I installed Office 2007 so I can run Excel 2007. I now have my Excel 2007 document that's password protected, and I know it's made in Excel 2007. I have some surprising results.
As you can see, the original "office2john" script still works. I have named it "office2john2" as I saved it after the bad one. The bad "office2john" script still doesn't work, as expected. But the surprising bit is that the "office2hashcat" script now works.
So there you have it. The Hashcat variant of the script that's on the FAQ page works with some Excel formats, but not all of them. Cracking is not a matter of luck over skill as some will say, but more of a matter of staying consistent and diligent. Otherwise you're left with this impression of playing Russian roulette, a hit or miss game.
"office2john":
"office2hashcat":
If you compare these two, you can see that the file name prefix is the only difference:
First of all, I don't have a "$HEX[blabla]" in either string. Also, I have sent the output to a new file called "hello.hash" and then edited out the "hello.xlsx:" (because I used the original script).
However, despite having everything set and ready for Hashcat to crack the password, I ran into trouble, using Hashcat 6.2.5. I haven't tried other versions yet.
For this input:
I got this output:
First of all, the hash was ready to be loaded and it could locate it, but it failed to load it because it encountered unmatching signature on the first line. The second line is just a blank line. It looks like it's picking up the newline as a separator. Separator for what? I don't know. Someone can fill me in maybe. It worked the first time for the "Excel 97 - 2003" document. Comparing "world.hash" (first document I tested) with "hello.hash" (the new document), I see a newline in both of them.
There was also this message:
I will look at it at a later time. But to me, this is telling that John The Ripper is probably the better choice for cracking newer Excel hashes. I haven't tried older versions of Hashcat yet.
Code:
PS C:\ExcelCracking\hashcat-6.2.5> python.exe ..\office2hashcat.py ..\hello.xlsx
$office$*2007*20*128*16*bd72fadd630f6706d2265bb2670744d8*ffd55bec1246280becc69478087b5e45*19871af11d8ff42d730128763a13229cf67ee6e8
PS C:\ExcelCracking\hashcat-6.2.5> python.exe ..\office2john.py ..\hello.xlsx
Traceback (most recent call last):
File "C:\ExcelCracking\office2john.py", line 2674, in process_file
if accdb_magic in data and accdb_xml_start in data:
TypeError: a bytes-like object is required, not 'str'
..\hello.xlsx : OLE check failed, a bytes-like object is required, not 'str'
PS C:\ExcelCracking\hashcat-6.2.5> python.exe ..\office2john2.py ..\hello.xlsx
hello.xlsx:$office$*2007*20*128*16*bd72fadd630f6706d2265bb2670744d8*ffd55bec1246280becc69478087b5e45*19871af11d8ff42d730128763a13229cf67ee6e8
PS C:\ExcelCracking\hashcat-6.2.5>As you can see, the original "office2john" script still works. I have named it "office2john2" as I saved it after the bad one. The bad "office2john" script still doesn't work, as expected. But the surprising bit is that the "office2hashcat" script now works.
So there you have it. The Hashcat variant of the script that's on the FAQ page works with some Excel formats, but not all of them. Cracking is not a matter of luck over skill as some will say, but more of a matter of staying consistent and diligent. Otherwise you're left with this impression of playing Russian roulette, a hit or miss game.
"office2john":
Code:
hello.xlsx:$office$*2007*20*128*16*bd72fadd630f6706d2265bb2670744d8*ffd55bec1246280becc69478087b5e45*19871af11d8ff42d730128763a13229cf67ee6e8"office2hashcat":
Code:
$office$*2007*20*128*16*bd72fadd630f6706d2265bb2670744d8*ffd55bec1246280becc69478087b5e45*19871af11d8ff42d730128763a13229cf67ee6e8If you compare these two, you can see that the file name prefix is the only difference:
Code:
$office$*2007*20*128*16*bd72fadd630f6706d2265bb2670744d8*ffd55bec1246280becc69478087b5e45*19871af11d8ff42d730128763a13229cf67ee6e8
hello.xlsx:$office$*2007*20*128*16*bd72fadd630f6706d2265bb2670744d8*ffd55bec1246280becc69478087b5e45*19871af11d8ff42d730128763a13229cf67ee6e8First of all, I don't have a "$HEX[blabla]" in either string. Also, I have sent the output to a new file called "hello.hash" and then edited out the "hello.xlsx:" (because I used the original script).
However, despite having everything set and ready for Hashcat to crack the password, I ran into trouble, using Hashcat 6.2.5. I haven't tried other versions yet.
For this input:
Code:
PS C:\hashcat-6.2.5> .\hashcat.exe -a3 -m9400 -o ..\hello.password.txt ..\hello.hashI got this output:
Code:
Hashfile '..\hello.hash' on line 1 ($): Signature unmatched
Hashfile '..\hello.hash' on line 2 (): Separator unmatched
No hashes loaded.First of all, the hash was ready to be loaded and it could locate it, but it failed to load it because it encountered unmatching signature on the first line. The second line is just a blank line. It looks like it's picking up the newline as a separator. Separator for what? I don't know. Someone can fill me in maybe. It worked the first time for the "Excel 97 - 2003" document. Comparing "world.hash" (first document I tested) with "hello.hash" (the new document), I see a newline in both of them.
There was also this message:
Code:
..\hello.hash: Byte Order Mark (BOM) was detectedI will look at it at a later time. But to me, this is telling that John The Ripper is probably the better choice for cracking newer Excel hashes. I haven't tried older versions of Hashcat yet.