Problem with cracking Office password that contains custom character
#1
Hello there,

I have an Excel file which I encrypted with a password that contains a letter from my native language (language: Croatian, letter 'č'). The letter 'č' is \xC4\x8D in UTF-8.
I pulled out the hash from the file with John the Ripper and saved it in a file that I named hash.txt. I moved the file hash.txt into my hashcat folder and entered this command:
Code:
hashcat.exe -a 3 -m 9600 -1 C4 -2 8D --hex-charset -o crack.txt hash.txt ?1?2 --session=name1 -D 1,2
The cracking finishes with the status Exhausted and it cannot find the password.
However, if I encrypt the same Excel file with a password that contains a letter from the English alphabet (e.g. letter 'c'), the password is cracked without problems with the following command:
Code:
hashcat.exe -a 3 -m 9600 -o crack.txt hash.txt ?l --session=name1 -D 1,2

If I generate an MD5 hash for the same letter 'č', save it in the hash.txt file, place that file in my hashcat folder and enter this command:
Code:
hashcat.exe -a 3 -m 0 -1 C4 -2 8D --hex-charset -o crack.txt hash.txt ?1?2 --session=name1 -D 1,2 -O
The cracking finishes with the status cracked and the password is found.

Does anybody have any idea why the first command does not work for me?
Reply
#2
this question has already been answered dozens of times:

https://hashcat.net/forum/thread-8456.html
https://github.com/hashcat/hashcat/blob/...xt#L25-L35

just use the forum search function
Reply
#3
So if I understood correctly, I need to do this:
"...create a clean directory with the hashcat download/binaries...make sure that the "kernels/" directory does not exist...Modify the file OpenCL/m09600-pure.cl and change
sha512_update_global_utf16le_swap to sha512_update_global_swap..."
I did that, entered the same command and still got the status Exhausted. What am I doing wrong?
Reply
#4
Code:
--encoding-to utf16le

and this of course only works in a dictionary attack (-a 0), if you want to use -a 3 you would need to use the correct bytes with --hex-charset

if you want that all attack modes work, you need to change all the kernel files optimized/pure, -a 0, -a 1, -a 3

btw: it's also worth noting that encoding isn't actually that easy to understand and unfortunately one might easily come to a very wrong conclusion, for instance, just look at this page here: https://graphemica.com/%C4%8D , it clearly says that while in utf8 you encode it with c48d , in utf16le it's 0d01 . so this could really look confusing and wrong, but the conversion from c48d -> 0d01 is correct (you could also use tools like iconv or hashcat with --stdout -a 0 --encoding-from and --encoding-to etc)
Reply
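The encoding point from posts #1 and #4, as an added example that is not part of any post in this thread: it compares the UTF-8 and UTF-16LE bytes of a password and models the unmodified -m 9600 kernel as appending 0x00 to every candidate byte. That widening model and all function names are assumptions made for illustration; the inputs are constructed.

```python
# Added illustration, not code from the thread or from hashcat.
# Assumption: the stock kernel turns candidate bytes into "UTF-16LE" by
# appending 0x00 to each byte, with no real UTF-8 decoding.

def utf16le(password: str) -> bytes:
    """The byte form of the password that the Office hash is computed over."""
    return password.encode("utf-16-le")

def widen(candidate: bytes) -> bytes:
    """Assumed in-kernel conversion: every byte b becomes the pair (b, 0x00)."""
    out = bytearray()
    for b in candidate:
        out += bytes((b, 0))
    return bytes(out)

def stock_kernel_candidate(password: str):
    """Raw candidate bytes that widen to the correct UTF-16LE form, or None
    when no byte string can (some code unit is above 0xFF)."""
    target = utf16le(password)
    if any(high != 0 for high in target[1::2]):
        return None
    return target[0::2]

def report(password: str) -> dict:
    utf8 = password.encode("utf-8")
    candidate = stock_kernel_candidate(password)
    return {
        "utf8": utf8.hex(),
        "utf16le": utf16le(password).hex(),
        "widened_utf8": widen(utf8).hex(),
        # True only when feeding the UTF-8 bytes through the mask can match
        "utf8_mask_hits": widen(utf8) == utf16le(password),
        "stock_candidate": candidate.hex() if candidate is not None else None,
    }

if __name__ == "__main__":
    # 'c' (ASCII), U+010D 'č' (the thread's letter), U+00E9 'é' (Latin-1 range)
    for pw in ("c", "\u010d", "\u00e9"):
        print(repr(pw), report(pw))
```

Under this model the UTF-8 bytes c4 8d widen to c4 00 8d 00, which never equals 0d 01, while the ASCII letter 'c' widens to exactly its UTF-16LE form.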
#5
Okay, so I have another problem/set of problems.
I have two hashcat folders, one which I just extracted cleanly and another where I modified the file OpenCL/m09600-pure.cl and changed "sha512_update_global_utf16le_swap to sha512_update_global_swap...".
The first hash.exe works as I described in the main post. The second hash.exe works perfectly while cracking MD5 hashes, but crashes when cracking Excel hashes (which use -m 9600) and reports the following error:

"* Device #1: ATTENTION! OpenCL kernel self-test failed.

Your device driver installation is probably broken.
See also: https://hashcat.net/faq/wrongdriver

Aborting session due to kernel self-test failure.

You can use --self-test-disable to override this, but do not report related errors."


I followed the instructions on "https://hashcat.net/faq/wrongdriver" and reinstalled my drivers three times until I got "hashcat --benchmark" to finish without errors on both hash.exe-s (I extracted them cleanly every time after reinstallation of drivers). I realized in the process that I cannot install drivers for my Intel(R) HD Graphics 630 because when installed the benchmark finishes with errors. I downloaded and installed "intel_sdk_for_opencl_applications_2020.2.487.zip" and "opencl_runtime_16.1.2_x64_setup.msi".

The situation is the same after reinstallation. I know that this has nothing to do with my original question, but if you have any advice on what to do next, I would be very grateful.
Reply
#6
if you modify the kernel code such that it's not doing the same thing as it is supposed to do (among others, convert the passwords to utf16le within the kernel), then and only then you need to use this advanced flag that should be only used by advanced users (developers mainly)
ATTENTION do NOT use this in general:
Code:
--self-test-disable
ATTENTION do NOT use this
Reply
#7
Tried it, but then it never cracks a single Excel hash, be it letter 'c' or letter 'č' and always finishes with the status Exhausted.
Reply
#8
encoding is difficult

and without understanding it, you probably shouldn't make these source code changes and do such advanced attacks. We have several confirmations of users that moved the encoding out of the kernel and did the encoding externally and it worked for them (for instance, just read the linked forum thread from above again).
Reply
#9
The problem you are having with the self-test is because you have modified the kernel file (.cl file) and you have not corrected the hash used by hashcat to self-test the kernel, which is located in the module file.

To make it easier you can use the --self-test-disable switch to ignore the error message (but only just for this modified module)
The driver is not the source of your problem and you don't need to reinstall it.

If you use the modified kernel file you must also use the encoding-to switch to convert the passwords to utf16le or use a dictionary file encoded to utf16le.

If you want to use the hex-encoding switch in a mask attack you have to use the modified kernel file and the --self-test-disable switch too. Also it can be useful to read the following articles (besides the ones recommended previously by philsmd):

https://miloserdov.org/?p=4016

https://blog.bitcrack.net/2013/09/cracki...e.html?m=1

https://www.nixu.com/blog/cracking-non-e...ng-hashcat
Reply
#10
I have not succeeded in making it work. Nevertheless, thank you very much philsmd and TheAleph for your help and for your input and time. I will continue to try to make it work for me. If this thread needs to be closed, it can be closed and considered as solved. If I manage to make it work before this thread is closed, I will write what I have done here. Cheers!
Reply