Password cracking a Word document or an Excel file has become much easier. Previously you had to rely on a flaw in the document, some sketchy software or an even sketchier website. Since October 2014, OclHashcat supports cracking the document’s password. The process is simple but not as straightforward as a novice might want. You need a few things: a graphics card capable of GPU cracking, such as an NVidia card with CUDA support; OclHashcat version 1.31 or greater; Python; and a password-protected document.
I’m writing this for Windows because, let’s face it, if you lost a password for Word, Excel or PowerPoint you probably have Windows. First go to hashcat.net and grab the correct OclHashcat version for your GPU, either AMD or NVidia. Download it and unzip it; you may need 7zip if you can’t unzip the file. Next, you need Python; get that at python.org. (I’m not going to say use Python 2.7 or Python 3, just grab whatever; I just use 2.7.) Grab the installer and install it. You also need a Python script called office2john, which you can get here: office2john. John the Ripper, another password cracking suite, is also capable of doing this, but I prefer OclHashcat.
Now we have everything we need to recover that password, right? Nope, we need one more thing: some dictionaries to use with OclHashcat. Get those from SkullSecurity. You can move on to rule attacks or brute force if the dictionaries fail. One of my first go-to lists is the rockyou list; start there.
Let’s get cracking. Open up a command prompt and navigate to the directory with the office2john.py file and the password-protected file. Enter: python office2john.py FILENAME, with FILENAME being the protected document. After a second you will see output like that below:
Book1.xlsx:$office$*2010*100000*128*16*657ca4864bf8f86a617d21cb71b0c572*0d689a95b0e6ddca4c6f0b3b2c30cc46*1b4c305643f3a7da83f0671df10e80e6ed4d6c576129406f79dd6526ca34f153
This is the hash of the password that protects the document. The important part is the Office version in it (2010 here), because we need to tell OclHashcat what type of hash this is. This one is an Office 2010 document. From the command prompt, navigate to where you have OclHashcat (actually CudaHashcat for me). Entering --help after cudahashcat32.exe or cudahashcat64.exe will show you the hash type numbers; pick the one that matches the Office version you see in the extracted hash above.
Since the document is Office 2010, I need hash type 9500.
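The version-to-mode lookup described above can be scripted. This is an added example, not code from the original post or from office2john or hashcat: a Python 3 helper that validates an office2john output line, catches a truncated or badly wrapped paste, and returns the matching -m value. The function name and the field labels are this example's own assumptions.

```python
import re

# hashcat -m values keyed by the version field of a $office$ hash.
# 9500 is the mode used on this page; 9400 and 9600 are the Office 2007
# and Office 2013 entries in hashcat's --help listing.
HASHCAT_MODES = {"2007": 9400, "2010": 9500, "2013": 9600}
HEX_RE = re.compile(r"[0-9a-fA-F]+")

# The sample line printed by office2john.py earlier on this page.
SAMPLE = ("Book1.xlsx:$office$*2010*100000*128*16"
          "*657ca4864bf8f86a617d21cb71b0c572"
          "*0d689a95b0e6ddca4c6f0b3b2c30cc46"
          "*1b4c305643f3a7da83f0671df10e80e6ed4d6c576129406f79dd6526ca34f153")


def parse_office_hash(line):
    """Validate one office2john output line and pick the hashcat mode."""
    # Everything before ":$office$*" is the file name, the part that
    # --username tells hashcat to skip.
    filename, sep, body = line.strip().partition(":$office$*")
    if not sep:
        raise ValueError("no $office$ hash on this line")
    fields = body.split("*")
    if len(fields) != 7:
        raise ValueError("expected 7 fields, got %d (truncated paste?)" % len(fields))
    version, second, key_bits, salt_size, salt, verifier, verifier_hash = fields
    if version not in HASHCAT_MODES:
        raise ValueError("unknown Office version field: %r" % version)
    for name, value in (("second", second), ("key_bits", key_bits), ("salt_size", salt_size)):
        if not re.fullmatch(r"[0-9]+", value):
            raise ValueError("%s field is not a number: %r" % (name, value))
    for name, blob in (("salt", salt), ("verifier", verifier), ("verifier_hash", verifier_hash)):
        if not HEX_RE.fullmatch(blob) or len(blob) % 2:
            raise ValueError("%s is not whole hex bytes" % name)
    if len(salt) != 2 * int(salt_size):
        raise ValueError("salt length does not match the salt_size field")
    # Field labels are this example's own; the second field is the key
    # derivation iteration count for 2010/2013 and a size for 2007.
    second_name = "verifier_hash_size" if version == "2007" else "spin_count"
    return {"filename": filename, "version": version, "mode": HASHCAT_MODES[version],
            second_name: int(second), "key_bits": int(key_bits),
            "hash": "$office$*" + body}


if __name__ == "__main__":
    info = parse_office_hash(SAMPLE)
    print("Office %(version)s -> hashcat -m %(mode)d" % info)
    print("iterations per guess:", info.get("spin_count"))
```

The spin count it reports (100000 for the sample) is the number of hash iterations behind every single guess, which is why these hashes are slow to attack.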
Here is my command:
cudaHashcat32.exe -a 0 -m 9500 --username Book1.xlsx:$office$*2010*100000*128*16*657ca4864bf8f86a617d21cb71b0c572*0d689a95b0e6ddca4c6f0b3b2c30cc46*1b4c305643f3a7da83f0671df10e80e6ed4d6c576129406f79dd6526ca34f153 "D:\password_lists\skullsecurity-lists\skullsecurity-lists\rockyou.txt"
- -a 0 specifies dictionary attack mode
- -m is the hash type
- --username tells hashcat to ignore the username; in this case the username is “Book1.xlsx”
The next part is the hash, followed by the dictionary.
Running this will result in output similar to the image below. In the image, the hash was cracked in 4 seconds, with the password being “Password”. If that doesn’t work, try another dictionary, use rules, or try to brute force. Keep in mind that a brute force can take a LONG TIME.
Even brute forcing a 6 character password with uppercase, lowercase and numbers can take more than a year. Obviously, the better your GPUs are, or the more of them you have, the faster it will be.
Long story short:
- Run office2john.py to get the hash of the protected document
- Run OclHashcat on the hash
- Open document
On an xlsx or docx file, rather than brute forcing the password, can you just extract the file and change the XML flags to not enforce protection? For Word I believe there is an enforce flag; Excel has different flags depending on what's been set.
If the document has a read or edit password, yes, you can do that. However, we are talking about when the whole document or xlsx file is protected.
Excellent - thank you!
Worked perfectly and much easier than all the crappy pay apps out there. Great stuff!
awesome!!!
Bruteforcing a 6 character Excel sheet takes 18 mins on a laptop with an Nvidia 750m (there are better cards now; the laptop is from 2014 or so, an Asus N550)
Awesome write-up. Used this for a CTF :D