RC4 attack for 40bit Word 97-2003
#1
Hey guys,
im trying to open a password protected word file which uses the old 40bit key to encrypt. 
I used https://hashc.co.uk/office2john because im a computer noob and was to lazy to run a Python Script. I received the following header:
$oldoffice$1*fullresultfromoffice2john

It also recommended Mode 9700 (However i read that mode 9710 is faster as far as i understood). I ran:
"hashcat64.exe -m 9710 $oldoffice$1*fullresultfromoffice2john -a 3 ?b?b?b?b?b -w 3 --potfile-disable" on my windows 7 machine. 

It reached 100% with 0/1 recovered. I tried it on my main device with a 660ti which was super slow (10000kH/s or less, even my laptop is faster, but thats not my problem) and is now @95% progress with no results yet. Tried a mates devide with a 7970 next and it reached 100% with no results in both modes (9700/9710). Am I doing anything wrong? Any suggestions? 
I only need a short answer with correct command in case mine is wrong, im really unexperienced with hashcat. 
Thanks in advance guys!
EDIT: Potential noob mistake: On the 7970 machine i interrupted the 9700 attempt by accident at 60% and restarted it with --skip (just changed the value until i started from 58%), as far as i understood the brute force attack there should be no problem because its only guessing through the whole key space anyway, but hey, as mentioned above im a total noob Big Grin
#2
How do you know it is only 5 binary characters?  That might be your problem.
BTW, you're not supposed to post hashes on the board unless requested by the admins.  Might want to redact it or risk getting banned for a period for not following the rules. . . .
just saying  . . . . . . .


(11-15-2017, 10:05 PM)janmaier27 Wrote: Hey guys,
im trying to open a password protected word file which uses the old 40bit key to encrypt. 
I used https://hashc.co.uk/office2john because im a computer noob and was to lazy to run a Python Script. I received the following header:
$oldoffice$1*.......................

It also recommended Mode 9700 (However i read that mode 9710 is faster as far as i understood). I ran:
"hashcat64.exe -m 9710 $oldoffice$1*.......................... -a 3 ?b?b?b?b?b -w 3 --potfile-disable" on my windows 7 machine. 

It reached 100% with 0/1 recovered. I tried it on my main device with a 660ti which was super slow (10000kH/s or less, even my laptop is faster, but thats not my problem) and is now @95% progress with no results yet. Tried a mates devide with a 7970 next and it reached 100% with no results in both modes (9700/9710). Am I doing anything wrong? Any suggestions? 
I only need a short answer with correct command in case mine is wrong, im really unexperienced with hashcat. 
Thanks in advance guys!
EDIT: Potential noob mistake: On the 7970 machine i interrupted the 9700 attempt by accident at 60% and restarted it with --skip (just changed the value until i started from 58%), as far as i understood the brute force attack there should be no problem because its only guessing through the whole key space anyway, but hey, as mentioned above im a total noob Big Grin
#3
https://hashcat.net/forum/thread-3665.html

Im referring to that guide which ran almost the exact same code. I just tried to copy it, and have no idea why i have to use that ?b?b?b?b?b stuff.
Edit: Removed the Word header, but it still shows up in your quote, sorry for that^^.
Edit2: As a far as i understood the whole approach the programm is trying to directly attack the rc4 key instead of guessing the password from which the key is usually created. the whole keyspace is only 2^40. Each key has the same length and therefore i only have to check which key from the keyspace creates the same word header. 2^40 is equal to a 10digit Hex. But seriously i have no idea how hashcat is doing all that stuff and why i need ?b?b?b?b?b. Only thing i know is that hashcat only got exhausted as result.
#4
?b means that hashcat should try all possible values a byte can have, i.e.
from 0x00 to 0xff, this means that each byte has 256 possibilities

256^5 = 256*256*256*256*256 = 1099511627776 combinations
2^40 = 2*2*2*2*....*2 = 1099511627776 combinations

As you can see, a 40 bit key is the same as 5 combinations of 8 bits (1 byte) key

Therefore ?b?b?b?b?b exhaust the whole 40-bit keyspace (and 256^5 is the same as 2^40)


BTW: I would try to troubleshoot the problem by trying to crack the example hashes of -m 9700 from https://hashcat.net/wiki/example_hashes with -m 9710 / -m 9720 . In addition to that you should create a freshly new and similar document for which you know the password and try to extract the hash with office2john and try to crack it with -m 9710
#5
Thanks for your answer. For some reason hashcat now found the correct rc4 key. Colliding with 9720 failed with ?a?a?a?a?a?a and i now added another ?a. Is there a programm than can decrypt a word document using the rc4 key instead of using a collided password?
#6
My guess is that there might be a lot of tools around or you just slightly modify a popular tool like libreoffice. We only need to replace the actual key that was generated from a "fake" password with the key that you now know.

But I can see a lot of tools that might work (not tested myself), like this one: https://github.com/nolze/ms-offcrypto-tool that can also decrypt with the key (by specifying the key with the -k option).

update: it seems this tool only works with AES, not with RC4... but there should be other tools that support older decryption algorithmshttps://github.com/nolze/ms-offcrypto-tool
#7
That would be interesting in order to derive the password from the RC4 secret key that was used (probably a different keyboard layout) in the North Korean attack dubbed "FallChill" 

https://www.us-cert.gov/ncas/alerts/TA17-318A

Feature enhancement request anyone? Smile