Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 30 Jun 2020 10:13:56 +0200
From: magnum <>
Subject: Re: decryption without original password

On 2020-06-23 23:23, Solar Designer wrote:
> On Mon, Jun 22, 2020 at 02:50:45PM +0200, Johny Krekan wrote:
>> I have tryed Advanced office password breaker. It is product from
>> Elcomsoft which can break 40-bit encryption
>> which is used in Word/Excel versions 97/2000. It decrypts document
>> without recovering the actual password. It
>> recovers the key which is generated from the password.
>> 1. Is doing something like this possible with John on old office documents?
> No.  JtR currently only supports passwords, not binary keys.

We don't attack the key directly, but we're still getting the "benefit" 
of the crippled 40-bit encryption in that we'll hit usable password 
collisions at about the same rate anyway (once in about 2**40).

Also, we actually have (at least the GPU version) some quirky means for 
exploiting the 40-bit key once we know it, but I never found it very 
interesting since the format is so weak anyway:

The format can read a "hash" with an attached known 40-bit key, 
formatted as hashcat does it (Atom calls it MITM key):


The trailing 91b2e062b9 is the 40-bit key. If given, the format will use 
it for speedup, but we're not getting hashcat speeds (I think). Until we 
know they key, I see ~438 Mp/s on a 2080ti using mask mode. Once we hit 
the key, finding more usable passwords (given you used the 
--keep-guessing option) runs about 3x faster at ~1.3 Gp/s.

We never store the RC4 key in the potfile though, it just ends up in the 
log file. If you want to use it for future sessions, find it (grep log 
for MITM) and attach it to the original non-hash.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.