Saturday, January 2, 2021

Cracking my old Excel file encryption

I got this very old file and can't remember what my password was! DARN!

So, here I am trying with what is out there (which seems pretty powerful). At the time I start writing this I am (hopefully) halfway. I have not been able to crack it yet, but I will write here some of the key links/explanations I have found so far:

  • Very simple intro from The Guardian on encryption jargon.
  • FYI, I am working in Kali Linux.
  • Used: python office2john.py file_you_want_to_crack > hash.txt. This will extract the hash of the file.
  • Now you could use something that uses a dictionary to try to crack it, like john --wordlist=/usr/share/wordlists/nmap.lst hash.txt
  • But that may not be powerful enough (it wasn't for me) because I wasn't dumb enough to just use words for my password... So, we are now trying a brute force attack (try every combination, basically) with hashcat (which is smarter than that). I am having problems using it, though, but here is some interesting stuff as I learn along the way...
  • Really nice example/explanation step by step of the whole encryption process and cracking approach. The Atom post he is referring to (that guy is a beast) is here.
  • Ok, so after searching, I figured that 1/ I also had to remove the back file name in the hash and all the "::::" (I still had that) and 2/ I can't run hashcat in the Kali VM (it basically needs intensive access to the HW, which the VM is simply emulating).
  • So, now I got the hashcat version for Windows 10, but it is still not running. The issues seem related to the Intel OpenCL driver. You can run hashcat -I and it will give you the devices where it can run the cracking:
hashcat (v6.1.1) starting...

* Device #1: Unstable OpenCL driver detected!

OpenCL Info:
============

OpenCL Platform ID #1
  Vendor..: Intel(R) Corporation
  Name....: Intel(R) OpenCL HD Graphics
  Version.: OpenCL 2.1

  Backend Device ID #1
    Type...........: GPU
    Vendor.ID......: 8
    Vendor.........: Intel(R) Corporation
    Name...........: Intel(R) Iris(R) Plus Graphics
    Version........: OpenCL 2.1 NEO
    Processor(s)...: 64
    Clock..........: 1100
    Memory.Total...: 6450 MB (limited to 3225 MB allocatable in one block)
    Memory.Free....: 6386 MB
    OpenCL.Version.: OpenCL C 2.0
    Driver.Version.: 27.20.100.8280

OpenCL Platform ID #2
  Vendor..: Intel(R) Corporation
  Name....: Intel(R) OpenCL
  Version.: OpenCL 2.1 WINDOWS

  Backend Device ID #2
    Type...........: CPU
    Vendor.ID......: 8
    Vendor.........: Intel(R) Corporation
    Name...........: Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz
    Version........: OpenCL 2.1 (Build 0)
    Processor(s)...: 8
    Clock..........: 1300
    Memory.Total...: 16126 MB (limited to 4031 MB allocatable in one block)
    Memory.Free....: 16062 MB
    OpenCL.Version.: OpenCL C 2.0
    Driver.Version.: 2020.11.11.0.13_160000

It identifies both the GPU (device 1) and the CPU (device 2). It doesn't seem to say "unstable driver" for device #2. So I gave it a shot to use that: hashcat -a0 -m9700 -D1 hashtest.txt
Using -D1 tells it to use only the CPU, not the GPU, and it started working!
hashcat (v6.1.1) starting...

./OpenCL/m09700_a0-optimized.cl: Pure kernel not found, falling back to optimized kernel
* Device #1: Unstable OpenCL driver detected!

This OpenCL driver has been marked as likely to fail kernel compilation or to produce false negatives.
You can use --force to override this, but do not report related errors.

OpenCL API (OpenCL 2.1 ) - Platform #1 [Intel(R) Corporation]
=============================================================
* Device #1: Intel(R) Iris(R) Plus Graphics, skipped

OpenCL API (OpenCL 2.1 WINDOWS) - Platform #2 [Intel(R) Corporation]
====================================================================
* Device #2: Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz, 16062/16126 MB (4031 MB allocatable), 8MCU

./OpenCL/m09700_a0-optimized.cl: Pure kernel not found, falling back to optimized kernel
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 15

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Optimized-Kernel
* Zero-Byte
* Precompute-Init
* Not-Iterated
* Single-Hash
* Single-Salt

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 204 MB

Starting attack in stdin mode...

Session..........: hashcat
Status...........: Running
Hash.Name........: MS Office <= 2003 $0/$1, MD5 + RC4
Hash.Target......: $oldoffice$0*47dddd306ed3c1e272c9e3cd6013906e*5cf05...d7066a
Time.Started.....: Sat Jan 02 10:10:26 2021 (10 secs)
Time.Estimated...: Sat Jan 02 10:10:36 2021 (0 secs)
Guess.Base.......: Pipe
Speed.#2.........:        0 H/s (0.00ms) @ Accel:64 Loops:1 Thr:64 Vec:16
Recovered........: 0/1 (0.00%) Digests
Progress.........: 0
Rejected.........: 0
Restore.Point....: 0
Restore.Sub.#2...: Salt:0 Amplifier:0-0 Iteration:0-1
Candidates.#2....: [Copying]

It keeps going but gives this message:
ATTENTION! Read timeout in stdin mode. The password candidates input is too slow:
* Are you sure that you are using the correct attack mode (--attack-mode or -a)?
* Are you sure that you want to use input from standard input (stdin)?
* If so, are you sure that the input from stdin (the pipe) is working correctly and is fast enough?

I think the issue is that we are trying a dictionary attack (a0) but I am not sure what list it was using. So, I changed to a mask attack (a3), but I had changed to m9710, which was limiting the length to exactly 5 characters (not sure why), and obviously my experimental 1234 password was not getting cracked. Finally I tried: hashcat -a3 -m9700 -D1 -o outfile.txt hashtest.txt ?d?d?d?d
and that cracked it!!

Other notes... I am using now (to crack the real file) the command:
hashcat -a3 -m9800 -D1 -o outfile.txt hashprostatitis.txt --increment ?l?l?l?l?l?l?l?l
and we get:
[...]
Host memory required for this attack: 204 MB

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Exhausted
Hash.Name........: MS Office <= 2003 $3/$4, SHA1 + RC4
Hash.Target......: $oldoffice$4*778b3815ae4fe0c33b38500455d85742*0d3bf...b08f61
Time.Started.....: Sat Jan 02 11:06:06 2021 (0 secs)
Time.Estimated...: Sat Jan 02 11:06:06 2021 (0 secs)
Guess.Mask.......: ?l [1]
Guess.Queue......: 1/8 (12.50%)
Speed.#2.........:   108.0 kH/s (0.04ms) @ Accel:4 Loops:26 Thr:64 Vec:16
Recovered........: 0/1 (0.00%) Digests
Progress.........: 26/26 (100.00%)
Rejected.........: 0/26 (0.00%)
Restore.Point....: 1/1 (100.00%)
Restore.Sub.#2...: Salt:0 Amplifier:0-26 Iteration:0-26
Candidates.#2....: s -> x

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Exhausted
Hash.Name........: MS Office <= 2003 $3/$4, SHA1 + RC4
Hash.Target......: $oldoffice$4*778b3815ae4fe0c33b38500455d85742*0d3bf...b08f61
Time.Started.....: Sat Jan 02 11:06:06 2021 (0 secs)
Time.Estimated...: Sat Jan 02 11:06:06 2021 (0 secs)
Guess.Mask.......: ?l?l [2]
Guess.Queue......: 2/8 (25.00%)
Speed.#2.........:   719.5 kH/s (0.75ms) @ Accel:4 Loops:26 Thr:64 Vec:16
Recovered........: 0/1 (0.00%) Digests
Progress.........: 676/676 (100.00%)
Rejected.........: 0/676 (0.00%)
Restore.Point....: 26/26 (100.00%)
Restore.Sub.#2...: Salt:0 Amplifier:0-26 Iteration:0-26
Candidates.#2....: sa -> xz

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Exhausted
Hash.Name........: MS Office <= 2003 $3/$4, SHA1 + RC4
Hash.Target......: $oldoffice$4*778b3815ae4fe0c33b38500455d85742*0d3bf...b08f61
Time.Started.....: Sat Jan 02 11:06:06 2021 (0 secs)
Time.Estimated...: Sat Jan 02 11:06:06 2021 (0 secs)
Guess.Mask.......: ?l?l?l [3]
Guess.Queue......: 3/8 (37.50%)
Speed.#2.........:  3935.9 kH/s (4.20ms) @ Accel:4 Loops:26 Thr:64 Vec:16
Recovered........: 0/1 (0.00%) Digests
Progress.........: 17576/17576 (100.00%)
Rejected.........: 0/17576 (0.00%)
Restore.Point....: 676/676 (100.00%)
Restore.Sub.#2...: Salt:0 Amplifier:0-26 Iteration:0-26
Candidates.#2....: sna -> xqz

Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Exhausted
Hash.Name........: MS Office <= 2003 $3/$4, SHA1 + RC4
Hash.Target......: $oldoffice$4*778b3815ae4fe0c33b38500455d85742*0d3bf...b08f61
Time.Started.....: Sat Jan 02 11:06:06 2021 (0 secs)
Time.Estimated...: Sat Jan 02 11:06:06 2021 (0 secs)
Guess.Mask.......: ?l?l?l?l [4]
Guess.Queue......: 4/8 (50.00%)
Speed.#2.........:  5325.5 kH/s (5.44ms) @ Accel:16 Loops:6 Thr:64 Vec:16
Recovered........: 0/1 (0.00%) Digests
Progress.........: 456976/456976 (100.00%)
Rejected.........: 0/456976 (0.00%)
Restore.Point....: 17576/17576 (100.00%)
Restore.Sub.#2...: Salt:0 Amplifier:24-26 Iteration:0-6
Candidates.#2....: uegy -> xqzz

I.e., one can see how the --increment flag works: it initially tests just one character, then combinations of 2, then 3... Each takes longer, obviously. It tells you how many it tried. For instance, for 4 characters it does 456976 combinations. Pressing "S" gives us the current status. Of course, this may take hours... (The 6 char long took 1 min, the 7 char long took 37 min) so I canceled.

In that sense, notice that it also shows the speed, i.e. how many trials per second: 5325.5 kH/s. All 8 cores were at 100% at this time :)

Then I tried hashcat -a3 -m9800 -D1 -o outfile.txt hashprostatitis.txt -1 abcdefghijklmnopqrstuvwxyz0123456789 ?1?1?1?1?1?1 but no luck. I think I am going to have to give up on this. Probably too hard to crack...
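Added example (not part of the original post and not hashcat code): the keyspace arithmetic behind the --increment runs and the -1 custom charset above, which shows how each extra character multiplies the work. The function names are made up for this sketch, and the time estimate assumes the 5325.5 kH/s reported for the 4-character run stays constant at longer lengths.

```python
# Added example: keyspace and exhaust-time arithmetic for hashcat-style masks.
BUILTIN = {"l": 26, "u": 26, "d": 10, "h": 16, "H": 16,
           "s": 33, "a": 95, "b": 256}  # sizes of hashcat's built-in charsets

def position_sizes(mask, custom=None):
    """Charset size for each mask position. custom maps "1".."4" to a string
    of literal characters (-1..-4); nested placeholders are not handled."""
    custom = custom or {}
    sizes, i = [], 0
    while i < len(mask):
        if mask[i] != "?":
            sizes.append(1)            # literal character in the mask
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        key = mask[i + 1]
        if key == "?":
            sizes.append(1)            # "??" is a literal question mark
        elif key in BUILTIN:
            sizes.append(BUILTIN[key])
        elif key in custom:
            sizes.append(len(set(custom[key])))
        else:
            raise ValueError(f"unknown placeholder ?{key}")
        i += 2
    return sizes

def increment_keyspaces(mask, custom=None):
    """Keyspace of each prefix length, in the order --increment queues them."""
    out, total = [], 1
    for size in position_sizes(mask, custom):
        total *= size
        out.append(total)
    return out

def seconds_to_exhaust(keyspace, hashes_per_second):
    """Worst-case time to try every candidate at a constant (assumed) speed."""
    return keyspace / hashes_per_second

if __name__ == "__main__":
    speed = 5325.5e3                   # H/s, taken from the 4-character run above
    for n, ks in enumerate(increment_keyspaces("?l" * 8), start=1):
        secs = seconds_to_exhaust(ks, speed)
        print(f"{n} chars: {ks:>15,} candidates, {secs:>10.1f} s")
    alnum = "abcdefghijklmnopqrstuvwxyz0123456789"
    print("?1 x6:", increment_keyspaces("?1" * 6, {"1": alnum})[-1])
```

The first four values match the Progress lines in the output above (26, 676, 17576, 456976), and the 6-character estimate of about 58 seconds agrees with the 1 minute measured.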
