Recently, during a forensic analysis on a laptop of an employee charged with corporate espionage, I've carved from disk a suspicious Excel file.



Obviously, the file was password protected, and I had to find a way to read it.

I did it,and now i'd like to share workflow for XLSX cracking.

What tools do i use?

The encryption algorithm of encrypted Microsoft Excel files is 40bit RC4.
As it is encrypted nothing could be tweaked by opening the document with a hex editor.

The correct way is to extract the password hash from the file and then cracking it using John The Ripper.

For this purpose, you need to get a 'jumbo' build of John The Ripper, that supports Office files cracking.

First, clone the git repository:

$ git clone https://github.com/magnumripper/JohnTheRipper.git

Then compile the sources:

$ cd JohnTheRipper/src

$ ./configure && make

If everything goes well, the executables for John and its related utilities will be created under "../run/".

Now, under "run" you can also find a python script, office2john.py: you can use it for extract the hash from the encrypted XLSX file:

$ python office2john.py ./test.xlsx > hash.txt

$ cat hash.txt
test.xlsx:$office$201010000012816b1203fe2e498cec4d5452e1d0aea3775cd130baf73f5de29ec3744c8f883b873*aeeeffa8673fde485a013d6b9c367a3ef40a357ed7f111e17b2a13e3339ec69

Finally, you can start a bruteforce session with John The Ripper, maybe using a specific wordlist:

$ john --rules --wordlist=yourwordlist.txt hash.txt

Now, make a cup of coffee, sit back and wait for John to do its thing.

References