Extracting Hash from Password Protected Microsoft Office Files

Samuel Whang
Sep 23, 2020

I came across a Microsoft Office file that was password protected while working on a lab. Although I attempted to brute force the password by using tools that the infosec community has put out there for the public, the process was taking too long. After shifting focus by looking for another way to tackle this problem, I came across a way to extract the password hash!

In this example, I am using a Microsoft Word Document called demo.docx, which is password protected. I use a script called office2john.py to extract the hash from demo.docx, which I save to a file called hash.txt.

When we open up the contents of the hash.txt, we get something like this:

Hashcat is unable to process this hash in its current format, so we need to modify it a bit. To do this, all we need to do is delete the filename prefix "demo.docx:" (including the colon) in front of the hash so that the hash looks like this:

$office$*2013*100000*256*16*3d903c8976fd20fd2f819ec284450645*2f8460564d085088be3082639961e0b3*05b6aaa94a2dc99fd27c35a607942457aa3b9926547a25069acb83a7c6c2a19f
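The prefix removal described above can be scripted and checked, shown here as an added example that is not part of the original post or of office2john.py. The function name and the field names (spin_count, key_bits, salt, verifier_input, verifier_hash) are assumptions chosen to label the `*`-separated fields visible in the hash above.

```python
import re

_HEX = re.compile(r"[0-9a-fA-F]+")

# The hash string shown on this page (not a constructed value).
PAGE_HASH = ("$office$*2013*100000*256*16*3d903c8976fd20fd2f819ec284450645"
             "*2f8460564d085088be3082639961e0b3"
             "*05b6aaa94a2dc99fd27c35a607942457aa3b9926547a25069acb83a7c6c2a19f")


def parse_office_hash(line):
    """Strip the "<filename>:" prefix and split an $office$ line into fields."""
    line = line.strip()
    # Locate the marker instead of splitting on the first ":" so that
    # prefixes which themselves contain colons (Windows paths) still work.
    start = line.find("$office$")
    if start < 0:
        raise ValueError("no $office$ marker found")
    bare = line[start:]
    parts = bare.split("*")
    if len(parts) != 8:
        raise ValueError("expected 8 '*'-separated fields, got %d" % len(parts))
    # Field labels below are assumed names for this example.
    version, spin_count, key_bits, salt_size = (int(p) for p in parts[1:5])
    blobs = dict(zip(("salt", "verifier_input", "verifier_hash"), parts[5:8]))
    for name, value in blobs.items():
        if not _HEX.fullmatch(value) or len(value) % 2:
            raise ValueError("%s is not a whole number of hex bytes" % name)
    # The declared salt size is in bytes; the salt itself is hex-encoded.
    if len(blobs["salt"]) != 2 * salt_size:
        raise ValueError("salt length does not match declared salt size")
    return {"prefix": line[:start].rstrip(":"), "bare": bare,
            "version": version, "spin_count": spin_count,
            "key_bits": key_bits, "salt_size": salt_size, **blobs}


if __name__ == "__main__":
    info = parse_office_hash("demo.docx:" + PAGE_HASH)
    print(info["bare"])  # the line to save into hash.txt
    print("version", info["version"], "spin count", info["spin_count"])
```

A line that fails these checks was most likely truncated or wrapped when it was copied.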

We can now feed this into hashcat using the following options:

./hashcat64.exe -m 9600 -o cracked.txt hash.txt wordlist.txt

After hashcat finishes processing, we get the following output that indicates that our hash has been cracked.

When we open up cracked.txt, which is the output file we identified in our hashcat command, we can retrieve the password.

Conclusion

Although there are open source tools out there that allow attackers to brute force the password of Microsoft Office files, that method is generally inefficient when using large wordlists such as rockyou.txt. Extracting the hash and feeding it to a password cracker, such as hashcat or john, is a lot more productive when larger wordlists are required. Although this example uses a Microsoft Word document, this technique should be applicable to any password-protected Microsoft Office file, such as Excel and PowerPoint.
