06-30-2019, 06:52 PM
Some of the non-ascii characters cannot be cracked for office algorithms. Characters like 'ß' in German language cannot be cracked by hashcat but can be cracked by JTR.
How to reproduce:
1- use the following hash which is the hash of a Word2013 file with a single letter password 'ß'
$office$*2013*100000*256*16*23aef9881a73987bc2522ee38a7a4254*163f450664fbf4a40b32edbc75049dd3*5878d4a8ad67b2107b13c087a39b79252bf439e3fae32e465ed3c71ff790397b
2- Hashcat attack:
hashcat -a3 -m9600 doc.hash ?b?b
---> No result!
3- JTR attack
john --mask=?b?b doc.hash
---> Correctly cracked as 'ß' (UTF-8 0xc397)
The problem is valid for all office versions 2003/2007/2010/2013
How to reproduce:
1- use the following hash which is the hash of a Word2013 file with a single letter password 'ß'
$office$*2013*100000*256*16*23aef9881a73987bc2522ee38a7a4254*163f450664fbf4a40b32edbc75049dd3*5878d4a8ad67b2107b13c087a39b79252bf439e3fae32e465ed3c71ff790397b
2- Hashcat attack:
hashcat -a3 -m9600 doc.hash ?b?b
---> No result!
3- JTR attack
john --mask=?b?b doc.hash
---> Correctly cracked as 'ß' (UTF-8 0xc397)
The problem is valid for all office versions 2003/2007/2010/2013