Intelligent bruteforce password attack for Excel, for free
Sometimes there is a need to open an Excel file that you don't have the password for. Occasionally this will be when a colleague who has password protected an Excel document has now left the company...usually it is because the idiot who password protected the document forgot the password.
I work in the IT world, and this problem comes up on a pretty frequent basis...even more so because I am involved in the security and investigations realm. Usually when I need to get into the document I would use a brute force method. Unfortunately even with the best commercial solutions, brute force can take a ridiculous amount of time...and for the average person these solutions are not cheap. For excel files that were made in versions of Excel earlier than Excel 2007, this method will still work, but isn't entirely necessary. Excel 2003 and earlier is a lot easier to crack than later versions. From 2007 onwards, there is a level of encryption involved. Also, this method is for the password used to open the Excel document, not the password protected sheets and formulas (these are simple to bypass anyway).
If you aren't sure what brute force is, basically it is checking every possible combination of passwords possible. Starting from A to ZZZZZZZZZZZZZZZZZZZ. This is a pretty quick process if the password is 3 or 4 characters long and doesn't include special characters (!,*,% etc). Start looking at 7 character passwords and it is near impossible to get the password using this method unless you have quite a bit of cash to spend. Check this link to see how long a typical bruteforce attack would take.
For example, at the moment I have had an Excel document going for 3 days using brute force and still do not have a solution. This is what actually prompted me to come up with another way of doing it. This solution is more of a method to try before you attempt full on brute force.
You see, the fact of the matter is that people in general aren't as paranoid as your average "cracker" or techy is. They use rules for their password. When creating a password, a person is told "make sure you use a capital letter, a number and a punctuation mark". So what does the person do? They make a password that is exactly that. Instead of the password "sally" they go and make the password "Sally1!". Now this is not a bad idea, and in brute force terms, this makes things exponentially harder. But my method uses this knowledge to crack the password MUCH quicker than a standard brute force method. Another thing to remember is that generally people will not use something personal in the password when sharing a document with colleagues. So instead of having "sally1!" the user might use "june2012!" or something similar. I know that where I work there are certain passwords that are quite commonly used, well at least certain words with variations of numbers and punctuation. So modify the three CSV files as to your specific environment. Of course you could go and put the entire dictionary in there but that would take ages!
Essentially what my method does is instead of testing every combination of letters, numbers and character...it uses a combination of a dictionary attack and brute force. It picks a combination of common words, numbers and punctuation and tries them in all possible combinations. To test each combination the code is trying to open the document with the generated password, if it fails it tries the next combination. The problem with this is the way that Excel handles files opening. It creates a temp file each time that needs to be deleted before trying the same file again. This really slows things down. However I have made this multi-threaded (in a manner of speaking). You can set how many threads run at the same time. You will be left with a bunch of copies of the original Excel file after this has finished because the code creates copies of the file you want cracked. Feel free to delete these after you have finished.
I have used VB Script to code this because it is pretty much accessible to anyone with a Windows PC, and also to anyone that would need this code (there are plenty other free options out there in the Linux space).
There are 5 files necessary to this (plus the excel file you are trying to open of course). (Archive of all the files).
The files are
- runCrack.vbs - Spawns the threads
- cracker.vbs - the code that does the actual work
- 1.csv - list of common words. Add or remove as you see fit.
- 2.csv - common numbers. Add or remove as you see fit.
- 3.csv - common punctuation. Add or remove as you see fit.
Alternatively you can copy & paste the code direct from below (don't forget to create the 3 CSV files for the source of the password generation):
Save the below code into a file called runCrack.vbs:
Option Explicit '================================================================= 'Password cracker, using a type of dictionary attack 'Most passwords tend to be a combination of three 'elements - common word + number + punctuation. i.e. Password123! 'This code uses this fact to check passwords against XLSX files 'using three CSV files containing lists of these three elements. ' 'usage: "cscript runCrack.vbs pw_protected_excel_file.xls number_of_threads" ' e.g: "cscript runCrack.vbs openme.xlsx 8" ' 'I have found the optimum number of threads to be the same as the number of 'cores of the CPU, however you might have different results ' 'Full Article: 'http://www.subtafuge.com/?p=682 '================================================================= Dim theFile, nCores, objWMI, intJobID, objDateTime, i, objFSO, fileThread, currentPath Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2:Win32_Process") Set objFSO = CreateObject("Scripting.FileSystemObject") currentPath = replace(WScript.ScriptFullName, WScript.ScriptName, "") theFile = currentPath & WScript.Arguments(0) Dim numProcs numProcs = WScript.Arguments(1) if numProcs < 3 then numProcs = 2 msgbox(numprocs) if objFSO.FileExists(theFile) then For i = 1 To (numProcs + 1) objFSO.CopyFile theFile, theFile & i, True objWMI.Create "cmd /K cscript " & chr(34) & currentPath & "cracker.vbs" & chr(34) & " " & chr(34) & theFile & i & chr(34) & " " & i & " " & chr(34) & currentPath & chr(34) & " " & numProcs, Null, Null, intJobID next else msgbox("File: " & theFile & " doesn't exist") end if |
Save the below code into a file called cracker.vbs:
Option Explicit '================================================================= 'Password cracker, using a type of dictionary attack 'Most passwords tend to be a combination of three 'elements - common word + number + punctuation. i.e. Password123! 'This code uses this fact to check passwords against XLSX files 'using three CSV files containing lists of these three elements. ' 'usage: "cscript runCrack.vbs pw_protected_excel_file.xls number_of_threads" ' e.g: "cscript runCrack.vbs openme.xlsx 8" ' 'I have found the optimum number of threads to be the same as the number of 'cores of the CPU, however you might have different results ' 'Full Article: 'http://www.subtafuge.com/?p=682 '================================================================= 'On Error Resume Next Dim objStdOut Set objStdOut = WScript.StdOut Dim currentPath, xlsFile, starttime, endtime, countX, threadNo, numProcs xlsFile=wscript.arguments(0) threadNo = wscript.arguments(1) currentPath = wscript.arguments(2) numProcs = wscript.arguments(3) * 1 starttime = now() Dim objExcel Set objExcel = WScript.CreateObject("Excel.Application") objExcel.visible=False Dim pwFound, whileFinish pwFound = false whileFinish = false Dim objFSO, strInput1,strInput2,strInput3, objInput Dim arrPW1(), arrPW2(), arrPW3() Dim txtCSVLine, the_password the_password = "" Dim x1 Dim val1, val2, val3 Const ForReading = 1 ' Specify the CSV files. strInput1 is the primary list of words to check, strInput2 and strInput3 are appendages ' Only use the file name, not the full path strInput1 = currentPath & "1.csv" strInput2 = currentPath & "2.csv" strInput3 = currentPath & "3.csv" x1 = 1 ' Open the input file for read access Set objFSO = CreateObject("Scripting.FileSystemObject") wscript.echo strinput1 Set objInput = objFSO.OpenTextFile(strInput1, ForReading) ' Read file1. Do Until objInput.AtEndOfStream txtCSVLine = objInput.ReadLine ' Skip the blank lines If (Trim(txtCSVLine) <> "") Then ' Increment the Array and assign value ReDim Preserve arrPW1(x1) arrPW1(x1-1) = Trim(txtCSVLine) End If x1 = x1 + 1 Loop if x1 = 1 then wscript.echo(strInput1 & " contains no data") wscript.quit end if x1 = 1 Set objInput = objFSO.OpenTextFile(strInput2, ForReading) ' Read file2. Do Until objInput.AtEndOfStream txtCSVLine = objInput.ReadLine ' Skip the blank lines If (Trim(txtCSVLine) <> "") Then ' Increment the Array and assign value ReDim Preserve arrPW2(x1) arrPW2(x1-1) = Trim(txtCSVLine) End If x1 = x1 + 1 Loop if x1 = 1 then wscript.echo(strInput2 & " contains no data") wscript.quit end if x1 = 1 Set objInput = objFSO.OpenTextFile(strInput3, ForReading) ' Read file3. Do Until objInput.AtEndOfStream txtCSVLine = objInput.ReadLine ' Skip the blank lines If (Trim(txtCSVLine) <> "") Then ' Increment the Array and assign value ReDim Preserve arrPW3(x1) arrPW3(x1-1) = Trim(txtCSVLine) End If x1 = x1 + 1 Loop if x1 = 1 then wscript.echo(strInput3 & " contains no data") wscript.quit end if countX = 0 dim lowerVal1,upperVal1,xVal1 lowerVal1 = round((threadNo * (ubound(arrPW1)/numProcs)) - (ubound(arrPW1)/numProcs)) upperVal1 = round((threadNo * (ubound(arrPW1)/numProcs)))-1 if (threadNo = numProcs) then upperVal1 = ubound(arrPW1) objStdOut.WriteLine lowerVal1 & " " & upperVal1 msgbox(threadno & " - " & numprocs) if ((threadNo*1) = (numprocs + 1)) then Dim calcA,calcB, calcC, possibleCombos, possibleCombosMessage calcA = ubound(arrPW1) calcB = ubound(arrPW2) calcC = ubound(arrPW3) possibleCombos = (calcA+calcB+calcC)+(calcA*calcB)+(calcA*calcC)+(calcB*calcA)+(calcB*calcC)+(calcC*calcA)+(calcC*calcB)+(calcA*calcB*calcC)+(calcA*calcC*calcB)+(calcB*calcA*calcC)+(calcB*calcC*calcA)+(calcC*calcA*calcB)+(calcC*calcB*calcA) possibleCombosMessage = "Checking " & possibleCombos & " possible passwords. " msgbox(possiblecombosmessage) While (not pwFound) and (not whileFinish) for each val3 in arrPW3 pwFound = attemptPW(val3) next for each val2 in arrPW2 pwFound = attemptPW(val2) next for each val1 in arrPW1 pwFound = attemptPW(val1) next for each val1 in arrPW1 for each val2 in arrPW2 pwFound = attemptPW(val2 & val1) pwFound = attemptPW(val1 & val2) next next for each val1 in arrPW1 for each val3 in arrPW3 pwFound = attemptPW(val1 & val3) pwFound = attemptPW(val3 & val1) next next for each val2 in arrPW2 for each val3 in arrPW3 pwFound = attemptPW(val2 & val3) pwFound = attemptPW(val3 & val2) next next whileFinish = true Wend end if While (not pwFound) and (not whileFinish) for xVal1 = lowerVal1 to upperVal1 for each val2 in arrPW2 for each val3 in arrPW3 pwFound = attemptPW(arrPW1(xVal1) & val2 & val3) pwFound = attemptPW(arrPW1(xVal1) & val3 & val2) pwFound = attemptPW(val2 & arrPW1(xVal1) & val3) pwFound = attemptPW(val2 & val3 & arrPW1(xVal1)) pwFound = attemptPW(val3 & arrPW1(xVal1) & val2) pwFound = attemptPW(val3 & val2 & arrPW1(xVal1)) next next next whileFinish = true Wend ' Clean up. objexcel.quit set objExcel = nothing objInput.Close if the_password <> "" then msgbox("Success! Thread " & threadNo & " - Password: " & the_password & " (Total Time: " & round((endtime-starttime)*60*60*24) & "seconds)") else endtime=now() msgbox("Failure. Thread " & threadNo & ". Password not found. (Total Time: " & round((endtime-starttime)*60*60*24) & "seconds)") end if Function attemptPW(fPassword) On Error Resume Next countX = countX + 1 objExcel.Workbooks.Open xlsFile, , , , fPassword & "" If Err.Number > 0 then Err.Clear objStdOut.WriteLine(fPassword) attemptPW = false Else attemptPW = true endtime=now() the_password = fPassword End If End Function |
Usage:
- Make sure you have the 5 files (runCrack.vbs, cracker.vbs, 1.csv, 2.csv and 3.csv) in the same folder. Make a copy of the excel document you want cracked, and put this in the same folder too.
- Open up a DOS command prompt (RUN cmd.exe).
- Change to the folder containing all the files
- run
cscript runCrack.vbs file_to_crack.xlsx 8. file_to_crack.xlsx is the name of your excel file, and 8 is the number of threads to open. You can make this as many as you like. Too many threads will slow the process down so try to keep it in the range of 4 - 16. - And thats it, if your password is found you will get a message box showing the password. Unfortunately even if the password is found, the other threads will keep running. You can just close them.
June 29th, 2012 - 17:07
getting this error on win7 x86
————————————————————-
C:\vbs_crack1\cracker.vbs(152, 9) Microsoft VBScript compilation error: Expected
statement
June 30th, 2012 - 09:34
@jcy sorry about that. The problem is now sorted out. Was an issue with versioning (I uploaded the wrong version onto the site). If you download it again, you shouldn’t have any issues
October 5th, 2012 - 07:53
I keep getting a vb runtime error
line:23
char: 1
Error: subscript Out Of Range
Code 800A0009
Source: Microsoft CBScript runtime error
:/ what do
November 15th, 2012 - 18:35
hi all?
I need writing excel password crack code in c programming language. Help me!
January 31st, 2013 - 10:25
HI, thank your for programming and publishing this tool, works perfect, today I was able to find a password for a very important file…I was testing many different cracking sotware and online services to crack it for almost a year…nevertheless with a simple combination of numbers and common words, that I used to put some old passwords, your script found it in minutes! Thank you again, its a great job.
May 18th, 2013 - 10:16
It is not working for me, pls help need to retrieve information
May 18th, 2013 - 10:20
What error are you getting? What file type is it? (xls or xlsx)