Exetools  

#1
03-03-2018, 03:08
TmC
Particular Case of RAR Password Cracking

Hi there,
I'm here to ask some advice for a particular case of RAR Password Cracking.

I'm using ElcomSoft ARCHPR 4.54 for this purpose but the inner workings of the program are slowing down the process, or, at least, I don't know if it can be set properly for my case.

The situation is the following:

1. I have many RAR archives, whose files are protected with a single password. (Only the files are protected; the archive can be opened and I can see the contents, only extraction needs a password.)

2. I know the "philosophy" which was used to generate the passwords. They are all Latin words, only the first letter is capital, no numbers, nothing else. 50% of the files contain a file whose name contains this password. Another 25% of the files have a password which is not present in the file names but is a common Latin word. All the passwords are 2 to 8 characters maximum.

3. At the moment, the first 50% of the files have been cracked manually and the second 25% of the passwords have been cracked with the auxilium of ARCHPR and the Dictionary attack with the whole list of Latin words.

The problem is the following:

A Latin word (actually it is not Latin but a language derived from Latin which uses conjugation) can have many forms, and the dictionary attack only has the "base" form (e.g. base form: habere; conjugated: habeo, habes, habet, habebus, habetis, habent).

Since the "logic" behind the passwords is always the same, I suspect that the 25% of the non-cracked passwords do use conjugated words that, of course, ARCHPR is unaware of since they are not present in the dictionary supplied.
There is also a remote possibility that it might use people's proper names, like Jesus, Mary, Joseph and so on, but this is not an issue because with a brute-force attack the meaning of a word is useless.

I am trying to figure out how to instruct ARCHPR to perform a brute-force attack based on these premises.

The problem is that, with ARCHPR, if I specify A->Z and a->z, the software tries every possible combination. This raises 2 problems:

1. Out of feasibility of cracking time.
2. A lot of wasted time, since only the first letter is capital, and the others are not, so we have that only the first letter is A->Z + a->z and the subsequent others are only a->z.

So far, I have been unable to figure out a solution using ARCHPR...

Does any of you have a clue on how to do this thing, or can suggest other, more configurable software, to achieve this goal?

Thank you.

Last edited by TmC; 03-03-2018 at 03:13.
#2
03-03-2018, 09:31
chants
1) Get a better dictionary - find a list of all conjugated forms of the language words you are dealing with somewhere out there.
2) Generate your own dictionary - find a list of base forms of the language, find an exhaustive list of possible suffixes, write a small program to combine all combinations.

Really I don't think there are any tricks when you have such a specific situation beyond that you have already kind of guided this response.
The Following User Says Thank You to chants For This Useful Post:
tonyweb (03-03-2018)
#3
03-03-2018, 16:13
niculaita
1. Just simple: ask the owner for the password; you should have a 50% chance.

2. passware 1.1 see https://rutracker.org/forum/viewtopic.php?t=5381706
or 4.0 https://dailyuploads.net/7a7g0uqj2xmh for that maybe someone share a good new serial for 2017.4.0

3. AccentRPR 3.5 build 3415 x64 http://sendfile.su/1287496 that works on windows 7 x64

P.S. here is not free databases: https://www.4shared.com/office/fqQqWxKPba/0all_about__dictionary_with_mo.html
__________________
Decode and Conquer

Last edited by niculaita; 03-05-2018 at 06:07.
#4
03-03-2018, 17:02
traf0
Use free tools, they are more flexible.
First use rar2john from John The Cracker jumbo package to get the hashes. With the hashes listed in a file you can start cracking them with john or hashcat.
In your case the "Wordlist + Rules" option is needed: c = Capitalize the first letter and lower the rest.
Google for a good dictionary or use those from SecLists.

More:
Code:
https://hashcat.net/wiki/doku.php?id=rule_based_attack
https://hashcat.net/wiki/doku.php?id=hashcat
https://github.com/danielmiessler/SecLists/tree/master/Passwords
Regarding "50% of the files contain a file which name contains this password.", you can create a list of them using an easy bash script like:
Quote:
for i in *.rar; do unrar l "$i" | grep -F '*' | awk '{ print $6 }'; done
The Following 2 Users Say Thank You to traf0 For This Useful Post:
niculaita (03-04-2018), tonyweb (03-03-2018)
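
Added example, not written by any poster in this thread: a small Python generator for the approach chants describes in #2 (base forms combined with a suffix list), applying the same capitalisation as the "c" rule traf0 mentions in #4 and the 2 to 8 letter limit from #1. The base forms, suffix list and function names are constructed for illustration; the last function counts the brute-force keyspace TmC compares against.

```python
"""Build a candidate list from base forms and suffixes (constructed sample data)."""

# Constructed sample data, not a real lexicon: infinitives and the endings
# that replace the infinitive ending "ere".
BASE_FORMS = ["habere", "videre", "tenere"]
INFINITIVE_ENDING = "ere"
SUFFIXES = ["eo", "es", "et", "emus", "etis", "ent"]


def rule_c(word):
    """Same effect as the 'c' rule: first letter upper, the rest lower."""
    return word[:1].upper() + word[1:].lower()


def conjugate(base, ending=INFINITIVE_ENDING, suffixes=SUFFIXES):
    """Yield the base form, then stem + suffix for every suffix."""
    yield base
    if base.endswith(ending):
        stem = base[: -len(ending)]
        for suffix in suffixes:
            yield stem + suffix


def build_wordlist(base_forms, min_len=2, max_len=8):
    """Return sorted, de-duplicated candidates that fit the length policy."""
    seen = set()
    for base in base_forms:
        for form in conjugate(base.strip()):
            if form.isalpha() and min_len <= len(form) <= max_len:
                seen.add(rule_c(form))
    return sorted(seen)


def brute_force_keyspace(min_len=2, max_len=8, first=26, rest=26):
    """Count candidates when position 1 has `first` symbols and the others `rest`."""
    return sum(first * rest ** (n - 1) for n in range(min_len, max_len + 1))


if __name__ == "__main__":
    words = build_wordlist(BASE_FORMS)
    print("\n".join(words))
    print("one capital + lowercase:", brute_force_keyspace())
    print("A-Z and a-z in every position:", brute_force_keyspace(first=52, rest=52))
```

The generated list stays in the thousands or millions for a real lexicon, while even the restricted brute-force space for 2 to 8 letters is about 2.2 * 10^11 candidates.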
#5
03-04-2018, 07:05
TmC
Thank you, everyone.

I'm going to study the situation and decide what is best based on your kind suggestions.

I'll let you know what's going on.

@niculaita: do you believe that if 1 was applicable, I'd have written that long paragraph on this forum?
The Following User Says Thank You to TmC For This Useful Post:
niculaita (03-04-2018)
#6
03-05-2018, 08:00
TmC
Hi there:

Using your help I've been able to find the password for another 20% of the files (3 proper names, the sons and daughters of the person who protected them). Now there is only 5% left (~50 files) and the program is still working... so there's the chance that by tomorrow all the passwords will be found.

Special thanks to chants, who suggested finding a better dictionary. I found one (3.7 MB against 0,66 of the first) that, as of now, was able to supply the passwords to open 2/3 of the files.

I'll let you know when the entire thing finishes.
The Following 2 Users Say Thank You to TmC For This Useful Post:
an0rma1 (03-09-2018), tonyweb (03-06-2018)
All times are GMT +8. The time now is 17:40.

