Help with 7Z Hash
#1
Hello, I am new to using hashcat so please forgive me if I am missing something stupid. 

Anyway, I am trying to access a .7Z file to which I've forgotten the password. I'm pretty sure it's a combination of other various passwords I have used, so plan to add them all to a dictionary file and configure Hashcat to try every possible combmination of them. 

However, before I get to that stage - I understand I need to obtain the hash from the .7Z file so have downloaded and used "7z2hashcat64-1.2" I then used the following command: "7z2hashcat64-1.2.exe file.7z >temphash" and a file was saved called "temphash" 

I then run: 

hashcat64.exe -a 3 -m 11600 temphash

It returns: 

Hashfile 'temphash' on line 1 
*hash text omitted*

No hashes loaded.

I then change the temphash file to unicode and resave, running the same command again, only to receive: 

Hashfile 'temphash' on line 1 ( ■$): Signature unmatched
Hashfile 'temphash' on line 2 (): Line-length exception
No hashes loaded.



Does anyone have any input? Am I missing something? 

Thanks!
Reply
#2
Check to see if your Hash matches the same context of the example. Appears there is something wrong with your hash would be my first assumption.

https://hashcat.net/wiki/doku.php?id=example_hashes



Otherwise, if you're just running a bruteforce with no parameters it could be the other reason for throwing an error. 

Quote:hashcat64.exe -a 3 -m 11600 temphash

This won't do anything. You need to add a length to the attack if you haven't already.

hashcat64.exe -a 3 -m 11600 temphash password?d?d?d?d for example.
Reply
#3
Thank you for the input!

Unfortunately, I just tried "hashcat64.exe -a 3 -m 11600 temphash password?d?d?d?d" and had the same issue. 

I took a look at the link you posted, and aside from my hash being much much longer - the basic formatting appears to be the same. 

What might cause a problem with the hash itself - a corrupt file, or might I have done something incorrectly during the 7z to hash extraction process? 

Edit: 
The hash I collected is around 29,000 characters and starts like this: 
$7z$1$19$0$$8$7f8cc98364a4d2ad0000000000000000$1700138637$14672$14660$e22b5a.........

Reply
#4
(12-17-2017, 07:03 AM)highamperage Wrote: What might cause a problem with the hash itself - a corrupt file, or might I have done something incorrectly during the 7z to hash extraction process? 

I just tried to create a 7z with a password and use 7z2hashcat with no success. 

7z2hashcat64-1.2.exe testzip.7z
WARNING: the file 'testzip.7z' unfortunately can't be used with hashcat since the data length
in this particular case is too long (361488 of the maximum allowed 327528 bytes).
pause
Press any key to continue . . .

Will try another one here in a couple. Maybe someone else can share some light in the mean time.
Reply
#5
Do you use powershell? or just cmd (without powershell)?

I noticed that for some reasons the default output format for powershell is utf16le (not ascii). Even if 7z2hashcat only outputs ascii the out-file command (which is responsible to write the output within powershell) converts it to the default output format (which in my case was utf16le with powershell).

Maybe something like this helps in powershell
Code:
7z2hashcat64-1.2.exe file.7z | out-file -encoding ascii temphash

Again, this is not a problem with 7z2hashcat, it is just the powershell that rewrites the correct ascii output to utf16le (default encoding under powershell?)


update: it seems that you can set the default encoding of the out-file command also with an environment variable like this:
Code:
$PSDefaultParameterValues['Out-File:Encoding'] = "ascii"
Reply
#6
Unfortunately, this did not work either. (I tried in powershell) - the results are the same.

I've tried getting the data to match that of the example, meaning determining the number of data sets between the "$" and removing the extra data from my hash file - some of which I was thinking may be a turnicated part of the encrypted data and not part of the actual hash. However, when I attempt this and remove the data after the 11th "$" I get a " Separator unmatched" error regardless of which combination of data I remove.  If I remove it after the 12th "$" I get the typical "hashes not loaded" error.
Reply
#7
So, I've been examining the output of this process. The hash that is generated for the actual two files I want to crack is 29,000 characters long. 

I've created a few test files 7Z files and run it against them. For each test file, the hash output is a much shorter 418 characters and does not generate errors once used in Hashcat. 

Any ideas anyone?
Reply