joined: Feb 2011
08-27-2017, 11:03 PM
(This post was last modified: 08-27-2017, 11:05 PM by Mem5.)
I took the beta 433, but still having issues. Don't know if it's a bug or a misunderstanding!
I got one collision thanks to your fix:
Code:
hashcat m 9820 --username -a 3 -w 3 res2.txt ?a?a?a?a?a?a?a -o off_col.txt
result is:
$oldoffice$3*xxx:17ddb2271d:SJ|4+er
Good.
Now I would like to have:
Code:
user:$oldoffice$3*xxx:17ddb2271d:SJ|4+er
But no luck, I tried all the possible modes:
Code:
hashcat -m 9800 --show --username hash.txt
user:$oldoffice$3*xxx:$HEX[244845585b313764646232323731645d]
-> Bad
Code:
hashcat -m 9810 --show --username hash.txt
user:$oldoffice$3*xxx:17ddb2271d
-> Bad
Code:
hashcat -m 9820 --show --username hash.txt
Hashfile 'hash.txt' on line 1 (user:$oldoffice$3*xxx): Line-length exception
-> Bad
Thanks for your help!
Posts: 2,267
Threads: 16
Joined: Feb 2013
If you want to output the cracked hashes with -m 9820 you need to use the orginal hash file that you use to crack with -m 9820 (this is not only true for -m 9820, but for all hash types).
So if you did use this command:
Code:
hashcat -m 9820 --username -a 3 -w 3 res2.txt ?a?a?a?a?a?a?a -o off_col.txt
to crack the hashes
you need to use this command:
Code:
hashcat -m 9820 --username --show res2.txt
to show the hashes cracked with -m 9820
Posts: 803
Threads: 135
Joined: Feb 2011
Works perfect. THanks for your help.
Next time I will report it on github (I didn't know if it was a bug or a misunderstanding).