Posts: 803
Threads: 135
Joined: Feb 2011
Hello,
I am trying to crack an old Office hash following the steps given at https://hashcat.net/forum/thread-3665-po...l#pid20935:
Thanks to mode 9710 I found 'deebd8f416' as output.
Quote: Append 4 byte zeros to result
-> deebd8f41600000000
Quote: MD5 the 9 bytes
md5("deebd8f41600000000") = CF205B696DC9CB05FB008C2B90BFD2AC
Then I'm lost:
Quote: Use 16 byte result as 128 bit RC4 Key
Decrypt encryptedVerifier with RC4 to decryptedVerifier
Decrypt encryptedVerifierHash with RC4 to decryptedVerifierHash
MD5 the decrypted encryptedVerifier
Compare 16 byte result with decrypted encryptedVerifierHash
Could you please provide a deeper explanation?
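Steps 6-9 quoted in the post above, as an added Python example (not code from the thread or from hashcat): the MD5 is taken over the 9 raw bytes rather than the 18-character hex string, the two verifier fields are assumed to be decrypted with one continuous RC4 keystream (as in the MS-OFFCRYPTO RC4 scheme), and the verifier bytes are constructed here from the thread's 5-byte value so the check runs offline. The 5-byte intermediate is the whole secret, which is why this 40-bit scheme cannot protect a document regardless of password length.

```python
import hashlib

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA); returns `length` keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def rc4_key_from_collider_output(five_bytes_hex: str) -> bytes:
    """Steps 6-7: append four zero bytes to the 5-byte key and MD5 the 9 raw bytes."""
    return hashlib.md5(bytes.fromhex(five_bytes_hex) + b"\x00" * 4).digest()

def verifier_matches(rc4_key: bytes, enc_verifier: bytes, enc_verifier_hash: bytes) -> bool:
    """Steps 8-9: decrypt both 16-byte fields with one continuous RC4 stream
    (assumption: same stream, verifier first) and compare MD5(verifier)
    with the decrypted verifier hash."""
    ks = rc4_keystream(rc4_key, 32)
    verifier = bytes(a ^ b for a, b in zip(enc_verifier, ks[:16]))
    verifier_hash = bytes(a ^ b for a, b in zip(enc_verifier_hash, ks[16:]))
    return hashlib.md5(verifier).digest() == verifier_hash

# Constructed sample: build an encryptedVerifier/encryptedVerifierHash pair
# from the thread's 5-byte value so the check can be exercised offline.
SAMPLE_KEY_HEX = "deebd8f416"        # value from the thread
SAMPLE_VERIFIER = bytes(range(16))   # constructed; real files hold 16 random bytes

def make_sample() -> tuple:
    key = rc4_key_from_collider_output(SAMPLE_KEY_HEX)
    ks = rc4_keystream(key, 32)
    enc_v = bytes(a ^ b for a, b in zip(SAMPLE_VERIFIER, ks[:16]))
    enc_vh = bytes(a ^ b for a, b in zip(hashlib.md5(SAMPLE_VERIFIER).digest(), ks[16:]))
    return enc_v, enc_vh

if __name__ == "__main__":
    enc_v, enc_vh = make_sample()
    key = rc4_key_from_collider_output(SAMPLE_KEY_HEX)
    print("128-bit RC4 key (MD5 over raw bytes):", key.hex())
    print("verifier ok with thread key:", verifier_matches(key, enc_v, enc_vh))
    print("verifier ok with wrong key:",
          verifier_matches(rc4_key_from_collider_output("0000000000"), enc_v, enc_vh))
```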
Posts: 2,301
Threads: 11
Joined: Jul 2010
What exact information are you looking for / what is unclear?
Posts: 803
Threads: 135
Joined: Feb 2011
I don't know what to do with the last MD5 I've computed.
Posts: 2,301
Threads: 11
Joined: Jul 2010
Are you unclear about how to do RC4 decryption, don't you know what encryptedVerifier is, don't you know what encryptedVerifierHash is, or something else?
Posts: 803
Threads: 135
Joined: Feb 2011
All. I don't see where hashcat can help me to do these steps, so I guess I need to code in python or C++ to deal with RC4 decryption and encryptedVerifier?
If yes, are you aware of existing code that does it?
Thanks.
Posts: 5,185
Threads: 230
Joined: Apr 2010
You need to use 9720 if you collided with 9710 to get the password. Or you just use 9700. Using collider makes sense only if you want to find as many collisions as possible.
Posts: 803
Threads: 135
Joined: Feb 2011
Hum, I'm confused, as philsmd wrote:
(09-12-2017, 05:00 PM)philsmd Wrote: If you read this carefully https://hashcat.net/forum/thread-3665.html, you will see that you only need -m 9710 to access the data.
Have a look at the list of steps under the "KDF" section https://hashcat.net/forum/thread-3665-po...l#pid20935.
9710 is used to get the 5 bytes which are the main source of the overall encryption key of the document. Just look at step 6-9. You only have to append 4 bytes zero, MD5 the result and use the 16 bytes as the 128 bit encryption key to decrypt the document.
atom already explained in the post that you do not need to use -m 9720 (and therefore steps 1-5) just to decrypt the data.
So... do I need 9720 or not? I just want to access the data; I don't care about having the original password.
Thanks.
Posts: 5,185
Threads: 230
Joined: Apr 2010
Just use -m 9700 then and crack as normal.
Posts: 803
Threads: 135
Joined: Feb 2011
(01-24-2018, 11:02 AM)atom Wrote: Just use -m 9700 then and crack as normal
Do you mean a brute-force or wordlist attack? But if the password is more than 30 characters, I won't be able to recover it.
Posts: 5,185
Threads: 230
Joined: Apr 2010
Just use ?a?a?a?a?a?a?a?a?a; it will crack one pretty soon. This might not be the correct one, but it will be good enough to open the document.