Cracking Password-Protected MS Office Files

Disclaimer: Don’t do this unless it’s for legitimate reasons, such as the one outlined below.

At work, I recently came across the need to crack a handful of MS Office files that someone had password protected. Of course, that person was no longer around, so the person who took over needed to figure out how to access these documents, and they asked the Security team for help.

My first instinct turned out to be the correct one: use John the Ripper on Kali 2.

The main issue I faced was extracting the password hash from the Office docs in question so that John The Ripper could have something to run against. Turns out there is a handy python script you can use that does exactly this: office2john.py (https://github.com/kholia/RC4-40-brute-office)

Instructions

Download office2john.py, then make it executable.

Now you can use this tool to extract the hash from the Office document, and save it to a text file:

Now check out the contents of the hash file if you want:

All you need at this point is a good password list to run through John the Ripper, and a few options to run it with. The sqlmap.txt file that comes with Kali2 is a good candidate:

Here’s the full command:

Options:
–session=docx – This is the name of this session. Could be anything, really.
–rules – Enables word mangling on the defined wordlist
–wordlist – Path to the word list you are running this against

Now, sit back and wait for John to do its thing.

PDFs

Just use pdfcrack in Kali.

About Will Chatham

Will Chatham is a Cyber Security Analyst, Ethical Hacker, and Penetration Tester at a federal data center in Asheville, NC. Since Netscape 2.0, he has worked in a wide array of environments including non-profit, corporate, small business, and government. His varied background, from developer to search engine optimizer to security professional, has helped him build a wide range of skills that help those with whom he works and teaches.
Bookmark the permalink.

Leave a Reply