subtafuge.com Just some stuff on the web

23Jun/128

Intelligent bruteforce password attack for Excel, for free




Sometimes there is a need to open an Excel file that you don't have the password for. Occasionally this will be when a colleague who has password protected an Excel document has now left the company...usually it is because the idiot who password protected the document forgot the password.

I work in the IT world, and this problem comes up on a pretty frequent basis...even more so because I am involved in the security and investigations realm. Usually when I need to get into the document I would use a brute force method. Unfortunately even with the best commercial solutions, brute force can take a ridiculous amount of time...and for the average person these solutions are not cheap. For excel files that were made in versions of Excel earlier than Excel 2007, this method will still work, but isn't entirely necessary. Excel 2003 and earlier is a lot easier to crack than later versions. From 2007 onwards, there is a level of encryption involved. Also, this method is for the password used to open the Excel document, not the password protected sheets and formulas (these are simple to bypass anyway).

If you aren't sure what brute force is, basically it is checking every possible combination of passwords possible. Starting from A to ZZZZZZZZZZZZZZZZZZZ. This is a pretty quick process if the password is 3 or 4 characters long and doesn't include special characters (!,*,% etc). Start looking at 7 character passwords and it is near impossible to get the password using this method unless you have quite a bit of cash to spend. Check this link to see how long a typical bruteforce attack would take.

For example, at the moment I have had an Excel document going for 3 days using brute force and still do not have a solution. This is what actually prompted me to come up with another way of doing it. This solution is more of a method to try before you attempt full on brute force.

You see, the fact of the matter is that people in general aren't as paranoid as your average "cracker" or techy is. They use rules for their password. When creating a password, a person is told "make sure you use a capital letter, a number and a punctuation mark". So what does the person do? They make a password that is exactly that. Instead of the password "sally" they go and make the password "Sally1!". Now this is not a bad idea, and in brute force terms, this makes things exponentially harder. But my method uses this knowledge to crack the password MUCH quicker than a standard brute force method. Another thing to remember is that generally people will not use something personal in the password when sharing a document with colleagues. So instead of having "sally1!" the user might use "june2012!" or something similar. I know that where I work there are certain passwords that are quite commonly used, well at least certain words with variations of numbers and punctuation. So modify the three CSV files as to your specific environment. Of course you could go and put the entire dictionary in there but that would take ages!

Essentially what my method does is instead of testing every combination of letters, numbers and character...it uses a combination of a dictionary attack and brute force. It picks a combination of common words, numbers and punctuation and tries them in all possible combinations. To test each combination the code is trying to open the document with the generated password, if it fails it tries the next combination. The problem with this is the way that Excel handles files opening. It creates a temp file each time that needs to be deleted before trying the same file again. This really slows things down. However I have made this multi-threaded (in a manner of speaking). You can set how many threads run at the same time. You will be left with a bunch of copies of the original Excel file after this has finished because the code creates copies of the file you want cracked. Feel free to delete these after you have finished.

I have used VB Script to code this because it is pretty much accessible to anyone with a Windows PC, and also to anyone that would need this code (there are plenty other free options out there in the Linux space).

There are 5 files necessary to this (plus the excel file you are trying to open of course). (Archive of all the files).

The files are

  • runCrack.vbs - Spawns the threads
  • cracker.vbs - the code that does the actual work
  • 1.csv - list of common words. Add or remove as you see fit.
  • 2.csv - common numbers. Add or remove as you see fit.
  • 3.csv - common punctuation. Add or remove as you see fit.

Alternatively you can copy & paste the code direct from below (don't forget to create the 3 CSV files for the source of the password generation):

Save the below code into a file called runCrack.vbs:

Option Explicit
'=================================================================
'Password cracker, using a type of dictionary attack
'Most passwords tend to be a combination of three 
'elements - common word + number + punctuation. i.e. Password123!
'This code uses this fact to check passwords against XLSX files 
'using three CSV files containing lists of these three elements.
'
'usage: "cscript runCrack.vbs pw_protected_excel_file.xls number_of_threads"
'  e.g: "cscript runCrack.vbs openme.xlsx 8"
'
'I have found the optimum number of threads to be the same as the number of
'cores of the CPU, however you might have different results
'
'Full Article:
'http://www.subtafuge.com/?p=682
'=================================================================

Dim theFile, nCores, objWMI, intJobID, objDateTime, i, objFSO, fileThread, currentPath
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2:Win32_Process")
Set objFSO = CreateObject("Scripting.FileSystemObject")
currentPath = replace(WScript.ScriptFullName, WScript.ScriptName, "")
theFile = currentPath & WScript.Arguments(0)
 
Dim numProcs
numProcs = WScript.Arguments(1)
if numProcs < 3 then numProcs = 2
msgbox(numprocs)
if objFSO.FileExists(theFile) then
	For i = 1 To (numProcs + 1)
		objFSO.CopyFile theFile, theFile & i, True
		objWMI.Create "cmd /K cscript " & chr(34) & currentPath & "cracker.vbs" & chr(34) & " " & chr(34) & theFile & i & chr(34) & " " & i & " " & chr(34) & currentPath & chr(34) & " " & numProcs, Null, Null, intJobID
	next
else
	msgbox("File: " & theFile & " doesn't exist")
end if

Save the below code into a file called cracker.vbs:

Option Explicit
'=================================================================
'Password cracker, using a type of dictionary attack
'Most passwords tend to be a combination of three 
'elements - common word + number + punctuation. i.e. Password123!
'This code uses this fact to check passwords against XLSX files 
'using three CSV files containing lists of these three elements.
'
'usage: "cscript runCrack.vbs pw_protected_excel_file.xls number_of_threads"
'  e.g: "cscript runCrack.vbs openme.xlsx 8"
'
'I have found the optimum number of threads to be the same as the number of
'cores of the CPU, however you might have different results
'
'Full Article:
'http://www.subtafuge.com/?p=682
'=================================================================

'On Error Resume Next

Dim objStdOut
Set objStdOut = WScript.StdOut
 
 
 
Dim currentPath, xlsFile, starttime, endtime, countX, threadNo, numProcs
 
xlsFile=wscript.arguments(0)
threadNo = wscript.arguments(1)
currentPath = wscript.arguments(2)
numProcs = wscript.arguments(3) * 1
 
starttime = now()
 
 
 
 
 
 
Dim objExcel
Set objExcel = WScript.CreateObject("Excel.Application")
objExcel.visible=False
 
 
Dim pwFound, whileFinish
pwFound = false
whileFinish = false
Dim objFSO, strInput1,strInput2,strInput3, objInput
Dim arrPW1(), arrPW2(), arrPW3()
Dim txtCSVLine, the_password 
the_password = ""
 
 
Dim x1
Dim val1, val2, val3
 
 
 
Const ForReading = 1
 
' Specify the CSV files. strInput1 is the primary list of words to check, strInput2 and strInput3 are appendages
' Only use the file name, not the full path
strInput1 = currentPath & "1.csv" 
strInput2 = currentPath & "2.csv"
strInput3 = currentPath & "3.csv"
 
x1 = 1
' Open the input file for read access
Set objFSO = CreateObject("Scripting.FileSystemObject")
wscript.echo strinput1
Set objInput = objFSO.OpenTextFile(strInput1, ForReading)
 
' Read file1.
Do Until objInput.AtEndOfStream
	txtCSVLine = objInput.ReadLine
' Skip the blank lines

	If (Trim(txtCSVLine) <> "") Then
' Increment the Array and assign value
		ReDim Preserve arrPW1(x1)
		arrPW1(x1-1) = Trim(txtCSVLine)
 
	End If
	x1 = x1 + 1
Loop
if x1 = 1 then
	wscript.echo(strInput1 & " contains no data")
	wscript.quit
end if
x1 = 1
Set objInput = objFSO.OpenTextFile(strInput2, ForReading)
 
' Read file2.
Do Until objInput.AtEndOfStream
	txtCSVLine = objInput.ReadLine
' Skip the blank lines
	If (Trim(txtCSVLine) <> "") Then
' Increment the Array and assign value
		ReDim Preserve arrPW2(x1)
		arrPW2(x1-1) = Trim(txtCSVLine)
 
	End If
	x1 = x1 + 1
Loop
if x1 = 1 then
	wscript.echo(strInput2 & " contains no data")
	wscript.quit
end if
 
x1 = 1
Set objInput = objFSO.OpenTextFile(strInput3, ForReading)
 
' Read file3.
Do Until objInput.AtEndOfStream
	txtCSVLine = objInput.ReadLine
' Skip the blank lines
	If (Trim(txtCSVLine) <> "") Then
' Increment the Array and assign value
		ReDim Preserve arrPW3(x1)
		arrPW3(x1-1) = Trim(txtCSVLine)
 
	End If
	x1 = x1 + 1
Loop
if x1 = 1 then
	wscript.echo(strInput3 & " contains no data")
	wscript.quit
end if
 
countX = 0
dim lowerVal1,upperVal1,xVal1
 
 
 
lowerVal1 = round((threadNo * (ubound(arrPW1)/numProcs)) - (ubound(arrPW1)/numProcs))
upperVal1 = round((threadNo * (ubound(arrPW1)/numProcs)))-1
if (threadNo = numProcs) then upperVal1 = ubound(arrPW1)
 
 
objStdOut.WriteLine lowerVal1 & " " & upperVal1
 
msgbox(threadno & " - " & numprocs)
 
if ((threadNo*1) = (numprocs + 1)) then
Dim calcA,calcB, calcC, possibleCombos, possibleCombosMessage 
calcA = ubound(arrPW1)
calcB = ubound(arrPW2)
calcC = ubound(arrPW3)
possibleCombos = (calcA+calcB+calcC)+(calcA*calcB)+(calcA*calcC)+(calcB*calcA)+(calcB*calcC)+(calcC*calcA)+(calcC*calcB)+(calcA*calcB*calcC)+(calcA*calcC*calcB)+(calcB*calcA*calcC)+(calcB*calcC*calcA)+(calcC*calcA*calcB)+(calcC*calcB*calcA)
possibleCombosMessage = "Checking " & possibleCombos & " possible passwords. "
msgbox(possiblecombosmessage)
 
	While (not pwFound) and (not whileFinish)
 
		for each val3 in arrPW3
			pwFound = attemptPW(val3)
		next
 
		for each val2 in arrPW2
			pwFound = attemptPW(val2)
		next
 
		for each val1 in arrPW1
			pwFound = attemptPW(val1)
		next
 
		for each val1 in arrPW1
			for each val2 in arrPW2
				pwFound = attemptPW(val2 & val1)
				pwFound = attemptPW(val1 & val2)
			next
		next
 
 
 
		for each val1 in arrPW1
			for each val3 in arrPW3
				pwFound = attemptPW(val1 & val3)
				pwFound = attemptPW(val3 & val1)
			next					
		next
 
 
 
 
		for each val2 in arrPW2
 
			for each val3 in arrPW3
				pwFound = attemptPW(val2 & val3)
				pwFound = attemptPW(val3 & val2)
			next	
		next		
		whileFinish = true
	Wend
 
 
end if
 
While (not pwFound) and (not whileFinish)
 
	for xVal1 = lowerVal1 to upperVal1
 
		for each val2 in arrPW2
 
			for each val3 in arrPW3
				pwFound = attemptPW(arrPW1(xVal1) & val2 & val3)
				pwFound = attemptPW(arrPW1(xVal1) & val3 & val2)
				pwFound = attemptPW(val2 & arrPW1(xVal1) & val3)
				pwFound = attemptPW(val2 & val3 & arrPW1(xVal1))
				pwFound = attemptPW(val3 & arrPW1(xVal1) & val2)
				pwFound = attemptPW(val3 & val2 & arrPW1(xVal1))
			next
		next
	next
	whileFinish = true
Wend
 
 
' Clean up.
objexcel.quit
set objExcel = nothing
objInput.Close
 
if the_password <> "" then
	msgbox("Success! Thread " & threadNo & " - Password: " & the_password & " (Total Time: " & round((endtime-starttime)*60*60*24) & "seconds)")
else
	endtime=now()
	msgbox("Failure. Thread " & threadNo & ". Password not found. (Total Time: " & round((endtime-starttime)*60*60*24) & "seconds)")	
end if
 
 
Function attemptPW(fPassword)
	On Error Resume Next
	countX = countX + 1
 
	objExcel.Workbooks.Open xlsFile, , , , fPassword & ""
	If Err.Number >  0 then
		Err.Clear
		objStdOut.WriteLine(fPassword)
		attemptPW = false
	Else
		attemptPW = true
		endtime=now()
		the_password = fPassword
	End If
 
End Function

Usage:

  • Make sure you have the 5 files (runCrack.vbs, cracker.vbs, 1.csv, 2.csv and 3.csv) in the same folder. Make a copy of the excel document you want cracked, and put this in the same folder too.
  • Open up a DOS command prompt (RUN cmd.exe).
  • Change to the folder containing all the files
  • run cscript runCrack.vbs file_to_crack.xlsx 8. file_to_crack.xlsx is the name of your excel file, and 8 is the number of threads to open. You can make this as many as you like. Too many threads will slow the process down so try to keep it in the range of 4 - 16.
  • And thats it, if your password is found you will get a message box showing the password. Unfortunately even if the password is found, the other threads will keep running. You can just close them.


Comments (8) Trackbacks (0)
  1. getting this error on win7 x86

    ————————————————————-

    C:\vbs_crack1\cracker.vbs(152, 9) Microsoft VBScript compilation error: Expected
    statement

  2. @jcy sorry about that. The problem is now sorted out. Was an issue with versioning (I uploaded the wrong version onto the site). If you download it again, you shouldn’t have any issues

  3. I keep getting a vb runtime error

    line:23
    char: 1
    Error: subscript Out Of Range
    Code 800A0009
    Source: Microsoft CBScript runtime error

    :/ what do

  4. hi all?
    I need writing excel password crack code in c programming language. Help me!

  5. HI, thank your for programming and publishing this tool, works perfect, today I was able to find a password for a very important file…I was testing many different cracking sotware and online services to crack it for almost a year…nevertheless with a simple combination of numbers and common words, that I used to put some old passwords, your script found it in minutes! Thank you again, its a great job.

  6. It is not working for me, pls help need to retrieve information

  7. What error are you getting? What file type is it? (xls or xlsx)

  8. Hi, tnx for the code but I still found difficulties using this apps. Even if I set a xlsx file with 123 as a password, then test it, it does not seem to match with those tag. Any idea why?


Add Comment Register



Leave a comment

No trackbacks yet.