Wednesday, February 11, 2015

Cracking Password Protected Word, Excel, and Powerpoint Documents

Password cracking a Word document or an Excel file has become much easier.  Previously you had to rely on a flaw in the document, some sketchy software or an even sketchier website. Since October 2014 OclHashcat now supports cracking the documents password.  The process is simple but not as straight forward as a novice might want. You need a couple of things a graphics card capable of cracking using GPU’s, such as an NVidia card with cuda support, OclHashcat version 1.31 or greater, python, and a password protected document.

I’m writing this for Windows because, let’s face it if you lost a password for Word, Excel or Powerpoint you probably have Windows.  First go to hashcat.net grab the correct OclHashcat version for your GPU either AMD or NVidia.  Download it and unzip it, you may need 7zip if you can’t unzip the file. Next, you need python, get that here python.org. (I’m not going to say use Python 2.7 or Python3 just grab whatever, I just use 2.7.) Grab the installer, and install it. You also need a python script called office2john and you can get that here office2john. Long story short john the ripper another password cracking suite is also capable of doing this, but I prefer OclHashcat.

Now, we have everything we need to recover that password right? Nope, we need one more thing some dictionaries to use with OclHashcat. Get those from SkullSecurity. You can move on to rule attacks or brute force if the dictionaries fail. One of my first go to lists is the rockyou list start there.

Let’s get cracking, open up a command prompt and navigate to the directory with the office2john.py file and the password protected file.  Enter:  python office2john.py FILENAME, filename being the protected document. After a second you will see the output like below:




Book1.xlsx:$office$*2010*100000*128*16*657ca4864bf8f86a617d21cb71b0c572*0d689a95b0e6ddca4c6f0b3b2c30cc46*1b4c305643f3a7da83f0671df10e80e6ed4d6c576129406f79dd6526ca34f153

This is the hash of the password that protects the document, the important part here is highlighted as we need to tell OclHashcat what type of hash this is. This one is an Office 2010 document.  From the command prompt navigate to where you have OclHashcat actually CudaHashcat for me. Entering --help after the cudahashcat32.exe or cudahashcat64.exe will show you the hash type numbers and you pick the one that matches your office version you see in the extracted hash above. 


Since the document is Office 2010 I need hash type 9500. Here is my command

“cudaHashcat32.exe -a 0 -m 9500 --username Book1.xlsx:$office$*2010*100000*128*16*657ca4864bf8f86a617d21cb71b0c572*0d689a95b0e6ddca4c6f0b3b2c30cc46*1b4c305643f3a7da83f0671df10e80e6ed4d6c576129406f79dd6526ca34f153 "D:\password_lists\skullsecurity-lists\skullsecurity-lists\rockyou.txt"

  •         -a 0, specifies dictionary attack mode
  •          -m, is the hash type
  •          --username, tells hashcat to ignore the username in this case the username is “Book1.xlsx”

The next part is the hash followed by the dictionary. Running this will result in the output similar to below.


In the image the hash was cracked in 4 seconds with the password being “Password”.  If that doesn’t work try another dictionary use rules or try to brute force. Keep in mind that a brute force can take a LONG TIME.

Even brute forcing a 6 character password with uppercase, lowercase and numbers can take more than a year. Obviously, the better or more GPU’s you have the faster it will be.  

Long story short:


  • Run office2john.py to get the hash of the protected document
  • Run OclHashcat on the hash 
  • Open document
See, I told you. easy.