DocX Word Document

Chris. · 25 Nov 2017 at 13:52

**Mods, feel free to remove this if you feel it breaks any forum rules**

Basically, I have been writing a book recently. But over the last few months I have been so busy that I have put it to one side.

My partner keeps trying to read it, so I password protected it a few months back.

I come to continue today and I've forgotten the bloody password.

Is there any way I can recover this without paying some shady site, or am I likely to be spending the rest of my days guessing? I have been using Word 2010 and its a docx. The password is set to open.

Feel so stupid right now but I don't particularly want to lose my work.

Chris.

ivrytwr3 · 25 Nov 2017 at 14:12

i've got some password cracking tools - not guaranteeing anything, but if you want me to have a look i'm up for it!!

wesimmo · 25 Nov 2017 at 15:30

I can't imagine it's that hard.

I can break internal excel worksheet passwords using a quick force of weight VBA attack and you can remove the passwords from VBA modules very easily using a hex editor (iirc).

If Word has a similar level of security you should be ok.

Pho · 25 Nov 2017 at 15:38

wesimmo said:
I can't imagine it's that hard.

I can break internal excel worksheet passwords using a quick force of weight VBA attack and you can remove the passwords from VBA modules very easily using a hex editor (iirc).

If Word has a similar level of security you should be ok.

That works for the old versions of Excel I believe (xls format). Newer versions of office using the .***x format use AES 128 which you'll likely need to bruteforce using a proper tool that uses your GPU to speed things up.

If ivry isn't able to sort it out I've a copy of Passware which should be able to do it

.

wesimmo · 25 Nov 2017 at 15:42

Pho said:
That works for the old versions of Excel I believe (xls format). Newer versions of office using the .***x format use AES 128 which you'll likely need to bruteforce using a proper tool that uses your GPU to speed things up.

If ivry isn't able to sort it out I've a copy of Passware which should be able to do it .

I've used the VBA force of weight on .xlsx sheets, but can't for sure tell you the what the latest version I have used the hex editor on is.

Vince · 25 Nov 2017 at 15:53

hex editors should only work on documents in the old format (.doc) The correct method for a docx would be to rename it to .zip then extract it. You will have a load of xml files doc(x) are built around xml.

Open up settings.xml and in there you should see the following block:

<w:documentProtection
w:edit=""
w:enforcement="1"
w:cryptProviderType=""
w:cryptAlgorithmClass=""
w:cryptAlgorithmType=""
w:cryptAlgorithmSid=""
w:cryptSpinCount=""
w:hash=""
w:salt=""/>

Change the enforcement value to 0 or remove this block entirely. Add settings.xml back to the zip and rename it back to docx.

That should get you in provided you did not lock read protection. I can't remember the method for that but there is a simple way.

Chris. · 26 Nov 2017 at 12:50

Vince said:
hex editors should only work on documents in the old format (.doc) The correct method for a docx would be to rename it to .zip then extract it. You will have a load of xml files doc(x) are built around xml.

Open up settings.xml and in there you should see the following block:

<w:documentProtection
w:edit=""
w:enforcement="1"
w:cryptProviderType=""
w:cryptAlgorithmClass=""
w:cryptAlgorithmType=""
w:cryptAlgorithmSid=""
w:cryptSpinCount=""
w:hash=""
w:salt=""/>

Change the enforcement value to 0 or remove this block entirely. Add settings.xml back to the zip and rename it back to docx.

That should get you in provided you did not lock read protection. I can't remember the method for that but there is a simple way.

I Tried that but I'm not getting the expected info I'm just getting:

[6]dataspaces
EncryptedPackage
Encryption Info

There are a few directories through the main folder also, but nothing I can open or view (they are just named file with no ext.

Chris. · 26 Nov 2017 at 12:54

FYI the other files are go through the top one above, go through dataspace info and there is a file strong encryption data space

EDIT Daft O didn't try opening them in notepad, I have but cant find the above in any of the files

ivrytwr3 · 26 Nov 2017 at 19:05

still happy to to try and crack the p/word for you.......................

Trust me the file and any info you have on the p/word and i'll see what i can do (unless you want to keep it private, then i understand).

Chris. · 26 Nov 2017 at 21:11

Ill let you know.

Sorry but the content is a bit personal, not sure I'm quite ready to let it be read yet lol

Pho · 26 Nov 2017 at 22:47

OK, I've done a bit of research for you. Here's how you can do it yourself for free. It might look daunting, but it's pretty simple just persist with my instructions

.

This assumes you used an alphanumeric password (a-z A-Z, 0-9). If you used a very long complex password, you'll probably have a bad time cracking it.

If you used dictionary words (apple, orange, potato etc) you could use a dictionary rather than brute-forcing using random numbers/letters, but for now at least..

Get your Word document's hash file

Either upload your document to this site (they don't store your document).

Or (method #1 is far quicker!):

Download Python from here. Install it, it'll likely get installed to c:\python36.

Save a copy of office2hashcat.py inside your Python install folder, and copy your docx there too (just because it's easier)

Open a command prompt, run:
cd c:\python36 (or wherever you installed it)
python office2hashcat.py YOURFILENAME.docx

You'll get something like this, which is the same as the URL above would give you:
$office$*2013*100000*256*16*3c7236c277d1c92210efac1f3ce29abc*0decdbfe71cd114713aeae0beb1ed46a*40ef3ccac47c6c377a34465d361656d04e2192ea49c7bb8a6355a0318126799e
With your hash check what the office version is. In mine above you can see it's Office 2013. Cross reference this table to find the number you need. For office 2013, it's 9600:
9400 | MS Office 2007
9500 | MS Office 2010
9600 | MS Office 2013
Download Hashcat and extract somewhere, e.g. c:\temp\hashcat
Copy your Word document into the Hashcat folder (because it's easier), and run this command:
hashcat64.exe -a 3 -w 3 -m THE_NUMBER_FROM_ABOVE -o found.txt -i YOUR_HASH_YOU_FOUND --increment-min=4 --increment-max=4

e.g., from my example:

hashcat64.exe -a 3 -w 3 -m 9600 -o found.txt -i $office$*2013*100000*256*16*3c7236c277d1c92210efac1f3ce29abc*0decdbfe71cd114713aeae0beb1ed46a*40ef3ccac47c6c377a34465d361656d04e2192ea49c7bb8a6355a0318126799e --increment-min=4 --increment-max=4

This tries passwords between increment-min and increment-max length - tweak this to what you think your password may have been, e.g. min 4 to max 6. In this example it's min 4 max 4.
You should hopefully see it doing something, and your GPU starting to burn . Keep pressing S to see the current status, how many passwords it's checking per minute etc.

When it's finished, assuming it's worked, you can open up found.txt and see the password at the end after the hash:
$office$*2013*100000*256*16*3c7236c277d1c92210efac1f3ce29abc*0decdbfe71cd114713aeae0beb1ed46a*40ef3ccac47c6c377a34465d361656d04e2192ea49c7bb8a6355a0318126799e:0cuk

Here's my sample file from above. It's worth testing it with this first to make sure it works.

You can find more about the mask attack options here and more about the general command options here - I've not picked very optimised parameters, or limited which uses during characters it bruce force etc.

Terrier_Jimlad · 27 Nov 2017 at 20:44

Cracked passwords for many of our staff in the past, feel free to send over in trust if you want me to have a go!