How to crack password-protected Microsoft Office files, including Word documents and Excel spreadsheets «Null Byte :: WonderHowTo



Microsoft Office files can be password-protected to prevent tampering and ensure data integrity. However, for password-protected documents from earlier versions of Office, hashes can be extracted with a simple program called office2john. These extracted hashes can then be cracked with John the Ripper and Hashcat.

Extracting the hash from a password-protected Microsoft Office file takes only a few seconds with the office2john tool. While the encryption standard for various Office products has fluctuated over the years, none of them can withstand the hash-stealing abilities of Office2john.

This tool is written in Python and can be run directly from the terminal. In terms of Office compatibility, it is known to work with any password-protected file from Word, Excel, PowerPoint, OneNote, Project, Access, and Outlook that is compatible with Office 97, Office 2000, Office XP, Office 2003, Office 2007, Office 2010, and Office 2013, including the versions of Office for Mac. It may not work on newer versions of Office; however, a DOCX we saved in Office 2016 was identified as an Office 2013 document.

Step 1: Install Office2John

To begin, we need to download the tool from GitHub, as office2john is not included in the standard version of John the Ripper (which should already be installed on your Kali system). This is easily done with wget.

  wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/office2john.py
  --2019-02-05 14:34:45--  https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/office2john.py
  Auflösen von raw.githubusercontent.com (raw.githubusercontent.com) ... 151.101.148.133
  Verbindung zu raw.githubusercontent.com (raw.githubusercontent.com)|151.101.148.133|:443 ... hergestellt.
  HTTP-Anfrage gesendet, wartet auf Antwort ... 200 OK
  Länge: 131690 (129K) [text/plain]
  Save as: "office2john.py"

  office2john.py 100%[=======================================================================>] 128.60K --.-KB/s in 0.09s

  2019-02-05 14:34:46 (1.45 MB/s) - 'office2john.py' saved [131690/131690]

Step 2: Make sure everything is in the same directory

To run office2john with Python, we need to be in the same directory it was downloaded to. For most of you, this will be your home directory by default (just enter cd), but feel free to create a separate directory for it.

Next, we need a suitable file to test this on. I'm using a simple DOCX file called dummy.docx that I created with Word 2007 and protected with a password. Download it to follow along. The password is "password123", as you will find out. You can also download documents created with Word 2010 and Word 2016 (which will be identified as 2013) for more examples. The password for these is also "password123".

Step 3: Extracting the hash with Office2john

The first thing we need to do is to extract the hash from our password-protected Office file. Run the following command and redirect the output to hash.txt for later use.

  python office2john.py dummy.docx > hash.txt

To verify that the hash was extracted successfully, use the cat command. We can see that the extracted data matches Microsoft Office 2007. Neat.

  cat hash.txt
  dummy.docx:$office$*2007*20*128*16*a7c7a4eadc2d90fb22c073c6324b6b49*abc5f80409f5f96f97e184e44aacd0b7*930b0c48a7eb5e13a57af4f3030b48e9402b6870

Step 4: Cracking the Saved Hash

As mentioned above, we will show two ways to crack the hash we just saved from the password-protected Microsoft Office file. Both methods work well, so it comes down to preference.

Option 1: Cracking with John

Set the --wordlist flag to the location of your favorite word list. The one included with Nmap is suitable for our purposes here, but for tougher passwords you should use a more extensive word list.

  john --wordlist=/usr/share/wordlists/nmap.lst hash.txt
  Using default input encoding: UTF-8
  Loaded 1 password hash (Office, 2007/2010/2013 [SHA1 128/128 SSE2 4x / SHA512 128/128 SSE2 2x AES])
  Cost 1 (MS Office version) is 2007 for all loaded hashes
  Cost 2 (iteration count) is 50000 for all loaded hashes
  Will run 4 OpenMP threads
  Press 'q' or Ctrl-C to abort, almost any other key for status

John starts cracking and, depending on the complexity of the password, finishes when a match is found. Press almost any key to display the current status. When the hash is cracked, a message appears on the screen with the document's password. Since our password was fairly simple, it only took a few seconds to crack.

  password123      (dummy.docx)
  1g 0:00:00:03 DONE (2019-02-05 15:00) 0.2824g/s 415.8p/s 415.8c/s 415.8C/s lacoste..cooldude
  Use the "--show" option to display all of the cracked passwords reliably
  Session completed

We can also use the --show option to display it like this:

  john --show hash.txt
  dummy.docx:password123

  1 password hash cracked, 0 left

Now that we've learned a way to crack a password-protected Microsoft Office file, let's look for another way with the powerful Hashcat tool.

Option 2: Cracking with Hashcat

We can start with the help menu (--help) for Hashcat. This gives a wealth of information, including usage options, hash modes, and other features. There's a ton of information here, so I'm not going to display the output, but you should look through it if you really want to get to know Hashcat. Near the bottom of the help menu are the MS Office mode options and their numbers. We know from our hash that it is an Office 2007 file, so look for the ID number 9400.

  9700 | MS Office <= 2003 $0/$1, MD5 + RC4              | Documents
  9710 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #1 | Documents
  9720 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #2 | Documents
  9800 | MS Office <= 2003 $3/$4, SHA1 + RC4             | Documents
  9810 | MS Office <= 2003 $3, SHA1 + RC4, collider #1   | Documents
  9820 | MS Office <= 2003 $3, SHA1 + RC4, collider #2   | Documents
  9400 | MS Office 2007                                  | Documents
  9500 | MS Office 2010                                  | Documents
  9600 | MS Office 2013                                  | Documents

Now we can set the remaining options with the following command:

  hashcat -a 0 -m 9400 --username -o cracked_pass.txt hash.txt /usr/share/wordlists/nmap.lst

  • The -a flag sets the attack mode; 0 is the default straight (word list) mode.
  • The -m flag sets the hash mode, which we just looked up.
  • The --username option ignores anything before the colon (the "username", here the file name) in the hash file.
  • The -o flag writes the cracked result to the output file cracked_pass.txt.
  • Finally, we pass hash.txt, which contains the hash, and the word list, as we did before.
  • Hashcat then starts cracking.

  hashcat (v5.1.0) starting...

  * Device #2: Not a native Intel OpenCL runtime. Expect massive speed loss.
               You can use --force to override, but do not report related errors.
  OpenCL Platform #1: Intel(R) Corporation
  ========================================
  * Device #1: Intel(R) Core(TM) i5 CPU M 480 @ 2.67GHz, 934/3736 MB allocatable, 4MCU

  ...

After some time, the status is displayed as Cracked and we can see the password.

  Session..........: hashcat
  Status...........: Cracked
  Hash.Type........: MS Office 2007
  Hash.Target......: $office$*2007*20*128*16*a7c7a4eadc2d90fb22c073c6324...2b6870
  Time.Started.....: Tue Feb  5 15:08:00 2019 (4 secs)
  Time.Estimated...: Tue Feb  5 15:08:04 2019 (0 secs)
  Guess.Base.......: File (/usr/share/wordlists/nmap.lst)
  Guess.Queue......: 1/1 (100.00%)
  Speed.#1.........:      610 H/s (8.51ms) @ Accel:512 Loops:128 Thr:1 Vec:4
  Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
  Progress.........: 2048/5084 (40.28%)
  Rejected.........: 0/2048 (0.00%)
  Restore.Point....: 0/5084 (0.00%)
  Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:49920-50000
  Candidates.#1....: #!comment: ***************************************************************************************************** *** -> princess

  Started: Tue Feb  5 15:07:50 2019
  Stopped: Tue Feb  5 15:08:05 2019

Just cat the output file we specified; the hash is shown with the plaintext password appended at the end.

  cat cracked_pass.txt
  $office$*2007*20*128*16*a7c7a4eadc2d90fb22c073c6324b6b49*abc5f80409f5f96f97e184e44aacd0b7*930b0c48a7eb5e13a57af4f3030b48e9402b6870:password123

Success! Now we know two methods to crack the hash after extracting it from a password-protected Microsoft Office file with office2john.

How to Protect Yourself from Cracking

When it comes to password cracking of any kind, the best defense is to follow password best practices. This means using unique passwords that are long and not easy to guess. It helps to use a combination of uppercase and lowercase letters, numbers, and symbols, although recent research has shown that long, high-entropy passphrases are superior. Even better are long, randomly generated passwords, which make cracking practically impossible.

With respect to this attack, it may not be effective against Microsoft Office 2016 or 2019 documents or newer, because office2john was developed for earlier versions of Office. However, as you can see above, Office 2016 may produce a 2013-format document without the user even knowing it, so a "new" file is not necessarily uncrackable. In addition, there are still a lot of older Microsoft Office documents around, and some organizations continue to use those older versions, so this attack is still very much feasible today.

Microsoft Office files are not quite as safe as you might think. We used a tool called office2john to extract the hash of a DOCX file, and then cracked that hash with John the Ripper and Hashcat. This type of file is still commonly used today, so if you come across one with a password, you'll know there's a way to crack it.
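Because a file saved in a newer Office can silently come out in an older encryption format, a defender's first check is which scheme each document actually uses. The following Python script is an added example (not code from this article or from the John the Ripper project): it parses the `$office$` lines office2john prints and reports the version, key size and iteration count per document. It assumes the field layout seen in the hash above (version, size/spin count, key bits, salt bytes, salt, verifier, verifier hash) and takes the fixed 50000-iteration count for the 2007 scheme from the John output above; the 2013 sample line is constructed with dummy values.

```python
"""Audit helper for office2john output (added example; not code from the Null
Byte article or the John the Ripper project). It parses the "$office$" lines
office2john prints and reports the encryption generation each document uses,
so 2007-format files, and 2016 files that silently came out in 2013 format,
can be found without cracking anything."""

# Fixed iteration count of the 2007 scheme, as John reported in the article
# ("Cost 2 (iteration count) is 50000"); 2010/2013 carry it in field 2.
OFFICE_2007_ITERATIONS = 50000

def parse_office2john_line(line):
    """Parse 'name:$office$*ver*x*keybits*saltsize*salt*verifier*verifierhash'
    into a dict with filename, version, iterations, key_bits and salt_bytes."""
    filename, sep, hash_str = line.strip().partition(":")
    if not sep:                       # no 'name:' prefix: whole line is the hash
        filename, hash_str = "", line.strip()
    fields = hash_str.split("*")
    if fields[0] != "$office$" or len(fields) != 8:
        raise ValueError("not an office2john $office$ hash: " + hash_str[:24])
    version, key_bits, salt_bytes = int(fields[1]), int(fields[3]), int(fields[4])
    if len(fields[5]) != 2 * salt_bytes:   # salt is hex, two chars per byte
        raise ValueError("salt length does not match the saltSize field")
    iterations = OFFICE_2007_ITERATIONS if version == 2007 else int(fields[2])
    return {"filename": filename, "version": version, "iterations": iterations,
            "key_bits": key_bits, "salt_bytes": salt_bytes}

def audit(lines):
    """Return (filename, version, iterations, key_bits, note) per non-empty line;
    lines that are not $office$ hashes are kept with a 'skipped' note."""
    rows = []
    for line in filter(str.strip, lines):
        try:
            h = parse_office2john_line(line)
        except ValueError as err:
            rows.append((line.split(":")[0], None, None, None, f"skipped: {err}"))
            continue
        note = ("2007 scheme: weakest of the three, fixed 50000 iterations"
                if h["version"] == 2007 else f"{h['version']} scheme, iterations from hash")
        rows.append((h["filename"], h["version"], h["iterations"], h["key_bits"], note))
    return rows

# Sample input: line 1 is the dummy.docx hash from the article; line 2 is a
# constructed Office 2013 line with dummy hex values (not a real document).
SAMPLE_LINES = [
    "dummy.docx:$office$*2007*20*128*16*a7c7a4eadc2d90fb22c073c6324b6b49"
    "*abc5f80409f5f96f97e184e44aacd0b7*930b0c48a7eb5e13a57af4f3030b48e9402b6870",
    "report.docx:$office$*2013*100000*256*16*" + "ab" * 16 + "*" + "cd" * 16 + "*" + "ef" * 64,
]
```

Feed it the hash.txt produced in Step 3 (one line per document) and any row flagged with the 2007 scheme is a file worth re-saving in a current format with a strong password.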

Title image by efes / Pixabay
