Microsoft Office files can be password-protected in order to prevent tampering and ensure data integrity. But password-protected documents from earlier versions of Office are susceptible to having their hashes extracted with a simple program called office2john. Those extracted hashes can then be cracked using John the Ripper and Hashcat.
Extracting the hash from a password-protected Microsoft Office file takes only a few seconds with the office2john tool. While the encryption standard across different Office products fluctuated throughout the years, none of them can stand up to office2john's hash-stealing abilities.
This tool is written in Python and can be run right from the terminal. As for Office compatibility, it's known to work on any password-protected file from Word, Excel, PowerPoint, OneNote, Project, Access, and Outlook that was created using Office 97, Office 2000, Office XP, Office 2003, Office 2007, Office 2010, and Office 2013, including the Office for Mac versions. It may not work on newer versions of Office, though note that a DOCX we saved in Office 2016 was labeled as an Office 2013 file.
To get started, we'll need to download the tool from GitHub since office2john is not included in the standard version of John the Ripper (which should already be installed in your Kali system). This can easily be accomplished with wget.
In order to run office2john with Python, we will need to change into the same directory that it was installed into. For most of you, this will be Home by default (just enter cd), but feel free to create a separate directory.
Next, we need an appropriate file to test this on. I am using a simple DOCX file named "dummy.docx" that I created and password-protected with Word 2007. Download it to follow along. The password is "password123" as you'll find out. You can also download documents made with Word 2010 and Word 2016 (that shows up as 2013) to use for more examples. Passwords for those are also "password123."
Set the --wordlist flag to the location of your favorite word list. The one that is included with Nmap will do for our purposes here, but for tougher passwords, you may want to go with a more extensive word list.
John will start cracking and, depending on the password complexity, will finish when a match is found. Press almost any key to view the current status. When the hash is cracked, a message will be displayed on-screen with the document's password. Since our password was pretty simple, it only took seconds to crack it.
We can begin by displaying the help menu (--help) for Hashcat. This will provide us with a wealth of information including usage options, hash modes, and other features. There is a ton of information here, so I won't show the output, but you should dive into it if you really want to know Hashcat.
From the output, we're just interested in the MS Office hash modes. Near the bottom of the help menu, we will find the MS Office mode options and their corresponding numbers. We know from our hash that this is an Office 2007 file, so locate its mode number, 9400.
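The hash line office2john prints encodes which Office encryption scheme the file uses, and that is what decides the hashcat mode. The following Python script, added here as an illustration and not part of office2john, John the Ripper or hashcat, parses office2john output lines and reports the scheme, hash algorithm, iteration count and matching hashcat mode for each file. The sample lines are constructed in office2john's output format with made-up salt and verifier bytes; they do not correspond to any real document or password. The risk notes are the author's own defender-oriented summary of each scheme.

```python
"""Triage office2john output: identify which Office encryption scheme each
extracted hash comes from and map it to the matching hashcat mode.

Added example; not part of office2john, John the Ripper or hashcat. The
sample lines below are constructed (made-up salt/verifier bytes).
"""
import re

# hashcat mode numbers for the Office hash families (as listed in `hashcat --help`)
HASHCAT_MODES = {
    "2007": 9400,       # MS Office 2007
    "2010": 9500,       # MS Office 2010
    "2013": 9600,       # MS Office 2013 (also what the Office 2016 test file showed up as)
    "old-md5": 9700,    # MS Office <= 2003, $0/$1: MD5 + RC4
    "old-sha1": 9800,   # MS Office <= 2003, $3/$4: SHA-1 + RC4
}

# $office$*<ver>*<f1>*<f2>*<f3>*<salt>*<encVerifier>*<encVerifierHash>
#   2007:      f1 = verifierHashSize, f2 = keyBits, f3 = saltSize
#   2010/2013: f1 = spinCount,        f2 = keyBits, f3 = saltSize
MODERN = re.compile(
    r"^\$office\$\*(?P<ver>2007|2010|2013)\*(?P<f1>\d+)\*(?P<f2>\d+)\*(?P<f3>\d+)"
    r"\*(?P<salt>[0-9a-fA-F]+)\*(?P<ev>[0-9a-fA-F]+)\*(?P<evh>[0-9a-fA-F]+)$"
)
# $oldoffice$*<type>*<salt>*<encVerifier>*<encVerifierHash>[*optional extra fields]
LEGACY = re.compile(
    r"^\$oldoffice\$\*(?P<typ>[0134])\*(?P<salt>[0-9a-fA-F]+)"
    r"\*(?P<ev>[0-9a-fA-F]+)\*(?P<evh>[0-9a-fA-F]+)"
)

# Constructed sample lines in office2john's "filename:hash" output format.
SAMPLES = [
    "dummy.docx:$office$*2007*20*128*16*" + "0a" * 16 + "*" + "1b" * 16 + "*" + "2c" * 32,
    "dummy2010.docx:$office$*2010*100000*128*16*" + "0a" * 16 + "*" + "1b" * 16 + "*" + "2c" * 32,
    "dummy2016.docx:$office$*2013*100000*256*16*" + "0a" * 16 + "*" + "1b" * 16 + "*" + "2c" * 64,
    "legacy.doc:$oldoffice$*0*" + "0a" * 16 + "*" + "1b" * 16 + "*" + "2c" * 16,
]


def parse_hash_line(line):
    """Describe the encryption scheme behind one office2john output line.

    Accepts 'filename:$office$*...' (office2john's format) or a bare hash.
    Raises ValueError for anything that is not an Office hash.
    """
    line = line.strip()
    start = line.find("$office$")
    if start < 0:
        start = line.find("$oldoffice$")
    if start < 0:
        raise ValueError(f"not an office2john hash line: {line[:40]!r}")
    filename = line[:start].rstrip(":") or None
    body = line[start:]

    m = MODERN.match(body)
    if m:
        ver = m.group("ver")
        if len(m.group("salt")) != 2 * int(m.group("f3")):
            raise ValueError("salt length does not match the declared saltSize")
        if ver == "2007":
            # ECMA-376 "standard" encryption: fixed 50,000 SHA-1 rounds
            hash_alg, iterations = "SHA-1", 50_000
        else:
            # ECMA-376 "agile" encryption: the spinCount travels in the hash line
            hash_alg = "SHA-1" if ver == "2010" else "SHA-512"
            iterations = int(m.group("f1"))
        return {"filename": filename, "scheme": f"Office {ver}", "hash_alg": hash_alg,
                "iterations": iterations, "key_bits": int(m.group("f2")),
                "cipher": "AES", "hashcat_mode": HASHCAT_MODES[ver]}

    m = LEGACY.match(body)
    if m:
        typ = m.group("typ")
        md5_based = typ in ("0", "1")
        # Legacy schemes have no meaningful key stretching, so iterations is None;
        # the RC4 key length for $3/$4 is not recoverable from the hash line alone.
        return {"filename": filename, "scheme": f"Office 97-2003 (type {typ})",
                "hash_alg": "MD5" if md5_based else "SHA-1", "iterations": None,
                "key_bits": 40 if md5_based else None, "cipher": "RC4",
                "hashcat_mode": HASHCAT_MODES["old-md5" if md5_based else "old-sha1"]}

    raise ValueError(f"unrecognised Office hash format: {body[:40]!r}")


def risk_note(entry):
    """Defender-oriented summary: how much the scheme itself slows guessing."""
    if entry["cipher"] == "RC4":
        return "weak: legacy RC4 scheme with no key stretching; re-save in a current format"
    if entry["hash_alg"] == "SHA-1":
        return f"moderate: {entry['iterations']:,} SHA-1 rounds; password strength is the real defense"
    return f"strongest Office scheme: {entry['iterations']:,} SHA-512 rounds; still only as good as the password"


def triage(lines):
    """Parse every line, attach a risk note, and skip lines that are not Office hashes."""
    out = []
    for line in lines:
        try:
            entry = parse_hash_line(line)
        except ValueError:
            continue
        entry["risk"] = risk_note(entry)
        out.append(entry)
    return out


if __name__ == "__main__":
    for e in triage(SAMPLES):
        print(f"{e['filename']:<16} {e['scheme']:<24} -m {e['hashcat_mode']}  {e['risk']}")
```

Feed it the file you produced with office2john (one hash per line) instead of SAMPLES to get the same triage for real documents; anything office2john did not recognise as an Office hash is skipped rather than mis-assigned a mode.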
When it comes to password cracking of any kind, the best defense is to follow password best practices. This means using unique passwords that are long and not easily guessable. It helps to utilize a combination of upper and lowercase letters, numbers, and symbols, although recent research has shown that simply using long phrases with high entropy is superior. Even better are long, randomly generated passwords, which make cracking them nearly impossible.
As for this specific attack, it may not be effective against documents created in Microsoft Office 2016, 2019, or newer, since office2john is designed to work on earlier versions of Office. However, as you can see above, Office 2016 may very well spit out a 2013 document without the user even knowing, so it doesn't mean a "new" file can't be cracked. Plus, there are still plenty of older Microsoft Office documents floating around out there, and some organizations continue to use these older versions, making this attack still very feasible today.
Today, we learned that password-protected Microsoft Office files are not quite as secure as one would be led to believe. We used a tool called office2john to extract the hash of a DOCX file, and then cracked that hash using John the Ripper and Hashcat. These types of files are still commonly used today, so if you come across one that has a password on it, rest easy knowing that there is a way to crack it.
Hi, I think you are downloading the HTML page on GitHub as opposed to the actual tool. If you go to the page that's linked, click on the "Raw" button and then download, or use the exact URL I used with wget in the example.
Whether it works in Ubuntu 20.04 LTS (Focal Fossa) or only works in Kali Linux? I have an Excel file (2007) and tried it in Ubuntu 20.04 LTS with both options, i.e. john and hashcat. I got error messages with both options:
John the Ripper is password-cracking software used by penetration testers and cyber security experts. It is completely free. Initially it was made only for the Unix operating system, but now it can be used on several other platforms as well, such as Windows and macOS. It was first released in 1996 by Openwall. Its latest version is 1.9.0, which was released in 2019. It can crack passwords and automatically detects the hash type when passwords are stored as hashes rather than plain text, combining a number of strategies to crack them. It is mainly used to perform dictionary attacks and brute-force attacks on any system or application.
At work, I recently came across the need to crack a handful of MS Office files that someone had password protected. Of course, that person was no longer around, so the person who took over needed to figure out how to access these documents, and they asked the Security team for help.
The main issue I faced was extracting the password hash from the Office docs in question so that John the Ripper could have something to run against. Turns out there is a handy Python script you can use that does exactly this: office2john.py
You may not want to brute-force the SSH directly with user dennis. There is another service running on the machine. You may want to brute-force this service using the resources provided by HTB (user list and password list). Good luck.
You did crack the Samba password. The next step is to get a file from this Samba share. You cannot connect to the Samba share because you were using a command to connect to a Windows SMB share. This is a Linux box, so the directory uses a different slash.
The community version of John The Ripper on GitHub (the Jumbo version) has support for encrypted PDF files and Microsoft OLE2 files (Microsoft Compound Document File Format). These OLE2-format files can be docx, xlsx, Outlook messages, Image Composer, FlashPix files, etc. The mechanism is very simple: download the code from the GitHub repository, compile it, extract the hashes from the encrypted documents with office2john (PDF) and office2john (Office) into a file, and run John on that file.
This post will cover a little Excel macro project by @0x23353435 and me. It was made during an engagement in a customer's environment. They were using a password-protected Excel file as a password manager. This post will show how to attack such scenarios and why people should not use this method for password storage.
Excel gives users the option of assigning a password to the sheet so that it is protected from unauthorized access. This can be done under the File -> Info -> Protect Workbook -> Encrypt with Password tab:
0x23353435 and I were in a customer's environment for an internal penetration test earlier this year. In order to make the criticality of the found vulnerabilities clear, we usually show the customer the worst case, if agreed. With the highest privileges, it is just a matter of time before the attacker reaches his given goal. We had already achieved the goals from Domain Administrator to Global Admin for the Azure cloud and access to protected networks. However, we had not managed to gain access to the password manager of the internal IT. Accordingly, access to firewalls, switches, etc. was not yet ensured. We had already found out, though, that a password-protected Excel file is used for these passwords. It was located in the file server's network share of the administrators' team. Only group members of their team had read and write permissions here. We had some administrators' credentials at this point, so we also had write permissions on this share. Our first attempt to access the missing passwords took place using office2john.py. Getting a crackable hash from the protected Excel file is as simple as follows:
If the set password is not complex enough, it can be cracked with john or hashcat using the generated hash. We did not succeed in cracking the password for the Excel password manager, because a complex password had been chosen. We had one more day to gain access to the file and thus the remaining passwords. So in the evening we sat down with a few beers in the hotel and brainstormed about how we could get access to the remaining passwords. Another way to get access would have been to compromise the administrators' client computers, connect them to our C2 server, and capture the password via keylogger. However, this way is quite noisy, as all admins would need to be compromised at the same time. After all, we did not know which person opens the file and when. Our consideration was therefore to replace the Excel password manager with a separate Excel file containing a self-written macro. This phishing file should behave the same as the password-protected Excel file and send the password to our attacker system.