Recently, during a forensic analysis on a laptop of an employee charged with corporate espionage, I’ve carved from disk a suspicious Excel file.
Obviously, the file was password protected, and I had to find a way to read it.
I did it,and now i’d like to share workflow for XLSX cracking.
What tools do i use?
The encryption algorithm of encrypted Microsoft Excel files is 40bit RC4.
As it is encrypted nothing could be tweaked by opening the document with a hex editor.
The correct way is to extract the password hash from the file and then cracking it using John The Ripper.
For this purpose, you need to get a ‘jumbo’ build of John The Ripper, that supports Office files cracking.
First, clone the git repository:
$ git clone https://github.com/magnumripper/JohnTheRipper.git
Then compile the sources:
$ cd JohnTheRipper/src
$ ./configure && make
If everything goes well, the executables for John and its related utilities will be created under “../run/”.
Now, under “run” you can also find a python script, office2john.py: you can use it for extract the hash from the encrypted XLSX file:
$ python office2john.py ./test.xlsx > hash.txt
$ cat hash.txt
Finally, you can start a bruteforce session with John The Ripper, maybe using a specific wordlist:
$ john --rules --wordlist=yourwordlist.txt hash.txt
Now, make a cup of coffee, sit back and wait for John to do its thing.