Can only find one hash of two - Office 2013
#1
I have a file containing two Office2013 hashes. The pwd for the two is 1920.

Code:
$ cat office2013.hash

$office$*2013*100000*256*16*e166509e5a4e05670dc5f3a57c4f30ff*636ae6f842a8f6b2939eb611b5912903*a4471efa793e407aae675b1601527215ac6ba179f18e5e4c9b1d29eec4bc04ef

$office$*2013*100000*256*16*e166509e5a4e05670dc5f3a57c4f30ff*f2e4fe453c2451d9070a485ffae7e1e8*48dce31f17ce6b1c4fe59d450cd7cf28c0041b435dbd1e29caade645318c5a76

When I try to crack the two hashes, Hashcat only finds the first one.

Code:
$ hashcat -m9600 office2013.hash -w3 -a3 ?d?d?d?d --quiet

$office$*2013*100000*256*16*e166509e5a4e05670dc5f3a57c4f30ff*636ae6f842a8f6b2939eb611b5912903*a4471efa793e407aae675b1601527215ac6ba179f18e5e4c9b1d29eec4bc04ef:1920

When I run one hash at a time, Hashcat is able to find the pwd for both.

Am I missing a detail here?
Thanks!
#2
How did you get / generate these hashes? They don't look very random; for instance, e166509e5a4e05670dc5f3a57c4f30ff is the same, which is kind of weird because it shouldn't happen at all that this part (kind of salt) is identical for 2 different documents.

My guess is that these hashes are manually constructed and not real-world hashes, but I could be wrong.

I'm pretty sure it's a problem of "not-unique-salt", and hashcat assumes that these long sequences of bytes can be sorted and uniqued (while your example cannot, because it's strangely identical).

BTW: according to the forum rules you are not allowed to post hashes: you will get banned if you do this.
#3
Those two hashes are real-world hashes; I got them with the office2john.py script.

I posted the hashes - with known pwd - for reproduction purposes.
#4
Which software (and version) created these documents?

Are you able to create 2 new documents (with the Microsoft Office software etc.) that also fail to crack? I guess it's not really possible to generate 2 documents with the same salt, but I could be wrong (this needs to be tested).
Maybe the documents are somehow related? An older version of the same file?
#5
The two xlsx were created by Office2007.

xlsx A is related to xlsx B, because an identical template is used (invoice); B was created 6 months later;
the content inside that invoice template is of course different.

I can reproduce this also with Office365: I copy xlsx B, name it xlsx C, change the content a bit, and save it. The encryption pwd stays the same.
I run office2john on A, B and C, and I now get three different hashes. As you correctly pointed out, the salt value is the same for the three files.
Hashcat finds only the first one when they are put together in one file. Separately, it finds all three.
#6
I can reproduce this. It's a bug. Please create a GitHub issue.
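
A way to check whether a hash file is affected by the condition discussed in this thread, added here as an example and not code from any poster or from hashcat: it parses `$office$` lines, reports which lines share a salt, and splits them into batches with unique salts, matching the observation in the thread that the hashes are found when run separately. The field layout (version, spin count, key bits, salt length, salt, two verifier fields) is an assumption read from the lines posted above, and all function names are hypothetical.

```python
from collections import defaultdict

# The two lines posted in the thread (office2john.py output; password known to the poster).
SAMPLE = (
    "$office$*2013*100000*256*16*e166509e5a4e05670dc5f3a57c4f30ff*636ae6f842a8f6b2939eb611b5912903*a4471efa793e407aae675b1601527215ac6ba179f18e5e4c9b1d29eec4bc04ef\n"
    "$office$*2013*100000*256*16*e166509e5a4e05670dc5f3a57c4f30ff*f2e4fe453c2451d9070a485ffae7e1e8*48dce31f17ce6b1c4fe59d450cd7cf28c0041b435dbd1e29caade645318c5a76\n"
)

def parse_office_hash(line):
    """Split one $office$ line into fields; raise ValueError if it is malformed."""
    parts = line.strip().split("*")
    if len(parts) != 8 or parts[0] != "$office$":
        raise ValueError("not an $office$ hash line: %r" % line[:40])
    # Assumed layout: version, spin count, key bits, salt length in bytes.
    version, spin_count, key_bits, salt_len = (int(p) for p in parts[1:5])
    salt = parts[5].lower()
    bytes.fromhex(salt)  # raises ValueError on non-hex input
    if len(salt) != 2 * salt_len:
        raise ValueError("salt length does not match the declared size")
    return {"version": version, "spin_count": spin_count, "key_bits": key_bits,
            "salt": salt, "verifier": parts[6], "verifier_hash": parts[7]}

def group_by_salt(text):
    """Map (version, salt) -> list of (line number, line) for every hash in text."""
    groups = defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip():
            h = parse_office_hash(line)
            groups[(h["version"], h["salt"])].append((lineno, line.strip()))
    return dict(groups)

def shared_salts(text):
    """Return only the groups in which two or more hashes share a salt."""
    return {k: v for k, v in group_by_salt(text).items() if len(v) > 1}

def unique_salt_batches(text):
    """Split the hashes into batches in which every salt appears once."""
    batches = []
    for entries in group_by_salt(text).values():
        for i, (_, line) in enumerate(entries):
            if i == len(batches):
                batches.append([])
            batches[i].append(line)
    return batches

if __name__ == "__main__":
    for (version, salt), entries in shared_salts(SAMPLE).items():
        print("salt %s shared by lines %s" % (salt, [n for n, _ in entries]))
    print("%d batch(es) needed" % len(unique_salt_batches(SAMPLE)))
```

Each batch can be written to its own file so that no single input contains a repeated salt.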