+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Support (https://hashcat.net/forum/forum-3.html)
+--- Forum: hashcat (https://hashcat.net/forum/forum-45.html)
+--- Thread: PDF Hash type (/thread-11875.html)
Pages:
1
2
PDF Hash type - xJiiKo - 03-26-2024
Hey guys
When I try to figure out the hash type with -identify, I get this output:
No hash-mode matches the structure of the input hash.
I
f I pull out the hash via Jack the ripper, it is only partially similar to the existing hashtype examples.
My hash starts like this: $pdf$1*2*40*2147422012*1*16*
I've already tested every hash mode, always the same error:
Hashfile 'pdf.txt' on line 1 ($pdf$1...xxxxxxxxxxxxx): Token length exception
* Token length exception: 1/1 hashes
This error happens if the wrong hash type is specified, if the hashes are
malformed, or if input is otherwise not as expected (for example, if the
--username option is used but no username is present)
No hashes loaded.
RE: PDF Hash type - b8vr - 03-27-2024
(03-26-2024, 11:39 PM)xJiiKo Wrote: Hey guys
When I try to figure out the hash type with -identify, I get this output:
No hash-mode matches the structure of the input hash.
I
f I pull out the hash via Jack the ripper, it is only partially similar to the existing hashtype examples.
My hash starts like this: $pdf$1*2*40*2147422012*1*16*
I've already tested every hash mode, always the same error:
Hashfile 'pdf.txt' on line 1 ($pdf$1...xxxxxxxxxxxxx): Token length exception
* Token length exception: 1/1 hashes
This error happens if the wrong hash type is specified, if the hashes are
malformed, or if input is otherwise not as expected (for example, if the
--username option is used but no username is present)
No hashes loaded.
Is the end part of the hash 64 bytes long? If not, try and pad it with 0 until it is. Or trim it if necessary.
There also exists pdf2hashcat (google it), maybe that will format the hash string a bit different....
RE: PDF Hash type - xJiiKo - 03-27-2024
(03-27-2024, 01:49 AM)b8vr Wrote:The end part of the hash is 168 character long. Idk how many bytes that is...(03-26-2024, 11:39 PM)xJiiKo Wrote: Hey guys
When I try to figure out the hash type with -identify, I get this output:
No hash-mode matches the structure of the input hash.
I
f I pull out the hash via Jack the ripper, it is only partially similar to the existing hashtype examples.
My hash starts like this: $pdf$1*2*40*2147422012*1*16*
I've already tested every hash mode, always the same error:
Hashfile 'pdf.txt' on line 1 ($pdf$1...xxxxxxxxxxxxx): Token length exception
* Token length exception: 1/1 hashes
This error happens if the wrong hash type is specified, if the hashes are
malformed, or if input is otherwise not as expected (for example, if the
--username option is used but no username is present)
No hashes loaded.
Is the end part of the hash 64 bytes long? If not, try and pad it with 0 until it is. Or trim it if necessary.
There also exists pdf2hashcat (google it), maybe that will format the hash string a bit different....
RE: PDF Hash type - JDLH - 03-27-2024
Have a look at the example hashes at https://hashcat.net/wiki/doku.php?id=example_hashes .
In the PDF hashes which hashcat and Jack the Ripper use, the first two numbers are a Version and Revision number. What comes after that — the number of fields, and the length of each field — differs depending on the Version and Revision. Which hashcat hash type ("-m" number) you use also differs.
I suggest you find a hash in example_hashes which matches the beginning of your hash: $pdf$1*2* . Then copy the entire example hash, and compare its structure carefully to the structure of the hashes you have.
I have noticed that some tools which claim to read a PDF file and generate a hash get the hash wrong. Sometimes there is a clear place to file a bug against the tool, sometimes there is not.
RE: PDF Hash type - xJiiKo - 03-27-2024
(03-27-2024, 02:50 AM)JDLH Wrote: Have a look at the example hashes at https://hashcat.net/wiki/doku.php?id=example_hashes .
In the PDF hashes which hashcat and Jack the Ripper use, the first two numbers are a Version and Revision number. What comes after that — the number of fields, and the length of each field — differs depending on the Version and Revision. Which hashcat hash type ("-m" number) you use also differs.
I suggest you find a hash in example_hashes which matches the beginning of your hash: $pdf$1*2* . Then copy the entire example hash, and compare its structure carefully to the structure of the hashes you have.
I have noticed that some tools which claim to read a PDF file and generate a hash get the hash wrong. Sometimes there is a clear place to file a bug against the tool, sometimes there is not.
I did that, the most similiar one is PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2
But its still very different...
PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2 $pdf$1*2*40*-1*0*16*
RE: PDF Hash type - b8vr - 03-27-2024
(03-27-2024, 02:59 AM)xJiiKo Wrote:(03-27-2024, 02:50 AM)JDLH Wrote: Have a look at the example hashes at https://hashcat.net/wiki/doku.php?id=example_hashes .
In the PDF hashes which hashcat and Jack the Ripper use, the first two numbers are a Version and Revision number. What comes after that — the number of fields, and the length of each field — differs depending on the Version and Revision. Which hashcat hash type ("-m" number) you use also differs.
I suggest you find a hash in example_hashes which matches the beginning of your hash: $pdf$1*2* . Then copy the entire example hash, and compare its structure carefully to the structure of the hashes you have.
I have noticed that some tools which claim to read a PDF file and generate a hash get the hash wrong. Sometimes there is a clear place to file a bug against the tool, sometimes there is not.
I did that, the most similiar one is PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2
But its still very different...
PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2 $pdf$1*2*40*-1*0*16*
Would you mind sharing the hash?
RE: PDF Hash type - Chick3nman - 03-27-2024
No need to share, I'm pretty sure the problem is the 2147422012. This value is incredibly high, either it's an error or a new value that the modules/kernels aren't ready to support. Changing it to be a smaller number would probably allow the hash to load but, depending on the version, it may impact the ability to crack it. I believe in some cases it won't though, so it's worth a shot.
RE: PDF Hash type - xJiiKo - 03-27-2024
b8vr dateline='[url=tel:1711522518' Wrote: 1711522518[/url]']
xJiiKo dateline='[url=tel:1711501148' Wrote: 1711501148[/url]']
JDLH dateline='[url=tel:1711500614' Wrote: 1711500614[/url]']
Have a look at the example hashes at https://hashcat.net/wiki/doku.php?id=example_hashes .
In the PDF hashes which hashcat and Jack the Ripper use, the first two numbers are a Version and Revision number. What comes after that — the number of fields, and the length of each field — differs depending on the Version and Revision. Which hashcat hash type ("-m" number) you use also differs.
I suggest you find a hash in example_hashes which matches the beginning of your hash: $pdf$1*2* . Then copy the entire example hash, and compare its structure carefully to the structure of the hashes you have.
I have noticed that some tools which claim to read a PDF file and generate a hash get the hash wrong. Sometimes there is a clear place to file a bug against the tool, sometimes there is not.
I did that, the most similiar one is PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2
But its still very different...
PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2 $pdf$1*2*40*-1*0*16*
Would you mind sharing the hash?
No I’m completely fine with sharing the hash, but am I allowed to? I thought I read somewhere that I’m not allowed to post the full hash.
RE: PDF Hash type - xJiiKo - 03-27-2024
Chick3nman dateline='[url=tel:1711523712' Wrote: 1711523712[/url]']
No need to share, I'm pretty sure the problem is the 2147422012. This value is incredibly high, either it's an error or a new value that the modules/kernels aren't ready to support. Changing it to be a smaller number would probably allow the hash to load but, depending on the version, it may impact the ability to crack it. I believe in some cases it won't though, so it's worth a shot.
How do I change it to a smaller number? Just shorten it? Can you give me an example?
RE: PDF Hash type - xJiiKo - 03-27-2024
b8vr dateline='[url=tel:1711522518' Wrote: 1711522518[/url]']
xJiiKo dateline='[url=tel:1711501148' Wrote: 1711501148[/url]']
JDLH dateline='[url=tel:1711500614' Wrote: 1711500614[/url]']
Have a look at the example hashes at https://hashcat.net/wiki/doku.php?id=example_hashes .
In the PDF hashes which hashcat and Jack the Ripper use, the first two numbers are a Version and Revision number. What comes after that — the number of fields, and the length of each field — differs depending on the Version and Revision. Which hashcat hash type ("-m" number) you use also differs.
I suggest you find a hash in example_hashes which matches the beginning of your hash: $pdf$1*2* . Then copy the entire example hash, and compare its structure carefully to the structure of the hashes you have.
I have noticed that some tools which claim to read a PDF file and generate a hash get the hash wrong. Sometimes there is a clear place to file a bug against the tool, sometimes there is not.
I did that, the most similiar one is PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2
But its still very different...
PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2 $pdf$1*2*40*-1*0*16*
Would you mind sharing the hash?
I wrote u a pm