Posted 14 Jun 2018
Licenced CPOL

Brute force password search by Interop/Automation

How to use Microsoft Interop/Automation to implement a parallel search for a Microsoft Office file password.

Introduction

Is it possible to recover a forgotten password for a Microsoft Office file using automation? The answer is yes: by brute force via Automation/Interop, multithreading and a lot of quantifiable CPU time.
The main goal of this software is to verify the capability of Interop to open a password-protected file, and also to check when a password is strong enough to resist attacks. But this software can also be used in the real world, to find a forgotten password for files you own. In fact, it was written to open a file whose owner had forgotten the exact password.

Where to get it?

The form with the algorithm can be downloaded here (^) and inserted into a new Visual Studio project.

Why use Interop / Automation?

Microsoft Interop allows developers to manage MS Office files, and it makes it easy to create a program that uses brute force to find a forgotten password:

  • it works very well on Microsoft Office documents;
  • it is easy to implement;
  • it avoids having to study the cryptographic algorithm (and its possibly non-standard implementation) or to spend time studying and understanding the file structure of each kind (Excel .xls and .xlsx, Word .doc and .docx and so on).

On the other hand:

  • it does not perform well, in terms of time, when opening password-protected files.

Software requirements

The software was developed with Visual Studio 2017. Microsoft Office (or Excel or Word, according to the kind of file to work on) must be installed on the target computer.

Error CS0234

If you get the error CS0234, it means you need to reference the Office library. Open the menu Project, Add reference..., select the "COM" tab and scroll the list to "Microsoft Word 16.0 Object Library" or whichever version you have.

Time needed to accomplish the job

A brute force attack needs a predictable amount of time to accomplish the job. It can be computed as the number of admissible chars raised to the power of the maximum password length to be tested.
For example, if we work on a password composed only of uppercase letters, with a length in the range between 1 and 6, then we have 26 chars to test, repeating them from 'A' to 'ZZZZZZ'.

The total combinations (the more correct mathematical term: dispositions) to be tested are:

  • 1 char ('A' to 'Z') : 26 ^ 1 = 26;
  • 2 chars ('AA' to 'ZZ'): 26 ^ 2 = 676;
  • 3 chars ('AAA' to 'ZZZ'): 26 ^ 3 = 17.576;
  • 4 chars ('AAAA' to 'ZZZZ'): 26 ^ 4 = 456.976;
  • 5 chars ('AAAAA' to 'ZZZZZ'): 26 ^ 5 = 11.881.376;
  • 6 chars ('AAAAAA' to 'ZZZZZZ'): 26 ^ 6 = 308.915.776; 

The sum is 321.272.406 possible passwords.

Now the last step in computing the time is adding the time factor.

The old hardware used for testing achieved ca. 1.500 tests/minute. Then:

  •  321.272.406 combinations / 1.500 test/minute = 214.182 minutes
  • 214.182 minutes / 60 min/h = 3.570 hours
  • 3.570 hours / 24 h/day = 148 days (or 5 months).

The figure of 148 days is the worst case, represented by 'ZZZZZZ'. The best case is a password consisting of just 'A', which is tested and found immediately.

It is possible to skip passwords that are too short, starting, for example, from passwords of 4 chars in length (i.e. 'AAAA').
Of course, if we know the password length, the time we can save improves greatly.

Reducing the combinations by skipping absolutely unlikely passwords such as 'RKWLPG' or 'TMQNTZ' (just because they are meaningless and therefore hard to remember, or located in a nonsensical order on the keyboard, as opposed to 'QWERTY') is not possible by algorithm, and it carries a concrete risk of jumping over the right one.

Standard set of chars to be tested

To complete the picture, it is useful to remember that the real combinations have to be based on a set of chars that includes all the possibilities. At least:

  • lowercase: 'a' to 'z': 26
  • uppercase: 'A' to 'Z': 26
  • numbers: '0' to '9': 10
  • special chars: parentheses (six), space, currency symbols (three or more), punctuation (six or more) and others: more than 20.

This sums to 26+26+10+10, over 70 chars. Then, if the password has a size of 5 chars, we obtain 70^1 + 70^2 + 70^3 + 70^4 + 70^5 = 1.680.700.000 possible passwords to test (against 308.915.776 if a single alphabet set is used, as seen before).

I have to underline that this software is useful when it is used on your own files, because you can reduce the complexity of all the possibilities. In fact you know:

  • which char set is or is not applicable (for example, if you never used some special chars or the uppercase set, you can exclude them from testing);
  • the minimum length of the password (for example, if you use passwords of 8 or more chars, you can start the processing from that length, saving a lot of time).
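
The estimate worked through in the two sections above, as an added example (it is not part of the article's download): it sums the candidates for a character-set size and length range and converts them to days at a given test rate, so a password policy can be checked against this kind of search. It generalizes the article's single case to any range; the class and method names are hypothetical, the 1.500 tests/minute rate is the article's measurement, and the 72-symbol policy is a constructed sample.

```csharp
using System;
using System.Numerics;

// Added example: how long a password policy resists exhaustive search.
static class KeyspaceEstimate
{
    // Sum of alphabetSize^n for n = minLen..maxLen: every candidate the search can emit.
    public static BigInteger Keyspace(int alphabetSize, int minLen, int maxLen)
    {
        if (alphabetSize < 1 || minLen < 1 || maxLen < minLen)
            throw new ArgumentOutOfRangeException();
        BigInteger total = BigInteger.Zero;
        for (int n = minLen; n <= maxLen; n++)
            total += BigInteger.Pow(alphabetSize, n);
        return total;
    }

    // Worst-case days needed to test the whole keyspace at testsPerMinute.
    public static double WorstCaseDays(BigInteger keyspace, double testsPerMinute)
    {
        return (double)keyspace / testsPerMinute / 60.0 / 24.0;
    }

    static void Report(string label, int alphabet, int minLen, int maxLen, double rate)
    {
        BigInteger ks = Keyspace(alphabet, minLen, maxLen);
        double days = WorstCaseDays(ks, rate);
        // For a uniformly random password, the expected time is about half the worst case.
        Console.WriteLine($"{label}: {ks:N0} candidates, worst case {days:N0} days, average {days / 2:N0} days");
    }

    static void Main()
    {
        const double rate = 1500; // tests/minute, the article's measured figure
        Report("A-Z, length 1-6", 26, 1, 6, rate);        // the article's worked example
        Report("A-Z, length 4-6", 26, 4, 6, rate);        // skipping the shortest passwords
        Report("A-Z, length exactly 6", 26, 6, 6, rate);  // password length known
        Report("72 symbols, length 8", 72, 8, 8, rate);   // constructed policy: 26+26+10+10
    }
}
```

The first three lines of output show how little is saved by skipping short candidates: almost all of the work is in the longest length tested.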

Dreaming of more CPU speed

The test was conducted on a very old Intel i5 760 2.80GHz with 4 cores. For those who need performance, around the end of 2018 an Intel® Core™ i9 Extreme Edition processor is planned, with 18 cores and 36 threads and a speed that can be represented by one teraflop (10^12 FLOPS): the proposed computation time will shrink incredibly. I suppose 1 month would become 1 week.
Just to smile: if you have no time to wait, there now exists a new supercomputer that can deliver 200,000 trillion calculations per second (200 petaflops, 200 × 10^15 FLOPS). I suppose the time will be shortened from a month to a single day or less.

What can be parametrized

The software presented lets you choose:

  • the kinds of characters that are tried to guess the password: uppercase, lowercase, numbers. Currently, special characters are not included as an available char set.
  • the password length range, that is, the minimum and the maximum length to check: it is very useful to avoid wasting time verifying passwords that are too short.
  • the number of cores to be used: this feature is intended to limit the load on the CPU, to keep the computer responsive for everyday use. Moreover, the jobs are executed in low-priority mode, so they don't affect regular usage.

Using the code

The software uses a single form that creates and starts multiple threads: each one loops, sequentially testing a password obtained from the function PasswordNext() while StopSearch() is false. When the password is found, a flag is set by StopSearch(true).

Testing char set

The set of admitted chars is defined in the form through some checkboxes and is returned by the function AllowedCharsToString(). Currently it can manage:

  • lowercase letters
  • uppercase letters
  • numbers

Creating non-invasive threads

Brute force is a heavy consumer of CPU resources and it turns the computer into a zombie. To allow you to continue to use it in almost normal conditions, the threads are created with the lowest priority. The CPU remains busy at 100% the whole time, but your interaction with other software or work has priority: the operating system will serve you and will suspend the brute force for as long as necessary.

Here follows the code that creates and starts all the threads: they are inserted in a List<Thread> so they can be referenced later. The instruction T.Priority is used to set the thread to the lowest priority.

TTCll = new System.Collections.Generic.List<System.Threading.Thread>();
for (int numt = 0; numt < ThreadToUse; numt++)
{
    TextBox NumTxt = (TextBox)(EsecuzioneTLP.Controls["NumThread" + numt.ToString("00") + "Txt"]);
    var T = new System.Threading.Thread(() => { Runner(NumTxt); });
    T.Priority = System.Threading.ThreadPriority.Lowest;
    T.Start();
    TTCll.Add(T);                
}

Showing the running status

When we face very long-running loops, it is very important to inform the user that everything is working and is not stuck. The software can use a selectable number of cores, so a TableLayoutPanel is used in the form; it contains Labels and TextBoxes generated at startup: each one is bound to a different thread and is used to show the password currently being tested.

int ThreadToUse = int.Parse(MaxTasksTxt.Text);
ThreadPanel_Create(ThreadToUse );             

Here is the form while it is running. At the bottom, with a grayer background, the TableLayoutPanel is visible, with four threads numbered from '00' to '03' displaying the passwords they are currently testing: '6K', '6L', '6J', '6M'.

Suggestions

If you start a test, remember to disable the sleep/standby function of your computer, otherwise the day after you could find the computer stopped.

The thread function: Runner()

The main function, used by each thread, is named Runner(). Using the parameter NumTxt, which is a TextBox, the loop can update the form with the password currently being tested. That TextBox was dynamically created in the TableLayoutPanel.

Creating Instance

The thread creates an instance of the application used to try to open the password-protected file:

var WApp = new Microsoft.Office.Interop.Word.Application(); 

The main loop

The loop that tests the various possible passwords is a while that checks, through StopSearch(), whether the thread must stop because the right password was found.

The core of the function calls Open() with a password obtained from PasswordNext().

If it is the right password

If the tested password can open the file, then the routine performs these steps:

  • StopSearch(true) is called to set a flag;
  • Achivied() is called with the password as parameter to update the user interface.

Then, the resource WDoc can be released.

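try
{
    // Open() throws when the password is wrong, so the lines below run only on success
    WDoc = WApp.Documents.Open(FileName, PasswordDocument: test, ReadOnly: true);
    StopSearch(true);   // set the flag that tells the other threads to stop

    Achivied(test);     // show the password found in the user interface

    WDoc.Close();
    System.Runtime.InteropServices.Marshal.ReleaseComObject(WDoc);
}
catch (System.Exception)
{
    // wrong password: nothing to do, WDoc is still null
}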

 

If it is not the right one

Calling WApp.Documents.Open() on a password-protected file with a wrong password raises an exception. This is the reason for wrapping that instruction in a try/catch.

Inside the catch it is not necessary to perform any operation. In fact, WDoc is null. In case you want to do something with the exception, the ex.Message string comparison must be changed according to the language used on the computer.

if (ex.Message.Contains("La password non è corretta. Word non può aprire il documento."))            

 

The thread ends

The last job of the routine is to release the Interop instance using the instruction:

ReleaseComObject(WApp);

To make it more robust, the ReleaseComObject() call is wrapped in a try/catch.

Which password next?

The function named PasswordNext() returns the password to be tested next. The first value is 'A' and is followed by each single letter up to 'Z'; after that, it goes from 'a' to 'z' and from '0' to '9' (the types of chars that compose the series come from AllowedCharsToString()).

private char[] PasswordNext()
{
    char[] GiveBack;

    // Serialize access: all the threads draw their candidates from this shared state
    lock (SyncLockerobjNewPassword)
    {
        // --- copy of the current candidate: this is the value returned to the caller
        GiveBack = new char[PasswordToVerify.Length];
        PasswordToVerify.CopyTo(GiveBack, 0);

        // --- advance PasswordToVerify to the next candidate, starting from the rightmost char
        bool riporto = false;   // carry flag ("riporto" means carry)
        for (int i = PasswordToVerify.Length - 1; i >= 0; i--)
        {
            // is this position still below the last char of the set?
            if (PasswordToVerify[i] != AllowedCC[AllowedlattertIdx])
            {
                // increment this position and stop: no carry
                PasswordToVerify[i] = AllowedCC[(ammessistr.IndexOf(PasswordToVerify[i]) + 1)];
                riporto = false;
                break;
            }
            else
            {
                // wrap to the first char of the set and carry to the position on the left
                PasswordToVerify[i] = AllowedCC[0];
                riporto = true;
            }
        }
        // --- carry out of the leftmost position: insert a new starting char on the left side
        if (riporto)
        {
            char[] tmp = new char[PasswordToVerify.Length];
            PasswordToVerify.CopyTo(tmp, 0);

            PasswordToVerify = new char[PasswordToVerify.Length + 1];
            PasswordToVerify[0] = AllowedCC[0];
            tmp.CopyTo(PasswordToVerify, 1);
        }
    }

    return GiveBack;
}

I got it!

Here is the form at the end of the processing, when the password has been found. It reports information about:

  • the last password tested by each thread (it is useless);
  • the password found (in this case, "AB0");
  • the start time;
  • the end time;
  • the elapsed time to accomplish the job.

The start button remains disabled to prevent the user from inadvertently launching another run. To run another test, the software has to be restarted.

Change file to target

To use the code against an Excel file, the line to modify is the WApp declaration, changing it to:

var WApp = new Microsoft.Office.Interop.Excel.Application();      

Secondary points of interest

For developers new to the TableLayoutPanel, the function ThreadPanel_Create() can be useful to understand how to create columns at runtime, inserting controls like Label and TextBox. Note that this control always has a column.

For those approaching threading, there is a nice example of creating threads and synchronizing them so that they stop when a condition becomes true in one of them.

Conclusions

The Microsoft password protection is strong enough if the simple rules of any password are respected: length (more than 8 chars) and the usage of a large set of chars: uppercase and lowercase, numbers and special chars. But if you are looking for your lost password, you have a good chance to recover it. If you are not in a hurry, of course!

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

paolo guccini
Software Developer (Senior) Guccini Software
Italy Italy
I started to develop software in the '80s, specialized in desktop applications in the sales and marketing area and system integration.
Since 2005 I have been a C# DotNet enthusiast.

Article Copyright 2018 by paolo guccini