Cracking Microsoft Excel Documents using John The Ripper

Recently, during a forensic analysis of a laptop belonging to an employee charged with corporate espionage, I carved a suspicious Excel file from the disk.

Obviously, the file was password protected, and I had to find a way to read it.

I did it, and now I’d like to share my workflow for XLSX cracking.

What tools do I use?

The encryption algorithm of encrypted Microsoft Excel files is 40-bit RC4.
Because the file is encrypted, nothing can be tweaked by opening the document in a hex editor.

The correct way is to extract the password hash from the file and then crack it using John The Ripper.

For this purpose, you need a ‘jumbo’ build of John The Ripper, which supports cracking Office files.

First, clone the git repository:

$ git clone https://github.com/magnumripper/JohnTheRipper.git

Then compile the sources:

$ cd JohnTheRipper/src

$ ./configure && make

If everything goes well, the executables for John and its related utilities will be created under “../run/”.

Under “run” you can also find a Python script, office2john.py, which you can use to extract the hash from the encrypted XLSX file:

$ python office2john.py ./test.xlsx > hash.txt

$ cat hash.txt
test.xlsx:$office$*2010*100000*128*16*b1203fe2e498cec4d5452e1d0aea3775*cd130baf73f5de29ec3744c8f883b873*aeeeffa8673fde485a013d6b9c367a3ef40a357ed7f111e17b2a13e3339ec69

Finally, you can start a brute-force session with John The Ripper, optionally using a specific wordlist:

$ john --rules --wordlist=yourwordlist.txt hash.txt 

Now, make a cup of coffee, sit back and wait for John to do its thing.
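Before committing hours to a session, it is worth checking that the line in hash.txt is well formed, since a copy-paste or rendering step can drop the `*` separators or truncate a field. The following is an added example, not part of the original post or of John The Ripper; the field names (spin count, key bits, salt size) and the length checks are assumptions that apply to the 2010/2013 layout shown above, and the sample lines are constructed.

```python
import re
from dataclasses import dataclass

HEX = re.compile(r"^[0-9a-fA-F]*$")

@dataclass
class OfficeHash:
    label: str          # file name prefix written by office2john.py
    version: str        # e.g. "2010"
    spin_count: int     # key-derivation iterations (assumed field name)
    key_bits: int       # cipher key size (assumed field name)
    salt_size: int      # salt length in bytes (assumed field name)
    salt: str
    verifier: str
    verifier_hash: str

def parse_office_hash(line: str) -> OfficeHash:
    """Split one 'label:$office$*...' line into named fields."""
    # rpartition keeps labels that contain ':' (e.g. Windows paths) intact.
    label, sep, body = line.strip().rpartition(":$office$*")
    if not sep:
        raise ValueError("no ':$office$*' marker found (separators stripped?)")
    parts = body.split("*")
    if len(parts) != 7:
        raise ValueError(f"expected 7 '*'-separated fields, got {len(parts)}")
    version, spin, bits, salt_size, salt, verifier, vhash = parts
    return OfficeHash(label, version, int(spin), int(bits), int(salt_size),
                      salt, verifier, vhash)

def problems(h: OfficeHash) -> list[str]:
    """Return a list of length/charset issues; empty means the line looks sane."""
    if h.version not in {"2010", "2013"}:
        return [f"version {h.version}: lengths not checked by this example"]
    issues = []
    for name, value, want in (("salt", h.salt, 2 * h.salt_size),
                              ("verifier", h.verifier, 32),
                              ("verifier_hash", h.verifier_hash, 64)):
        if not HEX.match(value):
            issues.append(f"{name}: non-hex characters")
        elif len(value) != want:
            issues.append(f"{name}: {len(value)} hex chars, expected {want}")
    return issues

# Constructed sample lines (not real hashes).
GOOD = "test.xlsx:$office$*2010*100000*128*16*" + "0a" * 16 + "*" + "1b" * 16 + "*" + "2c" * 32
TRUNCATED = GOOD[:-1]             # last field one character short
STRIPPED = GOOD.replace("*", "")  # separators lost in rendering

if __name__ == "__main__":
    print(parse_office_hash(GOOD), problems(parse_office_hash(TRUNCATED)))
```
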

