Wednesday, September 9, 2015

Cracking Microsoft Office File Passwords

The best way to crack the password on a Microsoft Office file is to first extract the password hash from the file. But how do you do that? The script office2john.py is really useful for this: it extracts the password hash and converts it to a format that John the Ripper can handle. This is not a tutorial on John, so you'll have to hit up Google for that, but I'll give you the basic commands to get the job done. This should work on files from pretty much any version of Office (2003-2013), including .xls and .xlsx.

First, you'll need to download office2john.py. You can get it from GitHub here: https://github.com/kholia/RC4-40-brute-office or you can download a copy I put here: http://bit.ly/1KKLlfV

Depending on your cracking strategy, you will likely also need a dictionary file for the attack. I will be using a dummy dictionary file as a PoC, but there are lots out there and I won't go into that as part of this post.

You'll of course also need John installed (Google it) and a target Office file. I'm doing this from Kali 2.0 on an Excel 2013 test file which I encrypted with a password from Excel. Here are the files/names I used:

dictionary.lst (dictionary file)
office2john.py (extracts hash)
test-crack.xlsx (target)

Okay, here we go. First, we extract the hash:

./office2john.py test-crack.xlsx > test-crack-hash.txt

The hash has now been written to test-crack-hash.txt and we can begin cracking. The method I used was a dictionary attack:

john --session=xlsx --rules --wordlist=dictionary.lst test-crack-hash.txt

Here is an explanation of the command line options used:

--session=
An optional identifier for you to manage the John session, in case you have multiple sessions. You can make the string after the equals sign whatever you want.

--rules
Enables John's wordlist mangling rules, which generate variations of each dictionary word (case changes, appended digits, etc.) in addition to the word itself.

--wordlist=
The dictionary file to use for the attack.

[filename]
The last parameter is the text file containing the extracted hash.

If the attack succeeds, John prints the password when it completes. You can also run the following afterwards to display the cracked password: john --show test-crack-hash.txt
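Before committing to a long John run, it is worth checking that the extracted hash file actually has the shape John's "office" format loads; a mangled line is a common reason for a "No password hashes loaded" error. The parser below is an added example, not code from office2john.py or John; SAMPLE is constructed dummy hex in office2john's output shape, and the per-version meaning of the third field (verifier hash length for 2007, spin count for 2010/2013) follows John's office format.

```python
# Check that office2john.py output has the shape John's "office" format loads,
# before committing to a long run. Added example, not code from office2john or John;
# SAMPLE below is constructed dummy hex, not a real extracted hash.
import re

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
VERSIONS = {"2007": "SHA-1", "2010": "SHA-1", "2013": "SHA-512"}  # verifier hash per version
ECMA376_STANDARD_ITERATIONS = 50000  # the 2007 scheme's iteration count is fixed by the spec

def parse_office_hash(line):
    """Parse '<file>:$office$*ver*n*keybits*saltlen*salt*verifier*verifierhash'.

    Field n is the verifier hash length (20, SHA-1) for 2007 and the spin count
    (key-derivation iterations) for 2010/2013, so it is interpreted per version.
    """
    line = line.strip()
    start = line.find("$office$")
    if start < 0:
        raise ValueError("not an $office$ hash line")
    name = line[:start].rstrip(":")  # office2john prefixes the source file name
    fields = line[start:].split("*")
    if len(fields) != 8:
        raise ValueError("expected 8 '*'-separated fields, got %d" % len(fields))
    _, version, n, key_bits, salt_len, salt, verifier, verifier_hash = fields
    if version not in VERSIONS:
        raise ValueError("unknown Office encryption version %r" % version)
    if not all(HEX_RE.match(b) for b in (salt, verifier, verifier_hash)):
        raise ValueError("non-hex salt/verifier field")
    if len(salt) != 2 * int(salt_len):
        raise ValueError("salt length field %s does not match salt hex" % salt_len)
    iterations = ECMA376_STANDARD_ITERATIONS if version == "2007" else int(n)
    return {"file": name, "version": version, "hash": VERSIONS[version],
            "iterations": iterations, "key_bits": int(key_bits), "salt": bytes.fromhex(salt)}

def load_hash_file(text):
    """Parse every non-empty line; return (parsed entries, [(line number, problem)])."""
    results, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            results.append(parse_office_hash(line))
        except ValueError as exc:
            problems.append((lineno, str(exc)))
    return results, problems

# Constructed sample in office2john's output shape for an Office 2013 file (dummy hex).
SAMPLE = "test-crack.xlsx:$office$*2013*100000*256*16*" + "ab" * 16 + "*" + "cd" * 16 + "*" + "ef" * 64
```

The iteration count and hash type it reports also explain why a 2013 file (100000 rounds of SHA-512 per guess) cracks far more slowly than a 2007 one, which is why a good dictionary matters more than raw speed.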

Now you should be able to open the Office file using the password you cracked. It goes without saying that this should only be used for ethical purposes, so don't do evil stuff!

Ciao!

2 comments:

  1. Hello there!

    Is there any way to extract the hash from an .xlsm file? I tried using the script but I got the following error:
    AttributeError: OleFileIO instance has no attribute 'dumpsect'

    Thanks in advance!
    Cheers
