

Password hashes are not extracted from the file. John the Ripper (JtR) does not really do this. You can download the code for JtR to figure out how it is done. Here is a little article on how to get the so-called "non-hash" info for.

To correct the misnomer, JtR does not actually "retrieve the hash" from the file. It extracts certain information from the file, for example, as documented in the rar2john code:

    Output Line Format:

    For type = 0 for files encrypted with "rar -hp"
    archive_name:$RAR3$*type*hex(salt)*hex(partial-file-contents):type::

    For type = 1 for files encrypted with "rar -p"
    archive_name:$RAR3$*type*hex(salt)*hex(crc)*PACK_SIZE*UNP_SIZE*0*archive_name*offset-for-ciphertext*method:type::file_name

    archive_name:$RAR3$*type*hex(salt)*hex(crc)*PACK_SIZE*UNP_SIZE*1*hex(full encrypted file)*method:type::file_name

So, as shown above, the "password hash" is not extracted. Also, it is a complete fail to believe that the file is "entirely" encrypted (as suggested by others answering similar questions). Instead, critical unencrypted and encrypted file items, such as the salt, are retrieved to generate a "non-hash". These items are used by JtR with various password guesses to test decryption.

It uses the zip or rar password hash generation functions to create a hash from the guess that is in turn used to generate the crypt key values. The generated crypt key values are then used to test against a small, extracted, and well-defined portion of the encrypted file. So, while JtR is not "extracting a password hash" that can be sent to any ol' password-hash-checker-rainbow-table-lookup-thingy, it is doing the next best thing: extracting critical cracking information. The steps to crack are essentially: 1) a hash is generated from a password guess, 2) a few extra steps are added to check that decryption succeeds or fails (a lot of fails), and 3) repeat. What makes rar cracking so difficult is a different salt for each rar file and, more importantly, the large and variable number of hash iterations that are needed before the decryption test can be performed. The newer zip process is similar, but the iterations are not variable (last I checked), making it somewhat easier. This is the nut of "how it is done" as asked, and the answer is "you don't" get the real password hash of a zip file until just before the file is cracked.
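To make the "non-hash" concrete, here is an added example (not code from John the Ripper or rar2john, and not part of the answer above) that parses lines in the three `$RAR3$` layouts documented in the rar2john comment and separates the plaintext metadata (salt, CRC, sizes, method) from the ciphertext sample JtR tests guesses against. The three sample lines are constructed by hand with made-up salt, CRC, size, offset and ciphertext values; they follow the documented layout but did not come from real archives. The parser assumes archive and file names contain neither `*` nor `:`, and the field names `login`, `ciphertext_ref` and the helper functions are this example's own choices.

```python
"""Parser for the rar2john "$RAR3$" line format shown in the answer above.

Added example, not code from John the Ripper or rar2john. The sample lines
below are constructed (made-up salt, CRC, sizes, offsets and ciphertext bytes);
they follow the documented layout but did not come from real archives.
"""
from __future__ import annotations

import binascii
from dataclasses import dataclass
from typing import Optional

SALT_LEN = 8  # RAR 3.x stores an 8-byte salt per archive, in the clear
CRC_LEN = 4   # CRC32 of the unpacked file, stored in the clear for "rar -p"

# Constructed sample lines in the three layouts rar2john documents.
SAMPLE_LINES = [
    # type 0 ("rar -hp"): salt plus a sample of encrypted header bytes
    "secret.rar:$RAR3$*0*a1b2c3d4e5f60718*00112233445566778899aabbccddeeff:0::::secret.rar",
    # type 1 ("rar -p"), ciphertext left in the archive at a given offset
    "docs.rar:$RAR3$*1*a1b2c3d4e5f60718*deadbeef*4096*4070*0*docs.rar*96*48:1::report.txt",
    # type 1 ("rar -p"), small file, full ciphertext carried inline
    "notes.rar:$RAR3$*1*0102030405060708*cafebabe*32*29*1*"
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f*48:1::notes.txt",
]


@dataclass
class Rar3Entry:
    login: str                  # text before the first ':' (rar2john uses the archive name)
    type: int                   # 0 = "rar -hp", 1 = "rar -p"
    salt: bytes                 # plaintext metadata, read straight from the archive
    ciphertext: Optional[bytes]                 # ciphertext sample carried inline
    ciphertext_ref: Optional[tuple[str, int]]   # (archive, offset) when it stays on disk
    crc: Optional[bytes] = None
    pack_size: Optional[int] = None
    unp_size: Optional[int] = None
    method: Optional[int] = None
    file_name: Optional[str] = None


def parse_rar3_line(line: str) -> Rar3Entry:
    """Split one rar2john line into its fields and validate the fixed-size ones.

    Assumes archive and file names contain neither '*' nor ':' (a limit of this
    example parser, not a statement about rar2john).
    """
    login, sep, rest = line.strip().partition(":$RAR3$*")
    if not sep:
        raise ValueError("not a $RAR3$ line")
    fields = rest.split("*")
    # The last '*' field is followed by the ':'-separated trailer
    # (":type::file_name" for -p, ":type::::archive_name" for -hp).
    fields[-1], _, trailer = fields[-1].partition(":")
    trailer_parts = trailer.split(":")

    etype = int(fields[0])
    salt = binascii.unhexlify(fields[1])
    if len(salt) != SALT_LEN:
        raise ValueError(f"salt must be {SALT_LEN} bytes, got {len(salt)}")
    if not trailer_parts or trailer_parts[0] != str(etype):
        raise ValueError("type field and trailer disagree")

    if etype == 0:
        # $RAR3$*0*hex(salt)*hex(partial-file-contents)
        return Rar3Entry(login, 0, salt, binascii.unhexlify(fields[2]), None)
    if etype != 1:
        raise ValueError(f"unknown type {etype}")

    # $RAR3$*1*hex(salt)*hex(crc)*PACK_SIZE*UNP_SIZE*<0|1>*...*method
    crc = binascii.unhexlify(fields[2])
    if len(crc) != CRC_LEN:
        raise ValueError(f"crc must be {CRC_LEN} bytes, got {len(crc)}")
    pack_size, unp_size, inline_flag = int(fields[3]), int(fields[4]), fields[5]
    if inline_flag == "0":
        # Only a pointer: JtR has to reopen the archive to read the ciphertext.
        ct, ref, method = None, (fields[6], int(fields[7])), int(fields[8])
    elif inline_flag == "1":
        ct, ref, method = binascii.unhexlify(fields[6]), None, int(fields[7])
    else:
        raise ValueError(f"bad inline flag {inline_flag!r}")
    file_name = trailer_parts[2] if len(trailer_parts) > 2 else None
    return Rar3Entry(login, 1, salt, ct, ref, crc, pack_size, unp_size, method, file_name)


def plaintext_fields(entry: Rar3Entry) -> dict:
    """The fields rar2john copied out unencrypted: none of them is a password hash."""
    out = {"salt": entry.salt.hex()}
    if entry.type == 1:
        out.update(crc=entry.crc.hex(), pack_size=entry.pack_size,
                   unp_size=entry.unp_size, method=entry.method)
    return out


def inline_ciphertext_len(entry: Rar3Entry) -> int:
    """Ciphertext bytes the line itself carries (0 when only an offset is given)."""
    return len(entry.ciphertext) if entry.ciphertext is not None else 0


def parse_samples() -> list[Rar3Entry]:
    return [parse_rar3_line(line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for e in parse_samples():
        where = e.ciphertext_ref or f"{inline_ciphertext_len(e)} bytes inline"
        print(e.login, "type", e.type, plaintext_fields(e), "ciphertext:", where)
```

Running it shows the point of the answer: each line is a bundle of plaintext metadata plus either a short ciphertext sample or a pointer into the archive, and the only thing a cracker can do with it is derive a key from a guess and try to decrypt that sample.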
