Microsoft Office files can be password-protected to prevent tampering and ensure data integrity. However, for password-protected documents from earlier versions of Office, hashes can be extracted with a simple program called office2john. These extracted hashes can then be cracked with John the Ripper and Hashcat.
Extracting the hash from a password-protected Microsoft Office file takes only a few seconds with the office2john tool. While the encryption standard for various Office products has fluctuated over the years, none of them can withstand the hash-stealing abilities of Office2john.
This tool is written in Python and can be run directly from the terminal. In terms of Office compatibility, it is known to work with any password-protected file from Word, Excel, PowerPoint, OneNote, Project, Access, and Outlook that is compatible with Office 97, Office 2000, Office XP, Office 2003, Office 2007, Office 2007 was created in 201
Step 1: Install Office2John
To begin, we need to download the tool from GitHub, as office2john is not included in the standard version of John the Ripper (which should already be installed on your Kali system). This is easily done with wget.
wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/office2john.py

--2019-02-05 14:34:45--  https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/office2john.py
Auflösen von raw.githubusercontent.com (raw.githubusercontent.com) ... 22.214.171.124
Verbindung zu raw.githubusercontent.com (raw.githubusercontent.com)|126.96.36.199|:443 ... hergestellt.
HTTP-Anfrage gesendet, wartet auf Antwort ... 200 OK
Länge: 131690 (129K) [text/plain]
Save as: "office2john.py"

office2john.py      100%[===================================>] 128.60K  --.-KB/s    in 0.09s

2019-02-05 14:34:46 (1.45 MB/s) - 'office2john.py' saved [131690/131690]
Step 2: Make sure everything is in the same directory
Next we need a suitable file to test this on. I'm using a simple DOCX file called dummy.docx that I created with Word 2007 and protected with a password. Download it to follow along. The password is "password123", as you will find out. You can also download documents created with Word 2010 and Word 2016 (which will be identified as 2013) for more examples. The password for these is also "password123".
Step 3: Extracting the hash with Office2john
python office2john.py dummy.docx > hash.txt
To verify that the hash was extracted successfully, use the cat command. We can see that the extracted hash is tagged as Microsoft Office 2007. Neat.

cat hash.txt

dummy.docx:$office$*2007*20*128*16*a7c7a4eadc2d90fb22c073c6324b6b49*abc5f80409f5f96f97e184e44aacd0b7*930b0c48a7eb5e13a57af4f3030b48e9402b6870

Step 4: Cracking the Extracted Hash
As mentioned above, we will show two ways to crack the hash we just extracted from the password-protected Microsoft Office file. Both methods work well, so it comes down to preference.
Starting with John the Ripper, set the --wordlist flag to the location of your favorite word list. The one included with Nmap is suitable for our purposes here, but for tougher passwords you should use a more extensive word list.
john --wordlist=/usr/share/wordlists/nmap.lst hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Office, 2007/2010/2013 [SHA1 128/128 SSE2 4x / SHA512 128/128 SSE2 2x AES])
Cost 1 (MS Office version) is 2007 for all loaded hashes
Cost 2 (iteration count) is 50000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
John starts cracking and, depending on the complexity of the password, finishes once a match is found. Press almost any key to display the current status. When the hash is cracked, a message appears on the screen with the document's password. Since our password was fairly simple, it only took a few seconds to crack.
password123      (dummy.docx)
1g 0:00:00:03 DONE (2019-02-05 15:00) 0.2824g/s 415.8p/s 415.8c/s 415.8C/s lacoste..cooldude
Use the "--show" option to display all of the cracked passwords reliably
Session completed
We can also use the --show option to display it:

john --show hash.txt

dummy.docx:password123

1 password hash cracked, 0 left
Now that we've learned a way to crack a password-protected Microsoft Office file, let's look for another way with the powerful Hashcat tool.
We can start with the help menu (--help) for Hashcat. This gives you a wealth of information, including usage options, hash modes, and other features. There's a ton of information here, so I'm not going to display the whole output, but you should look through it if you really want to get to know Hashcat. Near the bottom of the help output are the MS Office hash modes and their numbers. We know from our hash that it is an Office 2007 file, so we look for the mode ID 9400.
9700 | MS Office <= 2003 $0/$1, MD5 + RC4              | Documents
9710 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #1 | Documents
9720 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #2 | Documents
9800 | MS Office <= 2003 $3/$4, SHA1 + RC4             | Documents
9810 | MS Office <= 2003 $3, SHA1 + RC4, collider #1   | Documents
9820 | MS Office <= 2003 $3, SHA1 + RC4, collider #2   | Documents
9400 | MS Office 2007                                  | Documents
9500 | MS Office 2010                                  | Documents
9600 | MS Office 2013                                  | Documents
Now we can set the remaining options with the following command:
hashcat -a 0 -m 9400 --username -o cracked_pass.txt hash.txt /usr/share/wordlists/nmap.lst

The -a flag sets the attack mode; 0 is the straight (dictionary) mode. The -m flag selects the hash mode we just looked up, 9400. The --username option tells Hashcat to ignore the file-name prefix (dummy.docx:) in the hash file, which it would otherwise treat as a user name. The -o flag writes cracked results to the output file cracked_pass.txt. Finally, we pass hash.txt, which contains the hash, and the same word list we used before.
Hashcat will then start cracking.
hashcat (v5.1.0) starting...

* Device #2: Not a native Intel OpenCL runtime. Expect massive speed loss.
             You can use --force to override, but do not report related errors.
OpenCL Platform #1: Intel(R) Corporation
========================================
* Device #1: Intel(R) Core(TM) i5 CPU M 480 @ 2.67GHz, 934/3736 MB allocatable, 4MCU

...
After some time, the status is displayed as cracked and we can see the password.
Session..........: hashcat
Status...........: Cracked
Hash.Type........: MS Office 2007
Hash.Target......: $office$*2007*20*128*16*a7c7a4eadc2d90fb22c073c6324...2b6870
Time.Started.....: Tue Feb  5 15:08:00 2019 (4 secs)
Time.Estimated...: Tue Feb  5 15:08:04 2019 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/nmap.lst)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      610 H/s (8.51ms) @ Accel:512 Loops:128 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 2048/5084 (40.28%)
Rejected.........: 0/2048 (0.00%)
Restore.Point....: 0/5084 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:49920-50000
Candidates.#1....: #!comment: ***************************************************************************************************** -> princess

Started: Tue Feb  5 15:07:50 2019
Stopped: Tue Feb  5 15:08:05 2019
Simply cat the output file we specified, and the hash is shown with the plaintext password appended to the end.

cat cracked_pass.txt

$office$*2007*20*128*16*a7c7a4eadc2d90fb22c073c6324b6b49*abc5f80409f5f96f97e184e44aacd0b7*930b0c48a7eb5e13a57af4f3030b48e9402b6870:password123
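What that line actually encodes, and why it falls in seconds, is easiest to see by re-implementing the check Word itself performs when a document is opened. The following Go program is an added example and is not part of the original article, office2john, John or Hashcat: it parses the $office$*2007 line above into its fields (salt, encrypted verifier, encrypted verifier hash), derives the AES-128 key the way MS-OFFCRYPTO 2.3.4.7 specifies for Office 2007 standard encryption, and reports whether one candidate password is correct. The 50000 chained SHA-1 rounds (john's "Cost 2") are the whole cost of testing a guess.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
	"unicode/utf16"
)

// office2007Key is the MS-OFFCRYPTO 2.3.4.7 key derivation behind a $office$*2007 hash.
func office2007Key(password string, salt []byte, spinCount int) []byte {
	var pw []byte
	for _, u := range utf16.Encode([]rune(password)) { // Office hashes the UTF-16LE password
		pw = append(pw, byte(u), byte(u>>8))
	}
	h := sha1.Sum(append(append([]byte{}, salt...), pw...)) // H0 = SHA1(salt || password)
	for i := 0; i < spinCount; i++ { // Hn = SHA1(LE32(n) || Hn-1): the only cost per guess
		h = sha1.Sum(append([]byte{byte(i), byte(i >> 8), byte(i >> 16), byte(i >> 24)}, h[:]...))
	}
	h = sha1.Sum(append(h[:], 0, 0, 0, 0)) // Hfinal = SHA1(Hn || block 0)
	x := bytes.Repeat([]byte{0x36}, 64)    // X1 = SHA1(0x36 pad XOR Hfinal); key = X1[:16]
	for i, b := range h {
		x[i] ^= b
	}
	k := sha1.Sum(x)
	return k[:16]
}

// checkOffice2007 parses one office2john line and runs the verifier check Word itself performs.
func checkOffice2007(line, password string) (bool, error) {
	f := strings.Split(line, "*") // file:$office$*2007*20*128*16*salt*encVerifier*encVerifierHash
	if len(f) != 8 || !strings.HasSuffix(f[0], "$office$") || f[1] != "2007" || f[3] != "128" {
		return false, fmt.Errorf("not an Office 2007 AES-128 hash: %q", line)
	}
	salt, _ := hex.DecodeString(f[5])
	encVerifier, _ := hex.DecodeString(f[6])
	encVerifierHash, _ := hex.DecodeString(f[7])
	if len(salt) != 16 || len(encVerifier) != 16 || len(encVerifierHash) < 16 {
		return false, fmt.Errorf("malformed hash fields: %q", line)
	}
	c, _ := aes.NewCipher(office2007Key(password, salt, 50000)) // 16-byte key never errors; 50000 = john's "Cost 2"
	verifier, want := make([]byte, 16), make([]byte, 16)
	c.Decrypt(verifier, encVerifier)      // AES-128-ECB, one block, no IV
	c.Decrypt(want, encVerifierHash[:16]) // office2john keeps 20 bytes; the first block suffices
	got := sha1.Sum(verifier)
	return bytes.Equal(got[:16], want), nil
}
```

Calling checkOffice2007 with the dummy.docx line from hash.txt and "password123" returns true, and any other guess costs exactly the same 50000 SHA-1 calls to reject, which is the budget to keep in mind when picking a password for a 2007-format file.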
Success! We now know two methods to crack the hash after extracting it from a password-protected Microsoft Office file with office2john.
How to Protect Yourself from Cracking
When it comes to password cracking of any kind, the best defense is to follow password best practices. This means using unique passwords that are long and not easy to guess. It helps to use a combination of uppercase and lowercase letters, numbers, and symbols, although recent research has shown that long passphrases with high entropy are superior. Better still are long, randomly generated passwords, which make cracking practically impossible.
As for this particular attack, documents created with Microsoft Office 2016, 2019, or newer may defeat it, because office2john was developed for earlier versions of Office. However, as you saw above, Office 2016 may save a document in the 2013 format without the user even knowing it, so a "new" file is not necessarily uncrackable. In addition, there are still plenty of older Microsoft Office documents in circulation, and some organizations continue to use these older versions, so this attack is still very much feasible today.

Microsoft Office files are not quite as safe as you might think. We used a tool called office2john to extract the hash of a DOCX file and then cracked that hash with John the Ripper and Hashcat. This type of file is still commonly used today, so if you come across a password-protected one, you now know there is a way to crack it.