Didier Stevens, Author at Forensic Blogs

January 6, 2019 by Didier Stevens

Update: msoffcrypto-crack.py Version 0.0.2

In this update of msoffcrypto-crack.py, two new options were added:

-e takes a text file and extracts all words from this text file to be used in the dictionary attack. Words are strings delimited by space characters. Words between single or double quotes, and words after string “password” are put at the beginning of the list for the dictionary attack.

The idea for option -e, is that you give it the content of an email message that contains the password of the encrypted attachment(s).

-c takes the password to decrypt the document. You use this option after the password was recovered (with option -p or -e for example), and need to run the tool again to decrypt the document. You can run the password cracking each time when you need to decrypt the document, but if this takes too long, then you just run it once and from then on provide the recovered password with option -c.

Password VelvetSweatshop was added to the embedded password list.

msoffcrypto-crack_V0_0_2.zip (https)
MD5: 010B7FA68FCF9CE84427815EFDFE1C42
SHA256: 6B368E40EEE8A907D444A49963B37F456A3645991201CE06F0E46A0F2E188A74

December 31, 2018 by Didier Stevens

Overview of Content Published in December

Here is an overview of content I published in December:

Blog posts:

Quickpost: Developing for ESP32 with the Arduino IDE Update: oledump.py Version 0.0.39 Release: strings.py Update: rtfdump.py Version 0.0.9 Update: numbers-to-string.py Version 0.0.6 Update:oledump.py Version 0.0.40 Update: XORSearch Version 1.11.2 Update: numbers-to-string.py Version 0.0.7 New Tool: SimpleEncoder Update: format-bytes.py Version 0.0.7 New Tool: msoffcrypto-crack.py

YouTube videos:

De-DOSfuscation Example

Videoblog posts:

When DOSfuscation Helps… oledump: plugin_ppt CyberChef: BASE64/XOR Recipe Dissecting a CVE-2017-11882 Exploit De-DOSfuscation Example

SANS ISC Diary entries:

Word maldoc: yet another place to hide a command Reader Malware Submission: MHT File Inside a ZIP File Quickie: String Analysis is Still Useful Yet Another DOSfuscation Sample De-DOSfuscation Example Password Protected ZIP with Maldoc KringleCon 2018 Bitcoin “Blacklists” Matryoshka Phish Video: De-DOSfuscation Example Software Crashes: A New Year’s Resolution

December 30, 2018 by Didier Stevens

New Tool: msoffcrypto-crack.py

This is a new tool to recover the password of encrypted MS Office documents. I quickly put together this script to help with the analysis of encrypted, malicious documents.

This tool relies completely on Python module msoffcrypto to decrypt MS Office documents.

Since this is a Python tool based on a Python library, don’t except fast password recovery. This is more a convenience program.

It can recover passwords using a build-in password list, or you can provide your own list via option -p.

The tool can also decrypt the encrypted MS Office document if the password is recovered: used option -o to achieve this. Otherwise, the tool just displays the recovered password.

Like many of my tools, it can take its input from stdin and provide the decrypted document via stdout.

It’s developed with Python 2, and also tested on Python 3.

Read the man page for all the details: option -m.

msoffcrypto-crack_V0_0_1.zip (https)
MD5: F67060E0DE62727A1A69D0FD6F39013A
SHA256: 1466B94B56595BA0B91F0A2606F699E1D737E964F3F1A4DFDF7EAA47843DD063