First, you'll need to download office2john.py. You can get it from GitHub here: https://github.com/kholia/RC4-40-brute-office
Or, you can download a copy I put here: http://bit.ly/1KKLlfV
Depending on your cracking strategy, you will likely also need a dictionary file for the attack. I will be using a dummy dictionary file as PoC, but there are lots out there and I won't go into that as a part of this post.
You'll of course also need John installed (google it) and will need a target Office file. I'm doing this from Kali 2.0 on an Excel 2013 test file which I encrypted with a password from Excel. Here are the files/names I used:
dictionary.lst (dictionary file)
office2john.py (extracts hash)
Okay, here we go. First, we extract the hash:
./office2john.py test-crack.xlsx > test-crack-hash.txt
The hash has now been written to test-crack-hash.txt and we can begin cracking. The method I used was a dictionary attack:
john --session=xlsx --rules --wordlist=dictionary.lst test-crack-hash.txt
Here is an explanation of the command line options used:
--session=xlsx: An optional identifier for you to manage the John session, in case you have multiple sessions. You can make the string after the equals sign be whatever you want.
--rules: Enables wordlist rules.
--wordlist=dictionary.lst: The dictionary file to use for the attack.
The last parameter is the text file containing the extracted hash.
If your cracking was successful, it should show the password when it completes. You can also run the following to show the cracked password after it completes:
john --show test-crack-hash.txt
Now you should be able to open the Office file using the password you cracked. It goes without saying that this should only be used for ethical purposes, so don't do evil stuff!
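The hash file from the extraction step also records which Office encryption generation protects the document, which is what decides how well a password holds up and which files are worth re-encrypting. The following is an added example, not part of the original post or of office2john.py; the field layout, the `describe` helper and the `MIN_ITERATIONS` threshold are assumptions.

```python
# Added example. Assumed line layout (not shown in the post):
#   <file>:$office$*<version>*<spin count or 20>*<key bits>*<salt size>*<salt>*...
#   <file>:$oldoffice$*<type>*<salt>*...
MIN_ITERATIONS = 100000  # hypothetical local policy threshold

# Hash function and fixed iteration count per Office generation.
# None means the spin count is read from the hash line itself.
PROFILES = {
    "2007": ("SHA-1", 50000),
    "2010": ("SHA-1", None),
    "2013": ("SHA-512", None),
}

def describe(line):
    """Summarise the encryption parameters recorded in one office2john line."""
    line = line.strip()
    for marker in ("$oldoffice$", "$office$"):
        pos = line.find(marker)
        if pos != -1:
            break
    else:
        raise ValueError("not an office2john hash line")
    name = line[:pos].rstrip(":") or None
    fields = line[pos + len(marker):].lstrip("*").split("*")
    if marker == "$oldoffice$":
        # Office 97-2003 RC4 encryption: always flagged for re-encryption.
        return {"file": name, "scheme": "legacy RC4", "hash": None,
                "iterations": None, "key_bits": None, "weak": True}
    if len(fields) < 4 or fields[0] not in PROFILES:
        raise ValueError("unrecognised $office$ version")
    digest, fixed = PROFILES[fields[0]]
    iterations = fixed if fixed is not None else int(fields[1])
    return {"file": name, "scheme": "Office " + fields[0], "hash": digest,
            "iterations": iterations, "key_bits": int(fields[2]),
            "weak": iterations < MIN_ITERATIONS}

# Constructed sample lines; salt and verifier fields are filler, not real hashes.
FILLER = "*".join(["00" * 16, "11" * 16, "22" * 32])
SAMPLES = [
    "test-crack.xlsx:$office$*2013*100000*256*16*" + FILLER,
    "budget.docx:$office$*2007*20*128*16*" + FILLER,
    "old.xls:$oldoffice$*1*" + FILLER,
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(describe(sample))
```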