Ancient .xls file [$oldoffice$0] - 2 mo. trial and error
#1
Question 
Hello! 

Please bare with me, as I haven't had much practice in bashing away at hashcat. I have, however, given it my all, Googled any and everything similar to my situation, but I haven't gotten anywhere after 2-ish months of trial and error. 

The situation:
  • I have an excel file that is protected (several sheets in one file, and it's a VBA project, whatever that means). 
  • The file is .xls and probably made before 2007, and by Dutch people.
  • I have legitimate access to the file and its contents.
  • I used office2john.py to obtain this hash value from the file itself: 
    Code:
    $oldoffice$0*c3cbb67cfacc8c343d3f8bbeb03119f5*0d4348507d88a8ff217fbe91f555461f*f351c3330f7e47d451e2a53690da34ef
  • The command I am currently running is: 
    Code:
    hashcat.exe -m 9700 -a 3 $oldoffice$0*c3cbb67cfacc8c343d3f8bbeb03119f5*0d4348507d88a8ff217fbe91f555461f*f351c3330f7e47d451e2a53690da34ef --keep-guessing -o result.txt
  • This crack has up until now given me passwords (such as: qt2ptpk, t2sq4z9!, 03shcki*, 31b7i3n*, S3jjxiz1, K2dla0h4, t2sq4z9!, etc), but they're not able to unlock the protected sheet (or the entire excel sheet). 

I know this type of brute force might be a very non-efficient way to do it, but I haven't gotten any usable passwords from any other method (such as rockyou.txt, and ?l?l?l?l? etc..., so now I'm taking the slow and steady route. 

I'm using -m 9700 because it's the only one that is accepted by hashcat for the format I am using. 

Anyone out there willing to tell me what on earth is going on, or what I should be doing differently?
Reply
#2
Edit: someone suggested I run -m 9710, but deleted their comment:
----

When running the following code, I get this, even though its brute force and keep guessing: 
Code:
hashcat.exe -m 9710 -a 3 $oldoffice$0*c3cbb67cfacc8c343d3f8bbeb03119f5*0d4348507d88a8ff217fbe91f555461f*f351c3330f7e47d451e2a53690da34ef --keep-guessing -o result.txt
 

.png   Screenshot 2022-07-26 234115.png (Size: 39.96 KB / Downloads: 10)

But I also have this... so something is going on with my kernel. :/ 

.png   Screenshot 22.png (Size: 38.73 KB / Downloads: 9)
Reply
#3
(07-26-2022, 10:26 PM)avveie Wrote: I have an excel file that is protected (several sheets in one file, and it's a VBA project, whatever that means). 
...
This crack has up until now given me passwords, but they're not able to unlock the protected sheet (or the entire excel sheet). 

$oldoffice$ is hash for encrypted *.xls file. For whole file, which requires password while trying to open. Protected sheets and VBA projects use their own passwords.

There are some tools for removing protection from sheets and VBA without finding passwords. Google will help you.
Reply
#4
Read this thread for info on 9710/9720, this is the correct way to open the document and it should take only a few minutes: https://hashcat.net/forum/thread-3665.html
Reply