Cracking Password Protected Excel Documents

Cyber security + Penetration Testing krptyk October 16, 2023

Background

Recently, someone approached me with a predicament: they had forgotten the password to an essential Excel document and wondered if there was any way to recover the data or the document’s password. In this case, there is indeed a solution, provided the password isn’t an ultra-secure combination of 16 characters, comprising uppercase, lowercase, special characters, and digits. Luckily for us in the industry, this generally isn’t the case. I’m looking at you, 8-character passwords with the first letter being a capital and ending in a number and “!”. Don’t worry, we’re all guilty of doing this at some point.

So let’s say you’ve forgotten the password to your Excel document; what are your options? In this case I am not talking about password-protected sheets within the Excel document (there’s a very easy solution to getting access to those sheets); I am talking about a password-protected document.

Let’s go through the lifecycle of this process.

Step 1: Create the Excel sheet with your super secret information inside

Step 2: Password protect the Excel document

  1. Select File > Info.
  2. Select the Protect Workbook box and choose Encrypt with Password.
  3. Enter a password in the Password box, and then select OK.
  4. Confirm the password in the Re-enter Password box, and then select OK.

In our case we set a super secure password of “Password1”.

Step 3: Check our password protection has been applied:

Great, our Excel doc is now password protected; let’s get to the real reason we’re all here.

Step 4: Convert the hash to a Hashcat crackable format

Download the office2hashcat.py code to the machine you will be cracking the password on. The code is located here.

Now that you have downloaded the Python code, we can get the hash of the Excel document’s password with the following command:

python2 office2hashcat.py <Path to our password protected excel document>

Save the hash output in a file called Excel.hash

Now that we have the hash in Hashcat format, let’s look up what mode this will use in the Hashcat example hashes sheet.

Mode 9600 matches the hash that was output by the Python command.
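The mode lookup from Step 4 can also be done in code. The following is an added example, not part of office2hashcat.py or Hashcat: it parses a `$office$` hash line, validates its fields, and returns the matching mode from the example-hashes table. The function names and the sample hash are constructed for illustration.

```python
import re

# Hashcat modes for "$office$" hashes, per Hashcat's example-hashes table.
MODES = {"2007": 9400, "2010": 9500, "2013": 9600}
HEX = re.compile(r"[0-9a-fA-F]+")


def parse_office_hash(line):
    """Split one "$office$*..." line into fields and pick the Hashcat mode."""
    start = line.find("$office$")
    if start < 0:
        raise ValueError("not a $office$ hash (legacy files use $oldoffice$)")
    parts = line[start:].strip().split("*")
    if len(parts) != 8:
        raise ValueError("expected 8 '*'-separated fields, got %d" % len(parts))
    _, version, third, key_bits, salt_len, salt, verifier, verifier_hash = parts
    if version not in MODES:
        raise ValueError("unknown Office version field: %r" % version)
    for name, value in (("salt", salt), ("verifier", verifier),
                        ("verifier hash", verifier_hash)):
        if not HEX.fullmatch(value):
            raise ValueError("%s is not hex" % name)
    if len(salt) != 2 * int(salt_len):
        raise ValueError("salt length does not match the declared size")
    return {
        "version": version,
        "mode": MODES[version],
        # For 2010/2013 the third field is the KDF spin count; the 2007
        # format stores the verifier hash size there instead.
        "spin_count": int(third) if version != "2007" else None,
        "key_bits": int(key_bits),
    }


def hashcat_command(line, hash_file="Excel.hash", wordlist="rockyou.txt"):
    """Build the dictionary-attack command from Step 5 for this hash."""
    info = parse_office_hash(line)
    return "hashcat -a 0 -m %d %s %s" % (info["mode"], hash_file, wordlist)


# Constructed sample (placeholder hex, not a real document's hash).
SAMPLE = "$office$*2013*100000*256*16*" + "*".join(
    ["ab" * 16, "cd" * 16, "ef" * 32])

if __name__ == "__main__":
    print(parse_office_hash(SAMPLE))
    print(hashcat_command(SAMPLE))
```

The spin count it reports (100000 in the sample) is the number of hash iterations behind every single password guess, which is why this format cracks slowly.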

Step 5: Cracking the hash

Now that we have the hash of the password extracted from the Excel document, we can begin the process of cracking it with Hashcat. In this case I will be using Kali Linux, which comes with Hashcat preinstalled. To get the Hashcat help menu, open your terminal (Ctrl + Alt + T) and then enter:

hashcat -h

This will print a lot of information on how to use Hashcat, but in case you aren’t interested in understanding how Hashcat works, I will give you the command to get this to work. In this case we won’t use mask attacks / brute forcing (it is quite slow on this encryption algorithm, especially in a VM; for client-related work we will push serious computational power towards the process), so we will use a dictionary attack. The wordlist I’ll use in this case is the rockyou.txt wordlist.

Open your terminal (Ctrl + Alt + T) and run the following command (in this example I shortened the wordlist for brevity):

hashcat -a 0 -m 9600 <path to Excel.hash> <path to rockyou.txt>

So the command will look like:

hashcat -a 0 -m 9600 Excel.hash rockyou.txt

Success – we were able to crack the password, as we can see it is “Password1”

If you need to get the password again at a later date, you can pull it from the potfile. The potfile on the standard Kali image is located at:

/home/kali/.local/share/hashcat/hashcat.potfile

Otherwise it will be in your hashcat folder as the hashcat.potfile file. To get the contents, simply type the following:

cat /home/kali/.local/share/hashcat/hashcat.potfile

Now that we have successfully retrieved the password that was used to protect the document, we can open it, view all the information inside, and get access to our Excel document again.

Written by: krptyk
