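Cracking an Excel password with hashcat

Notes on using hashcat with GPU acceleration to quickly crack an encrypted Excel file.

Environment

Windows 11

GPU environment: install the official NVIDIA driver (the one bundled with Windows does not work), CUDA, and cuDNN, then reboot.

hashcat 6.2.6 https://hashcat.net/hashcat/

Test whether the GPU can be enabled successfully: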

hashcat.exe -b

CUDA API (CUDA 12.6)
====================
* Device #1: NVIDIA GeForce RTX 4060 Laptop GPU, 7099/8187 MB, 24MCU

OpenCL API (OpenCL 3.0 CUDA 12.6.41) - Platform #1 [NVIDIA Corporation]
=======================================================================
* Device #2: NVIDIA GeForce RTX 4060 Laptop GPU, skipped

OpenCL API (OpenCL 3.0 ) - Platform #2 [Intel(R) Corporation]
=============================================================
* Device #3: Intel(R) Iris(R) Xe Graphics, 3168/6404 MB (1601 MB allocatable), 96MCU

Getting the file hash

Kali ships with office2john.py in the /usr/share/john/ directory.

It can also be downloaded separately: https://github.com/openwall/john/blob/bleeding-jumbo/run/office2john.py

python office2john.py test.xls>hash.txt

The actual hash value is only the part between the first and second colons, in a format like the following:

$oldoffice$0*32aaaaaaaa*3aaaaa*caaaaa

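Choosing the parameters

Check the Excel document's properties to determine the Office version (the test file is 97-2003), then find the matching mode in hashcat.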

hashcat.exe -h | findstr /i Office

9400 | MS Office 2007 | Document
9500 | MS Office 2010 | Document
9600 | MS Office 2013 | Document
25300 | MS Office 2016 - SheetProtection | Document
9700 | MS Office <= 2003 $0/$1, MD5 + RC4 | Document
9710 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #1 | Document
9720 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #2 | Document
9810 | MS Office <= 2003 $3, SHA1 + RC4, collider #1 | Document
9820 | MS Office <= 2003 $3, SHA1 + RC4, collider #2 | Document
9800 | MS Office <= 2003 $3/$4, SHA1 + RC4

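Based on the $oldoffice$0 prefix of the hash above, the choice narrows to 9700, 9710 and 9720. Mode 9700 guesses the password directly. Mode 9710 first guesses the 5-byte intermediate hash (which can be regarded as the RC4 key), and mode 9720 is then used to collide with the hash of the real password. (ref: https://hashcat.net/forum/thread-3665.html)

For the underlying mechanism, see the Office MD5/RC4 encryption and decryption flow.

Brute force

Because hash collisions exist, the result is not necessarily the original password, but it will pass password verification.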

9700

hashcat.exe real_hash.txt -m 9700 -1 ?l?d -a 3 ?1?1?1?1?1?1?1?1 -w 3 -o pass.txt --self-test-disable
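  • -1 ?l?d ?1?1?1?1?1?1?1?1: custom mask, eight characters drawn from digits and lowercase letters
  • The last parameter (--self-test-disable) is added because hashcat reports an error without it...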

9710+9720

hashcat.exe real_hash.txt -m 9710  -a 3 ?b?b?b?b?b -w 3 -o rc4.txt --self-test-disable
#cracked
hashcat.exe rc4.txt -m 9720 -w 3 -a 3 -1 ?l?d ?1?1?1?1?1?1?1?1 -o pass.txt
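
The following is an added example, not part of the original post: it pulls the hash field out of an office2john output line (also when the file name is a Windows path containing a drive-letter colon), maps its prefix to the modes in the `hashcat.exe -h` listing above, and counts the candidates behind the two masks used here. The sample line is constructed from the placeholder hash above, and the `$office$*YYYY*` prefix for newer files is assumed from office2john's output format rather than shown in this post.

```python
import re

# Hash-mode numbers copied from the `hashcat.exe -h` listing in this post.
MODES = {
    "oldoffice$0": [9700, 9710, 9720],
    "oldoffice$1": [9700, 9710, 9720],
    "oldoffice$3": [9800, 9810, 9820],
    "oldoffice$4": [9800],
    "office$*2007": [9400],
    "office$*2010": [9500],
    "office$*2013": [9600],
}
# Searching for the "$oldoffice$N*..." / "$office$*YYYY*..." token instead of
# splitting on ":" keeps drive-letter paths such as C:\docs\a.xls from breaking it.
HASH_RE = re.compile(r"\$(oldoffice\$\d|office\$\*\d{4})\*[^:\s]+")
# Sizes of hashcat's built-in mask charsets.
BUILTIN = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95, "b": 256}


def extract_hash(line):
    """Return (hash_field, candidate_modes) for one office2john line, or None."""
    m = HASH_RE.search(line)
    if m is None:
        return None
    return m.group(0), MODES.get(m.group(1), [])


def mask_candidates(mask, custom1=""):
    """Count the candidates a mask generates; '?1' expands to charset custom1."""
    # custom1 is assumed to combine disjoint built-in sets, e.g. '?l?d' -> 36.
    size1 = sum(BUILTIN[c] for c in re.findall(r"\?(.)", custom1))
    total = 1
    for tok in re.findall(r"\?.|.", mask):
        if tok == "?1":
            total *= size1
        elif len(tok) == 2:
            total *= BUILTIN[tok[1]]
        # a literal character contributes a factor of 1
    return total


if __name__ == "__main__":
    sample = r"C:\docs\test.xls:$oldoffice$0*32aaaaaaaa*3aaaaa*caaaaa"  # constructed
    print(extract_hash(sample))
    print(mask_candidates("?1?1?1?1?1?1?1?1", "?l?d"), "passwords tried by the 9700 mask")
    print(mask_candidates("?b?b?b?b?b"), "RC4 keys tried by the 9710 mask")
```

The 9710 count is 256^5 = 2^40 whatever the password's length or character set, which is why documents in this legacy format are weak even with a long password.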

Others

Hashes that have already been cracked, together with their passwords, are saved to hashcat.potfile.