Breaking Excel Encryption (Password Recovery) Part 1
However, I will show you how it might be possible to retrieve the password. "Might" because there is no guarantee. Office encryption is very strong, so if your document has a good password it is nearly impossible. Technically we won't recover the password used for encryption; instead we will break the hash key stored within the file. This hash key is used by Office itself to check whether the password is correct. The result is the same, so we won't mind.
I will only cover Excel files here. Cracking other Office files is similar, however I will not deal with other file types like .docx or .pptx.
And I will only focus on Office 2010 and 2013 files. Actually older file types are much easier to break.
This topic will be at least 3 posts long.
In this post I will only deal with how to get the hash key we want to crack.
We will need the following programs:
1. Hashcat;
Hashcat is a very nice program. It is able to crack Office (Excel) files and a lot of other types of hash keys as well. It is very quick and uses GPUs for cracking instead of CPUs, which are much slower for these calculations.
Make sure to use version 6.0.0 or later, because I had problems with cracking files other than xlsx (xlsb or xlsm) with previous versions.
2a. Python and office2hashcat.py
A Python file written by Philippe Lagadec to extract the hash key from the Excel file. I got this link from the hashcat website. However, this file was floating around under the name Office2john.py. No idea where "John" came from...
OR
2b. R (and R-Studio) and my script (additionally you need 7-zip for this!)
As I was interested in how office2hashcat.py extracts the hash, I wrote my own version for R. (see below)
OR
2c. Neither office2hashcat.py nor R.
You can do it all by hand using online tools! And you will need an unzipper.
Before we start just some remarks.
Nowadays Excel files are some kind of .zip archives with a bunch of xml files inside. If you rename an .xlsx file to .zip you should be able to unzip it (at least 7-zip can deal with it). If the file was encrypted (a password for opening the spreadsheet was set in Excel), the xml files are encrypted, not the overlay zip.
So it is possible to decompress the zip file (the renamed .xlsx). You can't do anything with the xml files, as they are encrypted, but the information about how the file was encrypted is readable. Unfortunately this is not the same as "the password is readable"!
Ok! Let's start!
For testing purposes I produced an encrypted Excel file. I typed some nonsense into a cell and saved the file, protected with an opening password, as .xlsx. Then I saved it as .xlsm and as .xlsb as well. The password I used was "blog", and to always remember which password I used I named the files "blog.xlsx", "blog.xlsm" and "blog.xlsb".
2a first!
You will need a current version of Python for this method.
Download office2hashcat.py, move it into your python directory and type:
python.exe office2hashcat.py blog.xlsx
That is what you get:
Even if you choose the same password "blog", your hex numbers will differ from mine, because Excel uses a salt for encryption.
There may be some deprecation warnings, as decodestring() should not be used after Python 3.1, but as long as you get some output everything is ok.
Copy the lines (or the line if you only have one file) that start with $office$*2013 into a text file (e.g. via notepad.exe or notepad+) and end each line with an Enter.
So finally you have a text file with one or more lines and are ready to crack!
If you want to try another way or can't use Python for some reason, try:
2b
You will need R and R-Studio for this. If you have zero experience using R you maybe should skip this section. Additionally you will need the libraries tidyverse (for piping) and jsonlite (for base64 to hex conversion). And you need 7-zip on your computer!
Create a new directory e.g. C:\mydir
Copy your .xlsx (or .xlsb, or .xlsm) and the file "7z.exe" from your 7-zip folder into this directory.
library(tidyverse)
library(jsonlite)
setwd("C:/mydir")
# create a copy of your original file and rename it to .zip
file.copy(from = "blog.xlsx", to = "blogxlsx.zip", overwrite = T)
# use 7-zip to unzip the file. I tried some R built-in unzippers, but none could read this
system("7z -aoa e blogxlsx.zip")
# use read.csv to read from a text file. pure laziness. there are some warnings, but it works
EncryptionInfo = read.csv("EncryptionInfo") %>%
  unlist(use.names = F) %>%
  as.character() %>%
  strsplit(">") %>%
  unlist(use.names = F) %>%
  nth(6) %>%
  strsplit(" ") %>%
  unlist(use.names = F) %>%
  as.data.frame() %>%
  select(field=1) %>%
  mutate(field= as.character(field)) %>%
  mutate(v = regexpr("=",field)) %>%
  filter(v>0) %>%
  mutate(w = str_sub(field,1,v-1),
         x = str_sub(field,v+1,nchar(field))) %>%
  select(w,x)
saltValue = EncryptionInfo %>%
  filter(w=="saltValue") %>%
  select(x) %>% unlist(use.names = F) %>%
  base64_dec() %>%
  paste(collapse="")
encryptedVerifierHashInput = EncryptionInfo %>%
  filter(w=="encryptedVerifierHashInput") %>%
  select(x) %>%
  unlist(use.names = F) %>%
  base64_dec() %>%
  paste(collapse="")
encryptedVerifierHashValue = EncryptionInfo %>%
  filter(w=="encryptedVerifierHashValue") %>%
  select(x) %>%
  unlist(use.names = F) %>%
  base64_dec() %>%
  paste(collapse="") %>%
  str_sub(1,64)
xx= EncryptionInfo %>%
  filter(w=="keyBits"|w=="blockSize"|w=="spinCount") %>%
  select(x) %>%
  unlist() %>%
  unlist(use.names = F) %>%
  paste(collapse = "*")
paste("$office$","2013",xx,saltValue,encryptedVerifierHashInput, encryptedVerifierHashValue,sep = "*")
Finally you get an output:
[1] "$office$*2013*100000*16*256*9f9184ee29637978c8e6bc981e057242*b09c317e09b72721f8379e963dcce6d7*582556ef2f4f270b8c3baec4171f15ae404dd6e3523463afc7bea26b3ac14d09"
If you want to do it manually or cannot use either Python or R, then it is time for
2c
You only need an unzipper here. I recommend 7-zip.
I. Copy the encrypted Excel file(s) into a separate directory.
II. Rename the file(s) to .zip
III. Use 7-zip to uncompress everything inside the zip file.
IV. You will notice a file named "EncryptionInfo" inside your directory.
Use a text editor (notepad+) to open the file.
This file is an xml file.
It is all in one line; however, if you separate the components by pressing Enter you get something like the following (my xlsx file as example):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<encryption xmlns="http://schemas.microsoft.com/office/2006/encryption"
xmlns:p="http://schemas.microsoft.com/office/2006/keyEncryptor/password"
xmlns:c="http://schemas.microsoft.com/office/2006/keyEncryptor/certificate">
<keyData saltSize="16"
blockSize="16"
keyBits="256"
hashSize="64"
cipherAlgorithm="AES"
cipherChaining="ChainingModeCBC"
hashAlgorithm="SHA512"
saltValue="Ja8ENjlfpBn9tLqWJeZwog=="/>
<dataIntegrity encryptedHmacKey="OQNSFdhv+ODGM3yEnGWL5vXiz4cMA67E97y2oTxrBKjr2rTHVl4xdV7lrb06TRhoEfEGtR8Rap0dBP5zulnGrw=="
encryptedHmacValue="E861EkWTMJcBRxFscpRLFGyve5A79YKuBnjyBLRoyd83GS9yfAKC6Y/C5xFDTqwbCyq1q2bcG6TpsEYC+dc0Ww=="/>
<keyEncryptors><keyEncryptor uri="http://schemas.microsoft.com/office/2006/keyEncryptor/password">
<p:encryptedKey spinCount="100000"
saltSize="16"
blockSize="16"
keyBits="256"
hashSize="64"
cipherAlgorithm="AES"
cipherChaining="ChainingModeCBC"
hashAlgorithm="SHA512"
saltValue="n5GE7iljeXjI5ryYHgVyQg=="
encryptedVerifierHashInput="sJwxfgm3JyH4N56WPczm1w=="
encryptedVerifierHashValue="WCVW7y9PJwuMO67EFx8VrkBN1uNSNGOvx76iazrBTQk8CNjmCLVtMphyY0ZKAixo9g0SdyA4AzeIKl+vAsbWJA=="
encryptedKeyValue="VMx9/Ilw07wR30qPxPcX/KjYRFDCgrkLPPkQ9O0Q3kI="/>
</keyEncryptor></keyEncryptors></encryption>
We are only interested in the bold blue part of the file, especially the keyBits, the blockSize, the spinCount, the saltValue, the encryptedVerifierHashInput and the encryptedVerifierHashValue.
For the latter three the values are stored in Base64.
We look for an online Base64 to Hex Converter and get:
saltValue="n5GE7iljeXjI5ryYHgVyQg==" equals
9f9184ee29637978c8e6bc981e057242
encryptedVerifierHashInput="sJwxfgm3JyH4N56WPczm1w==" equals
b09c317e09b72721f8379e963dcce6d7
encryptedVerifierHashValue="WCVW7y9PJwuMO67EFx8VrkBN1uNSNGOvx76iazrBTQk8CNjmCLVtMphyY0ZKAixo9g0SdyA4AzeIKl+vAsbWJA==" equals
582556ef2f4f270b8c3baec4171f15ae404dd6e3523463afc7bea26b3ac14d093c08d8e608b56d32987263464a022c68f60d127720380337882a5faf02c6d624
Surprise, surprise, these are the same values as in option a or b (for the encryptedVerifierHashValue only the first 64 hex characters are used, as in the R script).
The line you need for hashcat is constructed by:
$office$*2013*spinCount*SaltSize*keyBits*saltValue*encryptedVerifierHashInput*encryptedVerifierHashValue
or:
$office$*2013*100000*16*256*9f9184ee29637978c8e6bc981e057242*b09c317e09b72721f8379e963dcce6d7*582556ef2f4f270b8c3baec4171f15ae404dd6e3523463afc7bea26b3ac14d09
This is the end of part one. We extracted the hash key and are ready to begin cracking.
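The extraction that options 2b and 2c perform, as an added Python example (not part of the original post and not the code of office2hashcat.py). It selects the p:encryptedKey element by namespace instead of by position, skips any bytes that precede the XML in the extracted file, and assembles the line in the field order this post gives; the function names and the embedded sample (built from the EncryptionInfo shown above) are assumptions of the example.

```python
import base64
import xml.etree.ElementTree as ET

NS_PW = "{http://schemas.microsoft.com/office/2006/keyEncryptor/password}"

# Constructed sample: the EncryptionInfo from this post, reduced to the parts used here.
SAMPLE = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    b'<encryption xmlns="http://schemas.microsoft.com/office/2006/encryption" '
    b'xmlns:p="http://schemas.microsoft.com/office/2006/keyEncryptor/password">'
    b'<keyData saltSize="16" blockSize="16" keyBits="256" hashSize="64" '
    b'saltValue="Ja8ENjlfpBn9tLqWJeZwog=="/>'
    b'<keyEncryptors><keyEncryptor '
    b'uri="http://schemas.microsoft.com/office/2006/keyEncryptor/password">'
    b'<p:encryptedKey spinCount="100000" saltSize="16" blockSize="16" keyBits="256" '
    b'hashSize="64" hashAlgorithm="SHA512" saltValue="n5GE7iljeXjI5ryYHgVyQg==" '
    b'encryptedVerifierHashInput="sJwxfgm3JyH4N56WPczm1w==" '
    b'encryptedVerifierHashValue="WCVW7y9PJwuMO67EFx8VrkBN1uNSNGOvx76iazrBTQk8CNjm'
    b'CLVtMphyY0ZKAixo9g0SdyA4AzeIKl+vAsbWJA=="/>'
    b'</keyEncryptor></keyEncryptors></encryption>'
)


def b64_to_hex(value, nbytes=None):
    """Decode a Base64 attribute and return the first nbytes bytes (all if None) as hex."""
    return base64.b64decode(value)[:nbytes].hex()


def office2013_hash_line(stream):
    """Build the $office$*2013 line from the raw bytes of an EncryptionInfo file."""
    start = stream.find(b"<?xml")  # the extracted file may have bytes before the XML
    if start < 0:
        raise ValueError("no XML encryption descriptor found")
    root = ET.fromstring(stream[start:])
    # keyData has its own saltValue; the verifier fields live in p:encryptedKey.
    key = root.find(f".//{NS_PW}encryptedKey")
    if key is None:
        raise ValueError("no password key encryptor found")
    # Field order follows the template given in this post.
    return "*".join([
        "$office$", "2013",
        key.get("spinCount"), key.get("saltSize"), key.get("keyBits"),
        b64_to_hex(key.get("saltValue")),
        b64_to_hex(key.get("encryptedVerifierHashInput")),
        b64_to_hex(key.get("encryptedVerifierHashValue"), 32),  # first 32 bytes only
    ])


if __name__ == "__main__":
    print(office2013_hash_line(SAMPLE))
```

Before relying on the output, compare the field order with the example hash that hashcat publishes for Office 2013.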
