Hello.
I encountered an extremely strange but at the same time interesting situation.
I have a rather old RAR archive (2013, judging by the file properties, created in version RAR 4.*).
The file names in the RAR archive are not encrypted.
Using John I got the hash of this archive.
I apologize in advance, I am not sure that the rules allow publishing full hashes, but when studying other topics I saw similar examples.
I believe that without a full indication of the hash the description of the problem will be incomplete and useless.
So, I got the following hash:
$RAR3$*1*2597b58e3fafb7d9*99875cb5*816*2036*1*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*33
Using this hash in Hashcat I got the password: 861582585
I used this password on the RAR archive, however, when using it I was able to decrypt only one file (out of a total of about 20 files). The remaining files remained encrypted.
As far as I understand, this archive is a structure in which files were added one by one with different passwords.
Next, I tried to attack this hash using John, using a dictionary containing an already known password and by brute force.
John does not find it.
To exclude the possibility of a build error, I tried it on three different systems (MAC, Kali, Debian - build from repo, my main system is MAC M1), the result is the same.
The most interesting thing is that I created a test RAR, where I created a similar structure, adding several files with different passwords (I also used version RAR 4.*). After that, I also took a hash from it using John. According to this hash, the password (the password of the last added file) was found by both John and Hashcat.
This situation confused me and I did the following.
I deleted this one file from the archive, for which I had the password, and made the RAR hash again using John.
I found that after deleting this one file with a known password, the hash of the overall RAR file changed.
$RAR3$*1*2597b58e3fafb7d9*0731a89e*1728*3992*1*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*33
I used this new hash again in Hashcat and got another password: ivanmendezl
This password again only unlocked one file, the rest of the files remained encrypted.
The situation repeated itself completely, John could not find this password.
Later, when working with the remaining files manually, by gradually deleting files, I found that this archive has 8 different passwords, 2 of which I already know.
I am currently trying to get them using Hashcat (except for two hashes that are too large and are not accepted by Hashcat, accordingly - my only chance to get passwords from them is to use John).
As far as I understand, with this structure, John can get the hash of the last file added to the RAR with a password. He does not see the rest, but when deleting that very last file and accordingly changing the general structure of the RAR archive, John sees the hash of the previous file added and so on chronologically.
To sum it up, I encountered such a situation for the first time and I can't understand why John can't get the password from the hashes.
I exclude a false positive of Hashcat because 2 different files were successfully decrypted.
In addition, John's successful work on test archives with the conditions met makes me think.
It is quite possible that I am doing something wrong.
I really ask for help from the community and would be grateful for any advice.
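Added example, not part of the original post and not code from John or Hashcat: a parser for the inlined type-1 `$RAR3$` line layout that rar2john emits (`type*salt*crc*pack_size*unp_size*inline*data*method`), applied to the header fields of the two lines quoted above. The ciphertext is a constructed zero-filled placeholder of the declared length, since the real data is elided on the page; `parse_rar3_inline` and `differing_fields` are hypothetical helper names.

```python
from typing import NamedTuple

class Rar3Entry(NamedTuple):
    salt: bytes      # 8-byte KDF salt
    crc32: int       # CRC32 of the unpacked plaintext file
    pack_size: int   # bytes of ciphertext stored for this file
    unp_size: int    # size of the file after decrypt + unpack
    data: bytes      # the inlined ciphertext
    method: int      # RAR method byte, 0x30 = stored ... 0x35 = best

def parse_rar3_inline(line: str) -> Rar3Entry:
    """Parse one type-1 ("rar -p", names visible) line with inlined data."""
    start = line.find("$RAR3$*")
    if start < 0:
        raise ValueError("no $RAR3$ signature")
    # Drop a leading "archive:" label and any trailing ":..." fields.
    fields = line[start + 7:].split(":")[0].strip().split("*")
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)}")
    htype, salt, crc, pack, unp, inline, data, method = fields
    if htype != "1" or inline != "1":
        raise ValueError("only the inlined type-1 layout is handled here")
    entry = Rar3Entry(bytes.fromhex(salt), int(crc, 16), int(pack),
                      int(unp), bytes.fromhex(data), int(method, 16))
    if len(entry.salt) != 8:
        raise ValueError("salt must be 8 bytes")
    if len(entry.data) != entry.pack_size:
        raise ValueError("data length differs from pack size (truncated line?)")
    if entry.pack_size % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return entry

def differing_fields(a: Rar3Entry, b: Rar3Entry) -> list[str]:
    """Names of the fields that differ between two parsed lines."""
    return [name for name in Rar3Entry._fields
            if getattr(a, name) != getattr(b, name)]

# Header fields are the two lines quoted in the post; the ciphertext is a
# constructed placeholder of the declared length (the page elides the real one).
FIRST = "$RAR3$*1*2597b58e3fafb7d9*99875cb5*816*2036*1*" + "00" * 816 + "*33"
SECOND = "$RAR3$*1*2597b58e3fafb7d9*0731a89e*1728*3992*1*" + "00" * 1728 + "*33"

if __name__ == "__main__":
    a, b = parse_rar3_inline(FIRST), parse_rar3_inline(SECOND)
    print(a.pack_size, a.unp_size, hex(a.method))
    print(differing_fields(a, b))
```

Running the same length check on a line before submitting it to either tool shows whether the data field was truncated in copy and paste.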