Posts: 803
Threads: 135
Joined: Feb 2011
Hello,
I wonder how some tools (Passware for example) claim on their website to "instant decrypt" Office files version <2003 40-bit encryption.
Then I saw their secret - I guess - which is "Decryptum Portable : a set of rainbow tables that allow instant decryption of Word and Excel files up to v.2003 with a Rainbow Tables".
What do you think about that?
Would it be possible to implement this kind of attack in hashcat for old Office hashes?
Once one has the rainbow tables, I guess the attack will be hugely fast?
Thank you for your advice
Posts: 5,185
Threads: 230
Joined: Apr 2010
The 40 bit cracking is guaranteed in hashcat as well and it's just a few minutes on GPU.
Posts: 803
Threads: 135
Joined: Feb 2011
08-20-2017, 08:47 PM
(This post was last modified: 08-20-2017, 08:48 PM by Mem5.)
"few minutes"? Are you sure? It takes 10 hours on my 1080.
Using
Code:
hashcat64.exe -m 9700 --keep-guessing -a 3 hash.txt ?a?a?a?a?a?a
Am I doing something wrong?
Posts: 2,267
Threads: 16
Joined: Feb 2013
08-21-2017, 08:58 AM
(This post was last modified: 08-21-2017, 08:59 AM by philsmd.)
because you probably should use the collider mode 9710 (with mask ?b?b?b?b?b) for instant access to the data
Posts: 83
Threads: 19
Joined: Dec 2014
(08-21-2017, 08:58 AM)philsmd Wrote: because you probably should use the collider mode 9710 (with mask ?b?b?b?b?b) for instant access to the data
Here's a post by Atom with a more detailed explanation ->
https://hashcat.net/forum/thread-3665.html . And it does mention: "...Problem is that in theory even by iterating through 2^40 combinations it's not guaranteed to find at least one matching one. But I believe there's still a good chance as it's only the first 5 byte we need to collide..."
So collider mode MIGHT not work 100% of the time if I am reading this correctly. Still, it's quick to try, so why do it the hard way if you don't have to.
Posts: 14
Threads: 5
Joined: Aug 2017
(08-26-2017, 11:10 AM)irispurs Wrote: Does this trick work on Office 2007 and later?
MS Office encryption is much more secure from version 2007 - AES was used instead of RC4, so there is no such trick anymore.
Posts: 803
Threads: 135
Joined: Feb 2011
09-11-2017, 09:37 PM
(This post was last modified: 09-12-2017, 08:19 AM by Mem5.)
(08-21-2017, 08:58 AM)philsmd Wrote: because you probably should use the collider mode 9710 (with mask ?b?b?b?b?b) for instant access to the data
Back to my tests, I have an oldoffice "type 1" for which I have the RC4 key thanks to -m 9710.
When I want to find collisions with -m 9720 with a ?a mask, it fails to find one collision (cmd: hashcat64 -m 9720 --username -a 3 -w 3 -o result -1 ?a hash ?1?1?1?1?1?1?1)
I guess I have to try a ?b mask, but it will take 200 days to complete!
-> not quite instant.
I have also several "type 3" oldoffice where I can't even find the RC4 key (attack -m 9810 with ?b?b?b?b?b : exhausted without result).
Again, it's not quite instant ^^
Any idea why? I can share the hashes in private to reproduce if needed.
Thanks.
Posts: 2,267
Threads: 16
Joined: Feb 2013
09-12-2017, 05:00 PM
(This post was last modified: 09-12-2017, 05:01 PM by philsmd.)
If you read this carefully
https://hashcat.net/forum/thread-3665.html, you will see that you only need -m 9710 to access the data.
Have a look at the list of steps under the "KDF" section
https://hashcat.net/forum/thread-3665-po...l#pid20935.
9710 is used to get the 5 bytes which are the main source of the overall encryption key of the document. Just look at steps 6-9. You only have to append 4 zero bytes, MD5 the result and use the 16 bytes as the 128 bit encryption key to decrypt the document.
atom already explained in the post that you do not need to use -m 9720 (and therefore steps 1-5) just to decrypt the data:
Quote: you will not need to do that unless you try to find the real password that was used (forensic stuff)
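Steps 6-9 as described in the post above, as an added worked example (not code from the thread or from hashcat): the 5-byte key recovered by -m 9710 is padded with 4 zero bytes (block number 0), MD5-hashed into a 128-bit RC4 key, and that key is then checked against the file's encrypted verifier the same way the collider mode does. It assumes the 97-2003 layout of a 16-byte EncryptedVerifier followed by a 16-byte EncryptedVerifierHash encrypted with one continuous keystream, with an MD5 verifier hash for "type 1"; all sample values are constructed.

```python
import hashlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def block_key(key5: bytes, block: int = 0) -> bytes:
    """Steps 6-9 from the thread: 5-byte key || 4-byte block number -> MD5 -> 128-bit RC4 key.
    For block 0 the appended bytes are the "4 zero bytes" the post mentions."""
    assert len(key5) == 5, "the intermediate key from -m 9710 is exactly 5 bytes"
    return hashlib.md5(key5 + block.to_bytes(4, "little")).digest()

def verify_key(key5: bytes, enc_verifier: bytes, enc_verifier_hash: bytes) -> bool:
    """What the collider mode checks: decrypt verifier + verifier hash with one RC4
    keystream (assumed layout) and test MD5(verifier) == verifier_hash."""
    plain = rc4(block_key(key5), enc_verifier + enc_verifier_hash)
    verifier, verifier_hash = plain[:16], plain[16:32]
    return hashlib.md5(verifier).digest() == verifier_hash

# Constructed sample: pretend this 5-byte value is what -m 9710 reported.
KEY5 = b"\x01\x02\x03\x04\x05"

def make_sample() -> tuple:
    """Build a constructed (EncryptedVerifier, EncryptedVerifierHash) pair for KEY5.
    Note the password never appears: any password colliding on KEY5 decrypts this."""
    verifier = b"constructed16byt"                       # 16 arbitrary bytes
    blob = rc4(block_key(KEY5), verifier + hashlib.md5(verifier).digest())
    return blob[:16], blob[16:32]

if __name__ == "__main__":
    ev, evh = make_sample()
    print("correct 5-byte key verifies:", verify_key(KEY5, ev, evh))
    print("wrong 5-byte key verifies:  ", verify_key(b"\x00" * 5, ev, evh))
```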
Posts: 803
Threads: 135
Joined: Feb 2011
Thanks philsmd for this explanation.
But as I said before (I hope) I am looking for "a" password - not necessarily the original one - just one working password for forensics as you quote it.
That's why I am using 9720 to find one collision, but my issue was that with one hash I get 'exhausted' without result.
Do you need the hash?
Posts: 803
Threads: 135
Joined: Feb 2011
MS Word <2003 is oldoffice so yes