Decoding RAR files
References:
https://www.hkepc.com/forum/viewthread.php?fid=24&tid=2660011&page=1
https://blog.csdn.net/weixin_46081055/article/details/119594510
Cracking inside Docker:
docker run -it --privileged --name snap \
-v /home/wl/wl/data/docker/data:/wl \
diddledani/snapcraft:core22 bash
Installation
John
Ubuntu:
snap install john-the-ripper
apt install ocl-icd-opencl-dev
apt-get install hashcat
Versions:
/snap/john-the-ripper/610/run/john
John the Ripper 1.9.0-jumbo-1+bleeding-39db7dd63e 2023-09-20 17:02:33 -0300 OMP [linux-gnu 64-bit x86_64 AVX AC]
Copyright (c) 1996-2023 by Solar Designer and others
Homepage: https://www.openwall.com/john/
hashcat -V
v6.2.5
Notes:
- Error during testing:
/snap/john-the-ripper/610/run/rar2john test.rar
Error: /snap/john-the-ripper/610/run/rar2john: error while loading shared libraries: libOpenCL.so.1: cannot open shared object file: No such file or directory
Fix: apt install ocl-icd-opencl-dev
- Running
/snap/bin/john-the-ripper.rar2john test.rar
Error: ! test.rar: No such file or directory
Inspecting /snap/bin/john-the-ripper.rar2john
Symlink target: john-the-ripper.rar2john -> /usr/bin/snap*
The binary it points to is the wrong one.
On Windows, the tools can be downloaded directly:
https://www.openwall.com/john/k/john-1.9.0-jumbo-1-win64.7z
https://hashcat.net/files/hashcat-6.2.5.7z
hashcat
apt install hashcat
Default potfile location: cat ~/.local/share/hashcat/hashcat.potfile
RAR encryption hash formats
Reference: https://openwall.info/wiki/john/sample-non-hashes#RAR
RAR modes supported by hashcat:
12500 | RAR3-hp | Archive
23800 | RAR3-p (Compressed) | Archive
23700 | RAR3-p (Uncompressed) | Archive
13000 | RAR5 | Archive
The official examples are:
-m value | Type | Example hash |
---|---|---|
12500 | RAR3-hp | $RAR3$*0*45109af8ab5f297a*adbf6c5385d7a40373e8f77d7b89d317 |
13000 | RAR5 | $rar5$16$74575567518807622265582327032280$15$f8b4064de34ac02ecabfe9abdf93ed6a$8$9843834ed0f7c754 |
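Note that in the hash, RAR3-hp has the form $RAR3$*0*xxx: the middle value is 0 (-hp), not 1 (-p). -p is not yet supported; only -hp is.
This example uses RAR3-hp; RAR5 was not tested because no recent version of WinRAR was available.
Difference between the RAR options -p and -hp
-p: encrypts only the file contents in the RAR archive; the directory and file names inside are not encrypted.
-hp: also encrypts the file names and subdirectories in the archive.
Obtaining the correct RAR hash
Reference: https://bbs.deepin.org/post/248491
Use the rar2john tool to extract the hash from the RAR file.
After extraction, delete the leading xxx.rar: file-name prefix and the trailing ::: together with the type, file name and other fields, keeping only the part that starts with $RAR3$ and ends with 33 or 30. Otherwise hashcat fails with Token length exception or No hashes loaded, whereas John the Ripper accepts the full line.
Analysis of the RAR hash structure:
The RAR archive hashcat modes are 12500 (RAR3-hp) and 13000 (RAR5), and the output format looks like: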
$RAR3$*type*hex(salt)*hex(partial-file-contents):type::::
type = 0 stands for files encrypted with rar -hp. The -hp option encrypts both file data and headers. Sample:
$RAR3$*0*45109af8ab5f297a*adbf6c5385d7a40373e8f77d7b89d317
type = 1 stands for files encrypted with rar -p. The -p option encrypts only files. Sample:
$RAR3$*type*hex(salt)*hex(crc)*PACK_SIZE*UNP_SIZE*0*archive_name*offset-for-ciphertext*method:type::file_name
or
$RAR3$*type*hex(salt)*hex(crc)*PACK_SIZE*UNP_SIZE*1*hex(full encrypted file)*method:type::file_name
$RAR3$*1*: corresponds to 23800 | RAR3-p (Compressed)
My hash looks like this:
$RAR3$*1*salt*crc*pack_size*unpack_size*1*data*33
Cracking $RAR3$*1* hashes
Reference: https://hashcat.net/forum/archive/index.php?thread-11451.html
I have a RAR3 hash from a winrar archive.
-m value | Type | Example hash |
---|---|---|
23700 | RAR3-p (Uncompressed) | $RAR3$*1*e54a73729887cb53*49b0a846*16*14*1*34620bcca8176642a210b1051901921e*30 |
23800 | RAR3-p (Compressed) | $RAR3$*1*ad56eb40219c9da2*834064ce*32*13*1*eb47b1abe17a1a75bce6c92ab1cef3f4126035ea95deaf08b3f32a0c7b8078e1*33 |
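
The trimming rule and field layouts described above, as an added example (not code from the original page, John the Ripper or hashcat): it strips the rar2john file-name prefix and trailing metadata, picks the -m value from the page's tables, and reports the RAR5 KDF iteration count and whether -p left a file name readable. The names `normalize`, `RAR3_P_MODES` and the sample archive and file names are assumptions; only the inlined-data -p layout and the methods 30 and 33 shown on the page are handled.

```python
import re

# -p methods shown on the page: 30 -> 23700 (uncompressed), 33 -> 23800 (compressed)
RAR3_P_MODES = {"30": 23700, "33": 23800}

def normalize(line):
    """Return (hashcat_mode, bare_hash, info) for one rar2john output line."""
    m = re.search(r"\$(RAR3|rar5)\$", line)
    if not m:
        raise ValueError("no RAR hash in line")
    archive = line[:m.start()].rstrip(":")
    # The hash itself contains no ':'; what follows the first ':' is
    # rar2john metadata (type, file name) that hashcat does not accept.
    body, _, trailer = line[m.start():].strip().partition(":")
    if m.group(1) == "rar5":
        # ['', 'rar5', salt_len, salt, log2(iterations), iv, check_len, check]
        f = body.split("$")
        if len(f) != 8 or len(f[3]) != 2 * int(f[2]) or len(f[7]) != 2 * int(f[6]):
            raise ValueError("malformed $rar5$ hash")
        return 13000, body, {"archive": archive, "kdf_iterations": 1 << int(f[4])}
    f = body[len("$RAR3$*"):].split("*")
    if f[0] == "0" and len(f) == 3:                  # -hp: headers encrypted too
        return 12500, body, {"archive": archive, "names_exposed": False}
    if f[0] == "1" and len(f) == 8 and f[5] == "1":  # -p with ciphertext inlined
        if 2 * int(f[3]) != len(f[6]):
            raise ValueError("PACK_SIZE does not match inlined data")
        info = {"archive": archive, "names_exposed": True,
                "file_name": trailer.rsplit(":", 1)[-1]}
        return RAR3_P_MODES.get(f[7]), body, info    # None: method not on the page
    raise ValueError("unsupported $RAR3$ layout")

# Constructed input: hash bodies are the page's samples, names are made up.
SAMPLES = [
    "test.rar:$rar5$16$f560657b75914c14c58ed60f7b91a8bb$15$9b5051b8eb95fb6fba2d0a96010061ba$8$677dfcaf3a1b709f",
    "a.rar:$RAR3$*0*45109af8ab5f297a*adbf6c5385d7a40373e8f77d7b89d317:0::::",
    "b.rar:$RAR3$*1*ad56eb40219c9da2*834064ce*32*13*1*eb47b1abe17a1a75bce6c92ab1cef3f4126035ea95deaf08b3f32a0c7b8078e1*33:1::notes.txt",
]

if __name__ == "__main__":
    for s in SAMPLES:
        mode, bare, info = normalize(s)
        print(mode, info, bare[:24] + "...")
```

The 32768 iterations reported for the RAR5 sample match the Iteration:32768-32799 line in the hashcat status output further down the page.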
Steps: you need to run rar2john your_file.rar > output_file, then run john output_file
- Use rar2john to generate the hash file.
- Use john to process the hash file.
Example:
/snap/john-the-ripper/610/run/rar2john 1.rar > 1.hash
/snap/john-the-ripper/610/run/john 1
Output:
/snap/john-the-ripper/610/run/john 1
Warning: detected hash type "rar", but the string is also recognized as "rar-opencl"
Use the "--format=rar-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (rar, RAR3 [SHA1 256/256 AVX2 8x AES])
Will run 56 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
0g 0:00:00:25 DONE 1/3 (2023-12-26 09:10) 0g/s 1289p/s 1289c/s 1289C/s Mp3中国传统节日习俗来历故事1906..Rar1900
Proceeding with wordlist:/snap/john-the-ripper/current/run/password.lst
Enabling duplicate candidate password suppressor
Note: Mp3中国传统节日习俗来历故事1906..Rar1900 is the first value cracked: 1906..Rar1900
Test example
Tested with rar from RARLAB, version: rarlinux-x64-700b3.tar.gz
https://www.rarlab.com/download.htm
RAR 7.00 beta 3 Copyright (c) 1993-2023 Alexander Roshal 13 Dec 2023
Trial version Type 'rar -?' for help
rar5
Reference: https://www.hkepc.com/forum/viewthread.php?fid=24&tid=2660011&page=1
Create the RAR file:
echo 'Hello' > hello.txt
echo 'World' > world.txt
rar a -P1234 test.rar hello.txt
rar a -P1234 test.rar world.txt
Get the hash:
/snap/john-the-ripper/610/run/rar2john test.rar
test.rar:$rar5$16$f560657b75914c14c58ed60f7b91a8bb$15$9b5051b8eb95fb6fba2d0a96010061ba$8$677dfcaf3a1b709f
test.rar:$rar5$16$f560657b75914c14c58ed60f7b91a8bb$15$5d7945a2bf6e8c18e442ca43ecfe05ae$8$677dfcaf3a1b709f
Crack:
hashcat -a 3 -m 13000 --increment --increment-min 1 --increment-max 8 \
'$rar5$16$f560657b75914c14c58ed60f7b91a8bb$15$9b5051b8eb95fb6fba2d0a96010061ba$8$677dfcaf3a1b709f' \
?d?d?d?d?d?d?d?d
Output:
$rar5$16$f560657b75914c14c58ed60f7b91a8bb$15$9b5051b8eb95fb6fba2d0a96010061ba$8$677dfcaf3a1b709f:1234
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13000 (RAR5)
Hash.Target......: $rar5$16$f560657b75914c14c58ed60f7b91a8bb$15$9b5051...1b709f
Time.Started.....: Tue Dec 26 08:04:20 2023 (1 sec)
Time.Estimated...: Tue Dec 26 08:04:21 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: ?d?d?d?d [4]
Guess.Queue......: 4/8 (50.00%)
Speed.#1.........: 1287 H/s (6.05ms) @ Accel:128 Loops:512 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 512/10000 (5.12%)
Rejected.........: 0/512 (0.00%)
Restore.Point....: 0/1000 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:32768-32799
Candidate.Engine.: Device Generator
Candidates.#1....: 1234 -> 1124
Hardware.Mon.#1..: Temp: 43c Util: 86%
Started: Tue Dec 26 08:04:15 2023
Stopped: Tue Dec 26 08:04:22 2023