7z password recovery
#1
Hey guys, this is my first post on this forum. I've been reading up on how to use hashcat but I need some guidance, so I wanted to ask a couple of questions here relating 7zip files.

Recently I locked a 7zip file with bunch of pictures and videos, and sadly for the life of me I cannot remember the password. I tried using the tool from this thread: https://hashcat.net/forum/thread-4328.html ,but the issue I have is that the zip file 1.4gb and it exceeds the memory limit, so I can't retrieve the hash in order to use HashCat as described in the GitHub article.

The good thing is that I know that the password length is between 5 and 12 symbols and I do not have any spaces in it. I have used letters and numbers or possibly some special characters like a "$" or "!". Since I have a Nvidia 1080 I think brute-force would be able to do within reasonable time, when I narrow down the password length. There are definetly no Cyrillic or weird symbols so that can be excluded too.

Any help would be greatly appreciated.

Thank you in advance!
Reply
#2
What are the sizes of the hashes we are talking about here? How large is the resulting hash size given/displayed by 7z2hashcat ?

Furthermore, if the password is completely random you will really have a hard time cracking it (could be infeasible if long and really random!). random passwords are always difficult to crack. Are you sure you can't restrict your search space to a much smaller set of password candidates ? maybe a list of words with some rules (see https://hashcat.net/wiki/doku.php?id=rule_based_attack) applied to it, or combined words (see https://hashcat.net/wiki/doku.php?id=combinator_attack) etc.

I know it sometimes sounds very doable for some new users, but a really random word between "5 and 12 symbols" could be very difficult to crack even with a large and fast rig. I would recommend thinking about more clever ways to attack it, like rule-based attacks etc.

The problem with the supported length within hashcat should be somehow solveable (but you need to do some modifications to the source code at your own risk, it could use much more resources, most of all much more RAM etc): see https://hashcat.net/forum/thread-4328-po...l#pid33714 (I even remember helping a user recently with a patch to the latest code which worked, I think he got in touch with me over PMs, the patch is very straight-forward/easy... similar to the changes mentioned within the above post)
Reply
#3
Here's the message I received when I run 7z2hashcat64-1.2.exe, but I get the exact same when I run the run the PERL script:

F:\test>7z2hashcat64-1.2.exe PicsAndVids.7z
WARNING: the file 'PicsAndVids.7z' unfortunately can't be used with hashcat since the data length
in this particular case is too long (1361480144 of the maximum allowed 327528 bytes).

So in this case it doesn't even spit out a hash for me to decrypt. I looked into the rules and I do believe I can exclude an array of special symbols, to narrow it down even further.
Reply
#4
easy answer: you can't crack it with hashcat.

Your keyspace is way too large anyway.
Reply
#5
Is there any way I can get the hash at all then?
Reply
#6
yeah, you can get the hash by increasing the limit to about 4 GB hex data !!!
https://github.com/philsmd/7z2hashcat/bl...at.pl#L102

... but the problem remains that hashcat will reject loading it without the modifications to hashcat's source code (similar to the ones mentioned in this link: https://hashcat.net/forum/thread-4328-po...l#pid33714). Loading a hash that is about 2 GB (raw) per hash is a little bit insane.

Do you know what type of files are compressed & encrypted within the 7-Zip file? Seems to be a huge file which was not really compressed a lot. Is there only 1 single file within the archive?
Reply
#7
The content is a whole bunch of pictures and a couple of videos I made, which as you said have some minimal compression on then. The file types are mostly .jpg, a few .mp4 and .MOV .When I open the zip it says on the right side it says:
Encrypted: + Method: LZMA2:26 7zAES:19

I can show a picture if necessary, also when I change the value of the line of code that you linked to, to double or quadruple that of the PASSWORD_RECOVERY_TOOL_DATA_LIMIT the program spits out "Out of memory!"
Reply
#8
Do you see the list of files or was the file list also encrypted?

I think the "Out of memory!" message comes because the 7z2hashcat requires a little bit of RAM to fit the whole encrypted data within memory. How large is your RAM and do you think you can try it with a computer with more RAM ?

If you want to troubleshoot this together it might be easier to PM me or contact me via IRC (philsmd @ freenode) etc... I'm not sure if I can help much because it seems that the data size is really huge in your case .... and the problem is that the 7-Zip algorithm requires us to decrypt, decompress and checksum each and every input byte.
Reply