Extracting hash values from MS Office files using John The Ripper on Linux


Part of the series (1 of 2) cracking password protected MS Office files.

When we encrypt a document such as xls, xlsx, docx etc., the password we use for encryption is usually kept (embedded) as a calculated hash inside the file itself. Hence, the most important thing here is to define the correct approach for detecting and extracting that hash.

What is hash?

A hash is the product of a piece of information, calculated using a hashing algorithm. Each hashing algorithm has a different calculation method, so their properties and calculation times vary. I prefer to keep this section short, as we will take a detailed look at it in another post.

MS Office hashing algorithm formats

For protected Office files, combined hashing algorithms are usually preferred. As they vary with the MS Office version, a hash belonging to MS Office 2013 will usually look like the following format:

MS Office <= 2003, MD5 + RC4 (oldoffice$0, oldoffice$1): `$oldoffice$1*04477077758555626246182730342136*b1b72ff351e41a7c68f6b45c4e938bd6*0d95331895e99f73ef8b6fbc4a78ac1a`

Detailed information on hashing algorithms and lists of varieties can be found here.

Extracting password hash from an Office file

In this section, we will use the following components to extract the hash of the encryption password. To extract the hash from an MS Office document, we need a Linux operating system (preferably Ubuntu), the office2john Python script, which can be found here, and John the Ripper, which must be installed on our Linux OS.

Step 1

If John the Ripper is not already installed, you can use the following commands to install it:

apt-get install john 

OR 

sudo apt-get install john -y

If it asks for your sudo password, enter it and the package will start downloading.

Step 2

Copy the office2john source code given previously and paste it into a plain text file. After saving and closing the file, rename it with a .py extension, which turns it into a Python file.

Also, in order to run John the Ripper properly, don't forget to check the Python version installed on your system. In my case, the version I'm running is Python version 3. If you are not sure about your version, you can check whether you are using Python 3 with the following code:

 

If the version is not the same, you can download it using `apt-get install python3` command from the terminal.

Step 3

Now we need to locate, in this order, the Python file containing the office2john code (office2john.py), the password-protected MS Office file (example.xlsx), and the text file (hash.txt) into which the extracted information will be written. This text file is created automatically during the extraction process, so we don't need to create it beforehand. (Also note that I keep all documents on the desktop for ease of use.)

For my case, the code will be as follows:


After this, the extracted hash will be immediately written into hash.txt and displayed as something similar to this inside your folder:
 


If you see this then you are good to move on and crack the password you may have long forgotten.
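A quick way to confirm that hash.txt holds a well-formed hash before moving on, as an added example that is not part of the original post or of office2john: it parses the `$oldoffice$` format shown above and, going beyond the page, the `$office$` layout used for 2007/2010/2013 files. The `filename:` prefix handling, the function name `parse_office_hash` and the constructed sample lines are assumptions.

```python
import re

HEX = re.compile(r"[0-9a-fA-F]+")
OLDOFFICE_ALGO = {"0": "MD5 + RC4", "1": "MD5 + RC4"}  # the row on this page
OFFICE_HASH_HEX = {"2007": 40, "2010": 64, "2013": 64}  # added: verifier-hash length

def _hex(name, value, length):
    if len(value) != length or not HEX.fullmatch(value):
        raise ValueError(f"{name}: expected {length} hex characters")
    return value.lower()

def parse_office_hash(line):
    """Split one office2john output line into labelled fields.
    Raises ValueError if hash.txt holds anything but a well-formed hash."""
    line = line.strip()
    tag = re.search(r"\$(oldoffice|office)\$", line)
    if not tag:
        raise ValueError("no $oldoffice$ or $office$ tag in line")
    # Assumption: text before the tag is office2john's "filename:" prefix.
    source = line[:tag.start()].rstrip(":") or None
    # Anything after the next ':' is trailing metadata, not hash material.
    f = line[tag.end():].split(":", 1)[0].split("*")
    if tag.group(1) == "oldoffice":
        if len(f) != 4 or f[0] not in OLDOFFICE_ALGO:
            raise ValueError("unsupported or malformed $oldoffice$ hash")
        return {"source": source, "format": "oldoffice$" + f[0],
                "algorithm": OLDOFFICE_ALGO[f[0]],
                "salt": _hex("salt", f[1], 32),
                "verifier": _hex("verifier", f[2], 32),
                "verifier_hash": _hex("verifier_hash", f[3], 32)}
    # $office$*<version>*<n>*<key bits>*<salt bytes>*salt*verifier*hash
    if len(f) != 8 or f[0] or f[1] not in OFFICE_HASH_HEX or not f[4].isdigit():
        raise ValueError("unsupported or malformed $office$ hash")
    return {"source": source, "format": "office$" + f[1],
            "key_bits": int(f[3]),
            "salt": _hex("salt", f[5], 2 * int(f[4])),
            "verifier": _hex("verifier", f[6], 32),
            "verifier_hash": _hex("verifier_hash", f[7], OFFICE_HASH_HEX[f[1]])}

# Hash from this page, with a filename prefix added as a constructed sample.
PAGE_SAMPLE = ("example.xlsx:$oldoffice$1*04477077758555626246182730342136"
               "*b1b72ff351e41a7c68f6b45c4e938bd6*0d95331895e99f73ef8b6fbc4a78ac1a")
# Constructed $office$ line; the field values are made up.
NEW_SAMPLE = "$office$*2013*100000*256*16*" + "*".join(["ab" * 16, "cd" * 16, "ef" * 32])

if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, NEW_SAMPLE):
        print(parse_office_hash(sample))
```

A `ValueError` here usually means hash.txt is empty or contains an error message rather than a hash, so the extraction step should be repeated before continuing.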
