How to Crack Passwords for Password Protected MS Office Documents

Carrie Roberts* // (Updated, 2/11/2019)

Trying to figure out the password for a password protected MS Office document? This free solution might do the trick. It attempts to guess the password using a long list of potential passwords that you provide. This works for all MS Office document types (docx, xlsx, pptx, etc). There are three different solutions provided in this blog post so read through the entire thing and choose the one that best fits your needs before you get started.

Let’s say we want to guess the password for a file called crackme.xlsx. Put this file on your desktop along with these two files:

  • msoffice-crypt.exe
  • rockyou.txt

You can download msoffice-crypt.exe as described here.

The rockyou file is a well-known list of passwords used for guessing passwords. You can download the rockyou list here. Alternatively, you can make any password list you want, but rockyou is a good start.

So now you should be set with the three files you need, all in one location: the MS Office file you want to crack the password for (crackme.xlsx), the decryption tool (msoffice-crypte.exe), and a text file full of password guesses (rockyou.txt).

Open a cmd.exe window and change directories to the location where the three files are located (C:\Users\swhite\Desktop\Blog in this example) and run the following command:

@FOR /F %p in (rockyou.txt) DO @msoffice-crypt.exe -d -p %p crackme.xlsx 1>NUL && echo [*] score, password is: %p && pause

You can watch the speed of progress in the cmd window title bar. When the password is found it will be printed on the line that starts with “[*]” and the script will be paused. Just press Ctrl+C to end the script. On my system it would take about 11 days of running this around the clock to guess all 14,344,391 passwords contained in the rockyou list. Maybe you want to start with a smaller list or consider using John the Ripper, or better yet, Hashcat to speed things up.

For John the Ripper Instructions, check this out:

For Hashcat Instructions, there is a very nice tutorial here:

For a quick reference, here are the commands:

python crackme.xlsx > hash.txt

You can find here.

hashcat64.exe -a 0 -m 9400 --username hash.txt rockyou.txt

You determine which flag to use (-m 9400 in the example above) via this chart from

       Office 97-03(MD5+RC4,oldoffice$0,oldoffice$1): flag -m 9700

       Office 97-03(MD5+RC4,collider-mode#1): flag -m 9710

       Office 97-03(MD5+RC4,collider-mode#2): flag -m 9720

       Office 97-03(SHA1+RC4,oldoffice$3,oldoffice$4): flag -m 9800

       Office 97-03(SHA1+RC4,collider-mode#1): flag -m 9810

       Office 97-03(SHA1+RC4,collider-mode#2): flag -m 9820

       Office 2007: flag -m 9400

       Office 2010: flag -m 9500

       Office 2013: flag -m 9600

Hashcat brings the time down to 3 hours to guess the entire rockyou list using a standard laptop with a single GPU. Nice!

I hope this comes in handy for you!

*We love when Carrie guest posts for us! Follow her on Twitter @OrOneEqualsOne

You can learn more from Carrie in her classes!

Check them out here:

Attack Emulation Tools: Atomic Red Team, CALDERA and More 

PowerShell for InfoSec

Available live/virtual and on-demand!