Shulou(Shulou.com)06/02 Report--

The original text has already sent out the technology stack.

Word software is one of the most widely used office word processing software in the world, and it should be used by more than 90% users in China. Governments, enterprises, companies and individuals all like to use Word files to deal with work and personal affairs, but when using Word files to save the contents of files, according to different security needs, they need to be encrypted when they need to be protected, and when they need to read the contents of files, they need to be decrypted. Many individuals have the habit of keeping a diary, but after a long time, they often forget their passwords, and if they can't get them back, they can't check the contents of the document.

At present, there are many software about Word password cracking on the Internet, such as Word Password Recvery Master unlimited plate making and Advanced Office Password Recovery. The main way to crack it is to use violence to crack it, and the original encrypted password will be displayed after successful cracking. If the password setting is relatively complex, it takes a long time to crack. "Office Password Remover" is developed by a foreign company that does password recovery software alone, and the company also has many other password recovery software, the original "Office Password Remover" software download address http://www.rixler.com/download.htm. Rixler cracked word encrypted files of "Office97/2000 compatible" encryption type, which is very fast, and the slowest speed is no more than one minute. Its disadvantage is that it needs to access the network http://www.rixler.com/ when cracking, and does not show the original password after cracking (network cracking requires paying for its software). Through the author's research, it is found that many new features have been added to the new version of hashcat. Hashcat uses brute force cracking and hash collision. According to its official statement, an word encrypted file may have multiple passwords that can be used to open the file.

1.1.1word file encryption

1. Encrypt Word files

Generally speaking, Word file encryption refers to the use of Word word processing software with its own encryption function, to use this feature, in the word document editing state, select "tools"-"options"-"Security", there will be the interface shown in figure 1.

Figure 1 Open the encrypted Word file option

two。 Set encryption password

There are two main options for Word encryption, one is to open the permission, and the other is to have the permission to modify the file. When encrypting the Word file, you can set the open permission password and modify the permission password as needed. When you click "OK" to save the settings after setting, you often need to reconfirm the password, as shown in figure 2. After confirming, after closing the Word file, you need to enter the password when you open it again. If you set the change permission password, you will be prompted to enter the open permission password and modify the permission password respectively when you open it.

Figure 2 setting the encryption password

At present, there are also encryption and decryption software developed separately for Word files, so it is very difficult to decrypt this kind of Word files. A variety of encryption algorithm types are available in Word word processing software, and click Advanced in figure 3 to view and select different encryption types. Word default encryption type is Office97/2000 compatible, this encryption type is very easy to crack, and if you want to protect Word files with a higher level of security, it is recommended to use other encryption types. In addition to "Office97/2000 compatible" encryption types, other encryption types are more difficult to crack. When cracking these encryption types, use violence to crack, and its cracking is mainly related to dictionaries.

Figure 3 Select Word encryption type

1.1.2 method for retrieving the password of office documents

For encrypting Word files, I think there are three ways to retrieve them:

1. Brute force cracking. This is the most commonly used, through programming to enter the values in the dictionary in turn to confirm the attempt, once the attempt is successful, it means that the value is a cracked value, and the success of cracking often depends on the perfection of the dictionary. Dictionaries play a very important role in network security, constantly improving and updating dictionaries is a good habit, a master often has many dictionaries, dictionaries can be .dic and .txt ending files, each string in the file is a line.

two。 For the cracking of the algorithm. There are many experts in the learning forum, you can go and have a look!

3. Alternative cracking. Alternative cracking is the genius of genius, that is, "only what you can't think of, there's nothing you can't do." Often use ordinary people can not think of cracking methods to crack, such as Professor Wang Xiaoyun crack Md5 encryption algorithm.

1.1.3 password recovery using hashcat software

Hashcat is a powerful comprehensive password cracking tool, it supports up to hundreds of encryption algorithms to crack, there used to be an Advanced Office Password Breaker to recover the Office password, the following describes how to use hashcat to crack office documents.

1. A password is required to open the file

To open an encrypted word file using office software, you need to enter a password, as shown in figure 4. Only the correct password can be accessed normally.

Figure 4 Open encrypted word file

two。 Calculate the hash value of an encrypted word file

Download http://www.openwall.com/john/j/john-1.8.0-jumbo-1.tar.gz, get the office2john.py file from its archive, and execute:

Office2john.py 6.doc

The execution effect is shown in figure 5. You can direct the execution result to the hash file:

Office2john.py 6.doc > hash

Figure 5 calculating the hash value of the word file

3. Organize hash files

The content generated by the Hash file is shown in figure 6. The hash file cannot be calculated directly and some extraneous information needs to be removed.

Figure 6hash file content

Sort out the hash file, remove "6.doc:" and ":: chapter 6 * detect mythological Yuqiao Normal Deng Qihao 2 Microsoft Word 9.0 YuQiao Studio::6.doc", as shown in figure 7, get the correct hash value:

$oldoffice$1*ae8adb6a8b3aeb7c1bd3bb6bf6514ef4*5e4ffbe5034d9fa2bf05dce0a9d34bb7*db9ca3e3291f536620ad7c987ac6e514

Figure 7 sorted hash value

4. Cracking the Office encryption Offcie version corresponds to the hash type

Office 97-03 (MD5+RC4,oldoffice$0,oldoffice$1):-m 9700

Office 97-03 ($0 Compact 1, MD5 + RC4, collider # 1):-m 9710

Office 97-03 ($0 Compact 1, MD5 + RC4, collider # 2):-m 9720

Office 97-03 ($3 Compact 4, SHA1 + RC4):-m 9800

Office 97-03 ($3, SHA1 + RC4, collider # 1):-m 9810

Office 97-03 ($3, SHA1 + RC4, collider # 2):-m 9820

Office 2007:-m 9400

Office 2010:-m 9500

Office 2013:-m 9600

5. Use hashcat to crack

(1) Custom cracking meaning values in Hashcat

L = abcdefghijklmnopqrstuvwxyz stands for lowercase letters

U = ABCDEFGHIJKLMNOPQRSTUVWXYZ stands for capital letters

D = 0123456789 represents a number

? s =! "# $% &'() * +, -. /:; @ [\] ^ _ `{|} ~ represents special characters

A = l?u?d?s combination of uppercase and lowercase numbers and special characters

B = 0x00-0xff

6. Crack the example

(1) 8-digit cracking

Hashcat64-m 9700 hash-a 3? d?d?d?d?d?d?d?d-w 3-O

(2) 1-8 digit cracking

Hashcat-m 9700 hash-a 3-- increment--increment-min 1-- increment-max 8? d?d?d?d?d?d?d?d

(3) cracking of 1 to 8 lowercase letters

Hashcat-m 9700 hash-a 3-- increment--increment-min 1-- increment-max 8? l?l?l?l?l?l?l?l

(4) cracking of 8-digit lowercase letters

Hashcat-m 9700 hash-a 3? l?l?l?l?l?l?l?l-w 3-O

(5) cracking of 1-8-digit capital letters

Hashcat-m 9700 hash-a 3-- increment--increment-min 1-- increment-max 8? u?u?u?u?u?u?u?u

(6) cracking of 8-digit capital letters

Hashcat-m 9700 hash-a 3? u?u?u?u?u?u?u?u-w 3-O

(7) 5-digit lowercase + uppercase + number + special character cracking

Hashcat-m 9700 hash-a 3? b?b?b?b?b-w 3

(8) use dictionary to crack

Use password.lst dictionary for brute force cracking. The-w 3 parameter is specified power consumption.

Hashcat-m 9700-a 0-w 3 hash password.lst

The principle of easy before difficult is adopted in cracking, and the suggestions are as follows:

(1) use 1-8 digits to crack.

(2) use 1-8 lowercase letters to crack.

(3) use 1-8 uppercase letters to crack.

(4) use 1-8 bits mixed case + numbers + special characters to crack.

(5) use the collected public dictionary to crack.

As shown in figure 8, after the digital cracking of the hash file is completed, continue to crack 1-8-digit lowercase letters, in which the mask value, cracking progress, cracking start time, cracking expected time, and cracking the graphics card or CPU temperature, generally set to 90 degrees Celsius will automatically terminate to avoid burning out the computer.

Figure 8 begins to crack

7. View the cracking results

After the successful execution of the crack, the hashcat will automatically terminate the crack, and the cracking status will also be shown in Cracked,Recvoered. As shown in figure 9, after 34 minutes of cracking, an encrypted document has been successfully cracked.

Figure 9 successful cracking of word file

You can also view it by viewing the hashcat.potfile and adding the "--show" command after executing the cracking command, that is:

Hashcat64-m 9700 hash-a 3-- increment--increment-min 1-- increment-max 8? l?l?l?l?l?l?l?l-show

As shown in figure 10 and figure 11, the word file password is shirley.

Figure 10: view the potfile to see the cracking result

Figure 11 execute the command to view the cracking result

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.