Cracking Microsoft Excel 97-2004 .xls Documents

A client emailed to say they had forgotten a password for their Microsoft Excel .xls document and asked if it was possible to recover it. After searching on Google it was clear that there was plenty of shi...bloatware, which may have worked if you were willing to go through a few of them and pay a few dollars. It wasn't that important of a document according to the client but nevertheless a challenge is a challenge.

The document was encrypted when using 'save as', according to various sources online the encryption algorithm is 40bit RC4. As it is encrypted nothing could be gleaned by opening the document with a hex editor.

As always when Google turns up nothing useful I turn to Twitter. A few people recommended Elcomsoft which do Windows software to both recover and obtain the password of a Microsoft Excel document. This looked like a good bet and they offer free trials! The recover software which seems to do a brute force attack looked like it could have worked (especially now I know how weak the password was) but I was running the software on a Virtual Machine. The recovery tool unfortunately didn't reveal the password, the paid for version may have, I don't know.

Justin kennedy (@jstnkndy) on Twitter recommended John The Ripper (not sure why I didn't consider this before!) and linked to a 'office2john.py' file.

So I ran the office2john.py file against the Excel document and it spat out what looked like John's password file type format. I booted up my most powerful Linux machine (i7, 16GB RAM), installed John 1.8.0 from binary but John errored with "No password hashes loaded (see FAQ)". This looked as though the office2john.py script hadn't worked correctly...

I then noticed that John had 'community-enhanced' versions available for download, so I download and compiled John 1.7.9 Jumbo 7. Same error.

Finally I decided to try and use the code from the GitHub repository where the office2john.py file was hosted. During compiling I did get an error, something something pcap.h file or folder not found. This was remedied by installing the 'libpcap-dev' dependency (sudo apt-get install libpcap-dev) on Ubuntu.

Using the GitHub version of John, which I assume is the latest unstable community-enhanced codebase the Microsoft Excel document password (cocacola) was cracked in a matter of milliseconds. Yea, cocacola...

TLDR: Use the office2john.py file to create a JTR compatible password hash file, also use this version of JTR.