
How to Crack Password-Protected Microsoft Office Files, Including Word Documents and Excel Spreadsheets « Null Byte :: WonderHowTo



Microsoft Office files can be protected with a password that encrypts the document so that it cannot be opened without it. But documents saved by older versions of Office are susceptible to having their password hashes extracted with a simple script called office2john. The extracted hashes can then be cracked with John the Ripper or Hashcat.

Extracting the hash from a password-protected Microsoft Office file takes only seconds with office2john. Strictly speaking, what the script pulls out is not a stored password hash but the file's encryption header (the salt and the encrypted password verifier), which is all a cracker needs to test guesses offline. Although the encryption scheme used by Office has changed several times over the years, office2john understands all of them.

The tool is written in Python and is run directly from the terminal. As for Office compatibility, it is known to work on password-protected Word, Excel, PowerPoint, OneNote, Project, Access, and Outlook files created with Office 97, Office 2000, Office XP, Office 2003, Office 2007, Office 2010, and Office 2013, including the Office for Mac versions. What it reports is the encryption scheme rather than the application that wrote the file: a DOCX we saved in Office 2016 was reported as Office 2013, because Office 2016 still writes the 2013 scheme.

Step 1: Install Office2John

To get started, we need the script itself. Jumbo builds of John the Ripper ship it in their run directory (on Kali, look in /usr/share/john/), so check there first; the plain John package does not include it. If it is absent, download it from GitHub with wget. The project now lives at github.com/openwall/john, where the same script sits in the run/ directory.

  wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/office2john.py
--2019-02-05 14:34:45--  https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/office2john.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.148.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.148.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 131690 (129K) [text/plain]
Saving to: 'office2john.py'

office2john.py      100%[===================================================>] 128.60K  --.-KB/s    in 0.09s

2019-02-05 14:34:46 (1.45 MB/s) - 'office2john.py' saved [131690/131690]

Step 2: Make sure everything is in the same directory

To run office2john with Python, we have to change into the directory it was downloaded to. For most of you this will be your home directory by default (just enter cd), but it is neater to create a separate directory for the script, the hash file, and the documents.

Next, we need a suitable file to test with. I used a simple DOCX named "dummy.docx" that I created and password-protected with Word 2007. Download it to follow along; the password is "password123", which is what you will recover. You can also download documents created with Word 2010 and Word 2016 (reported as 2013) for more examples. Their passwords are also "password123".

Step 3: Extract the Hash with Office2john

The first thing to do is extract the hash from our password-protected Office file. Run the following command and redirect the output to "hash.txt" for later use.

  python office2john.py dummy.docx > hash.txt

To verify that the hash was extracted, use the cat command on hash.txt. The line begins with the document's name, then $office$ and the version of the encryption scheme, so we can see that the hash I saved corresponds to Microsoft Office 2007.

Step 4: Crack What You Just Saved

As mentioned, we will show two ways to crack the hash you just saved from the password-protected Microsoft Office file. Both methods work well, so it really comes down to preference.

Option 1: Cracking with John

Pass the --wordlist flag with the location of your favorite wordlist. The one included with Nmap will do for our purposes here, but for harder passwords you will want a more comprehensive dictionary.

  john --wordlist=/usr/share/wordlists/nmap.lst hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Office, 2007/2010/2013 [SHA1 128/128 SSE2 4x / SHA512 128/128 SSE2 2x AES])
Cost 1 (MS Office version) is 2007 for all loaded hashes
Cost 2 (iteration count) is 50000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status

John will start cracking and, depending on the complexity of the password, will finish as soon as a match is found. Press almost any key to display the current status. When the hash is cracked, a message appears on screen with the document's password. Because our password was quite simple, it took only seconds to crack.

  password123      (dummy.docx)
1g 0:00:00:03 DONE (2019-02-05 15:00) 0.2824g/s 415.8p/s 415.8c/s 415.8C/s lacoste..kolvdude
Use the "--show" option to display all of the cracked passwords reliably
Session completed

We can also use the --show option to view it later, like this:

  john --show hash.txt
dummy.docx:password123

1 password hash cracked, 0 left

Now that we know a method to crack a password-protected Microsoft Office file, let's look at another path with the powerful Hashcat tool.

Option 2: Cracking with Hashcat

We can start by showing the help menu (--help) for Hashcat. This gives us a wealth of information, including usage options, hash modes, and other features. There is a lot of output here, so I won't reproduce it, but you should dig into it if you really want to get to know Hashcat.

  hashcat --help 

From that output, we are only interested in the MS Office hash modes. Near the bottom of the help menu we find the MS Office modes and their corresponding numbers. We know from our hash line ($office$*2007*...) that this is an Office 2007 file, so its mode ID is 9400. Always take the version from the hash line itself, not from the application that saved the document.

  9700 | MS Office <= 2003 $0/$1, MD5 + RC4              | Document
  9710 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #1 | Document
  9720 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #2 | Document
  9800 | MS Office <= 2003 $3/$4, SHA1 + RC4             | Document
  9810 | MS Office <= 2003 $3, SHA1 + RC4, collider #1   | Document
  9820 | MS Office <= 2003 $3, SHA1 + RC4, collider #2   | Document
  9400 | MS Office 2007                                  | Document
  9500 | MS Office 2010                                  | Document
  9600 | MS Office 2013                                  | Document

Now we can set the rest of our options with the following command.

  hashcat -a 0 -m 9400 --username -o cracked_pass.txt hash.txt /usr/share/wordlists/nmap.lst

  • The -a flag sets the attack type; 0 is the default straight (wordlist) mode.
  • The -m flag sets the hash mode we want to use, 9400 for Office 2007.
  • The --username option makes Hashcat ignore the "dummy.docx:" prefix that office2john writes in front of the hash, the way it would ignore a username in other hash files.
  • The -o flag names the output file, here cracked_pass.txt.
  • Finally, we pass hash.txt, which contains the hash, followed by the wordlist, just as before.

Hashcat then starts cracking.

  hashcat (v5.1.0) starting...

* Device #2: Not a native Intel OpenCL runtime. Expect massive speed loss.
             You can use --force to override, but do not report related errors.
OpenCL Platform #1: Intel(R) Corporation
========================================
* Device #1: Intel(R) Core(TM) i5 CPU M 480 @ 2.67GHz, 934/3736 MB allocatable, 4MCU

...

After a little while the status changes to Cracked and we are ready to view the password.

  Session..........: hashcat
Status...........: Cracked
Hash.Type........: MS Office 2007
Hash.Target......: $office$*2007*20*128*16*a7c7a4eadc2d90fb22c073c6324...2b6870
Time.Started.....: Tue Feb  5 15:08:00 2019 (4 secs)
Time.Estimated...: Tue Feb  5 15:08:04 2019 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/nmap.lst)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      610 H/s (8.51ms) @ Accel:512 Loops:128 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 2048/5084 (40.28%)
Rejected.........: 0/2048 (0.00%)
Restore.Point....: 0/5084 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:49920-50000
Candidates.#1....: #!comment: ***********************IMPORTANT NMAP LICENSE TERMS************************ -> Princess

Started: Tue Feb  5 15:07:50 2019
Stopped: Tue Feb  5 15:08:05 2019

Simply cat the output file you specified and it will display the hash with the plaintext password appended at the end. Now we know two methods of cracking the hash after extracting it from a password-protected Microsoft Office file with office2john.
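Both crackers spend almost all of their time in the same place: the 50,000-round SHA-1 loop that john reports as "Cost 2 (iteration count)" and that hashcat shows as "Iteration:49920-50000" in its status. The following is an added example in standard-library Python, written for this page and not taken from the article, John the Ripper or Hashcat. It parses an office2john line for a 2007-scheme file, runs the ECMA-376 "standard" key derivation that MS-OFFCRYPTO documents (SHA-1 over the salt and the UTF-16LE password, spun 50,000 times, one more SHA-1 with a zero block, then the 0x36-padded step that yields the AES-128 key), decrypts the two verifier fields with AES-128-ECB and accepts a guess only if SHA-1 of the verifier matches the stored verifier hash. A small pure-Python AES is included so the block runs offline. The salt, verifier and password in the demo are constructed for the example rather than taken from dummy.docx, and the 2010/2013 line layouts, which carry a different spin count and hash function, are deliberately not handled.

```python
# Added example for this page: the per-guess check behind john's and hashcat's "MS Office 2007" modes, in
# standard-library Python. Not code from the article, John or Hashcat; demo salt/verifier/password are constructed.
import hashlib, struct

# ---- minimal AES-128 (ECB, one block); the S-box is generated rather than typed so this stays short ----
def _rotl8(x, s): return ((x << s) | (x >> (8 - s))) & 0xFF
def _xtime(a): return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
def _xor(a, b): return [x ^ y for x, y in zip(a, b)]

def _make_sbox():
    sbox, p, q = [0] * 256, 1, 1        # walk GF(2^8)* with p *= 3, q /= 3 so p*q == 1, then the affine map
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        q ^= (q << 1) & 0xFF; q ^= (q << 2) & 0xFF; q ^= (q << 4) & 0xFF
        if q & 0x80: q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1: break
    sbox[0] = 0x63
    return sbox
SBOX = _make_sbox()
INV_SBOX = [0] * 256
for _i, _v in enumerate(SBOX): INV_SBOX[_v] = _i

def _gmul(a, b):                        # multiplication in GF(2^8)
    r = 0
    while b:
        if b & 1: r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _expand_key(key):                   # 11 round keys of 16 bytes, column-major like the state
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon; rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

_MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
_INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]
def _shift(s, d):                       # ShiftRows (d=1) / InvShiftRows (d=-1) on a column-major state
    return [s[4 * ((c + d * r) % 4) + r] for c in range(4) for r in range(4)]
def _mix(s, m):                         # (Inv)MixColumns: each column times matrix m over GF(2^8)
    return [_gmul(s[4 * c], m[r][0]) ^ _gmul(s[4 * c + 1], m[r][1]) ^ _gmul(s[4 * c + 2], m[r][2])
            ^ _gmul(s[4 * c + 3], m[r][3]) for c in range(4) for r in range(4)]

def aes128_encrypt_block(key, block):
    rk, s = _expand_key(key), list(block)
    s = _xor(s, rk[0])
    for rnd in range(1, 11):
        s = _shift([SBOX[b] for b in s], 1)
        if rnd < 10: s = _mix(s, _MIX)
        s = _xor(s, rk[rnd])
    return bytes(s)

def aes128_decrypt_block(key, block):
    rk, s = _expand_key(key), list(block)
    s = _xor(s, rk[10])
    for rnd in range(9, -1, -1):
        s = _xor([INV_SBOX[b] for b in _shift(s, -1)], rk[rnd])
        if rnd > 0: s = _mix(s, _INV_MIX)
    return bytes(s)

# ---- ECMA-376 "standard" encryption, the scheme Office 2007 writes (MS-OFFCRYPTO 2.3.4.7 / 2.3.4.9) ----
SPIN_COUNT = 50000                      # john's "Cost 2 (iteration count)": the loop that makes each guess slow

def derive_key_2007(password, salt, key_bits=128):
    # H0 = SHA1(salt||pw); Hn = SHA1(LE32(n)||Hn-1) x SPIN_COUNT; Hfinal = SHA1(Hn||block 0);
    # key = SHA1(64 x 0x36 XOR Hfinal)[:key_bits/8]  (the 0x5C half is only needed for keys longer than 20 bytes)
    h = hashlib.sha1(salt + password.encode("utf-16-le")).digest()
    for i in range(SPIN_COUNT):
        h = hashlib.sha1(struct.pack("<I", i) + h).digest()
    h = hashlib.sha1(h + b"\x00\x00\x00\x00").digest()
    return hashlib.sha1(bytes(b ^ 0x36 for b in h) + b"\x36" * 44).digest()[:key_bits // 8]

def parse_office_hash(line):
    # 'dummy.docx:$office$*2007*20*128*16*<salt>*<encVerifier>*<encVerifierHash>'; 2007 layout only
    # (2010/2013 lines carry a spin count in field 2 and use SHA-1/SHA-512 with 100,000 rounds).
    f = line[line.index("$office$"):].split(":")[0].split("*")
    if f[1] != "2007": raise ValueError("only $office$*2007* (hashcat -m 9400) is implemented here")
    return {"verifier_hash_size": int(f[2]), "key_bits": int(f[3]), "salt": bytes.fromhex(f[5]),
            "enc_verifier": bytes.fromhex(f[6]), "enc_verifier_hash": bytes.fromhex(f[7])}

def check_password_2007(entry, password):
    # Decrypt both verifier fields with the derived key (AES-ECB, no IV); the guess is right iff
    # SHA1(verifier) equals the stored verifier hash. Nothing secret is needed: the header is enough.
    key = derive_key_2007(password, entry["salt"], entry["key_bits"])
    verifier = aes128_decrypt_block(key, entry["enc_verifier"])
    evh = entry["enc_verifier_hash"]
    stored = b"".join(aes128_decrypt_block(key, evh[i:i + 16]) for i in range(0, len(evh), 16))
    return hashlib.sha1(verifier).digest() == stored[:entry["verifier_hash_size"]]

def make_office_hash_2007(password, salt, verifier, name="dummy.docx"):
    # The line office2john would print for a file whose header was written with this password, salt and
    # 16-byte verifier (random in a real file). Used here only to build constructed test data.
    key = derive_key_2007(password, salt)
    vh = hashlib.sha1(verifier).digest() + b"\x00" * 12      # 20-byte hash padded to two AES blocks
    enc_vh = b"".join(aes128_encrypt_block(key, vh[i:i + 16]) for i in (0, 16))
    return "%s:$office$*2007*20*128*16*%s*%s*%s" % (name, salt.hex(), aes128_encrypt_block(key, verifier).hex(), enc_vh.hex())

def crack(line, wordlist):             # straight wordlist attack, as 'john --wordlist' / 'hashcat -a 0 -m 9400'
    entry = parse_office_hash(line)
    return next((guess for guess in wordlist if check_password_2007(entry, guess)), None)

if __name__ == "__main__":
    sample = make_office_hash_2007("password123", bytes(range(16)), b"constructed-16B!")
    print(sample, "\ncracked:", crack(sample, ["lacoste", "Princess", "password123"]))
```

Run as a script, it prints the constructed $office$ line and then the recovered password. Every wrong guess still costs the full 50,000 SHA-1 rounds before the cheap AES check can reject it; that spin count, not the AES step, is why the Hashcat status above reports hundreds rather than millions of hashes per second on a laptop CPU, and why the 2010 and 2013 schemes doubled it to 100,000.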

How to Defend Against Cracks

As with password cracking of any kind, the best defense is good password practice: unique passwords that are long and not easy to guess. Mixing upper- and lower-case letters, digits, and symbols helps, although more recent research shows that length and entropy matter more, so long passphrases beat short "complex" passwords. Better still are long, randomly generated passwords, which are effectively impossible to guess. Bear in mind that the attacker needs nothing but a copy of the file: the "hash" is just the encryption header, so there is no server to rate-limit or lock out guesses, and the password's entropy is the only thing standing between the document and a wordlist.

As for this specific attack, do not count on a newer version of Office to protect you. office2john reports the encryption scheme, not the application that wrote the file, and Office 2016 and later still save with the 2013 scheme, which is why a document we saved in Office 2016 was reported as 2013. Such a file is cracked the same way (Hashcat mode 9600); the only difference is that the 2013 scheme costs the attacker 100,000 rounds per guess instead of the 50,000 SHA-1 rounds of the 2007 scheme, so re-saving an old document in the current format raises the price of every guess but does not rescue a weak password. In addition, there are still plenty of older Microsoft Office documents floating around, and some organizations continue to run these older versions, which keeps this attack very feasible today.

Wrapping Up

Today, we learned that password-protected Microsoft Office files are not as safe as one might believe. We used a tool called office2john to extract the hash from a DOCX file and then cracked the hash using John the Ripper and Hashcat. These file types are still in common use, so if you come across one with a password on it, it is good to know there is a way to crack it.

Cover image by Efes/Pixabay
