I regularly get asked about Office documents and forgotten passwords. The question is "I have set a password on my Office document and I cannot remember what it is", followed by "Can you help me?"
Well, the answer to that is yes, possibly: if you have set a very insecure or sub-optimal password, then there is a high chance that the toolset "John the Ripper" combined with "Hashcat" can recover this password.
I will be using Kali, as the toolset comes pre-installed, but ensure you update the packages anyway with this:
sudo apt update
sudo apt install john -y
sudo apt install hashcat -y
Office Hash
Next we need to get the hash from the file we are recovering. First up are Office documents protected with a password that you do not know; for these we need the "office2john" Python script, as below:
Excel : python3 /usr/share/john/office2john.py protected.xlsx > hash.txt
Word : python3 /usr/share/john/office2john.py protected.docx > hash.txt
PowerPoint : python3 /usr/share/john/office2john.py protected.pptx > hash.txt
This script works with encrypted files from Microsoft Office versions:
- Office 2007
- Office 2010
- Office 2013+
PST Hash
Yes, you can also set a password on your PST file, and people forget that too; if it's a password, people will forget it (unless they use a password manager).
To recover hashes from password-protected Outlook PST files you need "pst2john":
python3 /usr/share/john/pst2john.py protected.pst > hash.txt
Confirm the Hash
When you run these utilities you will end up with a hash.txt file, which will look something like this:
protected.xlsx:$office$*2013*100000*256*16*2e2692af08f912da688cd6f25d2320ea*ea4794c89442f4efb428b13dc0b668b2*192f0a814ceb226f87520fb36fd38e982fc2fe3f92eb6d67278ed33d8d588807
We now need to clean this file into a format that Hashcat can work with, which in this example means removing the protected.xlsx prefix from the start of hash.txt with the command below:
Note : Replace protected.xlsx with the name of your actual file
sed 's/^protected.xlsx://' hash.txt > hashcat_hash.txt
$office$*2013*100000*256*16*2e2692af08f912da688cd6f25d2320ea*ea4794c89442f4efb428b13dc0b668b2*192f0a814ceb226f87520fb36fd38e982fc2fe3f92eb6d67278ed33d8d588807
If you have not already done so, you need to extract the "rockyou" password list from its compressed (gzip) state to a plain txt file with the command below:
sudo gzip -d /usr/share/wordlists/rockyou.txt.gz
This will result in a file with the full path as shown below:
/usr/share/wordlists/rockyou.txt
Using hashcat to Recover the Password
Office 2007+:
hashcat -m 9400 hashcat_hash.txt /usr/share/wordlists/rockyou.txt
Office 2010:
hashcat -m 9500 hashcat_hash.txt /usr/share/wordlists/rockyou.txt
Office 2013+:
hashcat -m 9600 hashcat_hash.txt /usr/share/wordlists/rockyou.txt
Office PSTs:
hashcat -m 8800 hashcat_hash.txt /usr/share/wordlists/rockyou.txt
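The cleaning step and the choice of -m value for Office documents can be checked in one pass. This is an added example, not part of the original post or of John the Ripper: it strips whatever file name prefix office2john wrote and picks the mode from the version field, using the mode numbers listed above. The helper name parse_office_hash and the field names are assumptions made for illustration.

```python
# Added example: parse an office2john line and choose the hashcat mode.
# Mode numbers are the ones used on this page; field names are assumptions.
HASHCAT_MODES = {"2007": 9400, "2010": 9500, "2013": 9600}

# Constructed sample: the hash.txt line shown earlier on this page.
SAMPLE = ("protected.xlsx:$office$*2013*100000*256*16*"
          "2e2692af08f912da688cd6f25d2320ea*"
          "ea4794c89442f4efb428b13dc0b668b2*"
          "192f0a814ceb226f87520fb36fd38e982fc2fe3f92eb6d67278ed33d8d588807")


def parse_office_hash(line):
    """Split 'filename:$office$*...' into file name, bare hash and fields."""
    line = line.strip()
    start = line.find("$office$*")
    if start == -1:
        raise ValueError("no $office$ hash found in this line")
    # Everything before the hash is the file name plus ':'; any name works,
    # so no per-file sed expression is needed.
    filename = line[:start].rstrip(":")
    bare = line[start:]
    parts = bare.split("*")
    if len(parts) != 8:
        raise ValueError("expected 8 '*'-separated fields, got %d" % len(parts))
    _, version, second, key_bits, salt_len, salt, verifier, verifier_hash = parts
    if version not in HASHCAT_MODES:
        raise ValueError("unsupported Office version field: " + version)
    for value in (salt, verifier, verifier_hash):
        bytes.fromhex(value)  # raises ValueError on truncated or non-hex data
    if len(salt) != 2 * int(salt_len):
        raise ValueError("salt length does not match the declared size")
    return {
        "filename": filename,
        "hash": bare,
        "version": version,
        "mode": HASHCAT_MODES[version],
        # For 2010/2013 the second field is the iteration count, which is
        # what makes each guess slow; 2007 stores a size there instead.
        "iterations": int(second) if version != "2007" else None,
        "key_bits": int(key_bits),
    }


if __name__ == "__main__":
    info = parse_office_hash(SAMPLE)
    print(info["hash"])
    print("hashcat -m %d hashcat_hash.txt /usr/share/wordlists/rockyou.txt"
          % info["mode"])
```

The iteration count in the sample (100000) is also why a weak password is the only realistic target: every candidate from the wordlist costs that many hash rounds.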
hashcat magic in progress
You now need to wait for hashcat to recover the password; currently, with a CPU only, I am looking at 10 hours to recover this password.
The success of the recovery will depend on the password used, your processing power (CPU/GPU) and the time you are willing to wait for this to complete. Another idea would be not to set a password that you then forget.