
19/06/2018 Brute force password search by Interop/Automation - CodeProject

Brute force password search by Interop/Automation


paolo guccini, 14 Jun 2018

How to use Microsoft Interop/Automation to implement a parallel search for a Microsoft Office file password.

Introduction
Is it possible to recover a forgotten password for a Microsoft Office file using automation? The answer is yes: by brute force
via automation/Interop, multithreading and a lot of quantifiable CPU time.
The main goal of this software is to verify the capability of Interop to open a password-protected file and also to check when a
password is strong enough to resist attacks. But this software can also be used in the real world, to find a forgotten password
for files you own. In fact, it was written to open a file whose owner had forgotten the exact password.

Where to get it?

The form with the algorithm can be downloaded here (^) and inserted into a new Visual Studio project of your own.

Why use Interop/Automation?

Microsoft Interop allows developers to manage MS Office files, and it makes it easy to create a program that uses brute force to
find a forgotten password:

it works very well on Microsoft Office documents;
it is easy to implement;
it avoids having to study the cryptographic algorithm (and its possibly non-standard implementation) or to spend time
studying and understanding the file structure of each kind (Excel .xls and .xlsx, Word .doc and .docx and so on).

On the opposite side:

it is not time-performant when opening password-protected files.

Software requirements
To use the software, developed with Visual Studio 2017, Microsoft Office (or Excel or Word,
according to the kind of file to work on) must be installed on the target computer.

Error CS0234

If you get the error CS0234, it means you need to reference the Office library. Open the menu Project, Add reference..., 
select the tab "COM" and scroll the list to "Microsoft Word 16.0 Object Library" or the other version you have.

https://www.codeproject.com/Articles/1247450/Brute-force-password-search-by-Interop-Automation?display=Print 1/8

Time needed to accomplish the job


A brute force attack needs a predictable amount of time to accomplish the job. It can be computed as the number of
admissible chars raised to the power of the maximum password length to be tested.
For example, if we work on a password composed only of uppercase letters and with a length in the range between 1 and 6,
then we have 26 chars to test, repeating them from 'A' to 'ZZZZZZ'.

The total combinations (the mathematically more correct term: dispositions) to be tested are:

1 char ('A' to 'Z'): 26 ^ 1 = 26;
2 chars ('AA' to 'ZZ'): 26 ^ 2 = 676;
3 chars ('AAA' to 'ZZZ'): 26 ^ 3 = 17.576;
4 chars ('AAAA' to 'ZZZZ'): 26 ^ 4 = 456.976;
5 chars ('AAAAA' to 'ZZZZZ'): 26 ^ 5 = 11.881.376;
6 chars ('AAAAAA' to 'ZZZZZZ'): 26 ^ 6 = 308.915.776;

the sum is 321.272.406 possible passwords.

Now the last step for computing the time is adding the time factor.

The old hardware used for testing achieved ca. 1.500 tests/minute. Then:

321.272.406 combinations / 1.500 test/minute = 214.182 minutes
214.182 minutes / 60 min/h = 3.570 hours
3.570 hours / 24 h/day = 148 days (or 5 months).

The 148 days are the worst case, represented by 'ZZZZZZ'. The best case is the password consisting of just 'A', which is
tested and found immediately.

It is possible to skip passwords that are too short, starting, for example, from passwords with a length of 4 chars (i.e. 'AAAA').
Of course, if we know the password length, it is a great improvement in the time we can save.

Reducing the combinations by avoiding absolutely unlikely passwords such as 'RKWLPG' or 'TMQNTZ' (just because they are meaningless
and therefore hard to remember, or are placed in a nonsensical order on the keyboard, as opposed to 'QWERTY') is not possible by
algorithm, and it carries a concrete risk of jumping over the right one.

Standard set of chars to be tested


To complete the information, it is useful to remember that the real combinations have to be based on a set of chars that includes all the
possibilities. At least:

lowercase: 'a' to 'z': 26
uppercase: 'A' to 'Z': 26
numbers: '0' to '9': 10
special chars: parentheses (six), space, currency symbols (three or more), punctuation (six or more) and others: more than
20.

It sums up to 26+26+10+10, over 70 chars. Then, if the password has a size of 5 chars, we obtain 70^1 +70^2 +70^3 +70^4 +70^5
=1.680.700.000 possible passwords to test (against 308.915.776 if a single alphabet set is used, as seen before).

I have to underline that this software can be useful if it is used on your own files, because you can reduce the complexity of all the
possibilities. In fact you know:

which char set is or is not applicable (for example, if you never used some special char or the uppercase set, you can exclude
them from testing).
the minimum length of the password (for example, if you use passwords of 8 or more chars, it means you start the
elaboration from that length, saving a lot of time)
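
The estimates in "Time needed to accomplish the job" and in this section follow from one formula, worked here as an added example that is not part of the original article. The names KeyspaceEstimate, Candidates and WorstCaseDays are hypothetical, the rate is the article's 1.500 tests/minute, and on .NET Framework the project needs a reference to System.Numerics.

```csharp
using System;
using System.Numerics;   // .NET Framework: add a reference to System.Numerics

static class KeyspaceEstimate
{
    // Candidates over an alphabet of charsetSize symbols for every length
    // from minLen to maxLen inclusive: the sum of charsetSize^len.
    public static BigInteger Candidates(int charsetSize, int minLen, int maxLen)
    {
        if (charsetSize < 1 || minLen < 1 || maxLen < minLen)
            throw new ArgumentOutOfRangeException();
        BigInteger total = BigInteger.Zero;
        for (int len = minLen; len <= maxLen; len++)
            total += BigInteger.Pow(charsetSize, len);
        return total;
    }

    // Worst-case days needed to exhaust the space at a measured test rate.
    // A double is used because large spaces overflow TimeSpan.
    public static double WorstCaseDays(BigInteger candidates, double testsPerMinute)
    {
        return (double)candidates / testsPerMinute / 60.0 / 24.0;
    }

    static void Report(string label, int charsetSize, int minLen, int maxLen)
    {
        const double Rate = 1500;   // tests/minute measured in the article
        BigInteger n = Candidates(charsetSize, minLen, maxLen);
        Console.WriteLine("{0,-24} {1,26:N0} candidates {2,20:N1} days",
                          label, n, WorstCaseDays(n, Rate));
    }

    static void Main()
    {
        Report("A-Z, length 1-6", 26, 1, 6);          // the article's first case
        Report("A-Z, length 4-6", 26, 4, 6);          // short lengths skipped
        Report("A-Z, length 6 only", 26, 6, 6);       // length known in advance
        Report("70 symbols, length 1-5", 70, 1, 5);   // the larger char set
        Report("70 symbols, length 9", 70, 9, 9);     // "more than 8 chars"
    }
}
```

The longest length dominates each total, because every extra character multiplies the number of candidates by the size of the char set.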

Dreaming more Cpu speed


The test was conducted on a very old Intel i5 760 2.80GHz with 4 cores. For those who need performance, an Intel® Core™ i9
Extreme Edition processor is planned for around the end of 2018, having 18 cores and 36 threads, with a speed that can be
represented by one teraflop (10^12 FLOPS): the proposed computation time will shrink incredibly. I suppose from 1 month
it becomes 1 week.
Just for a smile: if you have no time to wait, there now exists a new supercomputer that can deliver 200,000 trillion calculations per
second (200 petaflops, 200 x 10^15 FLOPS). I suppose the time will be shortened from a month to a single day or less.

What can be parametrized


The software presented provides the possibility to choose:

the kind of characters that can be tried to guess the password: uppercase, lowercase, numbers. Currently, special characters
are not included as an available char set.
the password length range: the minimum and the maximum length to check. It is very useful to avoid wasting time verifying
passwords that are too short.
the number of cores to be used: this feature is intended to limit the load on the CPU, to keep the computer responsive for
everyday use. Moreover, the jobs are executed in a low priority mode, so they don't affect regular usage.

Using the code


The software uses a single form that creates and starts multiple threads: each one loops, sequentially testing a password obtained from the
function PasswordNext(), while StopSearch() returns false. When the password is found, a flag is set
by StopSearch(true).

Testing char set


The set of admitted chars is defined in the form through some checkboxes and it is returned by the
function AllowedCharsToString(). Currently it can manage:

lowercase letters
uppercase letters
numbers

Creating non invasive threads


Brute force is a heavy CPU resource consumer and it turns the computer into a zombie. To allow you to continue to use it in
almost normal conditions, the threads are created with the lowest priority. The CPU remains busy at 100% all the time, but
your interaction with other software or work has priority: the operating system will serve you and will suspend the brute force
for as long as necessary.


Here follows the code that creates and starts all the threads: they are inserted in a List<Thread> so they can be referenced
later. The instruction T.Priority is used to set the thread to the lowest priority.

// Keep a reference to every worker thread for later use.
TTCll = new System.Collections.Generic.List<System.Threading.Thread>();

for (int numt = 0; numt < ThreadToUse; numt++)
{
    // TextBox created at runtime for this thread (NumThread00Txt, NumThread01Txt, ...).
    TextBox NumTxt = (TextBox)(EsecuzioneTLP.Controls["NumThread" + numt.ToString("00") + "Txt"]);
    var T = new System.Threading.Thread(() => { Runner(NumTxt); });
    // Lowest priority: interactive work on the computer is served first.
    T.Priority = System.Threading.ThreadPriority.Lowest;
    T.Start();
    TTCll.Add(T);
}

Showing the running status


When we face very long running loops, it is very important to inform the user that everything is working and is not stuck.
The software can use a selectable number of cores, so a TableLayoutPanel is used in the form; it contains Labels and
TextBoxes generated at startup. Each one is bound to a different thread and is used to show the currently tested
password.

int ThreadToUse = int.Parse(MaxTasksTxt.Text);
ThreadPanel_Create(ThreadToUse);

Here is the form while it is running. At the bottom, with a grayer background, the TableLayoutPanel is visible with four threads
numbered from '00' to '03', displaying the passwords they are currently testing: '6K', '6L', '6J', '6M'.


Suggestions

If you start a test, remember to disable the sleep/standby function of your computer, otherwise the day after you could find the
computer stopped.

The thread function: Runner()


The main function, used by each thread, is named Runner(). Using the parameter NumTxt, which is a TextBox, the loop can
update the form with the current password being tested. That TextBox was dynamically created in the TableLayoutPanel.

Creating Instance
The thread creates an instance of the software to be used to try to open the password-protected file:

var WApp = new Microsoft.Office.Interop.Word.Application();

The main loop


The loop that tests the various possible passwords is a while that checks, by StopSearch(), whether the thread must stop because the
right password was found.

The function's core calls Open() with a password obtained from PasswordNext().

If it is the right password

If the tested password can open the file, then the routine performs these steps:

StopSearch(true) is called to set a flag;
Achivied() is called using the password as parameter to update the user interface;
then the resource WDoc can be released.


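try
{
    // Open() throws when the password is wrong.
    WDoc = WApp.Documents.Open(FileName, PasswordDocument: test, ReadOnly: true);
    StopSearch(true);   // set the flag that stops the other threads

    Achivied(test);     // show the password in the user interface

    WDoc.Close();
    System.Runtime.InteropServices.Marshal.ReleaseComObject(WDoc);
}
catch (System.Exception)
{
    // Wrong password: WDoc is null, nothing to do.
}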

If it is not the right one

Calling WApp.Documents.Open() on a password-protected file with a wrong password raises an exception. This is the reason to
wrap that instruction in a try/catch.

Inside the catch it is not necessary to perform any operation. In fact, WDoc is null. In case you want to do something with the
exception, the ex.Message string comparison must be changed according to the language used on the computer.

if (ex.Message.Contains("La password non è corretta. Word non può aprire il documento."))

The thread ends

The last job of the routine is to release the Interop instance using the instruction:

ReleaseComObject(WApp);

To make it more robust, the ReleaseComObject() is wrapped in a try/catch.

Which password next?


The function named PasswordNext() returns the password to be tested next. The first value is 'A' and is followed by
each single letter up to 'Z'; after that, it goes from 'a' to 'z' and from '0' to '9' (the types of chars that compose the series come
from AllowedCharsToString()).

// PasswordToVerify, AllowedCC, AllowedlattertIdx, ammessistr and
// SyncLockerobjNewPassword are fields of the form, defined outside this listing.
private char[] PasswordNext()
{
    char[] GiveBack;

    // One thread at a time: every candidate is handed out exactly once.
    lock (SyncLockerobjNewPassword)
    {
        // --- password to verify (a copy of the current candidate)
        GiveBack = new char[PasswordToVerify.Length];
        PasswordToVerify.CopyTo(GiveBack, 0);

        // --- prepare the password for the next round
        bool riporto = false;   // riporto = carry
        for (int i = PasswordToVerify.Length - 1; i >= 0; i--)
        {
            // is this position not yet at the last char of the set?
            if (PasswordToVerify[i] != AllowedCC[AllowedlattertIdx])
            {
                // increment this position and stop
                PasswordToVerify[i] = AllowedCC[(ammessistr.IndexOf(PasswordToVerify[i]) + 1)];
                riporto = false;
                break;
            }
            else
            {
                // wrap to the first char and carry to the position on the left
                PasswordToVerify[i] = AllowedCC[0];
                riporto = true;
            }
        }
        // --- carry out of the leftmost position: insert a new starting char on the left side
        if (riporto)
        {
            char[] tmp = new char[PasswordToVerify.Length];
            PasswordToVerify.CopyTo(tmp, 0);

            PasswordToVerify = new char[PasswordToVerify.Length + 1];
            PasswordToVerify[0] = AllowedCC[0];
            tmp.CopyTo(PasswordToVerify, 1);
        }
    }

    return GiveBack;
}
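
To judge how soon a given password comes up in the order PasswordNext() produces, its position can be computed directly instead of by running the search. This is an added example, not code from the article: SearchOrderRank and Rank are hypothetical names, it assumes all three char sets are selected in the order described above and that the search starts at minLen copies of the first char, and the sample passwords "zebra9" and "p@ss" are constructed.

```csharp
using System;
using System.Numerics;   // .NET Framework: add a reference to System.Numerics

static class SearchOrderRank
{
    // Assumed alphabet: uppercase, then lowercase, then digits.
    const string Alphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ" + "abcdefghijklmnopqrstuvwxyz" + "0123456789";

    // 1-based position of `password` in a sequence that counts up like an
    // odometer, shortest candidates first. Returns -1 if it is never reached.
    public static BigInteger Rank(string password, int minLen)
    {
        if (password.Length == 0 || password.Length < minLen) return -1;
        int k = Alphabet.Length;

        // Every shorter candidate is tested before this one.
        BigInteger rank = 0;
        for (int len = Math.Max(minLen, 1); len < password.Length; len++)
            rank += BigInteger.Pow(k, len);

        // Read the password as a base-k number over the alphabet.
        BigInteger value = 0;
        foreach (char c in password)
        {
            int digit = Alphabet.IndexOf(c);
            if (digit < 0) return -1;      // char outside the tested set
            value = value * k + digit;
        }
        return rank + value + 1;
    }

    static void Main()
    {
        const double Rate = 1500;   // tests/minute, the article's measurement
        // "zebra9" and "p@ss" are constructed samples.
        foreach (string pwd in new[] { "A", "AB0", "ZZZZZZ", "zebra9", "p@ss" })
        {
            BigInteger r = Rank(pwd, 1);
            if (r < 0)
                Console.WriteLine("{0,-8} is outside the tested set", pwd);
            else
                Console.WriteLine("{0,-8} test no. {1,18:N0}   about {2:N1} hours",
                                  pwd, r, (double)r / Rate / 60.0);
        }
    }
}
```

A password containing any char outside the selected sets is never produced, which is why the choice of char sets in the form matters as much as the length range.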

I got it!
Here is the form at the end of the elaboration, when the password is found. It reports information about:

the last password tested by each thread (it is useless).
the password found (in this case, "AB0")
the start time
the end time
the elapsed time to accomplish the job

The start button remains disabled so that the user cannot inadvertently launch another run. To run another test, the software has to
be restarted.

Change file to target



To use the code against an Excel file, the line to modify is the WApp declaration, changing it to:

var WApp = new Microsoft.Office.Interop.Excel.Application();

Secondary points of interest


For new developers using the TableLayoutPanel, the function ThreadPanel_Create() can be useful to understand how to create
columns at runtime and insert controls like Label and TextBox. Note that this control always has a column.

For those approaching threading, there is a nice example of creating threads and synchronizing them to stop according to a condition
that becomes true in one of them.

Conclusions
The Microsoft password protection is strong enough if the simple rules of any password are respected: length (more than 8 chars) and the
usage of a large set of chars: uppercase and lowercase, numbers and special chars. But if you are looking for your lost password,
you have a good chance to recover it. If you are not in a hurry, of course!

License
This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author


paolo guccini
Software Developer (Senior) Guccini Software
Italy

I started to develop software in the '80s, specialized in desktop applications in the sales and marketing area and system integration.
Since 2005 I'm a C# DotNet enthusiast.

Article Copyright 2018 by paolo guccini
Last Updated 14 Jun 2018
Everything else Copyright © CodeProject, 1999-2018