Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 1 Apr 2020 15:38:40 +0200
From: magnum <>
Subject: Re: Some 7Zip hashes can't be cracked?

On 2020-03-24 20:20, magnum wrote:
> On 2020-03-17 19:13, magnum wrote:
>> On 2020-03-17 08:25, Jonathan A wrote:
>>> I have a sample of an encrypted 7Zip file (I know the password). When 
>>> I use
>>> on it, I get *a long hash (492 kb)*. Then when I try using 
>>> john
>>> with the known password (i.e. through stdin or wordlist) - it finishes
>>> unsuccessfully.
>> So it does accept it? We hate false negatives :-(
>>> The only difference I could see myself between the two is that 7Zip says
>>> the first file is encrypted with *LZMA2:768k BCJ 7zAES*.
>>> (I can share the first sample, but it has malware in it (I'm a malware
>>> researcher), so it can't go in this email).
>> I guess we don't support BCJ. I should be able to fix that. Please 
>> mail med the sample!
> This was indeed the case. This is now an issue with upstream 7z2hashcat. 
> It has to be fixed first, then John (and hashcat) need to be fixed as well.

This is now completely fixed in bleeding-Jumbo on GitHub.  After 
upgrading, you also need to re-run on all files to be sure 
you're not bitten by the bug.

Beware: I opened an issue with hashcat and also sent a PR to upstream 
7z2hashcat but until they are fixed, hashcat will still give false 
negatives with no warning.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.