Please note, this is a STATIC archive of website hashcat.net from October 2020, cach3.com does not collect or store any user information, there is no "phishing" involved.

hashcat Forum

Full Version: Colliding password protected MS office 97-2003 documents
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Pages: 1 2 3 4
?b?b?b?b?b is not for the collision, but for cracking the RC4 key. Once you know the RC4 key, you have the first five bytes of the MD5|SHA1 hash. You then collide that hash to find a password that works.

Note the last step is not strictly necessary. You could simply use the RC4 key to decrypt the document without the password.
Sorry, my question, I'm starter... I write a string exactly like you write it:
oclHashcat64.exe -m 9700 hash -a 3 ?b?b?b?b?b -w 3 --potfile-disable
and instead the word "hash" I tried to put the hash from 3 char string with separator '*'. I used both with quotes ' and without quotes and even give the text file with the hash. A and always I got the same result:
: Line-length exception
Parsed Hashes: 1/1 (100.00%)

ERROR: No hashes loaded

What did I do wrong?
Thanks
(11-02-2014, 04:10 PM)injector Wrote: [ -> ]Sorry, my question, I'm starter... I write a string exactly like you write it:
oclHashcat64.exe -m 9700 hash -a 3 ?b?b?b?b?b -w 3 --potfile-disable
and instead the word "hash" I tried to put the hash from 3 char string with separator '*'. I used both with quotes ' and without quotes and even give the text file with the hash. A and always I got the same result:
: Line-length exception
Parsed Hashes: 1/1 (100.00%)

ERROR: No hashes loaded

What did I do wrong?
Thanks

When referencing hashes they should be in a file in the correct format.
https://hashcat.net/wiki/doku.php?id=example_hashes

So your file (lets say "hashFile.txt") should contain something like this:
$oldoffice$1*04477077758555626246182730342136*b1b72ff351e41a7c68f6b45c4e938bd6*0d95331895e99f73ef8b6fbc4a78ac1a

Make sure to follow the instructions as per this post (not the post which started the thread):
https://hashcat.net/forum/thread-3665-pos...l#pid20945

and you will address it in the syntax as such if attempting to recover the HEX value (Mode 9710 as per the referenced post, and not mode 9700):
oclHashcat64.exe -m 9710 hashFile.txt -a 3 ?b?b?b?b?b -w 3


However if you run into the same AMD Catalyst 14.9 issue that I'm having you may not be able to retrieve the value needed for collisions.
Excuse my ignorance, gentlemen, but how do I obtain the hash value from an office doc?
Thanks!

Is it the same mechanism as in office2john.py ?
yes. it's a slightly modified version of office2john.py
Hi,

I do have a Office 2007 document with an write protected area - so the document itself is not encrypted. The python script doesn't work so, but I can extract the salt and password hash of the file.

Do you if this password is encrypted the same way as the regular encryption routine of a file? If so, how can I merge the hash for hashcat manually?

Thanks for your help!
Hi, I have a quick question on colliding.

I see that it has been successfully implemented for $oldoffice $1 $2 and $3. Do you know if this will also work for $4? I know that oclhashcat (-m 9810) currently only matches hashes for $3. Is this because it is not possible to collide in $4 or it was accidentally omitted in the hash matching code?
The collider modes work due to the fact Microsoft truncated the RC4 key to 40 bits in types $1, $2 and $3. The $4 type does not have that (intended) flaw so it's not beneficial to attack the RC4 key directly.
Pages: 1 2 3 4