Password offsets using exemplars  

mseeley
(@mseeley)
New Member

I have been trying to create password exemplars for MS Word 2003 documents. I have created a blank document (clear.doc), then I created another blank document (hidden.doc) and password protected the file from being opened. Attempting to open the file verifies that the password is effective.

After viewing both documents side-by-side in HexWorkshop and running a compare, I have been unable to identify where the password offsets are.

Is there another way to locate the password offsets? This is an assignment, so I am only looking for a method here.

Any help would be appreciated.

Posted : 24/03/2005 5:04 am
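
The side-by-side compare described in the post above, as an added example that is not part of the original thread: a Python script that reports the byte offsets where two files differ, grouped into ranges so it is easy to see whether the changes sit in one place or are spread across the file. The function names, the `gap` parameter and the sample buffers are assumptions made for illustration; the compare is byte-level only and does not parse the Word file format.

```python
import sys
from typing import List, Tuple

def diff_ranges(a: bytes, b: bytes, gap: int = 4) -> List[Tuple[int, int]]:
    """Return (start, end_exclusive) offsets where a and b differ.

    Differing bytes no more than `gap` bytes apart are merged into one range.
    If the lengths differ, the unmatched tail is reported as a final range.
    """
    ranges, start, last = [], None, None
    common = min(len(a), len(b))
    for i in range(common):
        if a[i] == b[i]:
            continue
        if start is None:
            start = i
        elif i - last > gap:
            ranges.append((start, last + 1))
            start = i
        last = i
    if start is not None:
        ranges.append((start, last + 1))
    if len(a) != len(b):
        ranges.append((common, max(len(a), len(b))))
    return ranges

def summarize(a: bytes, b: bytes, gap: int = 4) -> dict:
    """Count the ranges and the bytes they span, to show how scattered the changes are."""
    ranges = diff_ranges(a, b, gap)
    return {"ranges": ranges, "span_bytes": sum(e - s for s, e in ranges)}

# Constructed sample buffers (not real Word data): HIDDEN differs from CLEAR
# in two places and is two bytes longer.
CLEAR = bytes(range(64))
_h = bytearray(CLEAR)
_h[8:12] = b"\xAA\xBB\xCC\xDD"
_h[40], _h[42] = 0xFF, 0xFE
HIDDEN = bytes(_h) + b"\x00\x00"

if __name__ == "__main__":
    # Usage: script.py clear.doc hidden.doc  (falls back to the constructed sample)
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            a, b = f1.read(), f2.read()
    else:
        a, b = CLEAR, HIDDEN
    for s, e in diff_ranges(a, b):
        print(f"0x{s:08x}-0x{e - 1:08x}  {e - s} byte(s)")
```
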
Andy
(@andy)
Active Member

I am not too sure what you are asking?

Attempting to save a MS Word document as any other format (i.e. .txt file) results in a loss of the password protection. MS Word encryption uses the RC4 stream cipher and stores it as a 32-bit password hash.

So what are you using to create the password protected hidden.txt file?

Andy

Posted : 24/03/2005 8:07 am
mseeley
(@mseeley)
New Member

My mistake, the file extension was still a .doc

At any rate, I have learned that Word stores the password bits throughout the document, so finding the offset values is quite difficult. My instructor recommends Passware as a tool to access password protected documents.

Thanks again.

Posted : 24/03/2005 7:12 pm
Andy
(@andy)
Active Member

Passware is quite good; it has a number of different mini programs for various file types. However, I have started to use Access Data PRTK, which is pretty impressive. You can also download the dictionary files free of charge from the Access Data website. They come in handy for all kinds of password crackers: L0phtCrack, Passware, and many more (some software only uses .dic dictionary files, but it's a simple matter of just renaming the Access Data .txt extensions).

Here is a tip on how to create a massive all-encompassing password dictionary file:

Download them all from Access Data to your local machine. Use EnCase to preview your local drive. Select/blue check all the downloaded dictionaries. Then copy/unerase them out. Keep the radio button selected for all ‘checked files’. And check the radio button for ‘merge into one file’. Name your text file ‘Massive.txt’ or whatever…. And hey presto…. A huge 200MB dictionary file to complement your forensic & password cracking toolset, "if dat don’t crack it nuttin will".

It does take a while for the millions of words to finish though….. about 2-3 minutes when run in PRTK

Andy 🙂

Posted : 24/03/2005 7:26 pm
mseeley
(@mseeley)
New Member

I'll try this in the lab. Thanks for the tip!

Posted : 25/03/2005 2:00 am