MS Office Instant decryption
#1
Hello,

I wonder how some tools (Passware, for example) can claim on their website to "instantly decrypt" Office files (version < 2003, 40-bit encryption).

Then I saw their secret, I guess, which is "Decryptum Portable: a set of rainbow tables that allow instant decryption of Word and Excel files up to v.2003 with Rainbow Tables".

What do you think about that?
Would it be possible to implement this kind of attack in hashcat for old Office hashes?
Once one has the rainbow tables, I guess the attack will be hugely fast?

Thank you for your advice.
Reply
#2
The 40-bit cracking is guaranteed in hashcat as well, and it's just a few minutes on GPU.
Reply
#3
"Few minutes"? Are you sure? It takes 10 hours on my 1080.
Using
Code:
hashcat64.exe -m 9700 --keep-guessing -a 3  hash.txt ?a?a?a?a?a?a
Am I doing something wrong?
Reply
#4
because you probably should use the collider mode 9710 (with mask ?b?b?b?b?b) for instant access to the data
Reply
#5
(08-21-2017, 08:58 AM)philsmd Wrote: because you probably should use the collider mode 9710 (with mask ?b?b?b?b?b) for instant access to the data

Here's a post by Atom with a more detailed explanation -> https://hashcat.net/forum/thread-3665.html . And it does mention: "...Problem is that in theory even by iterating through 2^40 combinations it's not guaranteed to find at least one matching one. But I believe there's still a good chance as it's only the first 5 byte we need to collide..."

So collider mode MIGHT not work 100% of the time if I am reading this correctly. Still, it's quick to try, so why do it the hard way if you don't have to.
Reply
#6
(08-18-2017, 10:02 AM)atom Wrote: The 40 bit cracking is guaranteed in hashcat as well and it's just a few minutes on GPU.

Does this trick work on Office 2007 and later?
Reply
#7
(08-26-2017, 11:10 AM)irispurs Wrote: Does this trick work on Office 2007 and later?

MS Office encryption is much more secure from version 2007 - AES was used instead of RC4, so there is no such trick anymore.
Reply
#8
(08-21-2017, 08:58 AM)philsmd Wrote: because you probably should use the collider mode 9710 (with mask ?b?b?b?b?b) for instant access to the data

Back to my tests, I have an oldoffice "type 1" for which I have the RC4 key thanks to -m 9710.
When I want to find collisions with -m 9720 with the ?a mask, it fails to find one collision (cmd: hashcat64 -m 9720 --username -a 3 -w 3 -o result -1 ?a hash ?1?1?1?1?1?1?1).
I guess I have to try the ?b mask, but it will take 200 days to complete! -> not quite instant.

I also have several "type 3" oldoffice hashes where I can't even find the RC4 key (attack -m 9810 with ?b?b?b?b?b: exhausted without result).
Again, it's not quite instant ^^

Any idea why? I can share the hashes in private to reproduce if needed.

Thanks.
Reply
#9
If you read this carefully https://hashcat.net/forum/thread-3665.html, you will see that you only need -m 9710 to access the data.
Have a look at the list of steps under the "KDF" section https://hashcat.net/forum/thread-3665-po...l#pid20935.
9710 is used to get the 5 bytes which are the main source of the overall encryption key of the document. Just look at steps 6-9. You only have to append 4 zero bytes, MD5 the result and use the 16 bytes as the 128-bit encryption key to decrypt the document.

atom already explained in the post that you do not need to use -m 9720 (and therefore steps 1-5) just to decrypt the data:
Quote: you will not need to do that unless you try to find the real password that was used (forensic stuff)
Reply
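The key schedule that post #9 summarizes (steps 1-5 from the password to a 5-byte key, steps 6-9 from those 5 bytes to the 128-bit RC4 key), together with the collider logic from posts #4 and #5, as an added worked example. This is not hashcat's code and not the forum author's; the salt, verifier and document bytes are constructed here, and function names such as `intermediate_key`, `block_key` and `decrypt_with_key5` are this example's own.

```python
"""
MS Office <= 2003 RC4/MD5 ("oldoffice" $0/$1) key schedule, worked through.
Added example, not hashcat's code; sample salt/verifier/body are constructed.
"""
import hashlib
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then PRGA XOR. One fresh keystream per call."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def intermediate_key(password: str, salt: bytes) -> bytes:
    """Steps 1-5 (the part -m 9700 / -m 9720 iterate): password -> 5 bytes.
    H0 = MD5(UTF-16LE(pw))[:5]; H1 = MD5((H0 || salt) * 16); key5 = H1[:5].
    Only 40 bits survive, so -m 9710 can brute-force key5 directly (2^40)."""
    h0 = hashlib.md5(password.encode("utf-16-le")).digest()[:5]
    h1 = hashlib.md5((h0 + salt) * 16).digest()
    return h1[:5]


def block_key(key5: bytes, block: int = 0) -> bytes:
    """Steps 6-9: MD5(key5 || block number as 4-byte LE) is the 128-bit RC4 key.
    Block 0 is what the verifier uses; the document body is re-keyed per
    block as the Word/Excel file-format specs describe (block sizes differ)."""
    return hashlib.md5(key5 + struct.pack("<I", block)).digest()


def check_verifier(key5: bytes, enc_verifier: bytes, enc_verifier_hash: bytes) -> bool:
    """True when key5 opens the file. The keystream is NOT reset between the
    two fields: 16-byte verifier, then its 16-byte MD5, from one RC4 stream."""
    stream = rc4(block_key(key5, 0), enc_verifier + enc_verifier_hash)
    verifier, verifier_hash = stream[:16], stream[16:32]
    return hashlib.md5(verifier).digest() == verifier_hash


def parse_hash_line(line: str):
    """Parse hashcat's $oldoffice$<type>*<salt>*<verifier>*<verifierhash>."""
    if not line.startswith("$oldoffice$"):
        raise ValueError("not an oldoffice hash line")
    typ, salt, ver, ver_hash = line[len("$oldoffice$"):].split("*")
    return int(typ), bytes.fromhex(salt), bytes.fromhex(ver), bytes.fromhex(ver_hash)


def decrypt_with_key5(key5: bytes, ciphertext: bytes, block: int = 0) -> bytes:
    """The 'instant decrypt' path: no password needed, only the 5 bytes."""
    return rc4(block_key(key5, block), ciphertext)


# --- constructed sample: a fake document protected with password "hashcat" ---
SAMPLE_PASSWORD = "hashcat"
SAMPLE_SALT = bytes(range(16))          # constructed, not taken from a real file
SAMPLE_VERIFIER = b"\xa5\x5a" * 8       # constructed 16-byte verifier
SAMPLE_BODY = b"Block 0 of a constructed document, nothing real inside."


def build_sample():
    """Return a hashcat-style hash line plus the RC4-encrypted sample body."""
    key5 = intermediate_key(SAMPLE_PASSWORD, SAMPLE_SALT)
    k0 = block_key(key5, 0)
    enc = rc4(k0, SAMPLE_VERIFIER + hashlib.md5(SAMPLE_VERIFIER).digest())
    hash_line = "$oldoffice$1*%s*%s*%s" % (SAMPLE_SALT.hex(), enc[:16].hex(), enc[16:].hex())
    return hash_line, rc4(k0, SAMPLE_BODY)


def demo():
    """Walk the thread's two paths: collide a password (9720-style check)
    versus decrypt straight from key5 (9710-style)."""
    hash_line, enc_body = build_sample()
    _, salt, ev, evh = parse_hash_line(hash_line)
    key5 = intermediate_key(SAMPLE_PASSWORD, salt)      # what -m 9710 would hand back
    # Any password whose intermediate_key equals key5 is a valid collision;
    # a random guess almost never is, hence the 2^40 search in collider #2.
    collides = intermediate_key("not-the-password", salt) == key5
    return hash_line, key5.hex(), check_verifier(key5, ev, evh), collides, decrypt_with_key5(key5, enc_body)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Feeding the 5-byte key recovered by -m 9710 into `decrypt_with_key5` is the whole "instant" trick: the password never has to be known. Finding a password that produces the same 5 bytes (what -m 9720 does) is a separate 2^40-sized search, which is why a `?a` mask of limited length can exhaust without a hit while the data is already readable.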
#10
Thanks philsmd for this explanation.
But as I said before (I hope) I am looking for "a" password - not necessarily the original one - just one working password for forensics as you quote it.
That's why I am using 9720 to find one collision, but my issue was that with one hash I get 'exhausted' without result.
Do you need the hash?
Reply