Please note, this is a STATIC archive of website hashcat.net from 08 Oct 2020, cach3.com does not collect or store any user information, there is no "phishing" involved.

hashcat Forum

hashcat Forum > Misc > General Talk > Obtain a Hash from a Excel 2007 file
Full Version: Obtain a Hash from a Excel 2007 file
You're currently viewing a stripped down version of our content. View the full version with proper formatting.

taratota

05-19-2013, 08:02 PM
Hi there, According to the Microsoft whitepaper the following specs are defined for the Excel password security encryption:

Key derivation is performed using 50,000 iterations[source] of SHA-1 (increased to 100k in SP2).
Uses a 16-byte (128-bit) random salt.
AES is the block cipher used to encrypt the document.
By default, 128-bit key are used. There is a registry tweak to change this to 256-bit.
The AES block cipher is implemented in Microsoft's CSP / CryptoAPI.

This info give me a good point to crack a Excel password, but... I don't find any information or documentation to get the hash from an Excel file.

Anyone knows how get it?

Thanks in advance and sorry for my english Wink

Byebye!

halfie

05-19-2013, 08:51 PM
See https://github.com/magnumripper/JohnTheR...ce2john.py

taratota

05-19-2013, 11:27 PM
Works fine! Smile (So I think although I have not checked it)
This is the output for my test-Excel: excel-test.xlsx:$office$*2007*20*128*16*93da6e1d346c793d821daf7877d440ff*fdad25c4a27cb26816602397a55e0755*decc89fa6d72b495cac8ced2e66dfca26d4b44111d1def88becd82b749fca647

I don't understand yet de format of this string, but I will investigate this Smile

taratota

05-20-2013, 07:55 AM
Good morning from Spain Smile

I successfully pass the hash obtained from chain obtained from "https://github.com/magnumripper/JohnTheR...ce2john.py" to John the Ripper, was very easily invoking Jhon with this chain directly.

Can anyone help me to pass this Hash to Hashcat? I think, this Hash is splitted in 3 chains, according the documentation White Paper, because the password is too long..

Thanks in advance Smile

epixoip

05-20-2013, 09:32 AM
hashcat does not support this algorithm. and office2john.py is specific to john the ripper, hence the script's name.

taratota

05-20-2013, 09:37 AM
(05-20-2013, 09:32 AM)epixoip Wrote: [ -> ]hashcat does not support this algorithm. and office2john.py is specific to john the ripper, hence the script's name.

Hi, in the documentation figures that this algorithm is SHA1, concretly salt+SHA1. For this reason I trying/playing to do it with Hashcat.

Maybe I'm wrong... Wink

epixoip

05-20-2013, 01:58 PM
(05-20-2013, 09:37 AM)taratota Wrote: [ -> ]Maybe I'm wrong... Wink

yes, you're wrong. it's not near as simple as you think it is.

taratota

05-20-2013, 02:15 PM
(05-20-2013, 01:58 PM)epixoip Wrote: [ -> ]
(05-20-2013, 09:37 AM)taratota Wrote: [ -> ]Maybe I'm wrong... Wink

yes, you're wrong. it's not near as simple as you think it is.

Thanks! I invistigate this, bye! Smile

achaeon

10-24-2014, 03:33 PM
(05-20-2013, 09:37 AM)taratota Wrote: [ -> ]
(05-20-2013, 09:32 AM)epixoip Wrote: [ -> ]hashcat does not support this algorithm. and office2john.py is specific to john the ripper, hence the script's name.

Hi, in the documentation figures that this algorithm is SHA1, concretly salt+SHA1. For this reason I trying/playing to do it with Hashcat.

Maybe I'm wrong... Wink

You're not far off. The hashcat format should look like:
$office$*2007*20*128*16*411a51284e0d0200b131a8949aaaa5cc*117d532441c63968bee7647d9b7df7d6*df1d601ccf905b375575108f42ef838fb88e1cde

So you only need to slightly adjust the office2john output by removing the filename from the front. The hashcat mode you want is 9400 for office 2007, 9500 for 2010, 9600 for 2013.

Rolf

10-24-2014, 04:10 PM
Silence, necromancer!
hashcat Forum > Misc > General Talk > Obtain a Hash from a Excel 2007 file