Date: Wed, 18 Aug 2021 16:09:40 -0400 From: Rich Rumble <richrumble@...il.com> To: john-users@...ts.openwall.com Subject: Re: Help interpreting JtR informational message output while cracking an MS Word document Depends on the version and even service pack of office sometimes: https://docs.microsoft.com/en-us/archive/blogs/david_leblanc/office-crypto-follies (prior versions) https://docs.microsoft.com/en-us/deployoffice/security/cryptography-and-encryption-in-office (latest) Each version of office is backward compatible with most if not all previous versions, but the defaults are what people mostly use for the password to open. For office 2013, I believe the password is iterated as a sha-256 hash 100k times, and then that final hash is used as the asymmetric key to encrypt/decrypt the document that is AES-128 (can be 256 too) Encrypted... I think? So hashing the word 'password' in sha-256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8" then hashing that hash = "113459eb7bb31bddee85ade5230d6ad5d8b2fb52879e00a84ff6ae1067a210d3" and then that one... 100k times. It could be that SHA-512 is being used and JtR detect that. Have a look at the sample hashes and try those: https://openwall.info/wiki/john/sample-non-hashes?s=office Now the AVX numbers you see should pertain to how John was built and what on-chip/die JtR is able to take advantage of. So AVX and SSE are good to see, they will likely offer some speed up over a CPU that doesn't support them. I really don't know the ins/outs of how JtR and others take advantage of those on-chip resources :( Check the benchmarks site to see how those on-board resources can help speed up CPU cracking: https://openwall.info/wiki/john/benchmarks I hope this helps, I know Solar and others can add much more to this conversation !-) -rich On Wed, Aug 18, 2021 at 1:42 PM Y Perron <yperron@...ers.com> wrote: > Hello All, > Can someone please help me understand the information that appears in the > line below that begins with Loaded 1 password hash (Office, 2007/2010/2013 > [SHA1 128/128 AVX 4x / SHA512 128/128 AVX 2x AES]). In particular here is > the information I am after: > - which algorithm/method is used to hash the encryption password;- what > information is conveyed in the following (Office, 2007/2010/2013 [SHA1 > 128/128 AVX 4x / SHA512 128/128 AVX 2x AES]). > Thanks in advance, > Yvan > > F:\AppliedCrypto\john-1.9.0-jumbo-1-win64\john-1.9.0-jumbo-1-win64\run>john > --incremental --format=office CrackMe.docx.passUsing default input > encoding: UTF-8Loaded 1 password hash (Office, 2007/2010/2013 [SHA1 128/128 > AVX 4x / SHA512 128/128 AVX 2x AES])Cost 1 (MS Office version) is 2013 for > all loaded hashesCost 2 (iteration count) is 100000 for all loaded > hashesWill run 4 OpenMP threadsPress 'q' or Ctrl-C to abort, almost any > other key for status0g 0:00:02:03 0g/s 57.54p/s 57.54c/s 57.54C/s > motted..mothel0g 0:00:04:16 0g/s 57.74p/s 57.74c/s 57.74C/s > mykash..mynami0g 0:00:09:05 0g/s 56.56p/s 56.56c/s 56.56C/s > 036118..0361350g 0:00:26:11 0g/s 56.03p/s 56.03c/s 56.03C/s cely5..ced120g > 0:00:26:13 0g/s 56.02p/s 56.02c/s 56.02C/s larru..laccaSession aborted
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.