Hashcating 7z passw
#1
Hi all,

I've been pointed to this tool and forum on reddit. By way of a short background story, I got myself into a bit of a predicament. Namely, I managed to mistype something in a 45 letter password I usually use when creating my .7z data backups. After making the archive I deleted the original files and can no longer recover them.

Now, this is not the first time I typed the password wrong when doing it fast, but this is the first time I checked fast and didn't see the error in the typed password when creating the archive, so it is possible that:
  1. I missed one or two of the letters in this password (omission)
  2. I typed 1 or two of the same letters (accidental repetition)
  3. I typed 1 or two of the letters located on the keyboard near the letters of the usual password (the curse of big fingers)
  4. Some combination of the above 3
It will be pretty easy to try the repetition and omission combinations, but the third one or combination of two would be quite a job.

I am absolutely sure of the first 15 and last 10 letters of the password. I never get those wrong. That means I have to guess where I made the mistake in the middle part of the typed password (20 lowercase letters) so I can unlock the archive.

As I know only the very basics of this area, I'm currently needing assistance with:

1. When I extract the hash of the 7z archive with the 7z2hashcat64-1.3 utility (89752 characters long), Hashcat gives me a "Token length exception" error. What am I doing wrong here? Do I need another utility to extract the password hash?

2. From what I gather I would need to run a mask attack with a file where I would put all the possible combinations. To simplify, the text mask file would contain something like this:
123?56789
1234?6789
12345?789
123??6789
1234??789
123?5?789
123???789
Of course, it would be more complex (have more combinations).

In connection with this I have two questions:

a) Is there some tool where I can input the 123???789, and that this utility creates all the combinations for the mask file, (in the above case, the first 6 combinations)? Is https://github.com/hashcat/maskprocessor used for this?

b) Could you help me with coming up with the exact command line that would run this mask txt (combinations.hcmask) with the password hash txt (lost.hash)? All the letters I'm trying to find are lower case (?l)

So far, I got this:
Code:
-m 11600 -a 3 -o lost.hash combinations.hcmask
Reply
#2
-o is wrong in your command line. --outfile (or short -o) is only used for redirecting the output to a file (the results).

you need to specify the hash like this:
Code:
hashcat -m 11600 -a 3 -w 3 extracted.hash combinations.hcmask

for the other part it's difficult to say if mask attack is much faster compared to other approaches.... it could even turn out that a simple perl/python script with pipe/stdin -a 0 will be fast enough and easier to use:
Code:
python my_perfect_special_password_generator.py | hashcat -m 11600 -a 0 -w 3 lost.hash

you could even use stdin/pipe together with rules for hashcat (add "-r my.rules" at the right).


yeah, you could use maskprocessor to generate a huge list of masks (using ?l), or use any other scripting language to generate hcmask files that fit your specific use case (e.g. a new python/perl script that adds ?l at some positions in the string and outputs a list of masks, i.e. a hcmask file).

The problem is that your situation is very specific and there isn't a perfect off-the-shelf solution, I would say.


Since 7-Zip is a very slow hash type, it probably doesn't matter too much if you use -a 0 (maybe with rules) or -a 3 with hcmask files.... but in general you shouldn't use mask attacks with a very long static/hard-coded beginning (since it can't be accelerated a lot).


I think your approach is okay using hcmask files (but you still could consider if rule based attacks, maybe by even using the multi rule feature: -r first.rule -r second.rule, would also work for you)... the problem is however how many different masks it would require and if it's still feasible with that huge length (fortunately you only have 1 "password candidate" and not more passwords to choose from).

in general, for the hcmask approach I would recommend starting with a smaller length and add some ?l and afterwards increase the length. You could put the list of masks down by hand or generate them by a script (with increasing length and additional ?l as the mask length increases).
Reply
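The generator script suggested in the reply above could look like this for the three error classes from the first post (omission, repetition, neighbouring key), applied only to the uncertain middle section. This is an added example, not code from any poster; the password parts are constructed placeholders and the QWERTY neighbour table is an approximation assumed here.

```python
import sys

# Constructed placeholders: substitute the real fixed parts and the middle section.
PREFIX = "LEFTPART"
MIDDLE = "streetrandomrootbunny"
SUFFIX = "RIGHTPART"

# QWERTY letter rows (assumed layout); keys at index +/-1 in the same or an
# adjacent row are treated as neighbours, a slight over-approximation.
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]

def neighbours(ch):
    """Letters next to ch on the assumed keyboard layout."""
    out = set()
    for r, row in enumerate(ROWS):
        c = row.find(ch)
        if c < 0:
            continue
        for rr in (r - 1, r, r + 1):
            if 0 <= rr < len(ROWS):
                for cc in (c - 1, c, c + 1):
                    if 0 <= cc < len(ROWS[rr]):
                        out.add(ROWS[rr][cc])
    out.discard(ch)
    return out

def one_typo(s):
    """Every string one omission, repetition or near-key slip away from s."""
    out = set()
    for i, ch in enumerate(s):
        out.add(s[:i] + s[i + 1:])            # letter left out
        out.add(s[:i] + ch + s[i:])           # letter typed twice
        for n in neighbours(ch):
            out.add(s[:i] + n + s[i + 1:])    # neighbouring key hit instead
    return out

def candidates(middle, max_typos=2):
    """Variants of middle with 1..max_typos typos, without the original."""
    seen, frontier = {middle}, {middle}
    for _ in range(max_typos):
        frontier = {t for s in frontier for t in one_typo(s)} - seen
        seen |= frontier
    return seen - {middle}

if __name__ == "__main__":
    for mid in sorted(candidates(MIDDLE)):
        sys.stdout.write(PREFIX + mid + SUFFIX + "\n")
```

The output is one candidate per line, so it can be piped into the `-a 0` command shown in the reply above.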
#3
Thank you for your feedback. As I'm still new at this, I need some time to get into the subject matter and process the information. Thank God I don't need the data right now.

The password in question is "composed" of 4-6 letter words and numbers in a fixed order (think of it as a long sentence without spaces), so essentially I mistyped one of these words.

Let us say the password is composed of: LEFTPARTOFTHEPASSWORD street random root bunny RIGHTPARTOFTHEPASSWORD (without spaces between words). And let us say e.g. that "random" always goes after "street" and before "root".

The error is somewhere in the "streetrandomrootbunny" part.

Assuming that street is the mistyped word in the password, it could be:
LEFTPART?treetRIGHTPART
LEFTPARTs?reetRIGHTPART
LEFTPARTst?leetRIGHTPART
LEFTPARTstr?letRIGHTPART
LEFTPARTstre?tRIGHTPART
LEFTPARTstree?RIGHTPART
LEFTPARTtreetRIGHTPART
LEFTPARTsreetRIGHTPART
LEFTPARTsteetRIGHTPART
LEFTPARTstretRIGHTPART
LEFTPARTstreetRIGHTPART
LEFTPARTstreeRIGHTPART
LEFTPART?streetRIGHTPART
LEFTPARTs?treetRIGHTPART
LEFTPARTst?reetRIGHTPART
LEFTPARTstr?eetRIGHTPART
LEFTPARTstre?etRIGHTPART
LEFTPARTstree?tRIGHTPART
LEFTPARTstreet?RIGHTPART

where ? is a lowercase letter, assuming there is only one typo in the word.

What I was thinking of doing is running the above combinations for 4 potential words that are at issue. However, if that doesn't work (assuming I made more than 1 mistake in one of these 4 words OR that there are two potential mistakes in two separate words), I was thinking of using a tool to make more complex masks involving combinations of two words at a time.

Could you also help me with a hash extraction? Is there some tool that correctly extracts the hash of a 7z password protected archive? I'm still getting the "Token length exception" error.
Reply
#4
For what you want to do I would recommend rules instead of a mask attack.

If you get the "Token length exception" I have bad news for you however. hashcat can only support 7z archives up to a certain size and that error usually means your archive is too big.
Reply
#5
7z2hashcat from https://github.com/philsmd/7z2hashcat (you would need to either have perl installed or use the windows binary from https://github.com/philsmd/7z2hashcat/releases).

The .7z file must first be converted to a hash file. The output of 7z2hashcat can be written or copied to a file that you use with hashcat -m 11600.

I would say that you always need to start with the original password and remove some chars and try to add some ?l.

Code:
LEFTPARTOFTHEPASSWORDstreetrandomrootbunnyRIGHTPARTOFTHEPASSWORD
# remove one char
LEFTPARTOFTHEPASSWORDstreetrandomrootbunnRIGHTPARTOFTHEPASSWORD
LEFTPARTOFTHEPASSWORDstreetrandomrootbunyRIGHTPARTOFTHEPASSWORD
LEFTPARTOFTHEPASSWORDstreetrandomrootbnnyRIGHTPARTOFTHEPASSWORD
LEFTPARTOFTHEPASSWORDstreetrandomrootunnyRIGHTPARTOFTHEPASSWORD
LEFTPARTOFTHEPASSWORDstreetrandomroobunnyRIGHTPARTOFTHEPASSWORD
LEFTPARTOFTHEPASSWORDstreetrandomrotbunnyRIGHTPARTOFTHEPASSWORD
LEFTPARTOFTHEPASSWORDstreetrandomootbunnyRIGHTPARTOFTHEPASSWORD
LEFTPARTOFTHEPASSWORDstreetrandorootbunnyRIGHTPARTOFTHEPASSWORD
LEFTPARTOFTHEPASSWORDstreetrandmrootbunnyRIGHTPARTOFTHEPASSWORD
LEFTPARTOFTHEPASSWORDstreetranomrootbunnyRIGHTPARTOFTHEPASSWORD
LEFTPARTOFTHEPASSWORDstreetradomrootbunnyRIGHTPARTOFTHEPASSWORD
LEFTPARTOFTHEPASSWORDstreetrndomrootbunnyRIGHTPARTOFTHEPASSWORD
LEFTPARTOFTHEPASSWORDstreetandomrootbunnyRIGHTPARTOFTHEPASSWORD
LEFTPARTOFTHEPASSWORDstreerandomrootbunnyRIGHTPARTOFTHEPASSWORD
LEFTPARTOFTHEPASSWORDtreetrandomrootbunnyRIGHTPARTOFTHEPASSWORD
# remove two chars
...
# remove x chars

# replace one char with one ?l
LEFTPARTOFTHEPASSWORDstreetrandomrootbunn?lRIGHTPARTOFTHEPASSWORD
LEFTPARTOFTHEPASSWORDstreetrandomrootbun?lyRIGHTPARTOFTHEPASSWORD
LEFTPARTOFTHEPASSWORDstreetrandomrootbu?lnyRIGHTPARTOFTHEPASSWORD
LEFTPARTOFTHEPASSWORDstreetrandomrootb?lnnyRIGHTPARTOFTHEPASSWORD
LEFTPARTOFTHEPASSWORDstreetrandomroot?lunnyRIGHTPARTOFTHEPASSWORD
LEFTPARTOFTHEPASSWORDstreetrandomroo?lbunnyRIGHTPARTOFTHEPASSWORD
LEFTPARTOFTHEPASSWORDstreetrandomro?ltbunnyRIGHTPARTOFTHEPASSWORD
LEFTPARTOFTHEPASSWORDstreetrandomr?lotbunnyRIGHTPARTOFTHEPASSWORD
LEFTPARTOFTHEPASSWORDstreetrandom?lootbunnyRIGHTPARTOFTHEPASSWORD
LEFTPARTOFTHEPASSWORDstreetrando?lrootbunnyRIGHTPARTOFTHEPASSWORD
LEFTPARTOFTHEPASSWORDstreetrand?lmrootbunnyRIGHTPARTOFTHEPASSWORD
LEFTPARTOFTHEPASSWORDstreetran?lomrootbunnyRIGHTPARTOFTHEPASSWORD
LEFTPARTOFTHEPASSWORDstreetra?ldomrootbunnyRIGHTPARTOFTHEPASSWORD
LEFTPARTOFTHEPASSWORDstreetr?lndomrootbunnyRIGHTPARTOFTHEPASSWORD
LEFTPARTOFTHEPASSWORDstreet?landomrootbunnyRIGHTPARTOFTHEPASSWORD
LEFTPARTOFTHEPASSWORDstree?lrandomrootbunnyRIGHTPARTOFTHEPASSWORD
LEFTPARTOFTHEPASSWORDstre?ltrandomrootbunnyRIGHTPARTOFTHEPASSWORD
LEFTPARTOFTHEPASSWORDstr?letrandomrootbunnyRIGHTPARTOFTHEPASSWORD
LEFTPARTOFTHEPASSWORDst?leetrandomrootbunnyRIGHTPARTOFTHEPASSWORD
LEFTPARTOFTHEPASSWORDs?lreetrandomrootbunnyRIGHTPARTOFTHEPASSWORD
LEFTPARTOFTHEPASSWORD?ltreetrandomrootbunnyRIGHTPARTOFTHEPASSWORD

# replace two chars with two ?l
...
# replace x chars with x ?l

# remove chars AND replace with ?l (combination)


As you can see, it could get quite complex very fast... that's why I suggested to also consider creating a fast password generating script or use a rule based attack as an alternative (see https://hashcat.net/wiki/doku.php?id=rule_based_attack)



Note: you could/should also try with the latest beta version of hashcat from https://hashcat.net/beta/ since I'm pretty sure we made some changes and also increased some limits etc for -m 11600 hashes
Reply
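The enumeration sketched in the last reply (remove characters, replace characters with ?l, and combinations of both) can be generated rather than written by hand. This is an added example, not code from any poster; the password parts are the thread's placeholders and the function names are made up here.

```python
from itertools import combinations, product

# Placeholders from the thread; substitute the real fixed parts and middle section.
PREFIX = "LEFTPARTOFTHEPASSWORD"
MIDDLE = "streetrandomrootbunny"
SUFFIX = "RIGHTPARTOFTHEPASSWORD"

def escape(literal):
    """Escape hcmask specials in literal text: '?' -> '??' and ',' -> '\\,'."""
    return literal.replace("?", "??").replace(",", "\\,")

def masks(middle, max_edits=2, wildcard="?l"):
    """Yield the middle with 1..max_edits positions removed or made a wildcard."""
    seen = set()
    for k in range(1, max_edits + 1):
        for positions in combinations(range(len(middle)), k):
            # Each chosen position is independently removed or replaced,
            # which covers the "combination" case as well.
            for actions in product(("remove", "replace"), repeat=k):
                edit = dict(zip(positions, actions))
                parts = []
                for i, ch in enumerate(middle):
                    if i not in edit:
                        parts.append(escape(ch))
                    elif edit[i] == "replace":
                        parts.append(wildcard)
                mask = "".join(parts)
                # Removing either letter of a double ("ee", "oo", "nn")
                # yields the same mask, so emit each mask only once.
                if mask not in seen:
                    seen.add(mask)
                    yield mask

def hcmask_lines(prefix, middle, suffix, max_edits=2):
    """Full mask lines with the fixed prefix and suffix kept as literals."""
    return [escape(prefix) + m + escape(suffix)
            for m in masks(middle, max_edits)]

if __name__ == "__main__":
    print("\n".join(hcmask_lines(PREFIX, MIDDLE, SUFFIX)))
```

Redirect the output to combinations.hcmask and use it with the `-a 3` command from the second post; masks are emitted with fewer edits first, so the most likely single-error cases run before the two-error ones.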