Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 13 Jun 2013 20:33:58 +0200
From: magnum <john.magnum@...hmail.com>
To: john-users@...ts.openwall.com
Subject: Re: rar2john failing?

On 13 Jun, 2013, at 19:59 , Luis Santana <hacktalk@...ktalk.net> wrote:
> Hey, trying to run rar2john on an OSX system but getting the following output:
> 
> ! -hp mode entry found in 1.rar
> 1.rar:$RAR3$*0*0000000000000000*00000000000000000000000000000000:0::::1.rar
> 
> The "file" command gives the following:
> 
> 1.rar: RAR archive data, v0, os: MS-DOS
> 
> And the header of the archive is the following:
> 
> [13:58:25 connection@...DOS.local:~/john]$ hexdump -C 1.rar |head
> 00000000  52 61 72 21 1a 07 00 ce  99 73 80 00 0d 00 00 00  |Rar!.....s......|
> 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
> *
> 00000060  00 00 00 00 00 00 00 00  00 00 00 00 cc 0b 7d 38  |..............}8|
> 00000070  34 9f 04 e8 57 e3 7b 70  f3 c7 76 7b b9 19 a9 07  |4...W.{p..v{....|
> 00000080  5b 72 6d eb c6 c5 59 05  51 ff c5 2f 04 ea b9 4a  |[rm...Y.Q../...J|
> 00000090  b0 1f d1 c3 e5 b7 f5 6a  b9 87 82 1b 19 de d8 3e  |.......j.......>|
> 000000a0  11 9d 30 0a d9 66 18 45  6e 77 9d f9 4f 79 ea 1a  |..0..f.Enw..Oy..|
> 000000b0  76 21 84 5a 18 4c 4d e4  48 88 58 3e ae 20 92 59  |v!.Z.LM.H.X>. .Y|
> 000000c0  74 a6 10 c5 f2 03 80 fa  bc bc a2 05 21 77 c5 f1  |t...........!w..|
> 
> 
> As this is a file that a client believes is being used to exfiltrate data from the network, I sadly cannot share the archive for debugging purposes but I hope someone has run into this issue in the past and can point me in the right direction.
> 
> I hope it's just an OSX issue and I can throw the rar into a Virtual Machine to solve this 

Unfortunately rar2john is very generic code and it's tested on OSX. The file(1) output seems to confirm the file is bogus: My bet is it isn't a RAR file at all, it just tries (a little) to look like one.

Try this:
$ dd if=1.rar of=payload bs=$((0x6c)) skip=1
$ file payload

...and perhaps

$ ent payload

But I would not spend too much more time on it than that. You probably won't have a chance to get anything from that file unless you find what created it and rev that.

magnum

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.