by: chakoPosted on:

crack MS office2003-2013 password with Hashcat

1. download Office2John
2. run office2john

office2John.py ok.docx

null

3. download Hashcat
4. run hashcat

we get hashed string from office2john s now we can start to crack it with hashcat


-a, --attack-mode              | Num  | Attack-mode, see references below
-m, --hash-type                | Num  | Hash-type, see references below
-i, --increment                |      | Enable mask increment mode
-1, --custom-charset1          | CS   | User-defined charset ?1                              | -1 ?l?d?u
-2, --custom-charset2          | CS   | User-defined charset ?2                              | -2 ?l?d?s
-3, --custom-charset3          | CS   | User-defined charset ?3                              |
-4, --custom-charset4          | CS   | User-defined charset ?4                              |

- [ Attack Modes ] -

  # | Mode
 ===+======
  0 | Straight
  1 | Combination
  3 | Brute-force
  6 | Hybrid Wordlist + Mask
  7 | Hybrid Mask + Wordlist

- [ Built-in Charsets ] -

  ? | Charset
 ===+=========
  l | abcdefghijklmnopqrstuvwxyz
  u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
  d | 0123456789
  h | 0123456789abcdef
  H | 0123456789ABCDEF
  s |  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
  a | ?l?u?d?s
  b | 0x00 - 0xff

- [ Basic Examples ] -

  Attack-          | Hash- |
  Mode             | Type  | Example command
 ==================+=======+==================================================================
  Wordlist         | $P$   | hashcat -a 0 -m 400 example400.hash example.dict
  Wordlist + Rules | MD5   | hashcat -a 0 -m 0 example0.hash example.dict -r rules/best64.rule
  Brute-Force      | MD5   | hashcat -a 3 -m 0 example0.hash ?a?a?a?a?a?a
  Combinator       | MD5   | hashcat -a 1 -m 0 example0.hash example.dict example.dict

ex: 

hashcat64.exe -a 3 -m 9600 "$office$*2013*100000*256*16*04fcfd77d02d20ce7a2203ad9fed844a*0a3c0c0ba3fbe431b4334253498aef6c*b6898f2ba067baa5a6fa20e07a1df4ba55a2c559cf60f21f0ac5c156633d5094" --force

hashcat64.exe -a 3 -m 0 md5.txt -o result.txt ?1?1?1?1?1 -1 ?d --force

hashcat64.exe -a 3 -m 9600 hash.txt -o result.txt ?1?1?1?1?1?1?1?1?1 -1 ?l?s

hashcat64.exe -a 3 -m 9600 hash.txt -o result.txt ?1?1?1?1?1?1?1?1?2 -1 ?l?s -2 ?l

there are maybe options and hash mode you can choose from
just run hashcat –help then you can see all the options.
you can use hashcat to crack many different has mode/file like md5, pdf,zip,office,wpa/wpa2…etc
easy and short password can easily cracked within mins or even seconds.

Office hash mode options

   9700 | MS Office <= 2003 $0/$1, MD5 + RC4               | Documents
   9710 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #1  | Documents
   9720 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #2  | Documents
   9800 | MS Office <= 2003 $3/$4, SHA1 + RC4              | Documents
   9810 | MS Office <= 2003 $3, SHA1 + RC4, collider #1    | Documents
   9820 | MS Office <= 2003 $3, SHA1 + RC4, collider #2    | Documents
   9400 | MS Office 2007                                   | Documents
   9500 | MS Office 2010                                   | Documents
   9600 | MS Office 2013                                   | Documents

example

null


C:\Users\chako\Desktop\hashcat-4.0.0>hashcat64.exe -a 3 -m 0 md5.txt -o result.txt ?1?1?1?1?1 -1 ?d
hashcat (v4.0.0) starting...

OpenCL Platform #1: Intel(R) Corporation
========================================
* Device #1: Intel(R) HD Graphics 530, skipped.
* Device #2: Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz, skipped.

OpenCL Platform #2: NVIDIA Corporation
======================================
* Device #3: GeForce GTX 960M, 512/2048 MB allocatable, 5MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable optimizers:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
* Raw-Hash

Password length minimum: 0
Password length maximum: 256


Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger disabled.

Approaching final keyspace - workload adjusted.


Session..........: hashcat
Status...........: Cracked
Hash.Type........: MD5
Hash.Target......: 827ccb0eea8a706c4c34a16891f84e7b
Time.Started.....: Sat Nov 18 03:37:08 2017 (0 secs)
Time.Estimated...: Sat Nov 18 03:37:08 2017 (0 secs)
Guess.Mask.......: ?1?1?1?1?1 [5]
Guess.Charset....: -1 ?d, -2 Undefined, -3 Undefined, -4 Undefined
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#3.....: 93590.8 kH/s (0.23ms)
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 50000/100000 (50.00%)
Rejected.........: 0/50000 (0.00%)
Restore.Point....: 0/10000 (0.00%)
Candidates.#3....: 12345 -> 97646
HWMon.Dev.#3.....: Temp: 43c Util: 26% Core:1032MHz Mem:2505MHz Bus:16

Started: Sat Nov 18 03:37:03 2017
Stopped: Sat Nov 18 03:37:10 2017

C:\Users\chako\Desktop\hashcat-4.0.0>