How to retrieve a forgotten Word document password through Hashcat

2025-05-13 22:33:05

In daily work and study, we often use Microsoft Word to store important documents and set password protection to prevent unauthorized access. However, over time, we may forget the password and be unable to open our own documents. That's where Hashcat, a powerful password recovery tool, comes in handy.

This article explains in detail how to use Hashcat to recover a Word document password, including preparation, the basic principles of Hashcat, the specific steps, and how to improve the success rate. Even if you're a tech novice, you can follow this guide step by step to retrieve your lost password.


1. The encryption mechanism of Word documents

Microsoft Word (2010 and later) uses AES-256 encryption by default, which is more secure. The early Word 97-2003 used RC4 encryption, which was relatively easy to crack.

When a user sets a password, Word will:

  1. Hash the password (convert it to a fixed-length string).

  2. Use that hash to encrypt the document content.

Therefore, the essence of cracking a Word password is:

  • Extract the password hash of the document (similar to a "fingerprint").

  • Use Hashcat to try different password combinations until the match is successful.


2. Preparation: Obtain the Word password hash

Hashcat cannot read .docx or .doc files directly, so the password hash has to be extracted first. We can do this with the office2john.py tool (from the John the Ripper toolset).

1. Install Python and download office2john.py

  • Visit the Python official website to download and install Python (version 3.8+ recommended).

  • Download the office2john.py script (available on GitHub by searching for "John the Ripper").

2. Extract the hash value of the Word document

Open the command line (Windows: cmd; macOS/Linux: Terminal) and run:

python office2john.py 你的文件.docx > hash.txt

After the command runs, the hash.txt file will contain a hash value similar to the following:


$office$*2013*100000*256*16*...*你的哈希值

This hash is what we're going to crack.
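The fields of such a line can be checked before any cracking run. The following is an added example, not code from office2john.py or Hashcat: it parses a 2010/2013-style $office$ line, strips the "filename:" prefix that John-style output carries and Hashcat does not expect by default, and rejects truncated or placeholder hashes. The sample line and the names OfficeHash, hashcat_line and parse_office_hash are constructed for illustration.

```python
import re
from typing import NamedTuple

# Constructed sample in the layout shown above; the hex fields are dummy
# values, not taken from a real document.
SAMPLE_LINE = ("report.docx:$office$*2013*100000*256*16*"
               + "a1" * 16 + "*" + "b2" * 16 + "*" + "c3" * 32)
PREFIX = "$office$*"
HEX = re.compile(r"(?:[0-9a-fA-F]{2})+")

class OfficeHash(NamedTuple):
    version: int        # Office generation that wrote the file
    spin_count: int     # hash iterations spent on every password guess
    key_bits: int       # AES key size
    salt: bytes
    encrypted_verifier: bytes
    encrypted_verifier_hash: bytes

def hashcat_line(line: str) -> str:
    """Drop the 'filename:' prefix of John-style output, keep the hash."""
    line = line.strip()
    start = line.find(PREFIX)
    if start < 0:
        raise ValueError("no $office$ signature found")
    return line[start:]

def parse_office_hash(line: str) -> OfficeHash:
    fields = hashcat_line(line)[len(PREFIX):].split("*")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}")
    version, spin, bits, salt_len = (int(f) for f in fields[:4])
    if version not in (2010, 2013):
        # 2007 hashes use the second field differently, so they are rejected here
        raise ValueError(f"unsupported $office$ version {version}")
    blobs = fields[4:]
    for name, value in zip(("salt", "verifier", "verifier hash"), blobs):
        if not HEX.fullmatch(value):
            raise ValueError(f"{name} is not hex (truncated or placeholder?)")
    salt, verifier, verifier_hash = (bytes.fromhex(b) for b in blobs)
    if len(salt) != salt_len:
        raise ValueError("salt does not match the declared salt size")
    return OfficeHash(version, spin, bits, salt, verifier, verifier_hash)

if __name__ == "__main__":
    print(parse_office_hash(SAMPLE_LINE))
```

The spin_count field is the number of hash iterations every single guess has to pay for, which is why these hashes are tested far more slowly than plain unsalted hashes.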


3. Steps to crack a Word password with Hashcat

1. Install Hashcat

  • Download from the official website: https://hashcat.net/hashcat/

  • Hashcat supports Windows, Linux and macOS; an NVIDIA graphics card (CUDA acceleration) or AMD graphics card (OpenCL acceleration) is recommended.

2. Choose the right attack mode

Hashcat supports a variety of cracking modes. The common ones are:

  • Dictionary Attack: Attempts using a list of common passwords, such as rockyou.txt.

  • Mask Attack: Used when part of the password structure is known (e.g., "Pass123?").

  • Brute-Force: Try all possible combinations (for short passwords).

(1) Dictionary attack (it is recommended to try it first)

hashcat -m 9600 hash.txt rockyou.txt

  • -m 9600 indicates the hash mode for Word 2013+.

  • rockyou.txt is a commonly used password dictionary (available for download on the web).

(2) Mask attack (known partial passwords)

If you remember that your password starts with "Pass" followed by a number, you can try:

hashcat -m 9600 hash.txt -a 3 "Pass?d?d?d"

  • ?d represents a digit (0-9).

  • ?l stands for lowercase letters (a-z).

  • ?u stands for capital letters (A-Z).

(3) Brute-force cracking (applicable to short passwords)

hashcat -m 9600 hash.txt -a 3 ?l?l?l?l?l?l

This tries all 6-character lowercase-letter combinations and works well for simple passwords.
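How large each mask's search space is decides whether an exhaustive run is realistic, and shows why a long password drawn from several character classes stays out of reach. The following is an added example, not part of Hashcat: it counts the candidates a mask generates and converts that to a worst-case run time. ASSUMED_RATE is an assumed guess rate chosen for illustration, not a measured benchmark, and the function names are constructed here.

```python
# Sizes of hashcat's built-in mask charsets: the three used on this page
# plus ?s (symbols and space) and ?a (all printable ASCII).
CHARSET_SIZES = {"d": 10, "l": 26, "u": 26, "s": 33, "a": 95}

def mask_keyspace(mask: str) -> int:
    """Number of candidates a hashcat mask generates."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1                      # literal character: one choice
            continue
        code = mask[i + 1:i + 2]
        if code == "?":
            pass                        # '??' is a literal question mark
        elif code in CHARSET_SIZES:
            total *= CHARSET_SIZES[code]
        else:
            raise ValueError(f"unknown or incomplete placeholder at offset {i}")
        i += 2
    return total

def worst_case_seconds(mask: str, guesses_per_second: float) -> float:
    """Time to try every candidate of the mask at the given guess rate."""
    return mask_keyspace(mask) / guesses_per_second

def human(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    units = (("years", 31_536_000), ("days", 86_400),
             ("hours", 3_600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"

# ASSUMED guess rate for illustration only; measure your own hardware instead.
ASSUMED_RATE = 20_000

if __name__ == "__main__":
    for mask in ("Pass?d?d?d", "?d?d?d?d?d?d", "?l?l?l?l?l?l",
                 "?a?a?a?a?a?a?a?a"):
        seconds = worst_case_seconds(mask, ASSUMED_RATE)
        print(f"{mask:18} {mask_keyspace(mask):>20,} {human(seconds)}")
```

Replace ASSUMED_RATE with the speed that hashcat -b -m 9600 reports on your own hardware.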


4. Tips to improve the success rate of cracking

1. Use a more powerful dictionary

  • rockyou.txt (including tens of millions of common passwords).

  • Custom dictionaries: Combine personal information (e.g., birthday, name, common words).

2. Optimize dictionaries with rules

Hashcat supports "rules" to transform dictionaries, such as:

  • Case conversion (password → Password, PASSWORD).

  • Add numbers/symbols (pass → pass123, pass!).

Example:

hashcat -m 9600 hash.txt dict.txt -r rules/best64.rule

3. Use high-performance hardware acceleration

  • GPU cracking is more than 100 times faster than CPU cracking, so a high-end graphics card such as the NVIDIA RTX 4090 is recommended.

  • If your computer is not powerful enough, consider a cloud server (such as an AWS GPU instance) or a service that runs Hashcat on your behalf (to save time).


5. Successful cases

Case 1: Crack a simple password quickly

If a user forgets a 6-digit numeric-only password (e.g., "198504"), a mask attack can be used:

hashcat -m 9600 hash.txt -a 3 ?d?d?d?d?d?d

It only takes 10 seconds to successfully recover the password.

Case 2: Dictionary + rule cracking of complex passwords

The password may be "Company2024!", but the case and symbols are uncertain. Use:

hashcat -m 9600 hash.txt dict.txt -r rules/leetspeak.rule

After 2 hours, the match was "COMPANY2024!".


6. Summary

  1. Extract the hash: Use office2john.py to get the hash of your Word password.

  2. Select an attack mode: dictionary attack (recommended to try first), mask attack (password partially known), brute-force attack (short password).

  3. Optimization strategy: Use stronger dictionaries, rules, and GPU acceleration.

  4. Consider a cracking service: If your hardware is insufficient, a professional team can run the job on your behalf to save time.

If you have forgotten a Word password, you can follow this tutorial to try to recover it. If the technical barrier is too high for you, you can also choose a professional Hashcat running service to retrieve your password efficiently and safely!
