Not finding my own set password
#1
Hi, I'm working on a  Office 2013 file and I'm pretty sure I have the correct password in my dictionary, but after hours spent cracking I get no results. So I did a pretty simple test: I created a Word document, applied the procedure to encrypt it with passpass as password, extracted the hash with office2hashcat (or office2john is the same) and tried:
- a simple wordlist of 10 password, containing also passpass
- a bruteforce session for passpas?l
Both end with no success, even if the password is there for sure.
Using 5.10 on Win as:
hashcat64.exe -a 0 -m 9600  \Work\test.hsh  \Work\test.txt
or
hashcat64.exe -a 3 -m 9600   \Work\test.hsh  passpas?l

The hash was obtained as:
$office$*2013*100000*256*16*8b35c1c9d47628bcd8e6fd3225c7a816*56f7f0f311080fe61fef145f14072971*221e2a3a0957a92021da211700d3ea44ca7759f9f1b1e56c2acc7ea308ea52f4

I think I'm doing somethign horribly wrong, but can't find what it is. Anyone who can help me?
Thanks
#2
(12-14-2018, 04:17 PM)LoZio Wrote: Using 5.10 on Win as:
hashcat64.exe -a 3 -m 9600  \Work\test.hsh  \Work\test.txt
or
hashcat64.exe -a 0 -m 9600   \Work\test.hsh  passpas?l

I think I'm doing somethign horribly wrong, but can't find what it is. Anyone who can help me?
Thanks

a 3 = mask, but you give wordlist?
a 0 = wordlist, but you give mask?

If I try "hashcat -a 3 -m 9600 lozio.txt passpas?l" I get $office$*2013*100000*256*16*8b35c1c9d47628bcd8e6fd3225c7a816*56f7f0f311080fe61fef145f14072971*221e2a3a0957a92021da211700d3ea44ca7759f9f1b1e56c2acc7ea308ea52f4:passpass
#3
Well, use -a 3 for mask attack and -a 0 for wordlist not the other way around Wink

edit: 1 minute late
#4
I just typed them wrong, I was using the correct syntax (it does not even start using the wrong one).
I corrected the first post to avoid unuseful answers.

You get the right result, I end up with 0/1 found...
This is the GPU in use:
Platform ID #2
Vendor : Advanced Micro Devices, Inc.
Name : AMD Accelerated Parallel Processing
Version : OpenCL 2.1 AMD-APP (2580.6)

Device ID #3
Type : GPU
Vendor ID : 1
Vendor : Advanced Micro Devices, Inc.
Name : Hainan
Version : OpenCL 1.2 AMD-APP (2580.6)
Processor(s) : 5
Clock : 1070
Memory : 3072/3072 MB allocatable
OpenCL Version : OpenCL C 1.2
Driver Version : 2580.6
#5
Just found a possible clue. Using benchmark mode with -m 9400 I get the test done. With -m 9600 I get:
Device #3: ATTENTION! OpenCL kernel self-test failed.
If I force the device to the Intel GPU (that is normally discarded saying the OpenCL runtime is broken) I found the password.
So basically using the AMD GPU (latest driver as of today) seems to work, but finds no password.
Weird tihng is that the problem is with that specific algo (9600) and not with others (9400).
#6
okay, so you typed them instead of copy/paste from your commandline, are you sure you aren't forgetting something else? like perhaps you are using --force? or other options? And hashcat does not show any errors in the beginning when running "hashcat64.exe -a 3 -m 9600 \Work\test.hsh passpas?l"?

Just making sure because otherwise you will get more unuseful answers.

//edit: this is in response to your post #4
#7
I was using a remoted shell from my mobile, not so easy to cut & paste.
BTW I used another machine with a proper console and a Quadro GPU on it, used the same hash and here is the complete session, again password was not found:
---------------------
C:\h>hashcat64.exe -m 9600 -a 3 test.hsh passpas?l
hashcat (v5.1.0) starting...

* Device #2: WARNING! Kernel exec timeout is not disabled.
This may cause "CL_OUT_OF_RESOURCES" or related errors.
To disable the timeout, see: https://hashcat.net/q/timeoutpatch
OpenCL Platform #1: Intel(R) Corporation
========================================
* Device #1: Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz, skipped.

OpenCL Platform #2: NVIDIA Corporation
======================================
* Device #2: Quadro K2200, 1024/4096 MB allocatable, 5MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Brute-Force
* Slow-Hash-SIMD-LOOP

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Watchdog: Temperature abort trigger set to 90c

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

Cracking performance lower than expected?

* Append -w 3 to the commandline.
This can cause your screen to lag.

* Update your OpenCL runtime / driver the right way:
https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
https://hashcat.net/faq/morework

Session..........: hashcat
Status...........: Exhausted
Hash.Type........: MS Office 2013
Hash.Target......: $office$*2013*100000*256*16*8b35c1c9d47628bcd8e6fd3...ea52f4
Time.Started.....: Fri Dec 14 18:13:59 2018 (8 secs)
Time.Estimated...: Fri Dec 14 18:14:07 2018 (0 secs)
Guess.Mask.......: passpas?l [9]
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........: 3 H/s (0.17ms) @ Accel:32 Loops:8 Thr:1024 Vec:1
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 26/26 (100.00%)
Rejected.........: 0/26 (0.00%)
Restore.Point....: 26/26 (100.00%)
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:99992-100000
Candidates.#2....: passpass -> passpasq
Hardware.Mon.#2..: Temp: 60c Fan: 47% Util: 1% Core:1124MHz Mem:2505MHz Bus:16

Started: Fri Dec 14 18:13:03 2018
Stopped: Fri Dec 14 18:14:09 2018
---------------------

Info is:
C:\h>hashcat64.exe -I
hashcat (v5.1.0) starting...

OpenCL Info:

Platform ID #1
Vendor : Intel(R) Corporation
Name : Intel(R) OpenCL
Version : OpenCL 1.2

Device ID #1
Type : CPU
Vendor ID : 8
Vendor : Intel(R) Corporation
Name : Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz
Version : OpenCL 1.2 (Build 99)
Processor(s) : 4
Clock : 3300
Memory : 3010/12040 MB allocatable
OpenCL Version : OpenCL C 1.2
Driver Version : 4.2.0.99

Platform ID #2
Vendor : NVIDIA Corporation
Name : NVIDIA CUDA
Version : OpenCL 1.2 CUDA 9.1.84

Device ID #2
Type : GPU
Vendor ID : 32
Vendor : NVIDIA Corporation
Name : Quadro K2200
Version : OpenCL 1.2 CUDA
Processor(s) : 5
Clock : 1124
Memory : 1024/4096 MB allocatable
OpenCL Version : OpenCL C 1.2
Driver Version : 391.74
#8
cannot reproduce with my hardware

Code:
OpenCL Platform #1: Intel(R) Corporation
========================================
* Device #1: AMD Ryzen 5 1600 Six-Core Processor.

OpenCL Platform #2: NVIDIA Corporation
======================================
* Device #2: GeForce GTX 1060 6GB, 1519/6077 MB allocatable, 10MCU
#9
(12-14-2018, 07:22 PM)LoZio Wrote: [...]
Guess.Mask.......: passpas?l [9]

I am guessing the issue relates to the mask, somehow. That mask is only 8 char long, yet you have as 9 chars
#10
(12-16-2018, 01:03 AM)illyria Wrote:
(12-14-2018, 07:22 PM)LoZio Wrote: [...]
Guess.Mask.......: passpas?l [9]

I am guessing the issue relates to the mask, somehow. That mask is only 8 char long, yet you have as 9 chars

Sharp eye. You're right, should be 8. Eventually the "?" is not the real 7 bit "?" character but something that looks similar.