In a similar spirit to an old post, where I compared the cracking speed of various GPUs and CPUs, however hopefully more useful (and shorter)…

My experience with MS Office passwords is that they do more harm than good – after several months the password is lost and the document meaningless.

Let’s a create an Office 2013 excel spreadsheet which is password-protected (“economist91”):

crack1

Now, imagine half a year has passed and we have forgotten the password.

We need to obtain a hash from this file (which we can then brute-force – just like the WPA example). The easiest way to do this is to download the “office2john.py” python script from here: https://github.com/kholia/RC4-40-brute-office – otherwise this would be a lot more difficult!

We run the script like so:

> python office2john.py protected_book.xlsx

And the script returns the hash:

protected_book.xlsx:$office$*2013*100000*256*16*d1…

We need to do two things now:

  1. Specify what the hash-type is
  2. Specify the type of attack to use to crack the hash

First, we can see from the output that the hash is from a MS Office 2013 file – to get the correct flag to pass we can try:

> cudaHashcat64 –help

hash

Hence, we will use the flag:

-m 9600

to identify the hash-type as “MS Office 2013”

Second, I want to perform a dictionary attack using the infamous “rockyou.txt” wordlist, from the ‘attack modes’ listed:

attck

I will thus use:

-a 0 

Putting all of this together ->

cudaHashcat64.exe -a 0 -m 9600 –username “protected_book.xlsx:$office$*2013*100000*256*16*d1…” “rockyou.txt”

crack3

After around 6 minutes (because I picked a password a bit higher up in the dictionary list) we crack it:

crack4

With a speed of 4,700 hashes per second on the Nvidia GTX 980 it would take us just 50 minutes to try all the 14 mill common passwords in the wordlist.