Help with Word 2010 file hash
#1
Lightbulb 
Hello guys,

First time poster here, please go easy on me :-)

I've been having a problem with an encrypted Word 2010 file for a couple of days now, and it's driving me mad.

WARNING: Long story inc! Skip to the end for tl;dr!

So, a story...

One fine day a year ago I was on vacation. And took my wife's laptop, fired up Word and started writing. Yes, a real space-opera crime thriller! I was so enthusiastic about it that everyone could see it on my face and they left me alone and gave me space to write. I guess they were as much eager to get a first read on it as much as I was to write it :-)

Of course, the holiday ended and I had to get back home... work an all :-)
Another 'of course' - I had the file locked to keep it from prying eyes while I was swimming with the dolphins. File was in a Dropbox shared folder between me and my wife so I could easily pick it up later.

... and I forgot about it!

Work, stress, small child and a lot of other things preoccupied my mind and I very rarely though back. When I did, I had no time for another thought about it, let alone writing.

And then I quit my job. I decided I had enough of the high volumes of stress daily and found another one. My company let me go on a paid leave during my 'cancellation period'. The time where you're still with the company but you submitted your letter of resignation. English isn't my primary language, so forgive me for not having the correct word here :-)

Anyway, I have the time now. A lot of it. And I never imagined I'd spend a good chunk of it trying to recall of the password I set a year ago! I know it contains the (nick)names of my wife and kid, and I tried every possible combination I could think of!
'wifekid', 'wife kid', 'wife and kid', 'wifebaby', 'wife baby', 'wife and baby', 'wifeykid'.... you get the idea. I even tried 'kidwife', 'kid wife'... etc. Nothing.

Next step was computer help. I downloaded a couple of programs for recovering Word/Office passwords. Most of them commercial and trial, but it didn't bother me. Most of them will at least tell you first 3 characters, and that would get me on a good way. But they were sooo slow! Used CPU instead of GPU and as I couldn't recall of the exact number of characters, I had to go with 8-15 which was horrible.

Some of the apps had advanced filters like 'try only combinations which have all of the following: m, n, p, a, e', no capitalization, use space only from special chars. Even though I have no idea what's the exact pass, I still remember general 'feel' of the password. Should be a surprise as I typed it in a couple of times a day. A year ago :-)

So, this failed. Miserably.

Next was to try and use my help to help my computer to help me.
Freeware or not, all the apps worked with dictionary attacks well. I created a test file and used a custom dictionary - pass was found.

Then I wrote a short C program that will use two arrays. One with my wife's name and all the variations. Second one with my son's name and all the cuddle names we came up with for him. Like "wife", "honey", "sweety" for the first array and "kid", "son", "diablo" for the second. I'm using general terms here, as you noticed above, but only to protect the innocent :-)

And my program created quite an impressive list of words for dictionary attack:
Code:
wifekid
wife kid
wife and kid
kidwife
kid wife
kid and wife
wifeson
wife son
...

The more I added to the arrays, the more exponentially the wordlist grew. But I didn't care. It was processed fairly quickly, withing minutes, and I really didn't care about time. I just wanted the bloody password!

It's not about the writing any more. It's about not trying to allow myself be an idiot! OK, one could argue that train has left the station, but if I can find a way to hop on it on the next station or two, it will still take me where I need to go.

In the end, or nearly at the end, I almost gave up. I have "MS Word Recovery", as it being the fastest of all of the tested so far, running in the background. Hours passed, it's still on the 7-char password attempts. Bruteforce attack not really being configurable, but hey - it works, unlike anything so far, so let's not complain.

Then I though of Google. If you don't know it, Google surely knows who does. So I Googled who can help me help my computer to help me find the password. And HashCat popped up. Quite distinctive from the others, to be honest, on the first glance. Speficically, this thread popped up.

I had my share of fun and excitement just reading about it! People even provided a link to Python script that will get a hash of the Word file. OMG I never downloaded a program and installed it so quickly as Python engine now! Ran it, got the hash and was super-excited. But then I recalled a NirSoft app called hashmyfiles. Wondered if that might help. No, it won't Big Grin

It will give you something like this:
Code:
File    filename.docx
MD5    f99da72790974e455f2b827d6f1c4a16
SHA1    e4f547522ddef353c3ffd71c18c6f9ea28130b90
CRC32    98b5a434
SHA-256    297366ce7f7584cda0229738b96c01909dc79325542fa1ba60a2d3d6b37c6ee2
SHA-512    b54729aab2ee7c5a62bda2032c91e1e8f0c9289c3f68715996c7e1eba91ba9e97fc2a498a6e1223767c41c7204b3c20ef79ab8846034cc1328d518c26d02a06e
SHA-384    5c765c79b3a1ab65177ef697a704fba08e300dfe4a85cc5aab8259277e2dce05f40f8ff0ba37f5e67b8c05bee37ec5f1

I'm just providing this in case someone needs a tool like this. All NirSoft stuff is free, like SysInternals ones.

Back on topic. I downloaded oclHahscat and tried to make it process my Word file hash. Well, I had a good 15-minute fun trying to make it run as I hoped it will. In the end I figured you don't need to say 'hash <hash>' or 'hashfile <path to file>', but just enter hash or the filename Smile Silly me, but hey! I got it working!

Oh the heart stopped as the command was accepted and started working the magic!

BTW, just checking if you are hooked on the story and asking 'what then?! what then?! Well... nothing. I apparently need to invest in my graphics card, as this one's from the time I served in military ages ago. Nvidia GeForce 8600 GT.

Oh, the error message?
"Your card sucks. Remove it from the system and use the one that doesn't".

Not sure if anything can be done about it, so here's the full output. Perhaps there's something I'm doing wrong.

Code:
C:\Users\Six\Downloads\cudaHashcat-1.35>cudaHashcat32.exe -m 9500 -a 3 $office$*2010*100000*128*16*0eba58880beeda50d9ee016b3bf4a8b4*4a641c6b793d956a1fa6cae11cd3ba42*24e039ca2c0e882e5062eff31f8b3d83c37839a903ee44c05211fd829e4cb6ef
cudaHashcat v1.35 starting...

Device #1: GeForce 8600 GT, 256MB, 1438Mhz, 4MCU
Device #1: WARNING! Kernel exec timeout is not disabled, it might cause you errors of code 702
           You can disable it with a regpatch, see here: http://hashcat.net/wiki/doku.php?id=timeout_patch

Hashes: 1 hashes; 1 unique digests, 1 unique salts
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes, 0/1 rotates
Applicable Optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Brute-Force
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c


ERROR: Shader Model 1.0 - 1.3 based GPU detected. Support for CUDA was dropped by NVidia.



       Remove it from your system or use -d and select only supported cards.

I have no idea if the regpatch to disable kernel exec timeout will help, but somehow doubt it.

So we got to the bottom line now. And also a tl;dr part :-)

Is there anyone who can help me run this hash for Word 2010?
Code:
Hash redacted - R

Rogue line break above :-)

I'll go check with my friends if someone has high end graphics car so oclHashcat will run on their GPUs, but I assume most of the people on this forum have something like that. And quite possibly much more powerful. Any help is very much appreciated at this point, even if just an advice or a suggestion.

I'm not giving up, and I'm certain I'll find the way to open the document and get my short story back. If I don't find any, I'll get an Amazon cloud server and run the bruteforce attack there and check every week for results Smile

Oh, and thanks to everyone who actually read this topic. I hope this situation is interesting to talk about :-)
#2
You are not allowed to post hashes.

The forum rules:
http://hashcat.net/forum/announcement-2.html
#3
Welcome to HC forums.
Not reading and following the rules is a bad idea here.
Account has been temporarily banned for a week, during which you should familiarize yourself with the forum rules.

There are specialized forums which deal with users' requests for password recovery: hashkiller, InsidePro and what have you.