PDF Hash
#1
Hi,
I generated the hash from a PDF by using the Perl verion of JohnTheRipper-bleeding-jumbo:

Code:
perl JohnTheRipper-bleeding-jumbo/run/pdf2john.pl test.pdf > hash.txt

Then I want to start hashcat:

Code:
C:\pdf\hashcat>hashcat64.exe -m 10400 -a 3 "hash.txt" ?a?a?a?a?a?a?a?a?a?a

but get the error:

Code:
C:\pdf\hashcat>hashcat64.exe -m 10400 -a 3 "hash.txt" ?a?a?a?a?a?a?a?a?a?a
hashcat (v4.2.1) starting...

OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GTX 970, 1024/4096 MB allocatable, 13MCU

./OpenCL/m10400_a3-optimized.cl: Pure OpenCL kernel not found, falling back to optimized OpenCL kernel
Hashfile 'hash.txt' on line 1 ($pdf$2...6a04f3baed07dd91afd5a13afe7ae130): Token length exception
No hashes loaded.

Started: Wed Aug 08 11:24:06 2018
Stopped: Wed Aug 08 11:24:06 2018

Thats the hash inside of hash.txt:

Code:
$pdf$2*3*128*-1028*1*16*1cbbfa9726072cab27c25203533e8f7c*32*b5161fe8b25afcbe69f1c9cdc8445d8c01000000000000000000000000000000*32*f7b4b890408713c4880d202ced4055186a04f3baed07dd91afd5a13afe7ae130

What do I wrong? Was following this tutorial: https://blog.didierstevens.com/2017/12/2...fs-part-1/

Thanks for any help and best regards,
Frank
Reply
#2
Wrong mode. For $pdf$2*3 use 10500
Reply
#3
you are using -m 10400, which on https://hashcat.net/wiki/doku.php?id=example_hashes starts with $pdf$1*
But your hash starts with $pdf$2* which looks like -m 10500
Reply
#4
On top of that, you may want to use the mask ?l?l?l?l?d?d?d?d and not ?a?a?a?a?a?a?a?a?a?a
Reply
#5
Oh yes, sorry my bad, it's PDF-1.6, so 10500 would be correct, have use it and get the output:

Code:
C:\pdf\hashcat>hashcat64.exe -m 10500 -a 3 "test.hash" ?a?a?a?a?a?a?a?a?a?a
hashcat (v4.2.1) starting...

OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GTX 970, 1024/4096 MB allocatable, 13MCU

Hash 'test.hash': Separator unmatched
No hashes loaded.

Started: Wed Aug 08 11:37:48 2018
Stopped: Wed Aug 08 11:37:49 2018

What filter I have to use? I know the password lenght is between 9 and 10 chars.
Maybe it can be filtered sharper: one "%" is used, one "9" is used and the letters m,v,e,j,s,u,p maybe also in capital letters.

Thanks for this ultra fast help.
Reply
#6
the file named test.hash must exist within your file system and the path to that file must be correct.

Hashcat can't find your file
Reply
#7
Sorry, to warm here in Germany (39 °C), now the correct file is working.
Is there a way that I can set a pool like a file with chars that are only be used and a lenght?
Reply
#8
(08-08-2018, 11:44 AM)digidax Wrote: What filter I have to use? I know the password lenght is between 9 and 10 chars.
Maybe it can be filtered sharper: one "%" is used, one "9" is used and the letters m,v,e,j,s,u,p maybe also in capital letters.

Check my mask, the password has the length 8
Reply
#9
it's working. Where have you know, that the password matches to the mask ?l?l?l?l?d?d?d?d and have a length of 8 chars?
Reply
#10
I cracked the hash accidentially. The password was reused in a hash in the linkedin dump.
Reply