If you store information in password-protected documents, you should know how important it is to pick a strong password. Today we'll be cracking Microsoft Word documents on this episode of Cyber Weapons Lab.
In order to check out how to crack password-protected documents, we're going to follow along with the Null Byte article written by Dr Dee. This is a really cool guide to how you can use a Python program to extract the hash, which is basically the key to unlocking a protected file. Once we have that, we can run it through a program called John, which is able to search for weak passwords using a password list that we can find online. Today I provided a locked file, which I put on my GitHub page, and you can follow along by downloading it and attempting to crack it yourself.

In order to do this you'll need a Linux system, which can either be a virtual machine or installed on your hard drive as I've done on this computer. It can be either Kali Linux or Debian; it doesn't really matter, and you can even use Ubuntu. But I do recommend having a Linux system, because this would be pretty tricky on macOS or on a Windows computer. Once you have that ready to go, you can check out the Null Byte article written by Dr Dee if you need any troubleshooting guides, but aside from that you should be ready to go.

To get started cracking password-protected documents, we're going to follow this Null Byte article written by Dr Dee. We're going to go about this in two different ways: we're going to first use a tool to extract the hash, and then we'll use two different tools to actually crack it. The first step will be to get the program that's going to extract the hash from the dummy file, and for this we can use the dummy file that's provided in the Null Byte article, so that we know we're going to get a positive result when we guess the right password. You can download it right here by clicking on the link, and I've gone ahead and downloaded it also to this folder to keep everything organized. I recommend you create a folder to keep all these things in as well.
What we're going to need is: first, the dummy file to crack; then we'll need to extract the hash and save that to a file; and next we'll need a password list. If you're using Kali Linux, we're going to use the built-in password list that is meant for nmap. However, if you don't have a password list, you can just go ahead and Google search; I recommend you look for the ones on GitHub, and you'll find a variety of different password lists that you can substitute for this particular one. It doesn't need to be very long, because the password, not to spoil it, is password123. But provided our password is on this password list, we should be able to get a positive result, thus showing that if we're able to intercept this document and have enough time and processing power, we should be able to crack virtually any password, provided we're willing to put the work into it.

So first we'll need to get this Python program that's going to extract a hash from the dummy file. Now that we have the dummy file, we can go into a terminal window. I'll start out by going to my desktop; I'm going to make a folder called "cracking for john", and I've already made this, so I'm going to cd into it. Here we're going to have a couple of different things. First we'll have office2john.py; that's the program that we just downloaded, and this is going to be responsible for getting the hash from dummy.docx. First I'm going to go ahead and remove hash.txt, just so we're not messing anything up, and now let's go ahead and run this program the way the article says to. We'll just go ahead and basically copy this: what we're doing is redirecting the output from dummy.docx being put through office2john.py into this new file called hash.txt. Let's go ahead and paste this in, and when we type ls again we can see there's hash.txt. If we type cat hash.txt we can see that we've successfully extracted the hash, which actually contains some additional information: here we can see that this was created using an Office 2007 version, and that's important because it will help the tool understand how we're supposed to crack this.

Now that we have this text file, our next step is going to be to choose which method of cracking we want to go with. I've created two bash files here in order to automate the process a little bit, but I'm going to unpack them a little so we can see exactly what they do and what our options are.
The first tool we're going to look at is John. If I cat the john .sh script, we can see what this is actually going to do: we're going to call john, and then we're going to use the built-in word list for nmap, of which this is the file path. This is the part where you would want to substitute in a word list you downloaded if this wasn't available, let's say you're using Ubuntu and this isn't installed by default. Next you just provide the hash that we want to crack, in this case hash.txt. We'll go ahead and run this and let's see if we can get a positive result. Here we go.
All right, this session was completed, and we can see the password was successfully extracted: password123.

The second attack that we can use is using hashcat instead. If I cat the hashcat .sh script, you can see that we're calling hashcat, we're setting the mode, and then after that we are essentially just using cracked_pass.txt, hash.txt, and /usr/share/wordlists/nmap.lst as the arguments that we're supplying to the hashcat script. If we go back to the main article, you can see that this is a little bit more complicated than the previous one, but essentially we're just passing a couple of variables: in this case we're ignoring any usernames in the hash file, we are setting the output to cracked_pass.txt with the -o flag, and then we're using the -a flag as the attack, which is just the default straight attack of 0. Since we have all these things already set in our bash file, we're just going to go ahead and run bash on the hashcat script, and this should start the attack; after a little bit we should see some sort of result from our cracking attempt. This process will go ahead and continue as the dictionary cache is built, and we can press s for status. There we go.
Once we finish this, we can type ls again and we should now see a new file called cracked_pass.txt. If we cat cracked_pass.txt, we can see that we have the original hash, and then at the very end, after the colon, we have the successfully cracked password. That is how you can use both of these programs to successfully crack the hash that is extracted from an MS Word or other password-protected document.

As we saw today, it is incredibly easy to brute-force a file that uses a weak password. If you're storing any data or anything important in a Microsoft Word file and you're using a password that's weak, you should assume that anybody could open it in a matter of seconds. Of course, if you selected a super strong password, this just wouldn't work, so again this goes back to the importance of always selecting a strong password any time you're using some sort of hashing system or password management system like this.
That's all we have for this episode of Cyber Weapons Lab. If you have any questions or you need help troubleshooting, you can check out the Null Byte article linked in the description, and if you have any ideas for future episodes, send me a message on Twitter, because we'd love to hear from you. We'll see you next time.
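What John and hashcat actually do with the $office$*2007 line that office2john.py produced, as an added worked example written for this page (it is not code from the video, nor from office2john.py, John or hashcat): it parses the line layout office2john.py emits for Office 2007 "standard encryption" (version, verifier hash size, key size, salt size, then the hex salt, encrypted verifier and encrypted verifier hash), derives the AES-128 key from a candidate password with the 50,000-round SHA-1 loop from MS-OFFCRYPTO, decrypts the two verifier fields and checks SHA1(verifier) against the decrypted verifier hash, and runs that check over a wordlist the way a straight dictionary attack does. The salt, verifier and wordlist are constructed inputs so it runs offline; the dummy.docx from the video is not used, and only the 2007 format is handled (2010 and 2013 files use different, slower key derivations and are rejected by the parser).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
	"unicode/utf16"
)

// Fields office2john.py emits as [file:]$office$*2007*20*128*16*<salt>*<encVerifier>*<encVerifierHash>
type office2007Hash struct{ salt, encVerifier, encVerifierHash []byte }

// parseOffice2007 accepts the bare hash or the "file:$office$..." line and
// rejects other versions (2010/2013 use different, slower KDFs).
func parseOffice2007(line string) (*office2007Hash, error) {
	if i := strings.Index(line, "$office$"); i > 0 {
		line = line[i:] // drop the "filename:" prefix
	}
	f := strings.Split(strings.TrimSpace(line), "*")
	if len(f) != 8 || f[0] != "$office$" || f[1] != "2007" || f[3] != "128" {
		return nil, fmt.Errorf("not an $office$*2007*20*128*16* hash: %q", line)
	}
	salt, e1 := hex.DecodeString(f[5])
	ev, e2 := hex.DecodeString(f[6])
	evh, e3 := hex.DecodeString(f[7])
	if e1 != nil || e2 != nil || e3 != nil || len(ev) != 16 || len(evh) != 32 {
		return nil, fmt.Errorf("malformed verifier fields in %q", line)
	}
	return &office2007Hash{salt, ev, evh}, nil
}

// deriveKey is the MS-OFFCRYPTO standard-encryption KDF: SHA1(salt||UTF-16LE pw), 50,000 rounds
// of SHA1(LE32(i)||H), one round with block 0, then SHA1 of a 0x36-filled 64-byte buffer XORed with it.
func deriveKey(password string, salt []byte) []byte {
	var b bytes.Buffer
	b.Write(salt)
	binary.Write(&b, binary.LittleEndian, utf16.Encode([]rune(password)))
	h := sha1.Sum(b.Bytes())
	buf := make([]byte, 4+sha1.Size)
	for i := uint32(0); i < 50000; i++ {
		binary.LittleEndian.PutUint32(buf, i)
		copy(buf[4:], h[:])
		h = sha1.Sum(buf)
	}
	copy(buf, h[:])
	binary.LittleEndian.PutUint32(buf[sha1.Size:], 0) // block number 0
	h = sha1.Sum(buf)
	x1 := bytes.Repeat([]byte{0x36}, 64)
	for i, v := range h {
		x1[i] ^= v
	}
	k := sha1.Sum(x1)
	return k[:16] // AES-128 takes the first 16 bytes of X1
}

// checkPassword decrypts both verifier fields (AES-128-ECB, as the spec uses) and tests SHA1(verifier) == verifierHash.
func checkPassword(h *office2007Hash, password string) bool {
	c, _ := aes.NewCipher(deriveKey(password, h.salt)) // key is always 16 bytes
	verifier, vh := make([]byte, 16), make([]byte, 32)
	c.Decrypt(verifier, h.encVerifier)
	c.Decrypt(vh[:16], h.encVerifierHash[:16])
	c.Decrypt(vh[16:], h.encVerifierHash[16:])
	want := sha1.Sum(verifier)
	return bytes.Equal(want[:], vh[:sha1.Size])
}

// crackWordlist is the straight dictionary attack (john --wordlist, hashcat -a 0).
func crackWordlist(h *office2007Hash, wordlist []string) (string, bool) {
	for _, w := range wordlist {
		if checkPassword(h, w) {
			return w, true
		}
	}
	return "", false
}

// makeHash builds an office2john-style line for a known password so the demo runs without a .docx.
func makeHash(file, password string, salt, verifier []byte) string {
	c, _ := aes.NewCipher(deriveKey(password, salt))
	ev, evh, plain := make([]byte, 16), make([]byte, 32), make([]byte, 32)
	c.Encrypt(ev, verifier)
	vhash := sha1.Sum(verifier)
	copy(plain, vhash[:]) // 20-byte SHA-1 zero-padded to two AES blocks
	c.Encrypt(evh[:16], plain[:16])
	c.Encrypt(evh[16:], plain[16:])
	return fmt.Sprintf("%s:$office$*2007*20*128*16*%x*%x*%x", file, salt, ev, evh)
}

func main() {
	// Constructed salt, verifier and wordlist; a real file's salt/verifier come from EncryptionInfo.
	line := makeHash("dummy.docx", "password123", []byte("0123456789abcdef"), []byte("fedcba9876543210"))
	h, err := parseOffice2007(line)
	if err != nil {
		panic(err)
	}
	fmt.Println(crackWordlist(h, []string{"123456", "qwerty", "letmein", "password", "password123"}))
}
```

Run it with go run and it prints "password123 true". The point of the 50,000 SHA-1 rounds is to make each guess cost a fixed amount; that cost is the same for every candidate, so the only thing standing between an attacker and the file is how many guesses are needed before the right one comes up. A password that is in a public wordlist is found after a few thousand key derivations no matter how slow each one is, which is exactly why the video's nmap.lst run finishes in seconds.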