Carrie Roberts* // (Updated, 2/11/2019)
Trying to figure out the password for a password protected MS Office document? This free solution might do the trick. It attempts to guess the password using a long list of potential passwords that you provide. This works for all MS Office document types (docx, xlsx, pptx, etc). There are three different solutions provided in this blog post so read through the entire thing and choose the one that best fits your needs before you get started.
Let’s say we want to guess the password for a file called crackme.xlsx. Put this file on your desktop along with these two files:
You can download msoffice-crypt.exe as described here.
The rockyou file is a well-known list of passwords used for guessing passwords. You can download the rockyou list here. Alternatively, you can make any password list you want, but rockyou is a good start.
So now you should be set with the three files you need, all in one location: the MS Office file you want to crack the password for (crackme.xlsx), the decryption tool (msoffice-crypte.exe), and a text file full of password guesses (rockyou.txt).
Open a cmd.exe window and change directories to the location where the three files are located (C:\Users\swhite\Desktop\Blog in this example) and run the following command:
@FOR /F %p in (rockyou.txt) DO @msoffice-crypt.exe -d -p %p crackme.xlsx 1>NUL && echo [*] score, password is: %p && pause
You can watch the speed of progress in the cmd window title bar. When the password is found it will be printed on the line that starts with “[*]” and the script will be paused. Just press Ctrl+C to end the script. On my system it would take about 11 days of running this around the clock to guess all 14,344,391 passwords contained in the rockyou list. Maybe you want to start with a smaller list or consider using John the Ripper, or better yet, Hashcat to speed things up.
For John the Ripper Instructions, check this out:
For Hashcat Instructions, there is a very nice tutorial here:
For a quick reference, here are the commands:
python office2john.py crackme.xlsx > hash.txt
You can find office2john.py here.
hashcat64.exe -a 0 -m 9400 --username hash.txt rockyou.txt
You determine which flag to use (-m 9400 in the example above) via this chart from pentestcorner.com:
Office 97-03(MD5+RC4,oldoffice$0,oldoffice$1): flag -m 9700
Office 97-03(MD5+RC4,collider-mode#1): flag -m 9710
Office 97-03(MD5+RC4,collider-mode#2): flag -m 9720
Office 97-03(SHA1+RC4,oldoffice$3,oldoffice$4): flag -m 9800
Office 97-03(SHA1+RC4,collider-mode#1): flag -m 9810
Office 97-03(SHA1+RC4,collider-mode#2): flag -m 9820
Office 2007: flag -m 9400
Office 2010: flag -m 9500
Office 2013: flag -m 9600
Hashcat brings the time down to 3 hours to guess the entire rockyou list using a standard laptop with a single GPU. Nice!
I hope this comes in handy for you!
*We love when Carrie guest posts for us! Follow her on Twitter @OrOneEqualsOne
Wild West Hackin’ Fest – Most Hands-On Infosec Con!
Join us at Wild West Hackin’ Fest in Deadwood — September 23-25th, 2020. Learn more: https://www.wildwesthackinfest.com/
Join the BHIS Blog Mailing List – get notified when we post new blogs, webcasts, and podcasts.