HashPals / Name-That-Hash

🔗 Don't know what type of hash it is? Name That Hash will name that hash type! 🤖 Identify MD5, SHA256 and 300+ other hashes ☄ Comes with a neat web app 🔥
https://nth.skerritt.blog
GNU General Public License v3.0

Add specific PKZIP hashes and tests #138

Closed JorianWoltjer closed 1 year ago

JorianWoltjer commented 2 years ago

I'm using Name-That-Hash for a tool of mine, and I wanted it to recognize ZIP hashes. There was already a PKZIP hash regex that matched any type of PKZIP hash, but hashcat uses 5 different types. So I made these 5 regexes that match all 5 of these different types.

These are the 5 types of PKZIP that I added. You can click on them to see some tests in Regexr.

It took me quite a bit to understand how these hashes work, and how you can tell them apart. So, to aid in understanding it, here are my very rough notes:

$pkzip2$C*B*[DT*MT{CL *UL *CR      *OF*OX}*CT*DL *CS  *TC  *DA]                         *$/pkzip2$
$pkzip2$1*1* 2 *0 *e3 *1c5*eda7a8de*0 *28 *8 *e3 *eda7*5096*a9fc1f4e951c8fb3031a6f903e5f4e3211c8fdc4671547bf77f6f682afbfcc7475d83898985621a7af9bccd1349d1976500a68c48f630b7f22d7a0955524d768e34868880461335417ddd149c65a917c0eb0a4bf7224e24a1e04cf4ace5eef52205f4452e66ded937db9545f843a68b1e84a2e933cc05fb36d3db90e6c5faf1bee2249fdd06a7307849902a8bb24ec7e8a0886a4544ca47979a9dfeefe034bdfc5bd593904cfe9a5309dd199d337d3183f307c2cb39622549a5b9b8b485b7949a4803f63f67ca427a0640ad3793a519b2476c52198488e3e2e04cac202d624fb7d13c2*$/pkzip2$
$pkzip2$1*1* 2 *0 *1d1*1c5*eda7a8de*0 *28 *0 *1d1*eda7*5096*1dea673da43d9fc7e2be1a1f4f664269fceb6cb88723a97408ae1fe07f774d31d1442ea8485081e63f919851ca0b7588d5e3442317fff19fe547a4ef97492ed75417c427eea3c4e146e16c100a2f8b6abd7e5988dc967e5a0e51f641401605d673630ea52ebb04da4b388489901656532c9aa474ca090dbac7cf8a21428d57b42a71da5f3d83fed927361e5d385ca8e480a6d42dea5b4bf497d3a24e79fc7be37c8d1721238cbe9e1ea3ae1eb91fc02aabdf33070d718d5105b70b3d7f3d2c28b3edd822e89a5abc0c8fee117c7fbfbfd4b4c8e130977b75cb0b1da080bfe1c0859e6483c42f459c8069d45a76220e046e6c2a2417392fd87e4aa4a2559eaab3baf78a77a1b94d8c8af16a977b4bb45e3da211838ad044f209428dba82666bf3d54d4eed82c64a9b3444a44746b9e398d0516a2596d84243b4a1d7e87d9843f38e45b6be67fd980107f3ad7b8453d87300e6c51ac9f5e3f6c3b702654440c543b1d808b62f7a313a83b31a6faaeedc2620de7057cd0df80f70346fe2d4dccc318f0b5ed128bcf0643e63d754bb05f53afb2b0fa90b34b538b2ad3648209dff587df4fa18698e4fa6d858ad44aa55d2bba3b08dfdedd3e28b8b7caf394d5d9d95e452c2ab1c836b9d74538c2f0d24b9b577*$/pkzip2$

$pkzip$C*B*[DT*MT{CL *UL *CR      *OF*OX}*CT*DL *CS  *DA]                               *$/pkzip$
$pkzip$1*1* 2 *0 *163*2b5*cd154083*0 *26 *8 *163*cd15*d6b094794b40116a8b387c10159225d776f815b178186e51faf16fa981fddbffdfa22f6c6f32d2f81dab35e141f2899841991f3cb8d53f8ee1f1d85657f7c7a82ebb2d63182803c6beee00e0bf6c72edeeb1b00dc9f07f917bb8544cc0e96ca01503cd0fb6632c296cebe3fb9b64543925daae6b7ea95cfd27c42f6f3465e0ab2c812b9aeeb15209ce3b691f27ea43a7a77b89c2387e31c4775866a044b6da783af8ddb72784ccaff4d9a246db96484e865ea208ade290b0131b4d2dd21f172693e6b5c90f2eb9b67572b55874b6d3a78763212b248629e744c07871a6054e24ef74b6d779e44970e1619df223b4e5a72a189bef40682b62be6fb7f65e087ca6ee19d1ebfc259fa7e3d98f3cb99347689f8360294352accffb146edafa9e91afba1f119f95145738ac366b332743d4ff40d49fac42b8758c43b0af5b60b8a1c63338359ffbff432774f2c92de3f8c49bd4611e134db98e6a3f2cfb148d2b20f75abab6*$/pkzip$
$pkzip$1*2* 2 *0 *11 *5  *22dc8822*0 *42 *0 *11 *55ee*bfcbf39396ab87b78eb574a02dd5020f23*$/pkzip$

if CT == 8:
    return 17200
elif CT == 0:
    return 17210

$pkzip2$C*B*[DT*MT{CL*UL *CR      *OF  *OX}*CT*DL*CS  *TC  *DA]
$pkzip2$3*1* 1 *0 *8 *24 *a425    *8827*d1730095cd829e245df04ebba6c52c0573d49d3bbeab6cb385b7fa8a28dcccd3098bfdd7
           * 1 *0 *8 *24 *2a74    *882a*51281ac874a60baedc375ca645888d29780e20d4076edd1e7154a99bde982152a736311f
           * 2 *0 *e3*1c5*eda7a8de*0   *29 *8 *e3*eda7*5096*1455781b59707f5151139e018bdcfeebfc89bc37e372883a7ec0670a5eafc622feb338f9b021b6601a674094898a91beac70e41e675f77702834ca6156111a1bf7361bc9f3715d77dfcdd626634c68354c6f2e5e0a7b1e1ce84a44e632d0f6e36019feeab92fb7eac9dda8df436e287aafece95d042059a1b27d533c5eab62c1c559af220dc432f2eb1a38a70f29e8f3cb5a207704274d1e305d7402180fd47e026522792f5113c52a116d5bb25b67074ffd6f4926b221555234aabddc69775335d592d5c7d22462b75de1259e8342a9ba71cb06223d13c7f51f13be2ad76352c3b8ed*$/pkzip2$

$pkzip$C*B*[DT*MT{CL*UL *CR      *OF*OX}*CT*DL*CS  *DA]
$pkzip$3*1* 1 *0 *8 *24 *4001    *8986ec4d693e86c1a42c1bd2e6a994cb0b98507a6ec937fe0a41681c02fe52c61e3cc046
          * 1 *0 *8 *24 *4003    *a087adcda58de2e14e73db0043a4ff0ed3acc6a9aee3985d7cb81d5ddb32b840ea2057d9
          * 2 *0 *e4*1c5*eda7a8de*0 *4c *8 *e4*eda7*89a792af804bf38e31fdccc8919a75ab6eb75d1fd6e7ecefa3c5b9c78c3d50d656f42e582af95882a38168a8493b2de5031bb8b39797463cb4769a955a2ba72abe48ee75b103f93ef9984ae740559b9bd84cf848d693d86acabd84749853675fb1a79edd747867ef52f4ee82435af332d43f0d0bb056c49384d740523fa75b86a6d29a138da90a8de31dbfa89f2f6b0550c2b47c43d907395904453ddf42a665b5f7662de170986f89d46d944b519e1db9d13d4254a6b0a5ac02b3cfdd468d7a4965e4af05699a920e6f3ddcedb57d956a6b2754835b14e174070ba6aec4882d581c9f30*$/pkzip$

VS.

$pkzip2$C*B*[DT*MT{CL*UL*CR      *OF  *OX}*CT*DL*CS  *TC  *DA]
$pkzip2$3*1* 1 *0 *0 *24*3e2c    *3ef8*0619e9d17ff3f994065b99b1fa8aef41c056edf9fa4540919c109742dcb32f797fc90ce0
           * 1 *0 *8 *24*431a    *3f26*18e2461c0dbad89bd9cc763067a020c89b5e16195b1ac5fa7fb13bd246d000b6833a2988
           * 2 *0 *23*17*1e3c1a16*2e4 *2f *0 *23*1e3c*3f2d*54ea4dbc711026561485bbd191bf300ae24fa0997f3779b688cdad323985f8d3bb8b0c*$/pkzip2$
$pkzip2$3*2* 1 *2 *8 *c0*7224    *72f6*6195f9f3401076b22f006105c4323f7ac8bb8ebf8d570dc9c7f13ddacd8f071783f6bef08e09ce4f749af00178e56bc948ada1953a0263c706fd39e96bb46731f827a764c9d55945a89b952f0503747703d40ed4748a8e5c31cb7024366d0ef2b0eb4232e250d343416c12c7cbc15d41e01e986857d320fb6a2d23f4c44201c808be107912dbfe4586e3bf2c966d926073078b92a2a91568081daae85cbcddec75692485d0e89994634c71090271ac7b4a874ede424dafe1de795075d2916eae
           * 1 *6 *8 *c0*26ee    *461b*944bebb405b5eab4322a9ce6f7030ace3d8ec776b0a989752cf29569acbdd1fb3f5bd5fe7e4775d71f9ba728bf6c17aad1516f3aebf096c26f0c40e19a042809074caa5ae22f06c7dcd1d8e3334243bca723d20875bd80c54944712562c4ff5fdb25be5f4eed04f75f79584bfd28f8b786dd82fd0ffc760893dac4025f301c2802b79b3cb6bbdf565ceb3190849afdf1f17688b8a65df7bc53bc83b01a15c375e34970ae080307638b763fb10783b18b5dec78d8dfac58f49e3c3be62d6d54f9
           * 2 *0 *2a*1e*4a204eab*ce8 *2c *0 *2a*4a20*7235*6b6e1a8de47449a77e6f0d126b217d6b2b72227c0885f7dc10a2fb3e7cb0e611c5c219a78f98a9069f30*$/pkzip2$

if C > 1:
    if CT == 8:
        return 17220
    elif CT == 0:
        return 17225

$pkzip2$C*B*[DT*MT{CL*UL*CR  *OF  *OX}*CT*DL*CS*TC*DA]
$pkzip2$8*1* 1 *0 *8 *24*a425*8827*3bd479d541019c2f32395046b8fbca7e1dca218b9b5414975be49942c3536298e9cc939e
           * 1 *0 *8 *24*2a74*882a*537af57c30fd9fd4b3eefa9ce55b6bff3bbfada237a7c1dace8ebf3bb0de107426211da3
           * 1 *0 *8 *24*2a74*882a*5f406b4858d3489fd4a6a6788798ac9b924b5d0ca8b8e5a6371739c9edcfd28c82f75316
           * 1 *0 *8 *24*2a74*882a*1843aca546b2ea68bd844d1e99d4f74d86417248eb48dd5e956270e42a331c18ea13f5ed
           * 1 *0 *8 *24*2a74*882a*aca3d16543bbfb2e5d2659f63802e0fa5b33e0a1f8ae47334019b4f0b6045d3d8eda3af1
           * 1 *0 *8 *24*2a74*882a*fbe0efc9e10ae1fc9b169bd060470bf3e39f09f8d83bebecd5216de02b81e35fe7e7b2f2
           * 1 *0 *8 *24*2a74*882a*537886dbabffbb7cac77deb01dc84760894524e6966183b4478a4ef56f0c657375a235a1
           * 1 *0 *8 *24*eda7*5096*40eb30ef1ddd9b77b894ed46abf199b480f1e5614fde510855f92ae7b8026a11f80e4d5f*$/pkzip2$

if C > 1 and CT is None:
    return 17230

In the Regexr links above you can see all the test hashes I've tested them with. In here I put a combination of the john PKZIP format tests and some I found online. All hashes can be cracked with hashcat with the format it found.
In the Python tests I used the hashcat example hashes.

EDIT (RAR archives)

I have since also added hashes for RAR archives.

There was not a lot of documentation about these hash formats, but I've added what I could. Here are the 4 types of RAR archives:

Again, I made some notes to understand these hashes. Here are those very rough notes:

$RAR3$*type*hex(salt)*hex(partial-file-contents)

$RAR3$*type*hex(salt)       *hex(crc)*PACK_SIZE*UNP_SIZE*0*archive_name*offset-for-ciphertext*method

$RAR3$*type*hex(salt)       *hex(crc)*PACK_SIZE*UNP_SIZE*1*hex(full encrypted file)                                        *method
$RAR3$*1   *e54a73729887cb53*49b0a846*16       *14      *1*34620bcca8176642a210b1051901921e                                *30
$RAR3$*1   *ad56eb40219c9da2*834064ce*32       *13      *1*eb47b1abe17a1a75bce6c92ab1cef3f4126035ea95deaf08b3f32a0c7b8078e1*33

$RAR3$*1   *a605a174c0d6230e*42f92a4d*3421968  *3421958 *1*b5fd953f408cae345e4579bdfc58622...009acbf153c72c8eabc59d3622fe75*30
$RAR3$*1   *df205ddd8c3ebfe4*42f92a4d*3429712  *3421958 *1*e951e3fa7c43babffd2a37f09a680fc...7394f4728db49cc17b6ea69069183c*33
$RAR3$*1   *bbe5ffafa822a31d*42f92a4d*3429696  *3421958 *1*e39d24fe1edf6ce85db805c47935a4d...1c0f9c0620fc4179cc606f194e78e2*35

$RAR3$*type*hex(salt)       *hex(crc)*PACK_SIZE*UNP_SIZE*0*archive_name *offset-for-ciphertext*method
$RAR3$*1   *a605a174c0d6230e*42f92a4d*3421968  *16      *0*./archive.rar*3462a                *33

if method == 30:
    return 23700  # uncompressed
elif method in [31, 32, 33, 34, 35]:
    return 23800  # compressed

* 0x30 - storing
* 0x31 - fastest compression
* 0x32 - fast compression
* 0x33 - normal compression (default)
* 0x34 - good compression
* 0x35 - best compression

EDIT 2 (KeePass)

Another update. I have also added KeePass hashes in the commit. There were 2 examples in the "Add new hash types" issue, but in the hashcat example hashes I found 4 different types. So I made 4 regexes for the 4 different types; they are all hashcat mode 13400. Here are the regexes with tests as always:

I found this Python implementation very helpful in understanding these KeePass hashes.

Note: I also fixed a few small issues with the existing regexes I faced.
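
The decision logic in the PKZIP and RAR3 notes above, written out as a small field-walking parser. This is an added example for readers of this thread, not code from the PR or from Name-That-Hash (which identifies hashes with regexes rather than a parser). It assumes hashcat's published field layout, `$pkzip2$C*B*[DT*MT{CL*UL*CR*OF*OX}*CT*DL*CS*TC*DA]*$/pkzip2$`, where the `{...}` group is present only for entries with DT != 1 and the plain `$pkzip$` variant has no TC field; the notes above line the checksum-only entries up slightly differently, so treat that layout as this example's assumption. The constants and function names are this example's own. Two of the sample hashes are copied from the notes with their alignment padding removed; the rest are constructed with short, self-consistent DL/DA lengths and are not hashes of real archives.

```python
import re

# Hashcat mode numbers as used in the PR notes above.
PKZIP_COMPRESSED = 17200           # C == 1, CT == 8
PKZIP_UNCOMPRESSED = 17210         # C == 1, CT == 0
PKZIP_COMPRESSED_MULTI = 17220     # C > 1, CT == 8
PKZIP_MIXED_MULTI = 17225          # C > 1, CT == 0
PKZIP_CHECKSUM_ONLY_MULTI = 17230  # C > 1, no entry carries file data
RAR3_UNCOMPRESSED = 23700          # method 0x30 (storing)
RAR3_COMPRESSED = 23800            # method 0x31..0x35


def parse_pkzip(hash_str):
    """Split a $pkzip$/$pkzip2$ hash into (count, magic, entries).

    Assumed layout (hashcat's published description, see lead-in):
    C*B*[DT*MT{CL*UL*CR*OF*OX}*CT*DL*CS*TC*DA]; {...} only when DT != 1,
    TC only in the $pkzip2$ variant. Whitespace is dropped first because the
    notes pad fields with spaces for column alignment."""
    h = re.sub(r"\s+", "", hash_str)
    m = re.fullmatch(r"\$(pkzip2?)\$(.+)\*\$/\1\$", h)
    if not m:
        raise ValueError("not a $pkzip$/$pkzip2$ hash")
    variant, fields = m.group(1), m.group(2).split("*")
    has_tc = variant == "pkzip2"
    count, magic = int(fields[0], 16), int(fields[1], 16)
    pos, entries = 2, []
    try:
        for _ in range(count):
            e = {"dt": int(fields[pos], 16), "mt": int(fields[pos + 1], 16)}
            pos += 2
            if e["dt"] != 1:  # entry carries data: lengths, CRC and offsets present
                e.update(cl=int(fields[pos], 16), ul=int(fields[pos + 1], 16),
                         cr=fields[pos + 2], of=int(fields[pos + 3], 16),
                         ox=int(fields[pos + 4], 16))
                pos += 5
            e["ct"], e["dl"], e["cs"] = int(fields[pos], 16), int(fields[pos + 1], 16), fields[pos + 2]
            pos += 3
            if has_tc:
                e["tc"] = fields[pos]
                pos += 1
            e["da"] = fields[pos]
            pos += 1
            # DL is the byte length of DA; a mismatch means a truncated or mangled hash.
            if len(e["da"]) != 2 * e["dl"]:
                raise ValueError("DL %#x does not match the data length" % e["dl"])
            entries.append(e)
    except IndexError:
        raise ValueError("fewer fields than the count C announces") from None
    if pos != len(fields):
        raise ValueError("unexpected trailing fields")
    return count, magic, entries


def pkzip_hashcat_mode(hash_str):
    """The PR's rule: the count C and the CT of the entry carrying data pick the mode."""
    count, _, entries = parse_pkzip(hash_str)
    data_entries = [e for e in entries if e["dt"] != 1]
    if not data_entries:
        if count > 1:
            return PKZIP_CHECKSUM_ONLY_MULTI
        raise ValueError("a single checksum-only entry matches none of the modes in the notes")
    ct = data_entries[-1]["ct"]
    if ct not in (0, 8):
        raise ValueError("unknown compression type %#x" % ct)
    if count == 1:
        return PKZIP_COMPRESSED if ct == 8 else PKZIP_UNCOMPRESSED
    return PKZIP_COMPRESSED_MULTI if ct == 8 else PKZIP_MIXED_MULTI


def rar3_hashcat_mode(hash_str):
    """$RAR3$*1*salt*crc*PACK_SIZE*UNP_SIZE*F*...*method, as in the notes: F == 1 embeds
    hex(encrypted file), F == 0 names the archive plus an offset; the method byte
    (0x30 storing .. 0x35 best) selects the mode. Only the type-1 layout is handled."""
    fields = re.sub(r"\s+", "", hash_str).split("*")
    if fields[0] != "$RAR3$" or fields[1] != "1":
        raise ValueError("not a type-1 $RAR3$ hash")
    salt, pack_size, inline = fields[2], int(fields[4]), fields[6]
    if len(salt) != 16:  # RAR3 uses an 8-byte salt
        raise ValueError("salt must be 8 bytes")
    if inline == "1":
        if len(fields[7]) != 2 * pack_size:  # embedded ciphertext is exactly PACK_SIZE bytes
            raise ValueError("PACK_SIZE does not match the embedded data length")
        method = int(fields[8], 16)
    elif inline == "0":
        method = int(fields[9], 16)  # fields[7] is the archive name, fields[8] the offset
    else:
        raise ValueError("unknown data flag %r" % inline)
    if method == 0x30:
        return RAR3_UNCOMPRESSED
    if 0x31 <= method <= 0x35:
        return RAR3_COMPRESSED
    raise ValueError("unknown RAR method %#x" % method)


# Copied from the notes above (padding removed):
PKZIP_UNCOMPRESSED_HASH = "$pkzip$1*2*2*0*11*5*22dc8822*0*42*0*11*55ee*bfcbf39396ab87b78eb574a02dd5020f23*$/pkzip$"
RAR3_STORED_HASH = "$RAR3$*1*e54a73729887cb53*49b0a846*16*14*1*34620bcca8176642a210b1051901921e*30"
# Constructed for this example (not real archive hashes):
PKZIP_COMPRESSED_HASH = "$pkzip2$1*1*2*0*4*6*deadbeef*0*28*8*4*eda7*5096*01020304*$/pkzip2$"
PKZIP_COMPRESSED_MULTI_HASH = "$pkzip2$2*1*1*0*8*2*a425*8827*0a0b*2*0*4*6*deadbeef*0*29*8*4*eda7*5096*01020304*$/pkzip2$"
PKZIP_MIXED_MULTI_HASH = "$pkzip2$2*1*1*0*0*2*a425*8827*0a0b*2*0*4*6*deadbeef*0*29*0*4*eda7*5096*01020304*$/pkzip2$"
PKZIP_CHECKSUM_ONLY_HASH = "$pkzip2$3*1*1*0*8*2*a425*8827*0a0b*1*0*8*2*2a74*882a*0c0d*1*0*0*2*eda7*5096*0e0f*$/pkzip2$"
RAR3_COMPRESSED_HASH = "$RAR3$*1*ad56eb40219c9da2*834064ce*32*13*1*eb47b1abe17a1a75bce6c92ab1cef3f4126035ea95deaf08b3f32a0c7b8078e1*33"
RAR3_EXTERNAL_HASH = "$RAR3$*1*a605a174c0d6230e*42f92a4d*3421968*16*0*./archive.rar*3462a*33"

if __name__ == "__main__":
    for h in (PKZIP_UNCOMPRESSED_HASH, PKZIP_COMPRESSED_HASH, PKZIP_COMPRESSED_MULTI_HASH,
              PKZIP_MIXED_MULTI_HASH, PKZIP_CHECKSUM_ONLY_HASH):
        print(pkzip_hashcat_mode(h), h[:32] + "...")
    for h in (RAR3_STORED_HASH, RAR3_COMPRESSED_HASH, RAR3_EXTERNAL_HASH):
        print(rar3_hashcat_mode(h), h[:32] + "...")
```

The DL-versus-data-length and PACK_SIZE checks are what a regex cannot express: they catch a hash that was cut off when copied, which would otherwise still match the pattern and be reported as a valid mode.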

bee-san commented 2 years ago

There is a bunch of merge conflicts I need to look at (or you, if you want!) :S <3 <3

JorianWoltjer commented 2 years ago

Thanks for the reply, I have just resolved the merge by basically including both the hashes that I was behind, and my new ones. I also ran a test on the suggested code and it passes all the tests for me.