About

The goal of this project is to make it very easy to convert password-protected .7z files (and .sfx files which contain .7z files) to "hashes" which hashcat can crack with mode: -m 11600 = 7-Zip

Requirements

Software:

Note: for Windows users, the release page provides executable files (.exe) which should work as-is without the need to install Perl or Perl modules.
Attention: the release version (7z2hashcat.exe) might not always be up to date with the newest source code. Please prefer the source code version over the .exe version, especially when you experience problems and want to report issues.

Installation and first steps

Note: this paragraph is only intended for users who do not use the release version for Windows. If you are a Windows user, you should be able to just run the 7z2hashcat executable (.exe) within cmd (see note below).

Note: regardless of how you launch 7z2hashcat (the Perl script directly or the Windows executable), you always need to open your shell/cmd/konsole/xterm application first and only afterwards start 7z2hashcat. If you just double-click the script/executable instead, it might appear that the program opens and closes immediately.

Command line parameters

The usage is very simple: you just specify the path to the 7-Zip file as the first command line argument.

You can also use multiple files on the command line like this:

perl 7z2hashcat.pl file1.7z file2.7z file3.sfx
perl 7z2hashcat.pl *.7z
perl 7z2hashcat.pl seven_zip_files/*
perl 7z2hashcat.pl splitted_7z_files/huge_file.7z.*

Note: on Windows you can use the release files (.exe); in that case, remember to replace the ".pl" extension with ".exe".
Note2: you can also use the Perl script on Windows directly after installing the requirements, e.g. perl 7z2hashcat.pl ...

Explanation of the hash format

The following paragraph explains some details about the output of 7z2hashcat.
You do not need to understand or know all this information for just cracking hashes. Instead, this is just some documentation about the different fields within the output.

7z2hashcat outputs one hash per line. Warning and error messages are written to STDERR and therefore shouldn't interfere with the "hashes" in the output.

Each hash line has several fields separated by the dollar character ($), but some fields can sometimes be omitted (indicated by "always outputted: no" in the table below). This depends on whether the fields are needed or not.

This is an overview of the output:

| $ | content of the field | always outputted | Explanation |
|---|---|---|---|
| $ | "7z" | yes | the literal string "7z" indicates the type of the hash |
| $ | [data type indicator] | yes | a number ranging from 0 to 255 to indicate truncation and compression (see below) |
| $ | [cost factor] | yes | the cost factor indicates how many iterations need to be performed (2 ^ [cost factor]) |
| $ | [length of salt] | yes | the length of the following field (the salt) |
| $ | [salt] | yes | the hexadecimal output of the salt |
| $ | [length of iv] | yes | the length of the initialization vector (values from 0 to 16) |
| $ | [iv] | yes | the initialization vector in hexadecimal form |
| $ | [CRC32] | yes | the actual "hash" aka the CRC checksum in decimal form |
| $ | [length of encrypted data] | yes | the length of the encrypted data (see [encrypted data]) |
| $ | [length of decrypted data] | yes | the length of the output of the AES decryption of [encrypted data] |
| $ | [encrypted data] | yes | the encrypted data itself (this field in some cases could be truncated, see below) |
| $ | [length of data for CRC32] | no | optional field indicating the length of the first "file" in case decompression needs to be used |
| $ | [coder attributes] | no | optional field indicating the comma-separated list of attributes for the decompressor(s) |
| $ | [preprocessor attributes] | no | optional field indicating the comma-separated list of attributes for the preprocessor |

The data type indicator is a special field and needs some further explanation:

This field is the first field after the hash signature (i.e. after "$7z$").
Whenever the data is longer than the value of PASSWORD_RECOVERY_TOOL_DATA_LIMIT (see 7z2hashcat.pl) and an AES padding attack is possible, the value will be 128 and [data] will be truncated (a warning message will be shown in case the data limit was reached but padding attack is not applicable).

If no truncation is used/possible:

Truncated data can only be verified using the padding attack and therefore combinations between truncation and a compressor are not meaningful/allowed.

Therefore, whenever the value is 128 or 0, neither coder attributes nor the length of the data for the CRC32 check is within the output.

On the other hand, for all values greater than or equal to 1 and smaller than 128, both the coder attributes and the length of the decompressed data for the CRC32 check are within the output.

The following table should sum up the most common data type indicator values pretty nicely:

| data type indicator | Explanation |
|---|---|
| 0 | uncompressed |
| 1 | LZMA |
| 2 | LZMA2 |
| 3 | PPMD |
| 6 | BZIP2 |
| 7 | DEFLATE |
| 128 | truncated |

Whenever the data needs to be either (pre)processed by multiple (2+) filters or whenever the data needs to be decompressed by multiple (2+) decompression algorithms, the attribute list (the fields preprocessor attributes and coder attributes accordingly) will be a comma-separated list of fields with type, order/position and attribute indicators.

The rules for this Multiple Compressor(s)/Preprocessor(s) list are as follows:

Multiple Compressor(s)/Preprocessor(s) type and order indicator (it is one combined field/number):

Sensitive data warning

WARNING: as you can see from the hash format explanation above, the hashes themselves could sometimes contain sensitive data (in some cases the data is both encrypted and compressed). You should be careful when it comes to sharing the output of 7z2hashcat, because people who understand the format might be able to extract sensitive data out of the decrypted (and decompressed) data.
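
The field layout from the hash format explanation, and a way to act on the warning above, as an added Python example (not part of 7z2hashcat and not the project's own code): it splits a hash line into the named fields, applies the data type indicator rules stated on this page, and produces a copy with the [encrypted data] field removed for pasting into an issue report. The function names and the two sample lines are constructed for illustration.

```python
REQUIRED = ["signature", "data_type", "cost_factor", "salt_len", "salt",
            "iv_len", "iv", "crc32", "enc_len", "dec_len", "enc_data"]
OPTIONAL = ["crc_data_len", "coder_attributes", "preprocessor_attributes"]
NUMERIC = ["data_type", "cost_factor", "salt_len", "iv_len",
           "crc32", "enc_len", "dec_len"]
# Data type indicator values listed in the table on this page.
DATA_TYPES = {0: "uncompressed", 1: "LZMA", 2: "LZMA2", 3: "PPMD",
              6: "BZIP2", 7: "DEFLATE", 128: "truncated"}

# Constructed sample lines (made-up values, not from a real archive).
SAMPLE_PLAIN = ("$7z$0$19$0$$16$000102030405060708090a0b0c0d0e0f"
                "$123456789$16$10$00112233445566778899aabbccddeeff")
SAMPLE_LZMA = SAMPLE_PLAIN.replace("$7z$0$", "$7z$1$") + "$10$5d00100000"


def parse_hash_line(line):
    """Split one 7z2hashcat output line into named fields and validate it."""
    parts = line.strip().split("$")
    if len(parts) < 2 or parts[0] != "" or parts[1] != "7z":
        raise ValueError("line does not start with $7z$")
    values = parts[1:]
    if not len(REQUIRED) <= len(values) <= len(REQUIRED) + len(OPTIONAL):
        raise ValueError(f"unexpected number of fields: {len(values)}")
    fields = dict(zip(REQUIRED + OPTIONAL, values))
    for name in NUMERIC:
        fields[name] = int(fields[name])  # ValueError if not a decimal number
    dtype = fields["data_type"]
    if not 0 <= dtype <= 255 or not 0 <= fields["iv_len"] <= 16:
        raise ValueError("data type indicator or IV length out of range")
    # Page rule: 0 and 128 carry no optional fields; 1..127 carry at least
    # the CRC32 data length and the coder attributes.
    if dtype in (0, 128) and len(values) != len(REQUIRED):
        raise ValueError("optional fields present for data type 0/128")
    if 1 <= dtype < 128 and "coder_attributes" not in fields:
        raise ValueError("compressed data type without coder attributes")
    fields["data_type_name"] = DATA_TYPES.get(dtype, "not listed on this page")
    fields["iterations"] = 2 ** fields["cost_factor"]
    return fields


def redact_for_sharing(line):
    """Keep the structure of a hash line but drop the encrypted data field."""
    parse_hash_line(line)  # refuse to "redact" something that is not a hash
    parts = line.strip().split("$")
    parts[11] = f"[redacted: {len(parts[11])} hex chars]"
    return "$".join(parts)
```

A redacted line can no longer be used with hashcat; it only shows which fields were present and how long the data was.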

hc_to_7z

For debugging / troubleshooting purposes, we have also developed a tool that tries to reverse the work of 7z2hashcat, i.e. to generate a valid 7-Zip (*.7z) archive file from hash lines (the output of 7z2hashcat). This is a proof of concept that you can find here: https://github.com/philsmd/hc_to_7z

Hacking / Missing features

Credits and Contributors

Credits go to:

License/Disclaimer

License: belongs to the PUBLIC DOMAIN, donated to hashcat, credits MUST go to hashcat and philsmd for their hard work. Thx

Disclaimer: WE PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

NO GUARANTEES THAT IT WORKS FOR YOU AND WORKS CORRECTLY