I have made a 7z archive using the Delta filter containing a wav file and I have protected it with a password. I am running a terminal in Kali Linux. My problem is that I cannot get the password cracked using 7z2john.pl and John the Ripper. If I omit the Delta compression, using only the default compression of 7z, then the cracking succeeds. My question: is it possible to use 7z2john.pl and John the Ripper to crack a password-protected 7z file with Delta compression? If it is possible, how can it be done?

Here are the steps to reproduce the problem:

  1. I use the following command to create the archive:

7z a test.7z *.wav -mf=Delta:4 -peasy

I get this output:

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=fi_FI.utf8,Utf16=on,HugeFiles=on,64 bits,4 CPUs Intel(R) Core(TM) i5-4460  CPU @ 3.20GHz (306C3),ASM,AES-NI)

Open archive: test.7z
--
Path = test.7z
Type = 7z
Physical Size = 1090
Headers Size = 162
Method = Delta LZMA2:15 7zAES
Solid = -
Blocks = 1

Scanning the drive:
1 file, 32080 bytes (32 KiB)

Updating archive: test.7z

Items to compress: 1

    
Files read from disk: 1
Archive size: 1090 bytes (2 KiB)
Everything is Ok

  2. I use 7z2john.pl to generate material for John the Ripper to crack the archive:

/usr/share/john/7z2john.pl test.7z > test.hash

The test.hash file content is like this:

test.7z:$7z$2$19$0$$8$6fec50e4cfb022cc0000000000000000$1800792722$928$925$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$32080$06

  3. I create a word list file containing only the password I gave to the archive:

echo easy > wordlist.txt

Then I try to decrypt the file:

sudo john test.hash --wordlist=wordlist.txt

I get the following output:

Using default input encoding: UTF-8
Loaded 1 password hash (7z, 7-Zip [SHA256 256/256 AVX2 8x AES])
Cost 1 (iteration count) is 524288 for all loaded hashes
Cost 2 (padding size) is 3 for all loaded hashes
Cost 3 (compression type) is 2 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 1 candidate left, minimum 32 needed for performance.
0g 0:00:00:00 DONE (2020-08-15 07:37) 0g/s 5.555p/s 5.555c/s 5.555C/s easy
Session completed

  4. I check if the password has been cracked:

sudo john --show test.hash

I get the following output:

0 password hashes cracked, 1 left

So it seems that the decrypting did not succeed. However, I can extract the archive using the command 7z e test.7z -peasy so the password should be correct. Also, if I create the archive without specifying the Delta filter, using the command 7z a test.7z *.wav -peasy, then by repeating steps 1-4 I get the password cracked and am shown the result that the correct password has been found:

$ 7z a test.7z *.wav -peasy

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=fi_FI.utf8,Utf16=on,HugeFiles=on,64 bits,4 CPUs Intel(R) Core(TM) i5-4460  CPU @ 3.20GHz (306C3),ASM,AES-NI)

Scanning the drive:
1 file, 32080 bytes (32 KiB)

Creating archive: test.7z

Items to compress: 1

    
Files read from disk: 1
Archive size: 1058 bytes (2 KiB)
Everything is Ok

$ /usr/share/john/7z2john.pl test.7z > test.hash
$ cat test.hash
test.7z:$7z$2$19$0$$8$6afc0305ac999f760000000000000000$1800792722$912$901$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$32080$06
$ echo easy >> wordlist.txt
$ sudo john test.hash --wordlist=wordlist.txt
Using default input encoding: UTF-8
Loaded 1 password hash (7z, 7-Zip [SHA256 256/256 AVX2 8x AES])
Cost 1 (iteration count) is 524288 for all loaded hashes
Cost 2 (padding size) is 11 for all loaded hashes
Cost 3 (compression type) is 2 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 1 candidate left, minimum 32 needed for performance.
easy             (test.7z)
1g 0:00:00:00 DONE (2020-08-15 07:49) 5.263g/s 5.263p/s 5.263c/s 5.263C/s easy
Use the "--show" option to display all of the cracked passwords reliably
Session completed
$ sudo john --show test.hash
test.7z:easy

1 password hash cracked, 0 left

UndercoverDog
juhohe

1 Answer

Did you notify the hashcat or John the Ripper teams at the time?

Two weeks ago, someone did. As a result of that, 7z2hashcat got support for the delta filter three days ago. The same day, support was added to John the Ripper (bleeding-edge version here).

As far as I know, it's not in hashcat yet (although I believe it will now reject such hashes as opposed to providing false negatives), but adding it is trivial so they'll probably do it soon (especially if kindly asked to).

schroeder
magnum
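
An added example, not part of the original question or answer and not code from John the Ripper or hashcat: it shows why a cracker that is unaware of the Delta filter reports a false negative even with the right password. It assumes the candidate is verified by comparing the CRC32 of the decoded data with the CRC field in the hash line (1800792722 in both hashes above, since the file is the same), and that Delta:4 is a byte-wise difference at distance 4; the sample data and all function names are constructed for illustration.

```python
import struct
import zlib


def delta_encode(data: bytes, distance: int) -> bytes:
    """Delta filter: out[i] = in[i] - in[i - distance] (mod 256)."""
    out = bytearray(len(data))
    for i, b in enumerate(data):
        prev = data[i - distance] if i >= distance else 0
        out[i] = (b - prev) & 0xFF
    return bytes(out)


def delta_decode(data: bytes, distance: int) -> bytes:
    """Inverse filter: out[i] = in[i] + out[i - distance] (mod 256)."""
    out = bytearray(len(data))
    for i, b in enumerate(data):
        prev = out[i - distance] if i >= distance else 0
        out[i] = (b + prev) & 0xFF
    return bytes(out)


def verify(after_lzma2: bytes, stored_crc: int, delta_distance: int = 0) -> bool:
    """Candidate check: undo the filter only if we know about it, then compare CRC32."""
    if delta_distance:
        after_lzma2 = delta_decode(after_lzma2, delta_distance)
    return zlib.crc32(after_lzma2) == stored_crc


def make_samples(n: int = 2000) -> bytes:
    # Constructed stand-in for WAV data: 16-bit stereo frames, 4 bytes each
    return b"".join(
        struct.pack("<hh", (i * 37) % 20000 - 10000, (i * 11) % 9000)
        for i in range(n)
    )


def demo() -> dict:
    original = make_samples()
    stored_crc = zlib.crc32(original)        # the archive stores the CRC of the original file
    after_lzma2 = delta_encode(original, 4)  # correct password + LZMA2 decode still leaves delta-coded bytes
    return {
        "filter_unaware": verify(after_lzma2, stored_crc),   # False: right password rejected
        "filter_aware": verify(after_lzma2, stored_crc, 4),  # True: filter undone before the CRC check
        "no_filter_archive": verify(original, stored_crc),   # True: the case that already worked
    }
```
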