Crack MS Office 2003-2013 passwords with Hashcat

1. Download office2john
2. Run office2john

office2john.py ok.docx

3. Download Hashcat
4. Run hashcat

We now have the hash string from office2john, so we can start cracking it with hashcat.


-a, --attack-mode              | Num  | Attack-mode, see references below
-m, --hash-type                | Num  | Hash-type, see references below
-i, --increment                |      | Enable mask increment mode
-1, --custom-charset1          | CS   | User-defined charset ?1                              | -1 ?l?d?u
-2, --custom-charset2          | CS   | User-defined charset ?2                              | -2 ?l?d?s
-3, --custom-charset3          | CS   | User-defined charset ?3                              |
-4, --custom-charset4          | CS   | User-defined charset ?4                              |

- [ Attack Modes ] -

  # | Mode
 ===+======
  0 | Straight
  1 | Combination
  3 | Brute-force
  6 | Hybrid Wordlist + Mask
  7 | Hybrid Mask + Wordlist

- [ Built-in Charsets ] -

  ? | Charset
 ===+=========
  l | abcdefghijklmnopqrstuvwxyz
  u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
  d | 0123456789
  h | 0123456789abcdef
  H | 0123456789ABCDEF
  s |  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
  a | ?l?u?d?s
  b | 0x00 - 0xff

- [ Basic Examples ] -

  Attack-          | Hash- |
  Mode             | Type  | Example command
 ==================+=======+==================================================================
  Wordlist         | $P$   | hashcat -a 0 -m 400 example400.hash example.dict
  Wordlist + Rules | MD5   | hashcat -a 0 -m 0 example0.hash example.dict -r rules/best64.rule
  Brute-Force      | MD5   | hashcat -a 3 -m 0 example0.hash ?a?a?a?a?a?a
  Combinator       | MD5   | hashcat -a 1 -m 0 example0.hash example.dict example.dict

Examples:

hashcat64.exe -a 3 -m 9600 "$office$*2013*100000*256*16*04fcfd77d02d20ce7a2203ad9fed844a*0a3c0c0ba3fbe431b4334253498aef6c*b6898f2ba067baa5a6fa20e07a1df4ba55a2c559cf60f21f0ac5c156633d5094" --force

hashcat64.exe -a 3 -m 0 md5.txt -o result.txt ?1?1?1?1?1 -1 ?d --force

hashcat64.exe -a 3 -m 9600 hash.txt -o result.txt ?1?1?1?1?1?1?1?1?1 -1 ?l?s

hashcat64.exe -a 3 -m 9600 hash.txt -o result.txt ?1?1?1?1?1?1?1?1?2 -1 ?l?s -2 ?l

There are many options and hash modes you can choose from.
Just run hashcat --help to see all the options.
You can use hashcat to crack many different hash modes/files such as MD5, PDF, ZIP, Office, WPA/WPA2, etc.
Easy and short passwords can easily be cracked within minutes or even seconds.

Office hash mode options

   9700 | MS Office <= 2003 $0/$1, MD5 + RC4               | Documents
   9710 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #1  | Documents
   9720 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #2  | Documents
   9800 | MS Office <= 2003 $3/$4, SHA1 + RC4              | Documents
   9810 | MS Office <= 2003 $3, SHA1 + RC4, collider #1    | Documents
   9820 | MS Office <= 2003 $3, SHA1 + RC4, collider #2    | Documents
   9400 | MS Office 2007                                   | Documents
   9500 | MS Office 2010                                   | Documents
   9600 | MS Office 2013                                   | Documents
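
The hash line that office2john prints already says which row of the table applies. The following is an added example (not part of the original post and not code from hashcat or John the Ripper) that parses such a line, returns the matching mode number from the table, and flags the legacy RC4 formats, which is useful when triaging which documents still rely on Office <= 2003 encryption. The field names (spin count, key size, salt size) and the handling of the `filename:` prefix are assumptions based on the layout of the sample hash above; the `$oldoffice$` test lines are constructed.

```python
import re

# Mode numbers come from the "Office hash mode options" table on this page.
MODERN = {"2007": 9400, "2010": 9500, "2013": 9600}
LEGACY = {"0": 9700, "1": 9700, "3": 9800, "4": 9800}  # all MD5/SHA1 + RC4
TAG = re.compile(r"\$(old)?office\$")
HEX = re.compile(r"[0-9a-fA-F]+")


def classify_office_hash(line):
    """Describe one office2john output line; raise ValueError if malformed."""
    line = line.strip()
    m = TAG.search(line)
    if not m:
        raise ValueError("no $office$ or $oldoffice$ tag found")
    # Assumption: anything before the tag ("ok.docx:") or after a later ':'
    # is john-style metadata and not part of the hash.
    fields = line[m.end():].split(":", 1)[0].split("*")
    if m.group(1):
        # $oldoffice$<type>*salt*verifier*verifier_hash
        if len(fields) < 4 or fields[0] not in LEGACY:
            raise ValueError("unrecognised $oldoffice$ layout")
        info = {"family": "oldoffice", "version": "<=2003", "type": fields[0],
                "mode": LEGACY[fields[0]], "legacy_rc4": True}
        blobs = fields[1:4]
    else:
        # $office$*version*spin*key_bits*salt_len*salt*verifier*verifier_hash
        if len(fields) != 8 or fields[0] or fields[1] not in MODERN:
            raise ValueError("unrecognised $office$ layout")
        if not all(f.isdigit() for f in fields[2:5]):
            raise ValueError("spin count, key size and salt size must be numeric")
        info = {"family": "office", "version": fields[1],
                "mode": MODERN[fields[1]], "legacy_rc4": False,
                "spin_count": int(fields[2]), "key_bits": int(fields[3])}
        blobs = fields[5:8]
        if len(blobs[0]) != 2 * int(fields[4]):
            raise ValueError("salt length does not match declared salt size")
    if not all(HEX.fullmatch(b) for b in blobs):
        raise ValueError("salt/verifier fields must be hex")
    return info


# The sample hash from the command above.
PAGE_SAMPLE = ("$office$*2013*100000*256*16*04fcfd77d02d20ce7a2203ad9fed844a"
               "*0a3c0c0ba3fbe431b4334253498aef6c"
               "*b6898f2ba067baa5a6fa20e07a1df4ba55a2c559cf60f21f0ac5c156633d5094")
```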

Example run:

C:\Users\chako\Desktop\hashcat-4.0.0>hashcat64.exe -a 3 -m 0 md5.txt -o result.txt ?1?1?1?1?1 -1 ?d
hashcat (v4.0.0) starting...

OpenCL Platform #1: Intel(R) Corporation
========================================
* Device #1: Intel(R) HD Graphics 530, skipped.
* Device #2: Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz, skipped.

OpenCL Platform #2: NVIDIA Corporation
======================================
* Device #3: GeForce GTX 960M, 512/2048 MB allocatable, 5MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable optimizers:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
* Raw-Hash

Password length minimum: 0
Password length maximum: 256


Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger disabled.

Approaching final keyspace - workload adjusted.


Session..........: hashcat
Status...........: Cracked
Hash.Type........: MD5
Hash.Target......: 827ccb0eea8a706c4c34a16891f84e7b
Time.Started.....: Sat Nov 18 03:37:08 2017 (0 secs)
Time.Estimated...: Sat Nov 18 03:37:08 2017 (0 secs)
Guess.Mask.......: ?1?1?1?1?1 [5]
Guess.Charset....: -1 ?d, -2 Undefined, -3 Undefined, -4 Undefined
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#3.....: 93590.8 kH/s (0.23ms)
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 50000/100000 (50.00%)
Rejected.........: 0/50000 (0.00%)
Restore.Point....: 0/10000 (0.00%)
Candidates.#3....: 12345 -> 97646
HWMon.Dev.#3.....: Temp: 43c Util: 26% Core:1032MHz Mem:2505MHz Bus:16

Started: Sat Nov 18 03:37:03 2017
Stopped: Sat Nov 18 03:37:10 2017

C:\Users\chako\Desktop\hashcat-4.0.0>
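
The `Progress` line in the run above shows a total of 100000 candidates for `?1?1?1?1?1` with `-1 ?d`, which is why the job finished in under a second. The following added example (not from the original post and not hashcat's own code) computes that total for any mask built from the charsets listed earlier, so you can see how quickly the search space grows when sizing a password policy. The keyword names `c1`..`c4` stand in for `-1`..`-4` and are hypothetical, as is the assumption that a custom charset is treated as a set of unique characters.

```python
import string

# Built-in charsets as listed in the hashcat help output on this page.
BUILTIN = {
    "l": set(string.ascii_lowercase),
    "u": set(string.ascii_uppercase),
    "d": set(string.digits),
    "h": set("0123456789abcdef"),
    "H": set("0123456789ABCDEF"),
    "s": set(" " + string.punctuation),  # space plus 32 symbols
    "b": set(range(256)),                # raw bytes 0x00 - 0xff
}
BUILTIN["a"] = BUILTIN["l"] | BUILTIN["u"] | BUILTIN["d"] | BUILTIN["s"]


def expand(spec, custom=None):
    """Turn a mask or charset definition into a list of per-position sets."""
    custom = custom or {}
    out, i = [], 0
    while i < len(spec):
        if spec[i] != "?":
            out.append({spec[i]})        # literal character
            i += 1
            continue
        if i + 1 >= len(spec):
            raise ValueError("dangling '?' in %r" % spec)
        key = spec[i + 1]
        if key == "?":
            out.append({"?"})            # "??" is a literal question mark
        elif key in BUILTIN:
            out.append(BUILTIN[key])
        elif key in custom:
            out.append(custom[key])
        else:
            raise ValueError("undefined charset ?%s" % key)
        i += 2
    return out


def mask_keyspace(mask, **charsets):
    """Number of candidates for a mask; c1="?d" mirrors -1 ?d, and so on."""
    custom = {}
    for n in "1234":
        definition = charsets.get("c" + n)
        if definition is not None:
            # Assumption: a custom charset is the union of its definition.
            custom[n] = set().union(*expand(definition, custom))
    total = 1
    for position in expand(mask, custom):
        total *= len(position)
    return total


def worst_case_seconds(keyspace, hashes_per_second):
    """Time to exhaust the keyspace at a measured rate (H/s)."""
    return keyspace / hashes_per_second
```

The rate passed to `worst_case_seconds` must be measured for the hash mode in question; the 93590.8 kH/s figure in the run above is for MD5 only.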

Setup XVWA Web Security Lab

XVWA is designed to help you understand the following security issues.

SQL Injection – Error Based
SQL Injection – Blind
OS Command Injection
XPATH Injection
Formula Injection
PHP Object Injection
Unrestricted File Upload
Reflected Cross Site Scripting
Stored Cross Site Scripting
DOM Based Cross Site Scripting
Server Side Request Forgery / Cross Site Port Attacks (SSRF/XSPA)
File Inclusion
Session Issues
Insecure Direct Object Reference
Missing Functional Level Access Control
Cross Site Request Forgery (CSRF)
Cryptography
Unvalidated Redirect & Forwards
Server Side Template Injection

Set Up XVWA:

wget https://raw.githubusercontent.com/s4n7h0/Script-Bucket/master/Bash/xvwa-setup.sh
chmod +x xvwa-setup.sh
./xvwa-setup.sh
root@kali:~/xvwa# ./xvwa-setup.sh
__  __       __    __  _     __      _
\ \/ /\   /\/ / /\ \ \/_\   / _\ ___| |_ _   _ _ __
 \  /\ \ / /\ \/  \/ //_\\  \ \ / _ \ __| | | | '_ \
 /  \ \ V /  \  /\  /  _  \ _\ \  __/ |_| |_| | |_) |
/_/\_\ \_/    \/  \/\_/ \_/ \__/\___|\__|\__,_| .__/
                                              |_|
 >> Project Repo : https://github.com/s4n7h0/xvwa
 >> Scripted by : Sanoop Thomas aka @s4n7h0

MySQL found with 
Apache found with Version: 2.4.25-3
MySQL is down. Starting MySQL Service
Apache is down. Starting Apache Service
Enter mysql username : root
Enter mysql password : toor
Enter the full web root path : /var/www/html
Cloning latest version of XVWA from GitHub
Cloning into '/var/www/html/xvwa'...
remote: Counting objects: 977, done.
remote: Total 977 (delta 0), reused 0 (delta 0), pack-reused 977
Receiving objects: 100% (977/977), 2.16 MiB | 1.76 MiB/s, done.
Resolving deltas: 100% (226/226), done.
Setting XVWA configuration
Creating xvwa database
XVWA Setup Finished Successfully. Happy hacking and happy learning !

Then you can view XVWA in a web browser at http://127.0.0.1/xvwa

Source: https://github.com/s4n7h0/Script-Bucket/blob/master/Bash/xvwa-setup.sh


#!/bin/bash
# XVWA Automatic Setup by Sanoop Thomas a.k.a @s4n7h0
# Project Repo : https://github.com/s4n7h0/xvwa
# License : GPLv2
# License URL : http://www.gnu.org/licenses/gpl-2.0.html


cat << "EOF"
__  __       __    __  _     __      _
\ \/ /\   /\/ / /\ \ \/_\   / _\ ___| |_ _   _ _ __
 \  /\ \ / /\ \/  \/ //_\\  \ \ / _ \ __| | | | '_ \
 /  \ \ V /  \  /\  /  _  \ _\ \  __/ |_| |_| | |_) |
/_/\_\ \_/    \/  \/\_/ \_/ \__/\___|\__|\__,_| .__/
                                              |_|
 >> Project Repo : https://github.com/s4n7h0/xvwa
 >> Scripted by : Sanoop Thomas aka @s4n7h0

EOF

function clone(){
	echo "Cloning latest version of XVWA from GitHub"
        git clone https://github.com/s4n7h0/xvwa.git $webroot/xvwa
        echo "Setting XVWA configuration"
	sudo chmod -R 777 $webroot/xvwa
        sed -i '2 c $XVWA_WEBROOT = "";' $webroot/xvwa/config.php
        sed -i '5 c $user = "'$uname'";' $webroot/xvwa/config.php
        sed -i '6 c $pass = "'$pass'";' $webroot/xvwa/config.php

        #creating database
        echo "Creating xvwa database"
        mysql -u $uname -p$pass -e "CREATE DATABASE IF NOT EXISTS xvwa"
        echo "XVWA Setup Finished Successfully. Happy hacking and happy learning !"
}


#checking mysql is installed
isMYSQL=$(apt-cache show mysql-server | grep 'Version');
if [[ $isMYSQL == *"No packages found"* ]]; then
	echo -n "MySQL Package Not Found. Do you want to install (Y/N)?"
	read mysql_flag
	if [ $mysql_flag == "Y" ] || [ $mysql_flag == "y" ]; then
		echo "Installing MySQL Server. This might take a while."
		sudo apt-get install mysql-server
	else
		echo "XVWA Setup Terminated. MySQL is a must requirement for XVWA to run"
		exit 0
	fi
else
	echo "MySQL found with "$isMYSQL
fi
#checking apache is installed
isApache=$(apt-cache show apache2 | grep 'Version');
if [[ $isApache == *"No packages found"* ]]; then
        echo -n "Apache Package Not Found. Do you want to install (Y/N)?"
	read apache_flag
	if [ $apache_flag == "Y" ] || [ $apache_flag == "y" ]; then
		echo "Installing Apache. This might take a while."
		sudo apt-get install apache2
	else
		echo "XVWA Setup Terminated. Apache is a must requirement for XVWA to run"
		exit 0
	fi
else
        echo "Apache found with "$isApache
fi

#asserting mysql and apache services
MYSQL=$(pgrep mysql | wc -l);
if [ "$MYSQL" -eq 0 ]; then
        echo "MySQL is down. Starting MySQL Service";
        sudo service mysql start
fi
APACHE=$(pgrep apache | wc -l);
if [ "$APACHE" -eq 0 ]; then
        echo "Apache is down. Starting Apache Service";
        sudo service apache2 start
fi

#configuring mysql and apache for xvwa
echo -n "Enter mysql username : "
read uname
echo -n "Enter mysql password : "
read pass
echo -n "Enter the full web root path : "
read webroot

#cloning latest version of XVWA from  GitHub
if [[ -d $webroot/xvwa ]]; then
	echo -n "Folder "$webroot"/xvwa already exists. Do you want to clean and build a fresh latest copy ? (Y/N)"
	read clean_flag
	# quote the variables and keep a space before the closing ] so the test parses
	if [ "$clean_flag" == "Y" ] || [ "$clean_flag" == "y" ]; then
		echo "Cleaning up old copy"
		rm -rf "$webroot/xvwa"
		clone
	else
		echo "XVWA Setup Terminated."
	fi
else
	clone
fi