Weird behaviour when cracking RAR?
#1
Hello,

First of all, thanks for this wonderfull piece of software. Ive been playing with it a bit and I am impressed.

However, I ran into some weird behaviour and was wondering if someone might have some insight.

I am cracking a rar file. To do this, I first generated some test files of which I know of course the password.
I noticed some of those were being cracked, some not. So I ran some tests and I noticed that rar files with longer passwords were not being cracked, even though the correct password was in the dictionary file?

I created for now several rar files (I tried attaching them, but is not allowed). The filename is the same as the password:

test.rar --> cracked
longertest.rar --> cracked
evenlongertest.rar --> cracked
evenevenlongertest.rar --> cracked
evenevenevenlongertest.rar --> exhausted
evenevenevenevenlongertest.rar --> exhausted

the process is the same everytime: extract hash with rar2john, than hashcat on extracted hash (I understand hashes need to be removed, so I did):

hashcat -a 0 -m 12500 '$RAR3$*0* REST OF HASH' password.txt

Same password file, which has the passwords (= filenames) of the above test files.

Am I missing something? Is there a maximum password length (if so, why no error is thrown, just exhausted?)?
Can anybody reproduce this maybe?

Many thanks,
Reply
#2
Do you use --optimized-kernel-enable (or short -O) in your command ?

The maximum password length with -O is 20:
Code:
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 20

it would make sense, because as far as I understand the password was "evenevenevenlongertest" that was first rejected.

In hashcat you should also see this rejection in the status prompt:
Code:
Rejected.........: 2/6 (33.33%)

you could also try to use the beta version (from https://hashcat.net/beta/ , but in my opinion it would change much here, because the pure kernel already existed with -m 12500 for a long time, i.e. also latest release version had support for pass > 20)
Reply
#3
No, Im not using -O or optimized-kernel, the hashcat -a 0 -m 12500 '$RAR3$*0* REST OF HASH' password.txt command is all I use.

And it says Rejected 0/9 (0%), Recoverd 0/1 (0%), Progress 9/9 (100%), so hashcat does not reject the passwords I suppose?

Your comment about "evenevenevenlongertest" that was first rejected, is correct btw.

EDIT: just checked and it says when starting that the maximum password length supported by kernel is 256.
Reply
#4
Just compiled the newest version from github and it works now...weird because I was using the 5.1.0 binary?

Anyway, this is solved. Thanks for your help!
Reply