hashcat Forum
Obtain a Hash from a Excel 2007 file - Printable Version




Obtain a Hash from a Excel 2007 file - taratota - 05-19-2013

Hi there. According to the Microsoft whitepaper, the following specs are defined for the Excel password security encryption:

Key derivation is performed using 50,000 iterations of SHA-1 (increased to 100k in SP2).
Uses a 16-byte (128-bit) random salt.
AES is the block cipher used to encrypt the document.
By default, 128-bit keys are used. There is a registry tweak to change this to 256-bit.
The AES block cipher is implemented in Microsoft's CSP / CryptoAPI.

This info gives me a good starting point to crack an Excel password, but... I can't find any information or documentation on how to get the hash from an Excel file.

Does anyone know how to get it?

Thanks in advance and sorry for my English ;)

Byebye!


RE: Obtain a Hash from a Excel 2007 file - halfie - 05-19-2013

See https://github.com/magnumripper/JohnTheRipper/blob/unstable-jumbo/run/office2john.py


RE: Obtain a Hash from a Excel 2007 file - taratota - 05-19-2013

Works fine! :) (So I think, although I have not checked it.)
This is the output for my test Excel file:
excel-test.xlsx:$office$*2007*20*128*16*93da6e1d346c793d821daf7877d440ff*fdad25c4a27cb26816602397a55e0755*decc89fa6d72b495cac8ced2e66dfca26d4b44111d1def88becd82b749fca647

I don't yet understand the format of this string, but I will investigate this :)


RE: Obtain a Hash from a Excel 2007 file - taratota - 05-20-2013

Good morning from Spain :)

I successfully passed the hash string obtained from "https://github.com/magnumripper/JohnTheR...ce2john.py" to John the Ripper; it was very easy, invoking John with this string directly.

Can anyone help me pass this hash to hashcat? I think this hash is split into 3 strings, according to the white paper documentation, because the password is too long.

Thanks in advance :)


RE: Obtain a Hash from a Excel 2007 file - epixoip - 05-20-2013

hashcat does not support this algorithm. and office2john.py is specific to john the ripper, hence the script's name.


RE: Obtain a Hash from a Excel 2007 file - taratota - 05-20-2013

(05-20-2013, 09:32 AM)epixoip Wrote: hashcat does not support this algorithm. and office2john.py is specific to john the ripper, hence the script's name.

Hi, the documentation says that this algorithm is SHA1, specifically salt+SHA1. For this reason I am trying/playing to do it with hashcat.

Maybe I'm wrong... ;)


RE: Obtain a Hash from a Excel 2007 file - epixoip - 05-20-2013

(05-20-2013, 09:37 AM)taratota Wrote: Maybe I'm wrong... ;)

yes, you're wrong. it's not near as simple as you think it is.


RE: Obtain a Hash from a Excel 2007 file - taratota - 05-20-2013

(05-20-2013, 01:58 PM)epixoip Wrote:
(05-20-2013, 09:37 AM)taratota Wrote: Maybe I'm wrong... ;)

yes, you're wrong. it's not near as simple as you think it is.

Thanks! I'll investigate this, bye! :)


RE: Obtain a Hash from a Excel 2007 file - achaeon - 10-24-2014

(05-20-2013, 09:37 AM)taratota Wrote:
(05-20-2013, 09:32 AM)epixoip Wrote: hashcat does not support this algorithm. and office2john.py is specific to john the ripper, hence the script's name.

Hi, the documentation says that this algorithm is SHA1, specifically salt+SHA1. For this reason I am trying/playing to do it with hashcat.

Maybe I'm wrong... ;)

You're not far off. The hashcat format should look like:
$office$*2007*20*128*16*411a51284e0d0200b131a8949aaaa5cc*117d532441c63968bee7647d9b7df7d6*df1d601ccf905b375575108f42ef838fb88e1cde

So you only need to slightly adjust the office2john output by removing the filename from the front. The hashcat mode you want is 9400 for office 2007, 9500 for 2010, 9600 for 2013.
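
The adjustment described in the post above (drop the filename that office2john puts in front of the hash, then pick the mode by Office version), as an added example that is not part of the original thread and is not code from office2john or hashcat. The function name `to_hashcat` and the field labels are this example's own; the sample line is the one posted earlier in the thread.

```python
import re

# hashcat modes exactly as listed in the post above.
HASHCAT_MODES = {"2007": 9400, "2010": 9500, "2013": 9600}

# Field labels are this example's own naming (assumption); the thread only
# states a 128-bit key and a 16-byte salt. The second field is left unnamed.
FIELDS = ("version", "param2", "key_bits", "salt_bytes",
          "salt", "blob1", "blob2")
DEC = re.compile(r"[0-9]+")
HEX = re.compile(r"[0-9a-fA-F]+")

# Line posted earlier in the thread (office2john output, filename in front).
SAMPLE = ("excel-test.xlsx:$office$*2007*20*128*16*"
          "93da6e1d346c793d821daf7877d440ff*fdad25c4a27cb26816602397a55e0755*"
          "decc89fa6d72b495cac8ced2e66dfca26d4b44111d1def88becd82b749fca647")


def to_hashcat(line):
    """Return (mode, hash_without_filename, fields) for one office2john line."""
    line = line.strip()
    # rfind copes with colons inside the filename, e.g. C:\docs\a.xlsx:$office$...
    start = line.rfind("$office$*")
    if start == -1:
        raise ValueError("no $office$ signature found")
    if start > 0 and line[start - 1] != ":":
        raise ValueError("unexpected text before the $office$ signature")
    hash_part = line[start:]
    parts = hash_part[len("$office$*"):].split("*")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d '*'-separated fields, got %d"
                         % (len(FIELDS), len(parts)))
    fields = dict(zip(FIELDS, parts))
    if fields["version"] not in HASHCAT_MODES:
        raise ValueError("unsupported Office version: %r" % fields["version"])
    for name in ("param2", "key_bits", "salt_bytes"):
        if not DEC.fullmatch(fields[name]):
            raise ValueError("%s is not a decimal number" % name)
    for name in ("salt", "blob1", "blob2"):
        if not HEX.fullmatch(fields[name]) or len(fields[name]) % 2:
            raise ValueError("%s is not an even-length hex string" % name)
    if len(fields["salt"]) != 2 * int(fields["salt_bytes"]):
        raise ValueError("salt length does not match the declared salt size")
    return HASHCAT_MODES[fields["version"]], hash_part, fields


if __name__ == "__main__":
    mode, hash_line, _ = to_hashcat(SAMPLE)
    print("hashcat mode %d\n%s" % (mode, hash_line))
```

The returned `fields` dictionary allows a converted line to be compared field by field against the sample in the post above.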


RE: Obtain a Hash from a Excel 2007 file - Rolf - 10-24-2014

Silence, necromancer!