I have an assignment to crack an Office password for a document. I have tried using john and hashcat with several large wordlists, and had no luck, so I decided to go all-in and just leave a Kali instance running john in incremental (brute force) mode for “as long as it takes.” It’s been two days so far.
I have it running within ‘screen’ so that I can occasionally login to the system remotely to check progress without risk of losing it. I was excited at one point yesterday seeing that it was in the middle of checking seven-character passwords, but then I checked back later and it was checking six-character passwords. This morning, five. I wanted to understand — I assumed (without doing a deep dive on the mechanics) that it would just go literally incrementally. aaaaa, aaaab, aaaac, etc. That was an incorrect assumption.
John’s incremental mode actually operates on “trigraph frequencies.” While I understand the concept of trigraph frequencies (certain sets of three characters occur more frequently than others, and this can help with decryption efforts, I have my doubts as to whether this helps in cracking passwords. Passwords aren’t always natural speech, after all.
Anyhow, it’s been running for two days now, and I’ll post about it again when it’s done just to give an idea of whether it’s successful, and if so, how long it took vs the complexity of the password.
If anyone else wants to try using similar or other methods, let me know, and I’ll send you the hash (generated by office2john). No, I can’t send you the actual document. That would be unethical.
Update: I added another VPS doing a simultaneous crack run using the rockyou.txt wordlist. I believe I did this before, but I don’t have my notes handy. Both crack attempts are configured to check every hour, and send me an SMS via a Plivo account when a correct hash has been detected.
There is literally almost no point to hashing with just a CPU in a VM.
Running hash against a wordlist using john in a VM configured with 6 CPUs results in maybe 70 hashes per second, and a predicted completion time of sometime in May of this year. Running the same hash against the same wordlist using hashcat on a Windows box with a GT 1030 GPU results in over 1200 hashes per second, and an estimated completion time of lunchtime. That’s against rockyou.txt, with 14 million passwords.
Update: Hashcat blew through rockyou.txt in under four hours. Now I have it doing a brute-force incremental, 5 to 10 chars, using the full charset (upper, lower, digits and specials), and it’s looking like that’ll take about two months. I don’t anticipate that this particular person used 10-character passwords, but I’ll let it run and see.
BTW that namespace appears to be over 7 BILLION hashes.
I interrupted the brute force incremental to run through rocktastic, which is an enhanced version of rockyou. I’m 4 days in and 54% through, obviously no success yet. This is turning out to be an interesting experiment. Rocktastic is over a billion passwords.